From 99da1b5185643afea27cbbac8b7692004d33cb35 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 8 Feb 2017 10:50:58 +0000
Subject: [PATCH 01/80] Hoist mdattr and saml prefixes in production aggregate

See ukf/ukf-meta#103 and ukf/ukf-meta#105.
---
 mdx/uk/README.md      | 13 ++++++-------
 mdx/uk/ns_norm_uk.xsl |  2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index fdff0d19..64b27758 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -53,21 +53,20 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2017-01-27):
+Status (2017-02-08):
 
 * the test aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_.
 * the test aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
 This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
 without a `use` attribute. It is not needed for later releases of the Shibboleth SP.
-* The test aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
-instead of in each SAML `<Attribute>`.
-* The test aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
-instead of in each `<EntityAttributes>` element.
 * The test aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used.
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-01-27):
+Status (2017-02-08):
 
-* these two aggregates are currently identical
+* The production aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
+instead of in each SAML `<Attribute>`. (2017-02-08)
+* The production aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
+instead of in each `<EntityAttributes>` element. (2017-02-08)
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index e42943f7..fb3d7896 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -39,7 +39,7 @@
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="alg md mdattr saml wayf"
+	exclude-result-prefixes="alg md wayf"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From 658ce0094fc0f91b328c7ff60f327398dd05221e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 8 Feb 2017 11:25:10 +0000
Subject: [PATCH 02/80] Separate normalisation transforms for export and export
 preview

---
 mdx/uk/generate.xml               |  15 ++--
 mdx/uk/ns_norm_export.xsl         |   8 +--
 mdx/uk/ns_norm_export_preview.xsl | 111 ++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 14 deletions(-)
 create mode 100644 mdx/uk/ns_norm_export_preview.xsl

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d4fcbaaa..d8be9833 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -661,9 +661,6 @@
         </property>
     </bean>
     
-    <bean id="uk_normaliseExport" parent="XSLTransformationStage"
-        p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
-    
     <bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
@@ -756,8 +753,10 @@
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="uk_normaliseExport"/>
-                
+
+                <bean id="uk_normaliseExport" parent="XSLTransformationStage"
+                    p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
+
                 <!--
                     Schema validity and other checks MUST pass.
                     
@@ -866,8 +865,10 @@
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
-                <ref bean="uk_normaliseExport"/>
-                
+
+                <bean id="uk_normaliseExportPreview" parent="XSLTransformationStage"
+                    p:XSLResource="classpath:uk/ns_norm_export_preview.xsl"/>
+
                 <!--
                     Schema validity and other checks MUST pass.
                     
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index 45f91dd9..99806323 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -3,13 +3,7 @@
 
 	ns_norm_export.xsl
 	
-	Normalise the namespaces in a metadata file for export.
-	
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
+	Normalise the namespaces in the export aggregate.
 	
 	The strategy is to define the most commonly-used prefixes in the document element.
 	
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
new file mode 100644
index 00000000..f5c3833b
--- /dev/null
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	ns_norm_export_preview.xsl
+	
+	Normalise the namespaces in the export preview aggregate.
+	
+	The strategy is to define the most commonly-used prefixes in the document element.
+	
+	Prefixes which are less often used, but which may be used by container elements
+	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+	on the document element.
+	
+	Prefixes which are less often used and are only used for non-containers can be
+	normalised to non-prefix use (i.e., to redefine the default namespace) if required
+	to cut the numbers down.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+	xmlns:remd="http://refeds.org/metadata"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	
+	exclude-result-prefixes="alg md mdattr saml ukfedlabel wayf"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+	<!--
+		Import templates for basic normalisation.
+	-->
+	<xsl:import href="../ns_norm.xsl"/>
+	
+
+	<!--
+		Force UTF-8 encoding for the output.
+	-->
+	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+	
+
+	<!--
+		*******************************************
+		***                                     ***
+		***   D O C U M E N T   E L E M E N T   ***
+		***                                     ***
+		*******************************************
+	-->
+	
+	
+	<!--
+		We need to handle the document element specially in order to arrange
+		for all appropriate namespace prefix definitions to appear on it.
+		
+		There are only two possible document elements in SAML metadata.
+	-->
+	
+	
+	<!--
+		Document element is <EntityDescriptor>.
+	-->
+	<xsl:template match="/md:EntityDescriptor">
+		<EntityDescriptor>
+			<xsl:apply-templates select="node()|@*"/>
+		</EntityDescriptor>
+	</xsl:template>
+	
+	<!--
+		Document element is <EntitiesDescriptor>.
+	-->
+	<xsl:template match="/md:EntitiesDescriptor">
+		<EntitiesDescriptor>
+			<xsl:apply-templates select="node()|@*"/>
+		</EntitiesDescriptor>
+	</xsl:template>
+	
+	
+	<!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+	
+	
+	<!--
+        alg:*
+        
+        Normalise namespace to not use a prefix.
+    -->
+	<xsl:template match="alg:*">
+		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>
+	
+	
+</xsl:stylesheet>

From a31c704e232439a6980bc7319399a80d1f9467b6 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 8 Feb 2017 14:00:39 +0000
Subject: [PATCH 03/80] Don't include usesAthensIdP member attribute in
 statistics

See ukf/ukf-meta#116.
---
 mdx/uk/statistics.xsl | 90 +++++--------------------------------------
 1 file changed, 10 insertions(+), 80 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index c31d1721..f6dad0d5 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -146,9 +146,10 @@
                    This may be because they have not yet registered any; perhaps because they have only recently joined. 
                    Alternatively, they may have outsourced their identity provision.
                    Outsourcing of IdP provision is indicated by an asterisk in the OSrc column in the table.
-                   This indicates either outsourcing to an Eduserv virtual IdP or a member who "pushes" scopes
+                   This indicates a member who "pushes" scopes
                    to an aggregate IdP.
-                   Other IdP outsourcing, and any SP outsourcing, is not recorded in the table.
+                   Other IdP outsourcing (such as use of an OpenAthens virtual IdP),
+                   and any SP outsourcing, is not recorded in the table.
                 </p>
                 <table border="1" cellspacing="2" cellpadding="4">
                     <tr>
@@ -180,12 +181,6 @@
                     select="set:difference($membersWithSps, $membersWithIdPs)"/>
                 <xsl:variable name="membersWithNone"
                     select="set:difference($members, $membersWithEither)"/>
-                <xsl:variable name="membersWithAthensIdP"
-                    select="$members[@usesAthensIdP = 'true']"/>
-                <xsl:variable name="membersWithJustAthensIdP"
-                    select="set:difference($membersWithAthensIdP, $membersWithEither)"/>
-                <xsl:variable name="membersWithNoneNoAthens"
-                    select="set:difference($membersWithNone, $membersWithAthensIdP)"/>
                 <xsl:variable name="membersWithIdPsCount" select="count($membersWithIdPs)"/>
                 <xsl:variable name="membersWithSpsCount" select="count($membersWithSps)"/>
                 <xsl:variable name="membersWithBothCount" select="count($membersWithBoth)"/>
@@ -193,8 +188,6 @@
                 <xsl:variable name="membersWithJustIdPsCount" select="count($membersWithJustIdPs)"/>
                 <xsl:variable name="membersWithJustSPsCount" select="count($membersWithJustSPs)"/>
                 <xsl:variable name="membersWithNoneCount" select="count($membersWithNone)"/>
-                <xsl:variable name="membersWithJustAthensIdPCount" select="count($membersWithJustAthensIdP)"/>
-                <xsl:variable name="membersWithNoneNoAthensCount" select="count($membersWithNoneNoAthens)"/>
                 <p>Breakdown of members by entity registration status:</p>
                 <ul>
                     <li>
@@ -239,26 +232,13 @@
                             (<xsl:value-of select="format-number($membersWithNoneCount div $memberCount, '0.0%')"/>)
                         </p>
                     </li>
-                    <li>
-                        <p>
-                            Without entities, but with Athens IdP access: <xsl:value-of select="$membersWithJustAthensIdPCount"/>
-                            (<xsl:value-of select="format-number($membersWithJustAthensIdPCount div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Without entities, and with no Athens IdP access: <xsl:value-of select="$membersWithNoneNoAthensCount"/>
-                            (<xsl:value-of select="format-number($membersWithNoneNoAthensCount div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
                     <li>
                         <p>
                             Chart:
                             <xsl:value-of select="$membersWithJustIdPsCount"/>,
                             <xsl:value-of select="$membersWithJustSPsCount"/>,
                             <xsl:value-of select="$membersWithBothCount"/>,
-                            <xsl:value-of select="$membersWithJustAthensIdPCount"/>,
-                            <xsl:value-of select="$membersWithNoneNoAthensCount"/>.                            
+                            <xsl:value-of select="$membersWithNoneCount"/>.                            
                         </p>
                     </li>
                 </ul>
@@ -271,34 +251,6 @@
                     *********************************
                 -->
                 
-                <!--
-                    Members who are Eduserv.
-                    
-                    This is computed because Eduserv are an exception to the normal
-                    rules about outsourcing because they do not outsource even though
-                    they do use an Athens IdP.
-                -->
-                <xsl:variable name="members.eduserv"
-                    select="$members[members:Name = 'Eduserv']"/>
-                <xsl:variable name="members.eduserv.count" select="count($members.eduserv)"/>
-                
-                <!--
-                    Members who are deduced as outsourcing as a result of their use
-                    of an Athens IdP.
-                -->
-                <xsl:variable name="members.osrc.athens"
-                    select="$members[@usesAthensIdP = 'true']"/>
-                <xsl:variable name="members.osrc.athens.count" select="count($members.osrc.athens)"/>
-                
-                <!--
-                    Members who are deduced as outsourcing as a result of their use
-                    of an Athens IdP.  This count excludes Eduserv, as clearly they
-                    can not outsource to themselves.
-                -->
-                <xsl:variable name="members.osrc.athens.true"
-                    select="$members[@usesAthensIdP = 'true'][members:Name != 'Eduserv']"/>
-                <xsl:variable name="members.osrc.athens.true.count" select="count($members.osrc.athens.true)"/>
-                
                 <!--
                     Members who are deduced as outsourcing as a result of their use
                     of the mechanism for describing scopes "pushed" to a specific entity.
@@ -310,8 +262,7 @@
                 <!--
                     Members who are deduced as outsourcing.
                 -->
-                <xsl:variable name="members.osrc"
-                    select="set:distinct($members.osrc.athens.true | $members.osrc.scopes.push)"/>
+                <xsl:variable name="members.osrc" select="$members.osrc.scopes.push"/>
                 <xsl:variable name="members.osrc.count" select="count($members.osrc)"/>
                 
                 <!--
@@ -330,24 +281,6 @@
                 
                 <p>Outsourcing worksheet:</p>
                 <ul>
-                    <li>
-                        <p>
-                            Members who are Eduserv: <xsl:value-of select="$members.eduserv.count"/>
-                            (<xsl:value-of select="format-number($members.eduserv.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Members using an Athens IdP: <xsl:value-of select="$members.osrc.athens.count"/>
-                            (<xsl:value-of select="format-number($members.osrc.athens.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
-                    <li>
-                        <p>
-                            Members (other than Eduserv) using an Athens IdP: <xsl:value-of select="$members.osrc.athens.true.count"/>
-                            (<xsl:value-of select="format-number($members.osrc.athens.true.count div $memberCount, '0.0%')"/>)
-                        </p>
-                    </li>
                     <li>
                         <p>
                             Members pushing scopes: <xsl:value-of select="$members.osrc.scopes.push.count"/>
@@ -971,8 +904,8 @@
                     ***************************************************************
                 -->
                 <h2><a name="undeployedMembers">Members Lacking Deployment</a></h2>
-                <!-- start with members with no entities and no OpenAthens -->
-                <xsl:variable name="nodeploy.0" select="$membersWithNoneNoAthens"/>
+                <!-- start with members with no entities -->
+                <xsl:variable name="nodeploy.0" select="$membersWithNone"/>
                 <!-- remove members who have scopes sent to some entity -->
                 <xsl:variable name="nodeploy.1"
                     select="$nodeploy.0[not(members:Scopes/members:Entity)]"
@@ -981,7 +914,9 @@
                 <p>
                     The following <xsl:value-of select="count($nodeploy.out)"/>
                     members of the UK federation have no deployed entities,
-                    either in their own name or deployed on their behalf by other members.
+                    either in their own name or deployed on their behalf by other members
+                    and to which they have "pushed" scopes.
+                    Use of OpenAthens virtual IdPs is not considered here.
                     The list is ordered by date of joining the UK federation.
                 </p>
                 <ul>
@@ -1256,11 +1191,6 @@
                         &#160;
                     </xsl:when>
                     
-                    <!-- anyone else using the Athens IdP does outsource -->
-                    <xsl:when test="@usesAthensIdP = 'true'">
-                        *
-                    </xsl:when>
-                    
                     <!--
                     	Anyone pushing scopes to an entity is assumed to
                     	be outsourcing.  Strictly speaking, this should be

From 04d944fe9d0a4a42356f584116a3fb29ab09ddc2 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 8 Feb 2017 15:02:41 +0000
Subject: [PATCH 04/80] Hoist mdattr and saml prefix definitions in export
 preview aggregate

See ukf/ukf-meta#103 and ukf/ukf-meta#105.
---
 mdx/uk/README.md                  | 7 +++++--
 mdx/uk/ns_norm_export_preview.xsl | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 64b27758..17ebb0f6 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,9 +28,12 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-01-27):
+Status (2017-02-08):
 
-* these two aggregates are currently identical.
+* The export preview aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
+instead of in each SAML `<Attribute>`. (2017-02-08)
+* The export preview aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
+instead of in each `<EntityAttributes>` element. (2017-02-08)
 
 ## Production Maturity Pipeline
 
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
index f5c3833b..59e402e6 100644
--- a/mdx/uk/ns_norm_export_preview.xsl
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -33,7 +33,7 @@
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="alg md mdattr saml ukfedlabel wayf"
+	exclude-result-prefixes="alg md ukfedlabel wayf"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From f2021d9152cf60e3b224f0620b8e519c3ab024d1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 10 Feb 2017 10:21:38 +0000
Subject: [PATCH 05/80] Hoist mdattr and saml prefix definitions in export
 aggregate

See ukf/ukf-meta#103 and ukf/ukf-meta#105.
---
 mdx/uk/README.md          | 7 ++-----
 mdx/uk/ns_norm_export.xsl | 2 +-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 17ebb0f6..7018e031 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,12 +28,9 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-02-08):
+Status (2017-02-10):
 
-* The export preview aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
-instead of in each SAML `<Attribute>`. (2017-02-08)
-* The export preview aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
-instead of in each `<EntityAttributes>` element. (2017-02-08)
+* these aggregates are currently identical
 
 ## Production Maturity Pipeline
 
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index 99806323..d1448ab2 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -33,7 +33,7 @@
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="alg md mdattr saml ukfedlabel wayf"
+	exclude-result-prefixes="alg md ukfedlabel wayf"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From 54623c07ac0312f964a9655339c5081f7bda15d9 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 10 Feb 2017 10:43:39 +0000
Subject: [PATCH 06/80] Retire key use fixup in production and WAYF aggregates

See ukf/ukf-meta#109.
---
 mdx/uk/README.md    | 12 +++++++++---
 mdx/uk/generate.xml |  4 ----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 7018e031..18455dee 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -43,6 +43,12 @@ The production maturity pipeline consists of:
 In this arrangement, features are first introduced to the `test` variant of the aggregate for a period
 before being included in the `metadata` variant consumed by federation members.
 
+The following additional aggregates are normally kept in sync (where appropriate) with the production `metadata`
+aggregate:
+
+* `ukfederation-cdsall-unsigned.xml`
+* `ukfederation-wayf-unsigned.xml`
+
 Once a feature has been "in production" (present in the `metadata` variant) for a period, normally one month but
 subject to extension at Federation discretion, it will be introduced to the `back` variant. This provides a
 temporary "fallback" mechanism for entity owners whose entities have difficulty with a newly introduced
@@ -57,9 +63,6 @@ Status (2017-02-08):
 
 * the test aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_.
-* the test aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
-This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
-without a `use` attribute. It is not needed for later releases of the Shibboleth SP.
 * The test aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used.
 
 ### Fallback Aggregate vs. Production Aggregate
@@ -70,3 +73,6 @@ Status (2017-02-08):
 instead of in each SAML `<Attribute>`. (2017-02-08)
 * The production aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
 instead of in each `<EntityAttributes>` element. (2017-02-08)
+* the production aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
+This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
+without a `use` attribute. It is not needed for later releases of the Shibboleth SP. (2017-02-10)
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d8be9833..d3382fea 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -337,12 +337,10 @@
                 <ref bean="entityAttributes.whitelist"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripWayfNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
                 
                 <!-- production aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
                 
@@ -407,12 +405,10 @@
                 <ref bean="stripEmptyExtensions"/>
                 
                 <ref bean="stripMdattrNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- WAYF aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
 

From 1461ae8b5b0c0ac2b80f914ffa5d5abc91198913 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 13 Feb 2017 14:56:43 +0000
Subject: [PATCH 07/80] Normalise xenc namespace without prefix in production,
 wayf and export preview aggregates

See ukf/ukf-meta#110.
---
 mdx/uk/README.md                  | 10 +++++-----
 mdx/uk/ns_norm_export_preview.xsl | 24 +++++++++++++++++++++++-
 mdx/uk/ns_norm_uk.xsl             | 24 +++++++++++++++++++++++-
 3 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 18455dee..ac44d347 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,9 +28,9 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-02-10):
+Status (2017-02-13):
 
-* these aggregates are currently identical
+* The export preview aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used. (2017-02-13)
 
 ## Production Maturity Pipeline
 
@@ -59,15 +59,14 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2017-02-08):
+Status (2017-02-13):
 
 * the test aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_.
-* The test aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used.
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-02-08):
+Status (2017-02-13):
 
 * The production aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
 instead of in each SAML `<Attribute>`. (2017-02-08)
@@ -76,3 +75,4 @@ instead of in each `<EntityAttributes>` element. (2017-02-08)
 * the production aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
 This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
 without a `use` attribute. It is not needed for later releases of the Shibboleth SP. (2017-02-10)
+* The production aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used. (2017-02-13)
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
index 59e402e6..cb79a27c 100644
--- a/mdx/uk/ns_norm_export_preview.xsl
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -32,8 +32,9 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md ukfedlabel wayf"
+	exclude-result-prefixes="alg md ukfedlabel wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -107,5 +108,26 @@
 		</xsl:element>
 	</xsl:template>
 	
+
+	<!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+	<!--
+        xenc:*
+        
+        Normalise namespace to not use a prefix.
+    -->
+	<xsl:template match="xenc:*">
+		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>	
+	
 	
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index fb3d7896..20930f67 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -38,8 +38,9 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md wayf"
+	exclude-result-prefixes="alg md wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -113,5 +114,26 @@
 		</xsl:element>
 	</xsl:template>
 	
+
+	<!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+	<!--
+        xenc:*
+        
+        Normalise namespace to not use a prefix.
+    -->
+	<xsl:template match="xenc:*">
+		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>	
+	
 	
 </xsl:stylesheet>

From 7ed0dcbc16e4111c9c951ed4de8c3f19dacb12a4 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 10:54:04 +0000
Subject: [PATCH 08/80] Apply R+S checks to eduGAIN as well as local entities

Resolves ukf/ukf-meta#20.
---
 mdx/int_edugain/verbs.xml | 1 -
 mdx/uk/beans.xml          | 1 -
 mdx/validation-beans.xml  | 1 +
 3 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index ed4a6400..e6cd01ce 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -96,7 +96,6 @@
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
                 
-                <ref bean="check_rands"/>
                 <ref bean="standardImportActions"/>
                 <ref bean="errorTerminatingFilter"/>
             </list>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 6fb81d6a..eb185e63 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -334,7 +334,6 @@
                 <ref bean="check_uk_mdattr"/>
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
-                <ref bean="check_rands"/>
                 <ref bean="mdui_dn_en_present"/>
                 <ref bean="mdui_dn_en_match"/>
                 <ref bean="check_dup_display"/>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index da3237f7..d59f8ca9 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -660,6 +660,7 @@
                 <ref bean="check_mdrpi"/>
                 <ref bean="check_mdui"/>
                 <ref bean="check_misc"/>
+                <ref bean="check_rands"/>
                 <ref bean="check_reqattr"/>
                 <ref bean="check_saml1"/>
                 <ref bean="check_saml2"/>

From f8e9458d7c80164089b1c204014429400d20920b Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 11:25:28 +0000
Subject: [PATCH 09/80] Normalise xenc namespace without prefix in export
 aggregate

See ukf/ukf-meta#110.
---
 mdx/uk/README.md          |  4 ++--
 mdx/uk/ns_norm_export.xsl | 24 +++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index ac44d347..3b19450c 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -28,9 +28,9 @@ before being included in the `export` version consumed by interfederation partne
 
 ### Export Preview Aggregate vs. Export Aggregate
 
-Status (2017-02-13):
+Status (2017-02-14):
 
-* The export preview aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used. (2017-02-13)
+* These aggregates are currently identical.
 
 ## Production Maturity Pipeline
 
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index d1448ab2..0d2b762f 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -32,8 +32,9 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md ukfedlabel wayf"
+	exclude-result-prefixes="alg md ukfedlabel wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -107,5 +108,26 @@
 		</xsl:element>
 	</xsl:template>
 	
+
+	<!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+	<!--
+        xenc:*
+        
+        Normalise namespace to not use a prefix.
+    -->
+	<xsl:template match="xenc:*">
+		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>	
+	
 	
 </xsl:stylesheet>

From dd9abaefac6d5a71ff4e5239e78db3c8e6d14bc7 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 14:34:56 +0000
Subject: [PATCH 10/80] Gather statistics about distinct RSA moduli used

See ukf/ukf-meta#113.
---
 build.xml                   | 23 +++++++++++++++++++++++
 utilities/check_embedded.pl | 13 +++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/build.xml b/build.xml
index ac61494e..05b47510 100644
--- a/build.xml
+++ b/build.xml
@@ -2434,6 +2434,29 @@
         <delete file="${temp.dir}/embedded.pem" quiet="true" verbose="false"/>
     </target>
 
+    <!--
+        Check embedded certificates in our production aggregate.
+
+        You can ignore almost all of the output from this, other than
+        the summary information at the end and in particular the
+        number of distinct RSA moduli.
+    -->
+    <target name="check.embedded.all">
+        <echo>Extracting embedded certificates</echo>
+        <XALAN
+            i="${aggregates.dir}/${mdaggr.prod.signed}"
+            o="${temp.dir}/embedded.pem"
+            x="${build.dir}/extract_embedded.xsl"/>
+        <echo>Checking embedded certificates</echo>
+        <echo>Note: ignore expiry on eduGAIN entities</echo>
+        <exec executable="perl" dir="${utilities.dir}"
+            input="${temp.dir}/embedded.pem">
+            <arg value="${utilities.dir}/check_embedded.pl"/>
+            <arg value="${entities.dir}/expiry_whitelist.txt"/>
+        </exec>
+        <delete file="${temp.dir}/embedded.pem" quiet="true" verbose="false"/>
+    </target>
+
     <!--
        Check for IdPs using the single-port configuration.
     -->
diff --git a/utilities/check_embedded.pl b/utilities/check_embedded.pl
index 8272fccd..6919014b 100755
--- a/utilities/check_embedded.pl
+++ b/utilities/check_embedded.pl
@@ -311,6 +311,14 @@ sub comment {
 				next;
 			}
 
+            #
+            # Track distinct RSA moduli
+            #
+            if (/^Modulus=(.*)$/) {
+                $modulus = $1;
+                # print "   modulus: '$modulus'\n";
+                $rsa_modulus{$modulus} = 1;
+            }
 		}
 		close SSL;
 		#print "   text lines: $#lines\n";
@@ -405,6 +413,11 @@ sub comment {
 	}
 	print "\n";
 
+    $distinct_moduli = scalar keys %rsa_modulus;
+    if ($distinct_moduli > 1) {
+        print "Distinct RSA moduli: $distinct_moduli\n";
+    }
+
 	my $first = 1;
 	foreach $fingerprint (sort keys %expiry_whitelist) {
 		if ($expiry_whitelist{$fingerprint} eq 'unused') {

From 60f355ef2a3811745a9cc8f47249da5f60493b6f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 15:53:09 +0000
Subject: [PATCH 11/80] Use portable enabling of warnings for perl scripts

Resolves ukf/ukf-meta#111.
---
 attic/keynames.pl             | 3 ++-
 attic/keynames_inner.pl       | 4 +++-
 charting/fetch.pl             | 3 ++-
 charting/mdui.pl              | 3 ++-
 charting/saml2.pl             | 3 ++-
 charting/scopes.pl            | 3 ++-
 charting/sizes.pl             | 3 ++-
 utilities/2016-09-16/doall.pl | 4 +++-
 utilities/2016-09-16/patch.pl | 4 +++-
 utilities/2016-10-06/patch.pl | 4 +++-
 10 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/attic/keynames.pl b/attic/keynames.pl
index 23216794..a917025d 100755
--- a/attic/keynames.pl
+++ b/attic/keynames.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # keynames.pl
 #
 # Extracts statistics about KeyName elements from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/attic/keynames_inner.pl b/attic/keynames_inner.pl
index bed6059f..3778f942 100755
--- a/attic/keynames_inner.pl
+++ b/attic/keynames_inner.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
+
+use warnings;
 use POSIX qw(floor);
 use File::Temp qw(tempfile);
 use Date::Format;
diff --git a/charting/fetch.pl b/charting/fetch.pl
index 9b01e351..47d3e51e 100755
--- a/charting/fetch.pl
+++ b/charting/fetch.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # fetch.pl
 #
+use warnings;
 use File::stat;
 use Months;
 
diff --git a/charting/mdui.pl b/charting/mdui.pl
index b6e14bd0..fb2a6bfd 100755
--- a/charting/mdui.pl
+++ b/charting/mdui.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # mdui.pl
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/saml2.pl b/charting/saml2.pl
index bc69fd04..fd790429 100755
--- a/charting/saml2.pl
+++ b/charting/saml2.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # saml2.pl
 #
 # Extracts statistics about SAML 2 adoption from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/scopes.pl b/charting/scopes.pl
index 2e38809d..3927471b 100755
--- a/charting/scopes.pl
+++ b/charting/scopes.pl
@@ -1,10 +1,11 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # scopes.pl
 #
 # Extracts statistics about number of scopes from the published metadata.
 #
+use warnings;
 use lib "../build";
 use Xalan;
 use Months;
diff --git a/charting/sizes.pl b/charting/sizes.pl
index 4d36b33d..004c6e3f 100755
--- a/charting/sizes.pl
+++ b/charting/sizes.pl
@@ -1,8 +1,9 @@
-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
 
 #
 # sizes.pl
 #
+use warnings;
 use lib "../build";
 use File::stat;
 use Xalan;
diff --git a/utilities/2016-09-16/doall.pl b/utilities/2016-09-16/doall.pl
index 7056b5d1..d2b8255b 100755
--- a/utilities/2016-09-16/doall.pl
+++ b/utilities/2016-09-16/doall.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 open(F, "id-to-name.txt") || die "could not open id-to-name map";
 while (<F>) {
diff --git a/utilities/2016-09-16/patch.pl b/utilities/2016-09-16/patch.pl
index c47766c3..543e0a0c 100755
--- a/utilities/2016-09-16/patch.pl
+++ b/utilities/2016-09-16/patch.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 my $orgID = shift @ARGV;
 
diff --git a/utilities/2016-10-06/patch.pl b/utilities/2016-10-06/patch.pl
index 638f5d7d..86744119 100755
--- a/utilities/2016-10-06/patch.pl
+++ b/utilities/2016-10-06/patch.pl
@@ -1,4 +1,6 @@
-#!/usr/bin/env perl -W
+#!/usr/bin/env perl
+
+use warnings;
 
 open(F, "id-to-name.txt") || die "could not open id-to-name map";
 while (<F>) {

From 547057db6c39c2fae7a3ca4d7ad0f1b065712cde Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 17:37:55 +0000
Subject: [PATCH 12/80] Automate the collection of some more charting
 statistics

See ukf/ukf-meta#106.
---
 mdx/uk/statistics.xsl | 88 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 74 insertions(+), 14 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index f6dad0d5..ba84c359 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -128,6 +128,7 @@
                     <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
                     <li><p><a href="#exportOptOut">Export Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
+                    <li><p><a href="#charting">Charting Statistics</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
                 
@@ -305,16 +306,6 @@
                             (<xsl:value-of select="format-number($members.osrc.none.count div $memberCount, '0.0%')"/>)
                         </p>
                     </li>
-                    <li>
-                        <p>
-                            Chart:
-                            <xsl:value-of select="$membersWithJustIdPsCount"/>,
-                            <xsl:value-of select="$membersWithJustSPsCount"/>,
-                            <xsl:value-of select="$membersWithBothCount"/>,
-                            <xsl:value-of select="$members.osrc.only.count"/>,
-                            <xsl:value-of select="$members.osrc.none.count"/>.                            
-                        </p>
-                    </li>
                 </ul>
 
 
@@ -1066,6 +1057,65 @@
                     </ul>
                 </xsl:if>
                 
+                
+                <!--
+                    ***************************
+                    ***                     ***
+                    ***   C H A R T I N G   ***
+                    ***                     ***
+                    ***************************
+                -->
+                <h2><a name="charting">Charting Statistics</a></h2>
+                <ul>
+                    <li>Members: <xsl:value-of select="$memberCount"/></li>
+                    <li>
+                        Outsourcing chart:
+                        <xsl:value-of select="$membersWithJustIdPsCount"/>,
+                        <xsl:value-of select="$membersWithJustSPsCount"/>,
+                        <xsl:value-of select="$membersWithBothCount"/>,
+                        <xsl:value-of select="$members.osrc.only.count"/>,
+                        <xsl:value-of select="$members.osrc.none.count"/>                  
+                    </li>
+                    <li>Entities: <xsl:value-of select="$entityCount"/></li>
+                    <li>IdPs: <xsl:value-of select="$idpCount"/></li>
+                    <li>SPs: <xsl:value-of select="$spCount"/></li>
+                    <li>Entities per member: <xsl:value-of select="$entityCount div $memberCount"/></li>
+                    <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+                    <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
+                    <li>
+                        Algorithm support:
+                        <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
+                        of all entities
+                    </li>
+                    <xsl:variable name="charting.entities.algsupport.gcm"
+                        select="$charting.entities.algsupport[
+                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
+                    <xsl:variable name="charting.entities.algsupport.gcm.count" select="count($charting.entities.algsupport.gcm)"/>
+                    <li>
+                        GCM support:
+                        <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
+                        of all entities
+                    </li>
+                    <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+                    <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
+                    <li>
+                        Algorithm support:
+                        <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
+                        of SP entities
+                    </li>
+                    <xsl:variable name="charting.idp3" select="$idps[
+                        md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+                        ]"/>
+                    <xsl:variable name="charting.idp3.count" select="count($charting.idp3)"/>
+                    <li>
+                        Shibboleth IdP v3:
+                        <xsl:value-of select="$charting.idp3.count"/>
+                        (<xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/> of IdPs)
+                    </li>
+                </ul>
+
                 <!--
                     *****************************************************************************
                     ***                                                                       ***
@@ -1086,9 +1136,14 @@
                     The software used by the entity, if known, is included at the end of the listing within
                     brackets [like this].
                 </p>
+                <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                <xsl:variable name="nosaml2.sps.count" select="count($nosaml2.sps)"/>
+                <p>
+                    SPs: <xsl:value-of select="$nosaml2.sps.count"/>
+                </p>
                 <ul>
-                    <xsl:for-each select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]">
+                    <xsl:for-each select="$nosaml2.sps">
                         <xsl:sort select="descendant::md:OrganizationName"/>
                         <li>
                             <xsl:value-of select="@ID"/>
@@ -1115,9 +1170,14 @@
                 </xsl:call-template>
 
                 <h3>Identity Providers Without SAML 2.0 Support</h3>
+                <xsl:variable name="nosaml2.idps" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                <xsl:variable name="nosaml2.idps.count" select="count($nosaml2.idps)"/>
+                <p>
+                    IdPs: <xsl:value-of select="$nosaml2.idps.count"/>
+                </p>
                 <xsl:call-template name="entity.breakdown.by.software">
-                    <xsl:with-param name="entities" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
-                        'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+                    <xsl:with-param name="entities" select="$nosaml2.idps"/>
                 </xsl:call-template>
                 
             </body>

From cfca00b5bac926d5719b4d25611c54fa6c32f05d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Feb 2017 10:17:10 +0000
Subject: [PATCH 13/80] Extend Location checks to ResponseLocation

Resolves ukf/ukf-meta#117.
---
 mdx/_rules/check_idp_tls.xsl   | 12 +++++++++++-
 mdx/_rules/check_misc.xsl      | 13 +++++++++++++
 mdx/_rules/check_saml2meta.xsl | 14 ++++++++++++++
 mdx/_rules/check_sp_tls.xsl    |  7 ++++++-
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/mdx/_rules/check_idp_tls.xsl b/mdx/_rules/check_idp_tls.xsl
index bb6fa6dd..688956a4 100644
--- a/mdx/_rules/check_idp_tls.xsl
+++ b/mdx/_rules/check_idp_tls.xsl
@@ -27,10 +27,20 @@
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
+	<xsl:template match="md:IDPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
 	<xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-
+	<xsl:template match="md:AttributeAuthorityDescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
index 1b498ab0..ec334f47 100644
--- a/mdx/_rules/check_misc.xsl
+++ b/mdx/_rules/check_misc.xsl
@@ -55,6 +55,19 @@
 	</xsl:template>
 	
 	
+	<!--
+        @ResponseLocation attributes should not contain space characters.
+        
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+	<xsl:template match="*[contains(@ResponseLocation, ' ')]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation contains space character</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		@Binding attributes should not contain space characters.
 		
diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index b3990b9b..cd5f1139 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -81,6 +81,20 @@
 	</xsl:template>
 
 
+	<!--
+        Check for ResponseLocation attributes that aren't valid URLs.
+    -->
+	<xsl:template match="md:*[@ResponseLocation and mdxURL:invalidURL(@ResponseLocation)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:value-of select='local-name()'/>
+				<xsl:text> ResponseLocation is not a valid URL: </xsl:text>
+				<xsl:value-of select="mdxURL:whyInvalid(@ResponseLocation)"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		Check for OrganizationURLs that aren't valid URLs.
 	-->
diff --git a/mdx/_rules/check_sp_tls.xsl b/mdx/_rules/check_sp_tls.xsl
index b68c9663..401740ad 100644
--- a/mdx/_rules/check_sp_tls.xsl
+++ b/mdx/_rules/check_sp_tls.xsl
@@ -27,5 +27,10 @@
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
-
+	<xsl:template match="md:SPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
 </xsl:stylesheet>

From 122d13baa775de2bc74494ba19e8dbd7439275c6 Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Fri, 24 Feb 2017 08:27:36 +0000
Subject: [PATCH 14/80] Add SAFIRE (ZA) to list of Federation
 registrationAuthority URIs

---
 mdx/common-beans.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 7fcb3488..9bc882c7 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -525,6 +525,7 @@
     <bean id="ug_rif_registrar"          parent="String" c:_="https://www.renu.ac.ug"/>
     <bean id="uk_ukf_registrar"          parent="String" c:_="http://ukfederation.org.uk"/>
     <bean id="us_incommon_registrar"     parent="String" c:_="https://incommon.org"/>
+    <bean id="za_safire_registrar"       parent="String" c:_="https://safire.ac.za"/>
 
     
     
@@ -580,6 +581,7 @@
                 <entry key-ref="pl_pionier_registrar"         value="PL"/>
                 <entry key-ref="pt_rctsaai_registrar"         value="PT"/>
                 <entry key-ref="si_arnes_registrar"           value="SI"/>
+                <entry key-ref="za_safire_registrar"          value="ZA"/>
                 <entry key-ref="es_sir_registrar"             value="ES"/>
                 <entry key-ref="se_swamid_registrar"          value="SE"/>
                 <entry key-ref="ch_switchaai_registrar"       value="CH"/>

From a8e99a784bdbef9e63a90d7d493c5a13cb0696a0 Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Tue, 28 Feb 2017 16:11:03 +0000
Subject: [PATCH 15/80] Add utilities to replace HideFromWAYF element with
 hide-from-disco Entity Category

---
 utilities/2017-02-27/README.md                | 38 +++++++++++++++++++
 .../2017-02-27/listHideFromWAYFandEA.xsl      | 21 ++++++++++
 utilities/2017-02-27/replaceHideFromWAYF.pl   | 18 +++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 utilities/2017-02-27/README.md
 create mode 100644 utilities/2017-02-27/listHideFromWAYFandEA.xsl
 create mode 100755 utilities/2017-02-27/replaceHideFromWAYF.pl

diff --git a/utilities/2017-02-27/README.md b/utilities/2017-02-27/README.md
new file mode 100644
index 00000000..c56e45ef
--- /dev/null
+++ b/utilities/2017-02-27/README.md
@@ -0,0 +1,38 @@
+# `utilities/2017-02-27`
+
+Scripts to replace the HideFromWAYF element in entity fragment files
+with the REFEDS Hide from Discovery Entity Category.
+
+## 1. Check that no hidden IdPs have Entity Attributes already
+
+Since there can only be a single Entity Attribute element in an entity fragment file,
+we first check that there are no hidden IdPs that already have an Entity Attributes
+element. If there are (and there are not too many) we edit these files manually.
+
+Run the script on the entity fragment files: `xsltproc listHideFromWAYFandEA.xsl uk*.xml`
+
+## 2. Replace HideFromWAYF element with hide-from-disco Entity Category
+
+This command replaces the HideFromWAYF element with an Entity Attributes element
+containing the REFEDS hide-from-disco entity category:
+
+`replaceHideFromWAYF.pl uk*.xml`
+
+It presumes that the `saml` and `mdattr` namespace prefixes are already defined in the
+entity fragment files.
+
+The perl regex matches the string HideFromWAYF rather than an XML element, so check
+that transform has only modified the HideFromWAYF element by generating unsigned
+aggregates before and after the transform and and looking at the differences.
+The only changes should be the timestamp and quantities derived from the timestamp.
+There is a small possibility that the generate target imports different entities from
+eduGAIN -- these differences can be ignored.
+
+```
+ant samlmd.aggregates.generate
+cp ukfederation-metadata.xml /tmp/
+replaceHideFromWAYF.pl uk*.xml
+ant samlmd.aggregates.generate
+diff ukfederation-metadata.xml /tmp/
+```
+
diff --git a/utilities/2017-02-27/listHideFromWAYFandEA.xsl b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
new file mode 100644
index 00000000..fcd27029
--- /dev/null
+++ b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+        xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+        <xsl:output method="text" encoding="UTF-8"/>
+
+        <xsl:template match="md:EntityDescriptor
+		                    [md:Extensions/mdattr:EntityAttributes]
+		                    [md:Extensions/wayf:HideFromWAYF]">
+                <xsl:value-of select="@entityID"/>
+                <xsl:text>&#10;</xsl:text>
+        </xsl:template>
+
+        <xsl:template match="text()">
+                <!-- do nothing -->
+        </xsl:template>
+</xsl:stylesheet>
diff --git a/utilities/2017-02-27/replaceHideFromWAYF.pl b/utilities/2017-02-27/replaceHideFromWAYF.pl
new file mode 100755
index 00000000..32356fed
--- /dev/null
+++ b/utilities/2017-02-27/replaceHideFromWAYF.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl -wni
+
+# If line contains HideFromWAYF, replace it with the Entity Category
+if (/HideFromWAYF/) {
+    print <<EOF;
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+EOF
+# and don't print the line containing HideFromWAYF
+    next;
+}
+
+# If the line didn't have HideFromWAYF, print it unchanged
+print;
+

From 042e7744bd34dbd6bb97e492626b76d3808a923c Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Wed, 1 Mar 2017 21:26:19 +0000
Subject: [PATCH 16/80] Add a test to the utility for replacing HideFromWAYF
 element with hide-from-disco Entity Category

---
 utilities/2017-02-27/README.md |  6 +++++-
 utilities/2017-02-27/test.xml  | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 utilities/2017-02-27/test.xml

diff --git a/utilities/2017-02-27/README.md b/utilities/2017-02-27/README.md
index c56e45ef..acb2556c 100644
--- a/utilities/2017-02-27/README.md
+++ b/utilities/2017-02-27/README.md
@@ -9,7 +9,11 @@ Since there can only be a single Entity Attribute element in an entity fragment
 we first check that there are no hidden IdPs that already have an Entity Attributes
 element. If there are (and there are not too many) we edit these files manually.
 
-Run the script on the entity fragment files: `xsltproc listHideFromWAYFandEA.xsl uk*.xml`
+First, check that the XSLT will flag an entity fragment file that has an Entity
+Attribute and the HideFromWAYF element. Run `xsltproc listHideFromWAYFandEA.xsl ./test.xml`.
+This should report `https://idp.example.ac.uk/idp/shibboleth`.
+
+Then run the script on all entity fragment files: `xsltproc listHideFromWAYFandEA.xsl uk*.xml`
 
 ## 2. Replace HideFromWAYF element with hide-from-disco Entity Category
 
diff --git a/utilities/2017-02-27/test.xml b/utilities/2017-02-27/test.xml
new file mode 100644
index 00000000..8474b788
--- /dev/null
+++ b/utilities/2017-02-27/test.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
+        urn:oasis:names:tc:SAML:metadata:attribute sstc-metadata-attr.xsd
+        urn:oasis:names:tc:SAML:2.0:assertion saml-schema-assertion-2.0.xsd
+        http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd"
+    ID="test000275" entityID="https://idp.example.ac.uk/idp/shibboleth">
+    <Extensions>
+        <mdattr:EntityAttributes>
+            <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+                <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
+            </saml:Attribute>
+        </mdattr:EntityAttributes>
+        <wayf:HideFromWAYF />
+    </Extensions>
+</EntityDescriptor>

From a1ea68f7fce8d7b9aaa99f8a0f94c75e1d23af2b Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Wed, 1 Mar 2017 21:30:06 +0000
Subject: [PATCH 17/80] Correct test script in utilities/2017-02-27/README.md
 to refer to unsigned aggregate

---
 utilities/2017-02-27/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utilities/2017-02-27/README.md b/utilities/2017-02-27/README.md
index acb2556c..525155d2 100644
--- a/utilities/2017-02-27/README.md
+++ b/utilities/2017-02-27/README.md
@@ -34,9 +34,9 @@ eduGAIN -- these differences can be ignored.
 
 ```
 ant samlmd.aggregates.generate
-cp ukfederation-metadata.xml /tmp/
+cp ukfederation-metadata-unsigned.xml /tmp/
 replaceHideFromWAYF.pl uk*.xml
 ant samlmd.aggregates.generate
-diff ukfederation-metadata.xml /tmp/
+diff ukfederation-metadata-unsigned.xml /tmp/
 ```
 

From fee4287d6ba5b9831958bb0a3979018b80bac246 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 2 Mar 2017 15:03:15 +0000
Subject: [PATCH 18/80] Switch to entity attribute blacklist for production
 aggregate

Second phase of ukf/ukf-meta#10.
---
 mdx/uk/README.md    | 9 +++++----
 mdx/uk/generate.xml | 1 -
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index 3b19450c..bbb83c83 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -59,15 +59,16 @@ when it appeared in the fallback aggregate, which would be too late to take corr
 
 ### Test Aggregate vs. Production Aggregate
 
-Status (2017-02-13):
+Status (2017-03-02):
 
-* the test aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
-while the production aggregate implements the traditional entity attribute _whitelist_.
+* These aggregates are currently identical.
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-02-13):
+Status (2017-03-02):
 
+* the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
+while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
 * The production aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
 instead of in each SAML `<Attribute>`. (2017-02-08)
 * The production aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d3382fea..e90a33c6 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -334,7 +334,6 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
                 
-                <ref bean="entityAttributes.whitelist"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_finaliseProduction"/>

From 34ccd7185a437314d1326f00395ae26afb4523ab Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Mon, 6 Mar 2017 16:33:20 +0000
Subject: [PATCH 19/80] Update federation URI and eduGAIN status for new
 eduGAIN members

---
 mdx/common-beans.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 9bc882c7..0f2d3602 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -505,7 +505,7 @@
     <bean id="hu_eduid_registrar"        parent="String" c:_="http://eduid.hu"/>
     <bean id="ie_edugate_registrar"      parent="String" c:_="http://www.heanet.ie"/>
     <bean id="il_iif_registrar"          parent="String" c:_="http://iif.iucc.ac.il"/>
-    <bean id="in_infed_registrar"        parent="String" c:_="http://infilibnet.ac.in/"/>
+    <bean id="in_infed_registrar"        parent="String" c:_="http://inflibnet.ac.in"/>
     <bean id="it_gridp_registrar"        parent="String" c:_="http://gridp.garr.it"/>
     <bean id="it_idem_registrar"         parent="String" c:_="http://www.idem.garr.it/"/>
     <bean id="jp_gakunin_registrar"      parent="String" c:_="https://www.gakunin.jp"/>
@@ -568,6 +568,7 @@
                 <entry key-ref="de_dfnaai_registrar"          value="DE"/>
                 <entry key-ref="gr_grnet_registrar"           value="GR"/>
                 <entry key-ref="hu_eduid_registrar"           value="HU"/>
+                <entry key-ref="in_infed_registrar"           value="IN"/>
                 <entry key-ref="ie_edugate_registrar"         value="IE"/>
                 <entry key-ref="il_iif_registrar"             value="IL"/>
                 <entry key-ref="it_idem_registrar"            value="IT"/>
@@ -576,6 +577,7 @@
                 <entry key-ref="lv_laife_registrar"           value="LV"/>
                 <entry key-ref="lt_litnet_registrar"          value="LT"/>
                 <entry key-ref="lu_eduid_registrar"           value="LU"/>
+                <entry key-ref="mk_aaiedumk_registrar"        value="MK"/>
                 <entry key-ref="md_leaf_registrar"            value="MD"/>
                 <entry key-ref="no_feide_registrar"           value="NO"/>
                 <entry key-ref="pl_pionier_registrar"         value="PL"/>
@@ -597,8 +599,6 @@
                 
                 <!-- eduGAIN candidates -->
                 <entry key-ref="dz_arnaai_registrar"          value="DZ"/>
-                <entry key-ref="in_infed_registrar"           value="IN"/>
-                <entry key-ref="mk_aaiedumk_registrar"        value="MK"/>
                 <entry key-ref="ug_rif_registrar"             value="UG"/>
             </map>
         </property>

From a1629a29a913bc484dc24ae09cb1dbc2a9ce4bb5 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Fri, 10 Mar 2017 10:12:03 +0000
Subject: [PATCH 20/80] Add new md dist servers into build scripting

---
 build.xml | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/build.xml b/build.xml
index 05b47510..0d248f6b 100644
--- a/build.xml
+++ b/build.xml
@@ -148,6 +148,10 @@
     <property name="md.dist.host1.name" value="md1.infr.ukfederation.org.uk"/>
     <property name="md.dist.host2.name" value="md2.infr.ukfederation.org.uk"/>
     <property name="md.dist.host3.name" value="md3.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-ne-01.name" value="md-ne-01.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-ne-02.name" value="md-ne-02.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-we-01.name" value="md-we-01.infr.ukfederation.org.uk"/>
+    <property name="md.dist.host-we-02.name" value="md-we-02.infr.ukfederation.org.uk"/>
     <property name="mdq.dist.name" value="mdq.ukfederation.org.uk"/>
     <property name="md.dist.path.name" value="/"/>
 
@@ -1317,6 +1321,70 @@
         <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
             checksum="${mdaggr.export.preview.signed.checksum}"/>
 
+        <echo>Verifying metadata held at ${md.dist.host-ne-01.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
+        <echo>Verifying metadata held at ${md.dist.host-ne-02.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-ne-02.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
+        <echo>Verifying metadata held at ${md.dist.host-we-01.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-01.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
+        <echo>Verifying metadata held at ${md.dist.host-we-02.name}</echo>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.prod.signed}"
+            checksum="${mdaggr.prod.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.wayf.signed}"
+            checksum="${mdaggr.wayf.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
+            checksum="${mdaggr.cdsall.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.test.signed}"
+            checksum="${mdaggr.test.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.back.signed}"
+            checksum="${mdaggr.back.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.export.signed}"
+            checksum="${mdaggr.export.signed.checksum}"/>
+        <VFY.remote.and.checksum i="http://${md.dist.host-we-02.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
+            checksum="${mdaggr.export.preview.signed.checksum}"/>
+
         <echo>Verification completed.</echo>
     </target>
 
@@ -2058,6 +2126,26 @@
             <arg value="md3"/>
             <arg value="master"/>
         </exec>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="md-ne-01"/>
+            <arg value="master"/>
+        </exec>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="md-ne-02"/>
+            <arg value="master"/>
+        </exec>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="md-we-01"/>
+            <arg value="master"/>
+        </exec>
+        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
+            <arg value="push"/>
+            <arg value="md-we-02"/>
+            <arg value="master"/>
+        </exec>
     </target>
 
     <target name="publish.mdqcache">
@@ -2083,6 +2171,26 @@
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
+        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
+            <fileset dir="${output.dir}">
+                <include name="${mdq.cache}"/>
+            </fileset>
+        </scp>
     </target>
 
     <target name="publish.otherfiles">

From 09cad3b4786eb1cf6484d7cfb1b9165e58e11bb1 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Fri, 10 Mar 2017 11:29:14 +0000
Subject: [PATCH 21/80] Add new MD test servers into build scripting

---
 preprod.properties | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/preprod.properties b/preprod.properties
index 5d6b3cb4..23489f03 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -38,6 +38,10 @@ git.repo.project.tooling=ukf-test-meta
 md.dist.host1.name=md1-test.infr.ukfederation.org.uk
 md.dist.host2.name=md2-test.infr.ukfederation.org.uk
 md.dist.host3.name=md3-test.infr.ukfederation.org.uk
+md.dist.host-ne-01.name=md-ne-01-test.infr.ukfederation.org.uk
+md.dist.host-ne-02.name=md-ne-02-test.infr.ukfederation.org.uk
+md.dist.host-we-01.name=md-we-01-test.infr.ukfederation.org.uk
+md.dist.host-we-02.name=md-we-02-test.infr.ukfederation.org.uk
 md.dist.path.name=/
 
 #

From 6ccec07d83f85e912f62a55b918f14116bed2509 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Fri, 10 Mar 2017 11:36:29 +0000
Subject: [PATCH 22/80] Add missing echo statements to publication output for
 new MD servers

---
 build.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/build.xml b/build.xml
index 0d248f6b..428b613e 100644
--- a/build.xml
+++ b/build.xml
@@ -2126,21 +2126,25 @@
             <arg value="md3"/>
             <arg value="master"/>
         </exec>
+        <echo>-> MD-NE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
             <arg value="md-ne-01"/>
             <arg value="master"/>
         </exec>
+        <echo>-> MD-NE-02</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
             <arg value="md-ne-02"/>
             <arg value="master"/>
         </exec>
+        <echo>-> MD-WE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
             <arg value="md-we-01"/>
             <arg value="master"/>
         </exec>
+        <echo>-> MD-WE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
             <arg value="md-we-02"/>
@@ -2171,21 +2175,25 @@
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
+        <echo>-> MD-NE-01</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
+        <echo>-> MD-NE-02</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
+        <echo>-> MD-WE-01</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>
             </fileset>
         </scp>
+        <echo>-> MD-WE-02</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-we-02.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
                 <include name="${mdq.cache}"/>

From b55e1a34785ea33ada799ee638dd7169767057dd Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 10 Mar 2017 12:09:41 +0000
Subject: [PATCH 23/80] Hoist mdattr and saml prefix definitions in fallback
 aggregate

See ukf/ukf-meta#103 and ukf/ukf-meta#105.
---
 mdx/uk/README.md        | 6 +-----
 mdx/uk/ns_norm_back.xsl | 2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index bbb83c83..e10c6d8f 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -65,14 +65,10 @@ Status (2017-03-02):
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-03-02):
+Status (2017-03-10):
 
 * the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
-* The production aggregate defines the `saml` namespace prefix (used by entity attributes) on the document element
-instead of in each SAML `<Attribute>`. (2017-02-08)
-* The production aggregate defines the `mdattr` namespace prefix (used by entity attributes) on the document element
-instead of in each `<EntityAttributes>` element. (2017-02-08)
 * the production aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
 This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
 without a `use` attribute. It is not needed for later releases of the Shibboleth SP. (2017-02-10)
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index f485059c..64967aac 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -39,7 +39,7 @@
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="alg md mdattr saml wayf"
+	exclude-result-prefixes="alg md wayf"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

From fdabcbc481d995676d74d7449834e3a38de7fb13 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 10 Mar 2017 15:34:53 +0000
Subject: [PATCH 24/80] Retire key use fixup in fallback aggregate

See ukf/ukf-meta#109.
---
 mdx/uk/README.md              |  3 --
 mdx/uk/check_fixup_keyuse.xsl | 44 -----------------------------
 mdx/uk/fixup_keyuse.xsl       | 52 -----------------------------------
 mdx/uk/generate.xml           | 43 +----------------------------
 4 files changed, 1 insertion(+), 141 deletions(-)
 delete mode 100644 mdx/uk/check_fixup_keyuse.xsl
 delete mode 100644 mdx/uk/fixup_keyuse.xsl

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index e10c6d8f..d0bd2d04 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -69,7 +69,4 @@ Status (2017-03-10):
 
 * the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
-* the production aggregate no longer implements the "key use" fixup required for pre-1.3.1 Shibboleth SPs.
-This adds the `use="signing"` XML attribute to `<KeyDescriptor>` elements present in IdP metadata
-without a `use` attribute. It is not needed for later releases of the Shibboleth SP. (2017-02-10)
 * The production aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used. (2017-02-13)
diff --git a/mdx/uk/check_fixup_keyuse.xsl b/mdx/uk/check_fixup_keyuse.xsl
deleted file mode 100644
index cb91fe5d..00000000
--- a/mdx/uk/check_fixup_keyuse.xsl
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	check_fixup_keyuse.xsl
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-	
-	<!--
-        Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
-        This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which
-        interprets this as "no use permitted" rather than "either signing or encryption use
-        permitted".
-        
-        Two checks are required, one for each of the IdP role descriptors.
-    -->
-	
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA KeyDescriptor lacking @use</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-		
-</xsl:stylesheet>
diff --git a/mdx/uk/fixup_keyuse.xsl b/mdx/uk/fixup_keyuse.xsl
deleted file mode 100644
index 126069b6..00000000
--- a/mdx/uk/fixup_keyuse.xsl
+++ /dev/null
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	fixup_keyuse.xsl
-	
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="xsl">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	
-	<!--
-		Patch any @use-less KeyDescriptor elements in IdP roles
-		for the benefit of Shib SPs pre-1.3.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:KeyDescriptor[not(@use)] |
-		md:AttributeAuthorityDescriptor/md:KeyDescriptor[not(@use)]">
-		<xsl:copy>
-			<xsl:attribute name="use">signing</xsl:attribute>
-			<xsl:apply-templates/>
-		</xsl:copy>
-	</xsl:template>
-	
-	
-	<!--
-        *********************************************
-        ***                                       ***
-        ***   D E F A U L T   T E M P L A T E S   ***
-        ***                                       ***
-        *********************************************
-    -->
-    
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-	
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
-	
-</xsl:stylesheet>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index e90a33c6..9a5bcb41 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -61,46 +61,6 @@
         </property>
     </bean>
     
-    
-    <!--
-        ***********************
-        ***                 ***
-        ***   F I X U P S   ***
-        ***                 ***
-        ***********************
-    -->
-    
-    <!--
-        Published UK federation metadata for consumption by federation
-        members has a couple of restrictions arising from known bugs in
-        early software.  We address these by "fixups" which transform the
-        metadata into a form which doesn't trigger the bug, and verify that
-        each constraints is met before publication.
-        
-        We apply fixups "late" in each publication pipeline, so that
-        the metadata is only transformed if required for a particular
-        output document.  Our export aggregate, for example, does
-        not have any of the fixups applied.
-        
-        In the long term, we'd hope to retire these fixups entirely as the
-        software they to cater for is retired.
-    -->
-    
-    <!--
-        fixup_keyuse
-        
-        Patch any @use-less KeyName descriptors in IdP roles
-        for the benefit of Shib SPs pre-1.3.1.
-    -->
-    <bean id="fixup_keyuse" parent="XSLTransformationStage"
-        p:XSLResource="classpath:uk/fixup_keyuse.xsl"/>
-    
-    <!--
-        check_fixup_keyuse
-    -->
-    <bean id="check_fixup_keyuse" parent="XSLValidationStage"
-        p:XSLResource="classpath:uk/check_fixup_keyuse.xsl"/>
-    
     <!--
         checkPublishable
         
@@ -120,6 +80,7 @@
         </property>
     </bean>
 
+    
     <!--
         *****************************************
         ***                                   ***
@@ -573,13 +534,11 @@
                 <ref bean="entityAttributes.whitelist"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripWayfNamespace"/>
-                <ref bean="fixup_keyuse"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
                 <ref bean="uk_normaliseFallback"/>
                 
                 <!-- fallback aggregate MUST pass publishability test -->
-                <ref bean="check_fixup_keyuse"/>
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
                 

From 2a889b44733933b362d98fbd89c466998d0afc04 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 14 Mar 2017 11:14:12 +0000
Subject: [PATCH 25/80] Normalise xenc namespace without prefix in fallback
 aggregate

See ukf/ukf-meta#110.
---
 mdx/uk/README.md        |  3 +--
 mdx/uk/ns_norm_back.xsl | 24 +++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/mdx/uk/README.md b/mdx/uk/README.md
index d0bd2d04..88b4703b 100644
--- a/mdx/uk/README.md
+++ b/mdx/uk/README.md
@@ -65,8 +65,7 @@ Status (2017-03-02):
 
 ### Fallback Aggregate vs. Production Aggregate
 
-Status (2017-03-10):
+Status (2017-03-14):
 
 * the production aggregate implements a _blacklisting_ approach to entity attributes imported from eduGAIN,
 while the production aggregate implements the traditional entity attribute _whitelist_. (2017-03-02)
-* The production aggregate normalises the `xenc` namespace to not use a prefix, as it is not very commonly used. (2017-02-13)
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index 64967aac..0d2402c2 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -38,8 +38,9 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md wayf"
+	exclude-result-prefixes="alg md wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -113,5 +114,26 @@
 		</xsl:element>
 	</xsl:template>
 	
+
+	<!--
+        ***************************************
+        ***                                 ***
+        ***   X E N C   N A M E S P A C E   ***
+        ***                                 ***
+        ***************************************
+    -->
+
+
+	<!--
+        xenc:*
+        
+        Normalise namespace to not use a prefix.
+    -->
+	<xsl:template match="xenc:*">
+		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>	
+	
 	
 </xsl:stylesheet>

From 0253352c05d7eb922f9890f21f427706309639ce Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 15 Mar 2017 14:25:34 +0000
Subject: [PATCH 26/80] Add separate textual charting statistics

This is a much cut-down version of the current stats page, converted to
output text rather than HTML.
See ukf/ukf-meta#106.
---
 build.xml                      |   9 +
 mdx/uk/statistics-charting.xsl | 597 +++++++++++++++++++++++++++++++++
 mdx/uk/verbs.xml               |  29 ++
 3 files changed, 635 insertions(+)
 create mode 100644 mdx/uk/statistics-charting.xsl

diff --git a/build.xml b/build.xml
index 428b613e..3530a35a 100644
--- a/build.xml
+++ b/build.xml
@@ -2409,6 +2409,15 @@
         <CHANNEL.do channel="uk" verb="statistics"/>
         <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
     </target>
+    
+    <!--
+        This variant generates a much simpler file, intended for use when building the
+        monthly chart pack.
+    -->
+    <target name="stats.charting">
+        <CHANNEL.do channel="uk" verb="statistics.charting"/>
+        <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
+    </target>
 
     <!--
         Check mailing list against current metadata
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
new file mode 100644
index 00000000..574c1130
--- /dev/null
+++ b/mdx/uk/statistics-charting.xsl
@@ -0,0 +1,597 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    
+    statistics.xsl
+    
+    XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
+    giving statistics.
+    
+    Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:members="http://ukfederation.org.uk/2007/01/members"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:math="http://exslt.org/math"
+    xmlns:date="http://exslt.org/dates-and-times"
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc"
+    version="1.0">
+
+    <xsl:output method="xml" omit-xml-declaration="yes" indent="no"/>
+    
+    <!--
+        memberDocument
+        
+        The members.xml file, as a DOM document, is passed as a parameter.
+    -->
+    <xsl:param name="memberDocument"/>
+    
+    <xsl:template match="md:EntitiesDescriptor">
+        
+        <!--
+            Break down the "members" document.
+        -->
+        <!-- federation members -->
+        <xsl:variable name="members" select="$memberDocument//members:Member"/>
+        <xsl:variable name="memberCount" select="count($members)"/>
+        <xsl:variable name="memberNames" select="$members/members:Name"/>
+        
+        <xsl:variable name="entities" select="//md:EntityDescriptor"/>
+        <xsl:variable name="entityCount" select="count($entities)"/>
+
+        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+        <xsl:variable name="idps.saml1"
+            select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
+        
+        <xsl:variable name="idpCount" select="count($idps)"/>
+        <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
+        
+        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
+        <xsl:variable name="sps.saml1"
+            select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
+        
+        <xsl:variable name="spCount" select="count($sps)"/>
+        <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
+        
+        <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
+        <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
+        
+        <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
+        <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
+        
+        <xsl:variable name="federationMemberEntityCount"
+            select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
+        
+        <xsl:variable name="memberEntities"
+            select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
+        <xsl:variable name="memberEntityCount"
+            select="dyn:sum($memberNames, 'count($entities[md:Organization/md:OrganizationName = current()])')"/>
+
+        <xsl:variable name="idps.artifact"
+            select="$idps[md:IDPSSODescriptor[md:ArtifactResolutionService]]"/>
+        <xsl:variable name="idps.artifact.count" select="count($idps.artifact)"/>
+        <xsl:variable name="idps.artifact.saml1"
+            select="$idps[md:IDPSSODescriptor
+            [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+            [md:ArtifactResolutionService]]"/>
+        <xsl:variable name="idps.artifact.saml1.count" select="count($idps.artifact.saml1)"/>
+        <xsl:variable name="sps.artifact.saml1"
+            select="$sps[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
+        <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
+        <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
+        <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
+        
+        <pre>
+
+            <!--
+                Break down members by whether or not they have entities registered
+            -->
+            <xsl:variable name="membersWithIdPs"
+                select="$members[members:Name = $idps//md:OrganizationName]"/>
+            <xsl:variable name="membersWithSps"
+                select="$members[members:Name = $sps//md:OrganizationName]"/>
+            <xsl:variable name="membersWithBoth"
+                select="set:intersection($membersWithIdPs, $membersWithSps)"/>
+            <xsl:variable name="membersWithEither"
+                select="set:distinct($membersWithIdPs | $membersWithSps)"/>
+            <xsl:variable name="membersWithJustIdPs"
+                select="set:difference($membersWithIdPs, $membersWithSps)"/>
+            <xsl:variable name="membersWithJustSPs"
+                select="set:difference($membersWithSps, $membersWithIdPs)"/>
+            <xsl:variable name="membersWithNone"
+                select="set:difference($members, $membersWithEither)"/>
+            <xsl:variable name="membersWithIdPsCount" select="count($membersWithIdPs)"/>
+            <xsl:variable name="membersWithSpsCount" select="count($membersWithSps)"/>
+            <xsl:variable name="membersWithBothCount" select="count($membersWithBoth)"/>
+            <xsl:variable name="membersWithEitherCount" select="count($membersWithEither)"/>
+            <xsl:variable name="membersWithJustIdPsCount" select="count($membersWithJustIdPs)"/>
+            <xsl:variable name="membersWithJustSPsCount" select="count($membersWithJustSPs)"/>
+            <xsl:variable name="membersWithNoneCount" select="count($membersWithNone)"/>
+            
+            <!--
+                *********************************
+                ***                           ***
+                ***   O U T S O U R C I N G   ***
+                ***                           ***
+                *********************************
+            -->
+            
+            <!--
+                Members who are deduced as outsourcing as a result of their use
+                of the mechanism for describing scopes "pushed" to a specific entity.
+            -->
+            <xsl:variable name="members.osrc.scopes.push"
+                select="$members[members:Scopes/members:Entity]"/>
+            <xsl:variable name="members.osrc.scopes.push.count" select="count($members.osrc.scopes.push)"/>
+            
+            <!--
+                Members who are deduced as outsourcing.
+            -->
+            <xsl:variable name="members.osrc" select="$members.osrc.scopes.push"/>
+            <xsl:variable name="members.osrc.count" select="count($members.osrc)"/>
+            
+            <!--
+                Members whose only representation in the federation is through outsourcing.
+            -->
+            <xsl:variable name="members.osrc.only"
+                select="set:difference($members.osrc, $membersWithEither)"/>
+            <xsl:variable name="members.osrc.only.count" select="count($members.osrc.only)"/>
+            
+            <!--
+                Members with no representation, even through outsourcing.
+            -->
+            <xsl:variable name="members.osrc.none"
+                select="set:difference($membersWithNone, $members.osrc)"/>
+            <xsl:variable name="members.osrc.none.count" select="count($members.osrc.none)"/>
+
+
+
+            <!--
+                ***************************
+                ***                     ***
+                ***   C H A R T I N G   ***
+                ***                     ***
+                ***************************
+            -->
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Members: </xsl:text>
+            <xsl:value-of select="$memberCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Outsourcing chart: </xsl:text>
+            <xsl:value-of select="$membersWithJustIdPsCount"/>
+            <xsl:text>, </xsl:text>
+            <xsl:value-of select="$membersWithJustSPsCount"/>
+            <xsl:text>, </xsl:text>
+            <xsl:value-of select="$membersWithBothCount"/>
+            <xsl:text>, </xsl:text>
+            <xsl:value-of select="$members.osrc.only.count"/>
+            <xsl:text>, </xsl:text>
+            <xsl:value-of select="$members.osrc.none.count"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>Entities: </xsl:text>
+            <xsl:value-of select="$entityCount"/>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:text>   IdPs: </xsl:text>
+            <xsl:value-of select="$idpCount"/>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:text>   SPs: </xsl:text>
+            <xsl:value-of select="$spCount"/>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:text>Entities per member: </xsl:text>
+            <xsl:value-of select="format-number($entityCount div $memberCount, '0.000000')"/>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+            <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
+            <xsl:text>Algorithm support: </xsl:text>
+            <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
+            <xsl:text> of all entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:variable name="charting.entities.algsupport.gcm"
+                select="$charting.entities.algsupport[
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+                descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
+            <xsl:variable name="charting.entities.algsupport.gcm.count" select="count($charting.entities.algsupport.gcm)"/>
+            <xsl:text>GCM support: </xsl:text>
+            <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
+            <xsl:text> of all entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
+            <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
+            <xsl:text>Algorithm support:</xsl:text>
+            <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
+            <xsl:text> of SP entities</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:variable name="charting.idp3" select="$idps[
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+                ]"/>
+            <xsl:variable name="charting.idp3.count" select="count($charting.idp3)"/>
+            <xsl:text>Shibboleth IdP v3: </xsl:text>
+            <xsl:value-of select="$charting.idp3.count"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/>
+            <xsl:text>of IdPs)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+
+            <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            <xsl:variable name="nosaml2.sps.count" select="count($nosaml2.sps)"/>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>SPs without SAML 2.0 support: </xsl:text>
+            <xsl:value-of select="$nosaml2.sps.count"/>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:for-each select="$nosaml2.sps">
+                <xsl:sort select="descendant::md:OrganizationName"/>
+                <xsl:text>   </xsl:text>
+                <xsl:value-of select="@ID"/>
+                <xsl:text>: </xsl:text>
+                <xsl:value-of select="descendant::md:OrganizationName"/>
+                <xsl:text>: </xsl:text>
+                <xsl:choose>
+                    <xsl:when test="descendant::mdui:DisplayName">
+                        <xsl:value-of select="descendant::mdui:DisplayName"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:text>(</xsl:text>
+                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
+                        <xsl:text>)</xsl:text>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:for-each>
+
+            <xsl:call-template name="entity.breakdown.by.software">
+                <xsl:with-param name="entities" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                    'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            </xsl:call-template>
+
+            <xsl:variable name="nosaml2.idps" select="$idps[md:IDPSSODescriptor[not(contains(@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol'))]]"/>
+            <xsl:variable name="nosaml2.idps.count" select="count($nosaml2.idps)"/>
+
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>IdPs without SAML 2.0 support: </xsl:text>
+            <xsl:value-of select="$nosaml2.idps.count"/>
+            <xsl:text>&#10;</xsl:text>
+            
+            <xsl:call-template name="entity.breakdown.by.software">
+                <xsl:with-param name="entities" select="$nosaml2.idps"/>
+            </xsl:call-template>
+
+        </pre>
+    </xsl:template>
+    
+
+    <!--
+        Break down a set of entities by the software used.
+    -->
+    <xsl:template name="entity.breakdown.by.software">
+        <xsl:param name="entities"/>
+        <xsl:variable name="entityCount" select="count($entities)"/>
+        <xsl:text>Breakdown by software used:</xsl:text>
+        <xsl:text>&#10;</xsl:text>
+
+        <!--
+            *********************************************************************
+            ***                                                               ***
+            ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
+            ***                                                               ***
+            *********************************************************************
+            
+            The classification algorithms used here are chained together so that
+            each classification step works only on those entities not already
+            classified.  This means that entities won't be counted twice, but
+            means that the order of classification blocks is important and
+            shouldn't be changed without careful thought.  In general, more
+            specific algorithms should appear before more general ones.
+        -->
+        
+        <!--
+            Classify miscellaneous entities.
+            
+            Here we pull off a list of entities labelled with explicit
+            Software labels that aren't for the software we address
+            in more detail below.  The result is, as it were, a list of
+            "known unknowns" that we can re-integrate later with those
+            entities we fail to classify altogether.
+        -->
+        <xsl:variable name="entities.misc.in" select="$entities"/>
+        <xsl:variable name="entities.misc"
+            select="$entities.misc.in[
+                md:Extensions/ukfedlabel:Software
+                    [@name != 'Shibboleth']
+                    [@name != 'EZproxy']
+                    [@name != 'OpenAthens']
+                    [@name != 'Guanxi']
+                    [@name != 'simpleSAMLphp']
+                    [@name != 'Atypon SAML SP 1.1/2.0']
+                    [@name != 'AthensIM']
+                    [@name != 'Eduserv Gateway']
+            ]"/>
+        <xsl:variable name="entities.misc.out"
+            select="set:difference($entities.misc.in, $entities.misc)"/>
+        
+        <!--
+            Classify EZproxy SPs
+        -->
+        <xsl:variable name="entities.ezproxy.in" select="$entities.misc.out"/>
+        <xsl:variable name="entities.ezproxy"
+            select="$entities.ezproxy.in[md:Extensions/ukfedlabel:Software/@name='EZproxy']"/>
+        <xsl:variable name="entities.ezproxy.out"
+            select="set:difference($entities.ezproxy.in, $entities.ezproxy)"/>
+
+        <!--
+            Classify simpleSAMLphp entities.
+        -->
+        <xsl:variable name="entities.simplesamlphp.in" select="$entities.ezproxy.out"/>
+        <xsl:variable name="entities.simplesamlphp"
+            select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
+        <xsl:variable name="entities.simplesamlphp.out"
+            select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
+        
+        <!--
+            Classify Atypon SAML SP entities.
+        -->
+        <xsl:variable name="entities.atyponsamlsp.in" select="$entities.simplesamlphp.out"/>
+        <xsl:variable name="entities.atyponsamlsp"
+            select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
+        <xsl:variable name="entities.atyponsamlsp.out"
+            select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
+        
+        <!--
+            Classify OpenAthens entities.
+        -->
+        <xsl:variable name="entities.openathens.in" select="$entities.atyponsamlsp.out"/>
+        <xsl:variable name="entities.openathens"
+            select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
+        <xsl:variable name="entities.openathens.out"
+            select="set:difference($entities.openathens.in, $entities.openathens)"/>
+        
+        <!--
+            Classify Shibboleth 3 IdPs entities.
+        -->
+        <xsl:variable name="entities.shib.3.in" select="$entities.openathens.out"/>
+        <xsl:variable name="entities.shib.3"
+            select="$entities.shib.3.in[
+            md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
+            ]"/>
+        <xsl:variable name="entities.shib.3.out"
+            select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
+        
+        <!--
+            Classify Shibboleth 2.0 IdPs and SPs.
+        -->
+        <xsl:variable name="entities.shib.2.in" select="$entities.shib.3.out"/>
+        <xsl:variable name="entities.shib.2"
+            select="$entities.shib.2.in[
+                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
+                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, '/Shibboleth.sso/SAML2/POST')] |
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '2']
+            ]"/>
+        <xsl:variable name="entities.shib.2.out"
+            select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
+
+        <!--
+            Classify Shibboleth 1.3 entities.
+        -->
+        <xsl:variable name="entities.shib.13.in" select="$entities.shib.2.out"/>
+        <xsl:variable name="entities.shib.13"
+            select="$entities.shib.13.in[
+                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
+                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
+                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
+            ][
+                not(md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')])
+            ]"/>
+        <xsl:variable name="entities.shib.13.out"
+            select="set:difference($entities.shib.13.in, $entities.shib.13)"/>
+        
+        <!--
+            Classify Athens Gateway entities
+        -->
+        <xsl:variable name="entities.gateways.in" select="$entities.shib.13.out"/>
+        <xsl:variable name="entities.gateways"
+            select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
+        <xsl:variable name="entities.gateways.out"
+            select="set:difference($entities.gateways.in, $entities.gateways)"/>
+        
+        <!--
+            Classify OpenAthens virtual IdPs.
+        -->
+        <xsl:variable name="entities.openathens.virtual.in" select="$entities.gateways.out"/>
+        <xsl:variable name="entities.openathens.virtual"
+            select="$entities.openathens.virtual.in[
+                descendant::md:AttributeService/@Location=
+                    'https://gateway.athensams.net:5057/services/SAML11AttributeAuthority' or
+                descendant::md:SingleSignOnService[starts-with(@Location,
+                    'https://login.openathens.net/saml/')]
+                ]"/>
+        <xsl:variable name="entities.openathens.virtual.out"
+            select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
+        
+        <!--
+            Classify Guanxi entities.
+        -->
+        <xsl:variable name="entities.guanxi.in" select="$entities.openathens.virtual.out"/>
+        <xsl:variable name="entities.guanxi"
+            select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
+        <xsl:variable name="entities.guanxi.out"
+            select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
+        
+        <!--
+            Classify AthensIM entities.
+        -->
+        <xsl:variable name="entities.athensim.in" select="$entities.guanxi.out"/>
+        <xsl:variable name="entities.athensim"
+            select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
+        <xsl:variable name="entities.athensim.out"
+            select="set:difference($entities.athensim.in, $entities.athensim)"/>
+        
+        <!--
+            Remaining entities are unknown.
+        -->
+        <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
+        <xsl:variable name="unknownSoftwareEntities"
+            select="$entities.unclassified | $entities.misc"/>
+        
+        <!--
+            ***************************************************************
+            ***                                                         ***
+            ***   R E P O R T   C L A S S I F I E D   E N T I T I E S   ***
+            ***                                                         ***
+            ***************************************************************
+        -->
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib.3"/>
+            <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib.2"/>
+            <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib.13"/>
+            <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+            <xsl:with-param name="show.max" select="10"/>
+        </xsl:call-template>
+
+        <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2 | $entities.shib.3"/>
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.shib"/>
+            <xsl:with-param name="name">Shibboleth combined</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:variable name="entities.not.shib" select="set:difference($entities, $entities.shib)"/>
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.not.shib"/>
+            <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.ezproxy"/>
+            <xsl:with-param name="name">EZproxy</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
+            <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.atyponsamlsp"/>
+            <xsl:with-param name="name">Atypon SAML SP</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.athensim"/>
+            <xsl:with-param name="name">AthensIM</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.guanxi"/>
+            <xsl:with-param name="name">Guanxi</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.gateways"/>
+            <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
+            <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$entities.openathens"/>
+            <xsl:with-param name="name">OpenAthens</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+        </xsl:call-template>
+        
+        <xsl:call-template name="entity.breakdown.by.software.line">
+            <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
+            <xsl:with-param name="name">Unknown or other</xsl:with-param>
+            <xsl:with-param name="total" select="$entityCount"/>
+            <xsl:with-param name="show" select="1"/>
+            <xsl:with-param name="show.software" select="1"/>
+        </xsl:call-template>
+
+    </xsl:template>
+
+    <xsl:template name="entity.breakdown.by.software.line">
+        <xsl:param name="entities"/>
+        <xsl:param name="name"/>
+        <xsl:param name="total"/>
+        <xsl:param name="show">0</xsl:param>
+        <xsl:param name="show.software">0</xsl:param>
+        <xsl:param name="show.max">8</xsl:param>
+        <xsl:variable name="n" select="count($entities)"/>
+        <xsl:if test="$n != 0">
+            <xsl:text>   </xsl:text>
+            <xsl:value-of select="$name"/>
+            <xsl:text>: </xsl:text>
+            <xsl:value-of select="$n"/>
+            <xsl:text> (</xsl:text>
+            <xsl:value-of select="format-number($n div $total, '0.0%')"/>
+            <xsl:text>)</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+             <xsl:if test="($show != 0) or ($n &lt;= $show.max)">
+                <xsl:for-each select="$entities">
+                    <xsl:sort select="@ID"/>
+                    <xsl:text>      </xsl:text>
+                    <xsl:value-of select="@ID"/>
+                    <xsl:text>: </xsl:text>
+                    <xsl:value-of select="@entityID"/>
+                    <xsl:if test="$show.software != 0">
+                        <xsl:choose>
+                            <xsl:when test="md:Extensions/ukfedlabel:Software">
+                                (<xsl:value-of select="md:Extensions/ukfedlabel:Software/@name"/>)
+                            </xsl:when>
+                        </xsl:choose>
+                    </xsl:if>
+                    <xsl:text>&#10;</xsl:text>
+                </xsl:for-each>
+            </xsl:if>
+        </xsl:if>
+    </xsl:template>
+    
+</xsl:stylesheet>
\ No newline at end of file
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index e613951b..7941a6ad 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -46,6 +46,35 @@
         </property>
     </bean>
 
+    <!--
+        statistics.charting
+        
+        Stand-along statistics generation for charting.
+    -->
+    <bean id="statistics.charting" parent="SimplePipeline">
+        <property name="stages">
+            <list>
+                <ref bean="uk_registeredEntities"/>
+                <ref bean="assemble"/>
+                <bean parent="XSLTransformationStage"
+                    p:XSLResource="classpath:uk/statistics-charting.xsl">
+                    <property name="transformParameters">
+                        <map>
+                            <entry key="memberDocument" value-ref="uk_membersDocument"/>
+                        </map>
+                    </property>
+                </bean>
+                <bean parent="SerializationStage">
+                    <property name="outputFile">
+                        <bean class="java.io.File">
+                            <constructor-arg value="${output.dir}/statistics-charting.html"/>
+                        </bean>
+                    </property>
+                </bean>
+            </list>
+        </property>
+    </bean>
+
     <!--
         sp_mdui_test
         

From 246063c2a60f74d0a4712903c34d33ffb51df9af Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Mon, 27 Mar 2017 21:32:54 +0100
Subject: [PATCH 27/80] Update stats sync script to include new servers

---
 utilities/stats-sync.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index af5f02b2..81172ff9 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -13,15 +13,25 @@ logslocation="/var/stats"
 rsync -at --exclude modsec* stats@md1:/var/log/httpd/* $logslocation/md/md1/
 rsync -at --exclude modsec* stats@md2:/var/log/httpd/* $logslocation/md/md2/
 rsync -at --exclude modsec* stats@md3:/var/log/httpd/* $logslocation/md/md3/
+rsync -at --exclude modsec* stats@md-ne-01:/var/log/httpd/* $logslocation/md/md-ne-01/
+rsync -at --exclude modsec* stats@md-ne-02:/var/log/httpd/* $logslocation/md/md-ne-02/
+rsync -at --exclude modsec* stats@md-we-01:/var/log/httpd/* $logslocation/md/md-we-01/
+rsync -at --exclude modsec* stats@md-we-02:/var/log/httpd/* $logslocation/md/md-we-02/
 
 # Logs from CDS servers
 rsync -at --exclude modsec* stats@shib-cds1:/var/log/httpd/* $logslocation/cds/shib-cds1/
 rsync -at --exclude modsec* stats@shib-cds2:/var/log/httpd/* $logslocation/cds/shib-cds2/
 rsync -at --exclude modsec* stats@shib-cds3:/var/log/httpd/* $logslocation/cds/shib-cds3/
+rsync -at --exclude modsec* stats@shibcds-ne-01:/var/log/httpd/* $logslocation/cds/shibcds-ne-01/
+rsync -at --exclude modsec* stats@shibcds-ne-02:/var/log/httpd/* $logslocation/cds/shibcds-ne-02/
+rsync -at --exclude modsec* stats@shibcds-we-01:/var/log/httpd/* $logslocation/cds/shibcds-we-01/
+rsync -at --exclude modsec* stats@shibcds-we-02:/var/log/httpd/* $logslocation/cds/shibcds-we-02/
 
 # Logs from websites
 rsync -at --exclude modsec* stats@web1:/var/log/httpd/* $logslocation/www/web1/
 rsync -at --exclude modsec* stats@web2:/var/log/httpd/* $logslocation/www/web2/
+rsync -at --exclude modsec* stats@www-ne-01:/var/log/httpd/* $logslocation/www/www-ne-01/
+rsync -at --exclude modsec* stats@www-we-01:/var/log/httpd/* $logslocation/www/www-we-01/
 
 # Logs from Wugen
 rsync -at --exclude modsec* stats@wugen:/var/log/httpd/* $logslocation/wugen/

From 0e335e7def001a231ea7bd3b5fd2e92e1b647591 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Mon, 27 Mar 2017 22:08:32 +0100
Subject: [PATCH 28/80] Fix stats generation bug. Fixes #121

---
 utilities/stats-generate.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index bbc6bbf6..fff9c495 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -333,9 +333,9 @@ if [[ "$timeperiod" != "day" ]]; then
     mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md1 | wc -l)
     mdaggrmd1pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md2 | wc -l)
-    mdaggrmd2pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmd2pc=$(echo "scale=4;($mdaggrmd2count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md3 | wc -l)
-    mdaggrmd3pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmd3pc=$(echo "scale=4;($mdaggrmd3count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 

From 560511d0921282ae331b0bcff81b5111acd9b59e Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 15:41:13 +0100
Subject: [PATCH 29/80] Update build process to take account of change of web
 server hostname

---
 build.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 3530a35a..7d58db56 100644
--- a/build.xml
+++ b/build.xml
@@ -175,7 +175,7 @@
         Web server properties.
     -->
     <property name="www.user" value="wwwscp"/>
-    <property name="www.hostname" value="web1.infr.ukfederation.org.uk"/>
+    <property name="www.hostname" value="www-ne-01.infr.ukfederation.org.uk"/>
     <property name="www.path.stats" value="/var/www/html/fed"/>
     <property name="www.path.members" value="/var/www/externals"/>
     <property name="www.url.stats" value="${www.user}@${www.hostname}:${www.path.stats}"/>

From 9d3b3d05005ad8e61760d2fe6b48ac9ecae26919 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 17:37:46 +0100
Subject: [PATCH 30/80] Add new servers into stats gen and update ipv6 parsing
 accordingly

---
 utilities/stats-generate.sh | 127 ++++++++++++++++++++----------------
 1 file changed, 70 insertions(+), 57 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index fff9c495..ac8ca846 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -179,18 +179,18 @@ fi
 # Get the filesize of the latest uncompressed main aggregate.
 # Since this is just used for estimation, we'll just take the biggest
 # unique filesize for the relevant periods
-aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
+aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
 
 #
 # Download counts
 #
 
 # Aggregate requests. Everything for .xml (HEAD/GET, 200 and 304)
-mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | wc -l)
+mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | wc -l)
 mdaggrcountfriendly=$(echo $mdaggrcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate requests. Everything for ukfederation-metadata.xml (HEAD/GET, 200 and 304)
-mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | wc -l)
+mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | wc -l)
 mdaggrmaincountfriendly=$(echo $mdaggrmaincount | awk '{ printf ("%'"'"'d\n", $0) }')
 if [[ "$mdaggrmaincount" -ne "0" ]]; then
     mdaggrmainpc=$(echo "scale=4;($mdaggrmaincount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -200,42 +200,42 @@ fi
 
 # Other aggregate requests (don't calculate these if doing daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-back.xml" | wc -l)
+    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-back.xml" | wc -l)
     mdaggrbackcountfriendly=$(echo $mdaggrbackcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrbackcount" -ne "0" ]]; then
         mdaggrbackpc=$(echo "scale=4;($mdaggrbackcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrbackpc="0.0"
     fi
-    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-cdsall.xml" | wc -l)
+    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-cdsall.xml" | wc -l)
     mdaggrcdsallcountfriendly=$(echo $mdaggrcdsallcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrcdsallcount" -ne "0" ]]; then
         mdaggrcdsallpc=$(echo "scale=4;($mdaggrcdsallcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrcdsallpc="0.0"
     fi
-    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export-preview.xml" | wc -l)
+    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export-preview.xml" | wc -l)
     mdaggrexportpreviewcountfriendly=$(echo $mdaggrexportpreviewcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportpreviewkcount" -ne "0" ]]; then
         mdaggrexportpreviewpc=$(echo "scale=4;($mdaggrexportpreviewcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpreviewpc="0.0"
     fi
-    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export.xml" | wc -l)
+    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export.xml" | wc -l)
     mdaggrexportcountfriendly=$(echo $mdaggrexportcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportcount" -ne "0" ]]; then
         mdaggrexportpc=$(echo "scale=4;($mdaggrexportcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpc="0.0"
     fi
-    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-test.xml" | wc -l)
+    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-test.xml" | wc -l)
     mdaggrtestcountfriendly=$(echo $mdaggrtestcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrtestcount" -ne "0" ]]; then
         mdaggrtestpc=$(echo "scale=4;($mdaggrtestcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrtestpc="0.0"
     fi
-    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-wayf.xml" | wc -l)
+    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-wayf.xml" | wc -l)
     mdaggrwayfcountfriendly=$(echo $mdaggrwayfcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrwayfcount" -ne "0" ]]; then
         mdaggrwayfpc=$(echo "scale=4;($mdaggrwayfcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -245,11 +245,11 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
+mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
 mdaggrcountfullfriendly=$(echo $mdaggrcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
+mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
 mdaggrmaincountfullfriendly=$(echo $mdaggrmaincountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GETs with HTTP 200 responses compared to total requests
@@ -260,11 +260,11 @@ else
 fi
 
 # Compressed downloads for all
-mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdaggrcountfullcomprfriendly=$(echo $mdaggrcountfullcompr | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Compressed downloads for main aggregate
-mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
 if [[ "$mdaggrcountfull" -ne "0" ]]; then
@@ -274,18 +274,18 @@ else
 fi
 
 # Unique IP addresses requesting aggregates
-mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdaggruniqueipfriendly=$(echo $mdaggruniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Unique IP addresses requesting aggregates, full D/Ls only
-mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 
 #
 # Data shipped
 #
 
 # Total data shipped, all .xml files
-mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrtotalhr=$(bytestohr $mdaggrtotalbytes)
 else
@@ -293,7 +293,7 @@ else
 fi
 
 # Total data shipped, ukfederation-metadata.xml file
-mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrmaintotalhr=$(bytestohr $mdaggrmaintotalbytes)
 else
@@ -321,27 +321,34 @@ fi
 #
 
 # IPv4 vs IPv6 traffic (don't calculate these if doing daily stats)
-# Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-# When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
+# Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     mdaggrv4pc=$(echo "scale=4;($mdaggrv4count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrv6count=$(( mdaggrcount - mdaggrv4count ))
     mdaggrv6pc=$(echo "scale=4;($mdaggrv6count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md1 | wc -l)
+    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd1pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md2 | wc -l)
+    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd2pc=$(echo "scale=4;($mdaggrmd2count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | grep md3 | wc -l)
+    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd3pc=$(echo "scale=4;($mdaggrmd3count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdne01count=$(grep $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne01pc=$(echo "scale=4;($mdaggrmdne01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdne02count=$(grep $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne02pc=$(echo "scale=4;($mdaggrmdne02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdwe01count=$(grep $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe01pc=$(echo "scale=4;($mdaggrmdwe01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    mdaggrmdwe02count=$(grep $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe02pc=$(echo "scale=4;($mdaggrmdwe02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 
 # Min queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperip="0"
 fi
@@ -355,14 +362,14 @@ fi
 
 # Max queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperip="0"
 fi
 
 # Min queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperipfull="0"
 fi
@@ -376,7 +383,7 @@ fi
 
 # Max queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperipfull="0"
 fi
@@ -386,7 +393,7 @@ if [[ "$timeperiod" != "day" ]]; then
 
     # Top 10 downloaders and how many downloads / total data shipped (full downloads only)
     if [[ "$timeperiod" != "day" ]]; then
-        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -10)
+        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     fi
 
     #
@@ -408,7 +415,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -436,11 +443,11 @@ fi
 # =====
 
 # MDQ requests
-mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
+mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
 mdqcountfriendly=$(echo $mdqcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ downloads (i.e. HTTP 200 responses only)
-mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
+mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
 mdqcountfullfriendly=$(echo $mdqcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of HTTP 200 responses compared to total requests
@@ -451,7 +458,7 @@ else
 fi
 
 # Compressed downloads
-mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdqfullcomprcountfriendly=$(echo $mdqfullcomprcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
@@ -465,10 +472,9 @@ fi
 # IPv4 vs IPv6 traffic (don't calculate this for daily stats)
 
 if [[ "$timeperiod" != "day" ]]; then
-    # Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-    # When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
+    # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
     if [[ "$mdqcount" -ne "0" ]]; then
-        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
         mdqv4pc=$(echo "scale=4;($mdqv4count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
         mdqv6count=$(( mdqcount - mdqv4count ))
         mdqv6pc=$(echo "scale=4;($mdqv6count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -479,8 +485,8 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # MDQ requests for entityId based names
-mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
-mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
+mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
+mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
 mdqcountentityid=$((mdqcountentityidhttp+mdqcountentityidurn))
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountentityidpc=$(echo "scale=3;($mdqcountentityid/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -490,7 +496,7 @@ fi
 mdqcountentityidfriendly=$(echo $mdqcountentityid | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ requests for hash based names
-mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
+mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountsha1pc=$(echo "scale=3;($mdqcountsha1/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 else
@@ -500,14 +506,14 @@ mdqcountsha1friendly=$(echo $mdqcountsha1 | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # MDQ requests for all entities
-mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities " | grep -v 404 | wc -l)
+mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities " | grep -v 404 | wc -l)
 
 # Unique IP addresses requesting MDQ
-mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq | wc -l)
+mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdquniqueipfriendly=$(echo $mdquniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Total data shipped
-mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
 if [[ "$mdqtotalbytes" -gt "0" ]]; then
     mdqtotalhr=$(bytestohr $mdqtotalbytes)
 else
@@ -516,7 +522,7 @@ fi
 
 # Min queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqminqueriesperip="0"
 fi
@@ -530,14 +536,14 @@ fi
 
 # Max queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqmaxqueriesperip="0"
 fi
 
 if [[ "$timeperiod" != "day" ]]; then
     # Top 10 downloaders and how many downloads / total data shipped
-    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 2 -d ":" | cut -f 1 -d " " | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     
     #
     # Manipute results of the top 10
@@ -558,7 +564,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -581,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b" | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b" | sort | uniq -c | sort -nr | head -10)
 fi
 
 # =====
@@ -589,32 +595,39 @@ fi
 # =====
 
 # How many accesses to .ds.
-cdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
+cdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
 cdscountfriendly=$(echo $cdscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # IPv4 vs IPv6 traffic (don't count these for daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    # Note, while all v6 traffic passes through v6v4proxy1/2, we're counting accesses from the IPv4 addresses of those servers vs all others.
-    # When we add "real" v6 support to the servers, this needs changing to count IPv4 addresses vs IPv6 addresses.
-    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep -v 193.63.72.83 | grep -v 194.83.7.211 | wc -l)
+    # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
+    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     cdsv4pc=$(echo "scale=4;($cdsv4count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cdsv6count=$(( cdscount - cdsv4count ))
     cdsv6pc=$(echo "scale=4;($cdsv6count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    cds1count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds1 | wc -l)
+    cds1count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* | grep .ds? | wc -l)
     cds1pc=$(echo "scale=4;($cds1count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds2 | wc -l)
+    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds2/ssl_access_log* | grep .ds? | wc -l)
     cds2pc=$(echo "scale=4;($cds2count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds3count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shib-cds3 | wc -l)
+    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
     cds3pc=$(echo "scale=4;($cds3count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdsne01count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-01/ssl_access_log* | grep .ds? | wc -l)
+    cdsne01pc=$(echo "scale=4;($cdsne01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdsne02count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-02/ssl_access_log* | grep .ds? | wc -l)
+    cdsne02pc=$(echo "scale=4;($cdsne02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdswe01count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-01/ssl_access_log* | grep .ds? | wc -l)
+    cdswe01pc=$(echo "scale=4;($cdswe01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    cdswe02count=$(grep $apachesearchterm $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | wc -l)
+    cdswe02pc=$(echo "scale=4;($cdswe02count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 # How many of these were to the DS (has entityId in the parameters)
-cdsdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdsdscount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep entityID | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # How many of these were to the WAYF (has shire in the parameters)
-cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+cdswayfcount=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep shire | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # =====
@@ -706,7 +719,7 @@ else
     msg+="--> * $mdaggrcountfullfriendly ($mdaggrfullpc%) were full downloads, of which $mdaggrcountfullcomprfriendly ($mdaggrfullcomprpc%) were compressed.\n"
     msg+="--> ukfederation-metadata.xml: $mdaggrmaintotalhr of data actually shipped; would have been an estimated $mdaggrmaintotalestnocompresshr without compression, and $mdaggrmaintotalestnocompressnocgethr without compression or conditional gets.\n"
     msg+="-> IPv4: $mdaggrv4pc% vs IPv6: $mdaggrv6pc%\n"
-    msg+="-> Server distribution: md1: $mdaggrmd1pc% md2: $mdaggrmd2pc% md3: $mdaggrmd3pc%\n"
+    msg+="-> Server distribution: md-ne-01: $mdaggrmdne01pc% md-ne-02: $mdaggrmdne02pc% md-we-01: $mdaggrmdwe01pc% md-we-02: $mdaggrmdwe02pc% / md1: $mdaggrmd1pc% md2: $mdaggrmd2pc% md3: $mdaggrmd3pc%\n"
     msg+="-> $mdaggrminqueriesperip/$mdaggravgqueriesperip/$mdaggrmaxqueriesperip min/avg/max queries per querying IP (all reqs)\n"
     msg+="-> $mdaggrminqueriesperipfull/$mdaggravgqueriesperipfull/$mdaggrmaxqueriesperipfull min/avg/max queries per querying IP (full D/Ls only)\n"
     msg+="\nRequests per published aggregate\n"
@@ -735,7 +748,7 @@ else
     msg+="Central Discovery Service:\n"
     msg+="-> $cdscountfriendly total requests serviced\n"
     msg+="-> IPv4: $cdsv4pc% vs IPv6: $cdsv6pc%\n"
-    msg+="-> Server distribution: shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
+    msg+="-> Server distribution: shibcds-ne-01: $cdsne01pc% shibcds-ne-02: $cdsne021pc% shibcds-we-01: $cdswe01pc% shibcds-we-02: $cdswe02pc% / shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
     msg+="-> DS: $cdsdscount / WAYF: $cdswayfcount\n"
     msg+="\n-----\n"
     msg+="Wugen:\n"

From 2ab88a8a365772daf7279bf0c89d7ca477222aea Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 17:55:17 +0100
Subject: [PATCH 31/80] Add website stats into stats generation

---
 utilities/stats-generate.sh | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index ac8ca846..bb79dcac 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -678,6 +678,31 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 
+# =====
+# Website stats
+# =====
+
+# How many requests were there for the main content files?
+wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+
+# And from how many unique IdPs?
+wwwaccessipcount=$($apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+
+# Don't count these when doing daily stats
+if [[ "$timeperiod" != "day" ]]; then
+
+    # Per-server request count
+    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb1pc=$(echo "scale=4;($wwwaccessweb1count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb2pc=$(echo "scale=4;($wwwaccessweb2count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessne01pc=$(echo "scale=4;($wwwaccessne01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccesswe01pc=$(echo "scale=4;($wwwaccesswe01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
+fi
+
+
 # =====
 # = Now we're ready to build the message. Different message for daily vs month/year
 # =====
@@ -700,7 +725,9 @@ if [[ "$timeperiod" == "day" ]]; then
     msg+=">*CDS:* $cdscountfriendly requests serviced (DS: $cdsdscount / WAYF: $cdswayfcount).\n"
     msg+=">*Wugen:* $wugencount WAYFless URLs generated, $wugennewsubs new subscriptions.\n"
     msg+=">*Test IdP:* $testidplogincount logins to $testidpspcount SPs.\n"
-    msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs."
+    msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs.\n"
+    msg+=">*Website:* $wwwaccesscount hits from $wwwaccessipcount unique IPs."
+    
     
 else
     #
@@ -766,6 +793,10 @@ else
     msg+="-> $testsplogincount logins from $testspidpcount IdPs.\n"    
     msg+="\n-> Top 10 IdPs logged in from:\n"
     msg+="$testsptoptenidpsbycount\n"
+    msg+="\n-----\n"
+    msg+="Website usage:\n"
+    msg+="-> $wwwaccesscount hits from $wwwaccessipcount unique IPs."
+    msg+="-> Server distribution: www-ne-01: $wwwaccessne01pc% www-we-01: $wwwaccesswe01pc% / web1: $wwwaccessweb1pc% web2: $wwwaccessweb2pc% \n"
     msg+="\n-----"
 fi
 

From dcc82b14562be30e3263c003893773e08e66dbbd Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 19:02:02 +0100
Subject: [PATCH 32/80] Fix bugs in recent stats generation updates

---
 utilities/stats-generate.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index bb79dcac..afcfc1af 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -474,7 +474,7 @@ fi
 if [[ "$timeperiod" != "day" ]]; then
     # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
     if [[ "$mdqcount" -ne "0" ]]; then
-        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
         mdqv4pc=$(echo "scale=4;($mdqv4count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
         mdqv6count=$(( mdqcount - mdqv4count ))
         mdqv6pc=$(echo "scale=4;($mdqv6count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -601,7 +601,7 @@ cdscountfriendly=$(echo $cdscount | awk '{ printf ("%'"'"'d\n", $0) }')
 # IPv4 vs IPv6 traffic (don't count these for daily stats)
 if [[ "$timeperiod" != "day" ]]; then
     # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
-    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+    cdsv4count=$(grep $apachesearchterm $logslocation/cds/shib-cds1/ssl_access_log* $logslocation/cds/shib-cds2/ssl_access_log* $logslocation/cds/shib-cds3/ssl_access_log* $logslocation/cds/shibcds-ne-01/ssl_access_log* $logslocation/cds/shibcds-ne-02/ssl_access_log* $logslocation/cds/shibcds-we-01/ssl_access_log* $logslocation/cds/shibcds-we-02/ssl_access_log* | grep .ds? | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     cdsv4pc=$(echo "scale=4;($cdsv4count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cdsv6count=$(( cdscount - cdsv4count ))
     cdsv6pc=$(echo "scale=4;($cdsv6count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -611,7 +611,7 @@ if [[ "$timeperiod" != "day" ]]; then
     cds1pc=$(echo "scale=4;($cds1count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds2/ssl_access_log* | grep .ds? | wc -l)
     cds2pc=$(echo "scale=4;($cds2count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    cds2count=$(grep $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
+    cds3count=$(grep $apachesearchterm $logslocation/cds/shib-cds3/ssl_access_log* | grep .ds? | wc -l)
     cds3pc=$(echo "scale=4;($cds3count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
     cdsne01count=$(grep $apachesearchterm $logslocation/cds/shibcds-ne-01/ssl_access_log* | grep .ds? | wc -l)
     cdsne01pc=$(echo "scale=4;($cdsne01count/$cdscount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -686,7 +686,7 @@ fi
 wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
-wwwaccessipcount=$($apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Don't count these when doing daily stats
 if [[ "$timeperiod" != "day" ]]; then
@@ -775,7 +775,7 @@ else
     msg+="Central Discovery Service:\n"
     msg+="-> $cdscountfriendly total requests serviced\n"
     msg+="-> IPv4: $cdsv4pc% vs IPv6: $cdsv6pc%\n"
-    msg+="-> Server distribution: shibcds-ne-01: $cdsne01pc% shibcds-ne-02: $cdsne021pc% shibcds-we-01: $cdswe01pc% shibcds-we-02: $cdswe02pc% / shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
+    msg+="-> Server distribution: shibcds-ne-01: $cdsne01pc% shibcds-ne-02: $cdsne02pc% shibcds-we-01: $cdswe01pc% shibcds-we-02: $cdswe02pc% / shib-cds1: $cds1pc% shib-cds2: $cds2pc% shib-cds3: $cds3pc%\n"
     msg+="-> DS: $cdsdscount / WAYF: $cdswayfcount\n"
     msg+="\n-----\n"
     msg+="Wugen:\n"
@@ -795,7 +795,7 @@ else
     msg+="$testsptoptenidpsbycount\n"
     msg+="\n-----\n"
     msg+="Website usage:\n"
-    msg+="-> $wwwaccesscount hits from $wwwaccessipcount unique IPs."
+    msg+="-> $wwwaccesscount hits from $wwwaccessipcount unique IPs.\n"
     msg+="-> Server distribution: www-ne-01: $wwwaccessne01pc% www-we-01: $wwwaccesswe01pc% / web1: $wwwaccessweb1pc% web2: $wwwaccessweb2pc% \n"
     msg+="\n-----"
 fi

From 0c1c2d0d90165ff762dd61f5d87b4f4016fe4991 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 19:09:16 +0100
Subject: [PATCH 33/80] Fix another bug in stats generation updates

---
 utilities/stats-generate.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index afcfc1af..7295fb9c 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -683,7 +683,8 @@ fi
 # =====
 
 # How many requests were there for the main content files?
-wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+wwwaccesscountfriendly=$(echo $wwwaccesscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
 wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
@@ -726,7 +727,7 @@ if [[ "$timeperiod" == "day" ]]; then
     msg+=">*Wugen:* $wugencount WAYFless URLs generated, $wugennewsubs new subscriptions.\n"
     msg+=">*Test IdP:* $testidplogincount logins to $testidpspcount SPs.\n"
     msg+=">*Test SP:* $testsplogincount logins from $testspidpcount IdPs.\n"
-    msg+=">*Website:* $wwwaccesscount hits from $wwwaccessipcount unique IPs."
+    msg+=">*Website:* $wwwaccesscountfriendly hits from $wwwaccessipcount unique IPs."
     
     
 else
@@ -795,7 +796,7 @@ else
     msg+="$testsptoptenidpsbycount\n"
     msg+="\n-----\n"
     msg+="Website usage:\n"
-    msg+="-> $wwwaccesscount hits from $wwwaccessipcount unique IPs.\n"
+    msg+="-> $wwwaccesscountfriendly hits from $wwwaccessipcount unique IPs.\n"
     msg+="-> Server distribution: www-ne-01: $wwwaccessne01pc% www-we-01: $wwwaccesswe01pc% / web1: $wwwaccessweb1pc% web2: $wwwaccessweb2pc% \n"
     msg+="\n-----"
 fi

From debb806fabdfba9f75778b99cdf68d7147dc9189 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 28 Mar 2017 21:38:10 +0100
Subject: [PATCH 34/80] Update stats generation to fix monthly mdq top 10 issue

---
 utilities/stats-generate.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 7295fb9c..8e09134b 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -587,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b" | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | sort | uniq -c | xargs -0 printf "%b" | sort -nr | head -10)
 fi
 
 # =====

From 5fd9f02e178a728db6127b7a58840eca022ccc64 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 29 Mar 2017 11:39:04 +0100
Subject: [PATCH 35/80] Clarify past and ongoing intellectual property regimes

---
 README.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 63fba15b..20dae1a5 100644
--- a/README.md
+++ b/README.md
@@ -18,9 +18,13 @@ The second main category excluded from the public repository is the historic reg
 
 Since 2016, we have separated the entity database and aggregate record from the main toolchain repository, but the nature of Git is to never discard anything. We will therefore continue to make this repository publicly available only in redacted form.
 
-## Licensing
+## Copyright and License
 
-Everything in the public repository is Copyright (C) 2004&ndash;2015, University of Edinburgh. Each file is made available to you under the following terms:
+The contents of this repository are Copyright (C) the named contributors or their
+employers, as appropriate.
+
+In particular, all content authored prior to the 1st of August 2016 is
+Copyright (C) 2011&mdash;2016, University of Edinburgh.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

From fb323093c72ef7037dd7f49557af3126638f4e99 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Mon, 3 Apr 2017 10:46:38 +0100
Subject: [PATCH 36/80] Ignore common bots in website stats

---
 utilities/stats-generate.sh | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 8e09134b..a021ce27 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -682,24 +682,27 @@ fi
 # Website stats
 # =====
 
+# Set up grepping out bots
+botstringlist="(Googlebot|Bingbo|DuckDuckBot|Baiduspider|Yandexbot|Sogou|Exabot|AhrefsBot|seoscanners)"
+
 # How many requests were there for the main content files?
-wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
 wwwaccesscountfriendly=$(echo $wwwaccesscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
-wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Don't count these when doing daily stats
 if [[ "$timeperiod" != "day" ]]; then
 
     # Per-server request count
-    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb1pc=$(echo "scale=4;($wwwaccessweb1count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb2pc=$(echo "scale=4;($wwwaccessweb2count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessne01pc=$(echo "scale=4;($wwwaccessne01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
     wwwaccesswe01pc=$(echo "scale=4;($wwwaccesswe01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 

From caaa066bbdc81558423338cc57a34edef48285b3 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 4 Apr 2017 17:02:41 +0100
Subject: [PATCH 37/80] Remove old MD servers from publishing pipeline

---
 build.xml          | 39 ---------------------------------------
 preprod.properties |  3 ---
 2 files changed, 42 deletions(-)

diff --git a/build.xml b/build.xml
index 7d58db56..dbbd1156 100644
--- a/build.xml
+++ b/build.xml
@@ -145,9 +145,6 @@
         Metadata Distribution Service server properties.
     -->
     <property name="md.user" value="mdscp"/>
-    <property name="md.dist.host1.name" value="md1.infr.ukfederation.org.uk"/>
-    <property name="md.dist.host2.name" value="md2.infr.ukfederation.org.uk"/>
-    <property name="md.dist.host3.name" value="md3.infr.ukfederation.org.uk"/>
     <property name="md.dist.host-ne-01.name" value="md-ne-01.infr.ukfederation.org.uk"/>
     <property name="md.dist.host-ne-02.name" value="md-ne-02.infr.ukfederation.org.uk"/>
     <property name="md.dist.host-we-01.name" value="md-we-01.infr.ukfederation.org.uk"/>
@@ -2108,24 +2105,6 @@
             Push metadata files for the UK Federation to the MD dist servers
         -->
         <echo>Pushing UK Federation metadata files to MD dist.</echo>
-        <echo>-> MD1</echo>
-        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
-            <arg value="push"/>
-            <arg value="md1"/>
-            <arg value="master"/>
-        </exec>
-        <echo>-> MD2</echo>
-        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
-            <arg value="push"/>
-            <arg value="md2"/>
-            <arg value="master"/>
-        </exec>
-        <echo>-> MD3</echo>
-        <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
-            <arg value="push"/>
-            <arg value="md3"/>
-            <arg value="master"/>
-        </exec>
         <echo>-> MD-NE-01</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.products}" failonerror="true">
             <arg value="push"/>
@@ -2157,24 +2136,6 @@
             Push mdq cache tar to the MD dist servers
         -->
         <echo>Pushing UK Federation mdq cache to MD dist.</echo>
-        <echo>-> MD1</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host1.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdq.cache}"/>
-            </fileset>
-        </scp>
-        <echo>-> MD2</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host2.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdq.cache}"/>
-            </fileset>
-        </scp>
-        <echo>-> MD3</echo>
-        <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host3.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
-            <fileset dir="${output.dir}">
-                <include name="${mdq.cache}"/>
-            </fileset>
-        </scp>
         <echo>-> MD-NE-01</echo>
         <scp failonerror="true" remoteTodir="${md.user}@${md.dist.host-ne-01.name}:/tmp" keyfile="~/.ssh/id_rsa" knownhosts="~/.ssh/known_hosts">
             <fileset dir="${output.dir}">
diff --git a/preprod.properties b/preprod.properties
index 23489f03..26a0d200 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -35,9 +35,6 @@ git.repo.project.tooling=ukf-test-meta
 #
 # Preprod publishes its aggregates to / but accessible at a different hostname
 #
-md.dist.host1.name=md1-test.infr.ukfederation.org.uk
-md.dist.host2.name=md2-test.infr.ukfederation.org.uk
-md.dist.host3.name=md3-test.infr.ukfederation.org.uk
 md.dist.host-ne-01.name=md-ne-01-test.infr.ukfederation.org.uk
 md.dist.host-ne-02.name=md-ne-02-test.infr.ukfederation.org.uk
 md.dist.host-we-01.name=md-we-01-test.infr.ukfederation.org.uk

From d60507ddfcc89719b1ba776797eab43e6d18810b Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Wed, 5 Apr 2017 17:59:50 +0100
Subject: [PATCH 38/80] Remove old MD servers from Verify phase of build
 process

---
 build.xml | 48 ------------------------------------------------
 1 file changed, 48 deletions(-)

diff --git a/build.xml b/build.xml
index dbbd1156..c277c79b 100644
--- a/build.xml
+++ b/build.xml
@@ -1270,54 +1270,6 @@
         <checksum file="${aggregates.dir}/${mdaggr.export.preview.signed}"
             property="mdaggr.export.preview.signed.checksum"/>
 
-        <echo>Verifying metadata held at ${md.dist.host1.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.prod.signed}"
-            checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.wayf.signed}"
-            checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
-            checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.test.signed}"
-            checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.back.signed}"
-            checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.export.signed}"
-            checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host1.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
-            checksum="${mdaggr.export.preview.signed.checksum}"/>
-
-        <echo>Verifying metadata held at ${md.dist.host2.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.prod.signed}"
-            checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.wayf.signed}"
-            checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
-            checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.test.signed}"
-            checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.back.signed}"
-            checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.export.signed}"
-            checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host2.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
-            checksum="${mdaggr.export.preview.signed.checksum}"/>
-
-        <echo>Verifying metadata held at ${md.dist.host3.name}</echo>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.prod.signed}"
-            checksum="${mdaggr.prod.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.wayf.signed}"
-            checksum="${mdaggr.wayf.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.cdsall.signed}"
-            checksum="${mdaggr.cdsall.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.test.signed}"
-            checksum="${mdaggr.test.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.back.signed}"
-            checksum="${mdaggr.back.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.export.signed}"
-            checksum="${mdaggr.export.signed.checksum}"/>
-        <VFY.remote.and.checksum i="http://${md.dist.host3.name}${md.dist.path.name}${mdaggr.export.preview.signed}"
-            checksum="${mdaggr.export.preview.signed.checksum}"/>
-
         <echo>Verifying metadata held at ${md.dist.host-ne-01.name}</echo>
         <VFY.remote.and.checksum i="http://${md.dist.host-ne-01.name}${md.dist.path.name}${mdaggr.prod.signed}"
             checksum="${mdaggr.prod.signed.checksum}"/>

From 723c01ff822fd4eed2a52df3bc95539c74d24516 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 10 Apr 2017 12:03:25 +0100
Subject: [PATCH 39/80] Switch to entity attribute blacklist for fallback
 aggregate

Final phase of ukf/ukf-meta#10.
---
 mdx/uk/generate.xml | 28 ----------------------------
 1 file changed, 28 deletions(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 9a5bcb41..1d5af74d 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -219,33 +219,6 @@
         </property>
     </bean>
 
-    <bean id="entityAttributes.whitelist" parent="EntityAttributeFilteringStage">
-        <property name="whitelisting" value="true"/>
-        <property name="rules">
-            <list>
-                <!-- Permit GÉANT CoC category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
-                
-                <!-- Permit REFEDS Hide From Discovery category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://refeds.org/category/hide-from-discovery"/>
-                
-                <!-- Permit REFEDS R&S category from any eduGAIN participant. -->
-                <bean parent="EntityCategoryMatcher"
-                    c:category="http://refeds.org/category/research-and-scholarship"/>
-                
-                <!-- Permit REFEDS R&S category *support* from any eduGAIN participant. -->
-                <bean parent="EntityCategorySupportMatcher"
-                    c:category="http://refeds.org/category/research-and-scholarship"/>
-                
-                <!-- Permit SIRTFI entity attribute from any eduGAIN participant -->
-                <ref bean="SIRTFI.entity.attribute.matcher"/>
-                
-            </list>
-        </property>
-    </bean>
-    
     <bean id="uk_int_edugain_importPipeline" parent="SimplePipeline">
         <property name="stages">
             <list>
@@ -531,7 +504,6 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
                 
-                <ref bean="entityAttributes.whitelist"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripWayfNamespace"/>
                 <ref bean="stripEmptyExtensions"/>

From 7bfc57b456340a1275fe669854d59f7b6500958b Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 11 Apr 2017 10:26:17 +0100
Subject: [PATCH 40/80] Check that ukfedlabel elements appear at most once per
 entity

Resolves ukf/ukf-meta#42.
---
 mdx/uk/beans.xml            |  2 +
 mdx/uk/check_ukfedlabel.xsl | 74 +++++++++++++++++++++++++++++++++++++
 mdx/uk/check_ukreg.xsl      | 12 ------
 3 files changed, 76 insertions(+), 12 deletions(-)
 create mode 100644 mdx/uk/check_ukfedlabel.xsl

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index eb185e63..e0f9e151 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -328,6 +328,8 @@
                 
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
+                <bean id="check_ukfedlabel" parent="XSLValidationStage"
+                    p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_owner"/>
                 <ref bean="check_uk_keydesc_key"/>
diff --git a/mdx/uk/check_ukfedlabel.xsl b/mdx/uk/check_ukfedlabel.xsl
new file mode 100644
index 00000000..8d236355
--- /dev/null
+++ b/mdx/uk/check_ukfedlabel.xsl
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    check_ukfedlabel.xsl
+
+    Checking ruleset for the ukfedlabel namespace.
+
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        Check for individual elements appearing more than once in
+        a single entity.
+    -->
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:AccountableUsers)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:AccountableUsers element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:ExportOptIn)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:ExportOptIn element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:ExportOptOut)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:ExportOptOut element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:Software)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:Software element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:EntityDescriptor[count(descendant::ukfedlabel:UKFederationMember)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity must not have more than one ukfedlabel:UKFederationMember element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for entities which are both opted in to and opted out from export.
+    -->
+    <xsl:template match="md:EntityDescriptor/md:Extensions[ukfedlabel:ExportOptIn][ukfedlabel:ExportOptOut]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity cannot be both opted in to and opted out from export</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/uk/check_ukreg.xsl b/mdx/uk/check_ukreg.xsl
index 728c0306..28434419 100644
--- a/mdx/uk/check_ukreg.xsl
+++ b/mdx/uk/check_ukreg.xsl
@@ -50,16 +50,4 @@
 		</xsl:call-template>
 	</xsl:template>
 	
-	
-	<!--
-		Check for entities which are both opted in to and opted out from export.
-	-->
-	<xsl:template match="md:EntityDescriptor/md:Extensions[ukfedlabel:ExportOptIn][ukfedlabel:ExportOptOut]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity cannot be both opted in to and opted out from export</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	
 </xsl:stylesheet>

From 9998168a0888a7bc75d538afa5a939b553487061 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 11 Apr 2017 11:09:12 +0100
Subject: [PATCH 41/80] Remove statistics for Shibboleth 1.3 entities now there
 are none

---
 mdx/uk/statistics.xsl | 110 +-----------------------------------------
 1 file changed, 2 insertions(+), 108 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index ba84c359..7361c689 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -125,7 +125,6 @@
                     <li><p><a href="#byOwner">Entities by Owner</a></p></li>
                     <li><p><a href="#accountableIdPs">Identity Provider Accountability</a></p></li>
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
-                    <li><p><a href="#shib13">Shibboleth 1.3 Remnants</a></p></li>
                     <li><p><a href="#exportOptOut">Export Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
                     <li><p><a href="#charting">Charting Statistics</a></p></li>
@@ -922,33 +921,6 @@
                 
 
 
-                <!--
-                    ***************************************************************
-                    ***                                                         ***
-                    ***      S H I B B O L E T H   1 . 3   R E M N A N T S      ***
-                    ***                                                         ***
-                    ***************************************************************
-                -->
-                <h2><a name="shib13">Shibboleth 1.3 Remnants</a></h2>
-                <p>
-                    The following lists show entities that are believed to be running the
-                    Shibboleth 1.3 software, which reached its official end of life
-                    date on 30-June-2010.
-                    As heuristics have been used to create these lists, they may
-                    not be completely accurate.
-                </p>
-
-                <h3>Shibboleth 1.3 Identity Provider Entities</h3>
-                <xsl:call-template name="list.shibboleth.1.3.entities">
-                    <xsl:with-param name="entities" select="$idps"/>
-                </xsl:call-template>
-
-                <h3>Shibboleth 1.3 Service Provider Entities</h3>
-                <xsl:call-template name="list.shibboleth.1.3.entities">
-                    <xsl:with-param name="entities" select="$sps"/>
-                </xsl:call-template>
- 
- 
                 <!--
                     ***************************************
                     ***                                 ***
@@ -1541,62 +1513,6 @@
     </xsl:template>
 
 
-
-    <!--
-        Given a list of entities, extract and list those which are apparently running Shibboleth 1.3.
-    -->
-    <xsl:template name="list.shibboleth.1.3.entities">
-        <xsl:param name="entities"/>
-        <!--
-            Remove everything that says it is something other than Shibboleth, or which includes
-            a SAML 2.0 token in any of its role descriptors' protocolSupportEnumerations.
-        -->
-        <xsl:variable name="entities.1"
-            select="set:difference($entities,
-                $entities[
-                    md:Extensions/ukfedlabel:Software[@name != 'Shibboleth'] |
-                    md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-                ])"/>
-        <!-- remove things that look like Shibboleth 2.x -->
-        <xsl:variable name="entities.2"
-            select="set:difference($entities.1,
-                $entities.1[
-                    md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '/profile/Shibboleth/SSO')] |
-                    md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, '/Shibboleth.sso/SAML2/POST')] |
-                    md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '2']
-                ]
-            )"/>
-        <!-- select only remainder that look like Shibboleth 1.3 -->
-        <xsl:variable name="entities.3"
-            select="$entities.2[
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
-                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
-                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
-            ]"/>
-        <!-- final set -->
-        <xsl:variable name="entities.out" select="$entities.3"/>
-        <xsl:variable name="entities.out.count" select="count($entities.out)"/>
-        <!-- print the list -->
-        <p>
-            <xsl:value-of select="$entities.out.count"/> entities:
-        </p>
-        <ul>
-            <xsl:for-each select="$entities.out">
-                <li>
-                    <xsl:value-of select="@ID"/>:
-                    <code><xsl:value-of select="@entityID"/></code>
-                    <!-- suspect misclassification if an SP has an encryption key -->
-                    <xsl:if test="md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']">
-                        <xsl:text> [HasEncKey]</xsl:text>
-                    </xsl:if>
-                    <xsl:text> (</xsl:text>
-                    <xsl:value-of select="md:Organization/md:OrganizationName"/>
-                    <xsl:text>)</xsl:text>
-                </li>
-            </xsl:for-each>
-        </ul>
-    </xsl:template>
-    
     <!--
         Break down a set of entities by the software used.
     -->
@@ -1707,25 +1623,10 @@
             <xsl:variable name="entities.shib.2.out"
                 select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
 
-            <!--
-                Classify Shibboleth 1.3 entities.
-            -->
-            <xsl:variable name="entities.shib.13.in" select="$entities.shib.2.out"/>
-            <xsl:variable name="entities.shib.13"
-                select="$entities.shib.13.in[
-                    md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
-                    md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
-                    md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
-                ][
-                    not(md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')])
-                ]"/>
-            <xsl:variable name="entities.shib.13.out"
-                select="set:difference($entities.shib.13.in, $entities.shib.13)"/>
-            
             <!--
                 Classify Athens Gateway entities
             -->
-            <xsl:variable name="entities.gateways.in" select="$entities.shib.13.out"/>
+            <xsl:variable name="entities.gateways.in" select="$entities.shib.2.out"/>
             <xsl:variable name="entities.gateways"
                 select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
             <xsl:variable name="entities.gateways.out"
@@ -1789,15 +1690,8 @@
                 <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
-            <xsl:call-template name="entity.breakdown.by.software.line">
-                <xsl:with-param name="entities" select="$entities.shib.13"/>
-                <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
-                <xsl:with-param name="total" select="$entityCount"/>
-                <xsl:with-param name="show.max" select="10"/>
-            </xsl:call-template>
 
-            <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2 | $entities.shib.3"/>
+            <xsl:variable name="entities.shib" select="$entities.shib.2 | $entities.shib.3"/>
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib"/>
                 <xsl:with-param name="name">Shibboleth combined</xsl:with-param>

From 63f37ecd2aedd2dc1265a838d7b21214485fa04c Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 11 Apr 2017 11:27:57 +0100
Subject: [PATCH 42/80] Remove charting statistics from main stats page

See ukf/ukf-meta#106.
---
 mdx/uk/statistics.xsl | 61 +------------------------------------------
 1 file changed, 1 insertion(+), 60 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 7361c689..b1e51d68 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -127,7 +127,6 @@
                     <li><p><a href="#undeployedMembers">Members Lacking Deployment</a></p></li>
                     <li><p><a href="#exportOptOut">Export Aggregate: Entities Opted Out</a></p></li>
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
-                    <li><p><a href="#charting">Charting Statistics</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
                 
@@ -1028,65 +1027,7 @@
                         </xsl:for-each>
                     </ul>
                 </xsl:if>
-                
-                
-                <!--
-                    ***************************
-                    ***                     ***
-                    ***   C H A R T I N G   ***
-                    ***                     ***
-                    ***************************
-                -->
-                <h2><a name="charting">Charting Statistics</a></h2>
-                <ul>
-                    <li>Members: <xsl:value-of select="$memberCount"/></li>
-                    <li>
-                        Outsourcing chart:
-                        <xsl:value-of select="$membersWithJustIdPsCount"/>,
-                        <xsl:value-of select="$membersWithJustSPsCount"/>,
-                        <xsl:value-of select="$membersWithBothCount"/>,
-                        <xsl:value-of select="$members.osrc.only.count"/>,
-                        <xsl:value-of select="$members.osrc.none.count"/>                  
-                    </li>
-                    <li>Entities: <xsl:value-of select="$entityCount"/></li>
-                    <li>IdPs: <xsl:value-of select="$idpCount"/></li>
-                    <li>SPs: <xsl:value-of select="$spCount"/></li>
-                    <li>Entities per member: <xsl:value-of select="$entityCount div $memberCount"/></li>
-                    <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
-                    <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
-                    <li>
-                        Algorithm support:
-                        <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
-                        of all entities
-                    </li>
-                    <xsl:variable name="charting.entities.algsupport.gcm"
-                        select="$charting.entities.algsupport[
-                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
-                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm' or
-                        descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes256-gcm']"/>
-                    <xsl:variable name="charting.entities.algsupport.gcm.count" select="count($charting.entities.algsupport.gcm)"/>
-                    <li>
-                        GCM support:
-                        <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
-                        of all entities
-                    </li>
-                    <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
-                    <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
-                    <li>
-                        Algorithm support:
-                        <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
-                        of SP entities
-                    </li>
-                    <xsl:variable name="charting.idp3" select="$idps[
-                        md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
-                        ]"/>
-                    <xsl:variable name="charting.idp3.count" select="count($charting.idp3)"/>
-                    <li>
-                        Shibboleth IdP v3:
-                        <xsl:value-of select="$charting.idp3.count"/>
-                        (<xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/> of IdPs)
-                    </li>
-                </ul>
+
 
                 <!--
                     *****************************************************************************

From 3c0e7555b03f0b8ce7e2c2cb8265b7a2c59cf98e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 11 Apr 2017 11:28:57 +0100
Subject: [PATCH 43/80] Correct formatting typo

---
 mdx/uk/statistics-charting.xsl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
index 574c1130..45c616ad 100644
--- a/mdx/uk/statistics-charting.xsl
+++ b/mdx/uk/statistics-charting.xsl
@@ -232,7 +232,7 @@
             <xsl:value-of select="$charting.idp3.count"/>
             <xsl:text> (</xsl:text>
             <xsl:value-of select="format-number($charting.idp3.count div $idpCount, '0.0%')"/>
-            <xsl:text>of IdPs)</xsl:text>
+            <xsl:text> of IdPs)</xsl:text>
             <xsl:text>&#10;</xsl:text>
 
             <xsl:variable name="nosaml2.sps" select="$sps[md:SPSSODescriptor[not(contains(@protocolSupportEnumeration,

From 3cf8dc7c6c195bed197d10e9815506b92e095db1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 11 Apr 2017 11:38:29 +0100
Subject: [PATCH 44/80] Remove Shib 1.3 and outsourcing from the charting
 statistics

---
 mdx/uk/statistics-charting.xsl | 101 +--------------------------------
 1 file changed, 2 insertions(+), 99 deletions(-)

diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
index 45c616ad..12aab305 100644
--- a/mdx/uk/statistics-charting.xsl
+++ b/mdx/uk/statistics-charting.xsl
@@ -95,69 +95,6 @@
         
         <pre>
 
-            <!--
-                Break down members by whether or not they have entities registered
-            -->
-            <xsl:variable name="membersWithIdPs"
-                select="$members[members:Name = $idps//md:OrganizationName]"/>
-            <xsl:variable name="membersWithSps"
-                select="$members[members:Name = $sps//md:OrganizationName]"/>
-            <xsl:variable name="membersWithBoth"
-                select="set:intersection($membersWithIdPs, $membersWithSps)"/>
-            <xsl:variable name="membersWithEither"
-                select="set:distinct($membersWithIdPs | $membersWithSps)"/>
-            <xsl:variable name="membersWithJustIdPs"
-                select="set:difference($membersWithIdPs, $membersWithSps)"/>
-            <xsl:variable name="membersWithJustSPs"
-                select="set:difference($membersWithSps, $membersWithIdPs)"/>
-            <xsl:variable name="membersWithNone"
-                select="set:difference($members, $membersWithEither)"/>
-            <xsl:variable name="membersWithIdPsCount" select="count($membersWithIdPs)"/>
-            <xsl:variable name="membersWithSpsCount" select="count($membersWithSps)"/>
-            <xsl:variable name="membersWithBothCount" select="count($membersWithBoth)"/>
-            <xsl:variable name="membersWithEitherCount" select="count($membersWithEither)"/>
-            <xsl:variable name="membersWithJustIdPsCount" select="count($membersWithJustIdPs)"/>
-            <xsl:variable name="membersWithJustSPsCount" select="count($membersWithJustSPs)"/>
-            <xsl:variable name="membersWithNoneCount" select="count($membersWithNone)"/>
-            
-            <!--
-                *********************************
-                ***                           ***
-                ***   O U T S O U R C I N G   ***
-                ***                           ***
-                *********************************
-            -->
-            
-            <!--
-                Members who are deduced as outsourcing as a result of their use
-                of the mechanism for describing scopes "pushed" to a specific entity.
-            -->
-            <xsl:variable name="members.osrc.scopes.push"
-                select="$members[members:Scopes/members:Entity]"/>
-            <xsl:variable name="members.osrc.scopes.push.count" select="count($members.osrc.scopes.push)"/>
-            
-            <!--
-                Members who are deduced as outsourcing.
-            -->
-            <xsl:variable name="members.osrc" select="$members.osrc.scopes.push"/>
-            <xsl:variable name="members.osrc.count" select="count($members.osrc)"/>
-            
-            <!--
-                Members whose only representation in the federation is through outsourcing.
-            -->
-            <xsl:variable name="members.osrc.only"
-                select="set:difference($members.osrc, $membersWithEither)"/>
-            <xsl:variable name="members.osrc.only.count" select="count($members.osrc.only)"/>
-            
-            <!--
-                Members with no representation, even through outsourcing.
-            -->
-            <xsl:variable name="members.osrc.none"
-                select="set:difference($membersWithNone, $members.osrc)"/>
-            <xsl:variable name="members.osrc.none.count" select="count($members.osrc.none)"/>
-
-
-
             <!--
                 ***************************
                 ***                     ***
@@ -171,18 +108,6 @@
             <xsl:value-of select="$memberCount"/>
             <xsl:text>&#10;</xsl:text>
 
-            <xsl:text>Outsourcing chart: </xsl:text>
-            <xsl:value-of select="$membersWithJustIdPsCount"/>
-            <xsl:text>, </xsl:text>
-            <xsl:value-of select="$membersWithJustSPsCount"/>
-            <xsl:text>, </xsl:text>
-            <xsl:value-of select="$membersWithBothCount"/>
-            <xsl:text>, </xsl:text>
-            <xsl:value-of select="$members.osrc.only.count"/>
-            <xsl:text>, </xsl:text>
-            <xsl:value-of select="$members.osrc.none.count"/>
-            <xsl:text>&#10;</xsl:text>
-
             <xsl:text>Entities: </xsl:text>
             <xsl:value-of select="$entityCount"/>
             <xsl:text>&#10;</xsl:text>
@@ -395,25 +320,10 @@
         <xsl:variable name="entities.shib.2.out"
             select="set:difference($entities.shib.2.in, $entities.shib.2)"/>
 
-        <!--
-            Classify Shibboleth 1.3 entities.
-        -->
-        <xsl:variable name="entities.shib.13.in" select="$entities.shib.2.out"/>
-        <xsl:variable name="entities.shib.13"
-            select="$entities.shib.13.in[
-                md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '1.3'] |
-                md:IDPSSODescriptor/md:SingleSignOnService[contains(@Location, '-idp/SSO')] |
-                md:SPSSODescriptor/md:AssertionConsumerService[contains(@Location, 'Shibboleth.sso')]
-            ][
-                not(md:*[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')])
-            ]"/>
-        <xsl:variable name="entities.shib.13.out"
-            select="set:difference($entities.shib.13.in, $entities.shib.13)"/>
-        
         <!--
             Classify Athens Gateway entities
         -->
-        <xsl:variable name="entities.gateways.in" select="$entities.shib.13.out"/>
+        <xsl:variable name="entities.gateways.in" select="$entities.shib.2.out"/>
         <xsl:variable name="entities.gateways"
             select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
         <xsl:variable name="entities.gateways.out"
@@ -477,15 +387,8 @@
             <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
-        <xsl:call-template name="entity.breakdown.by.software.line">
-            <xsl:with-param name="entities" select="$entities.shib.13"/>
-            <xsl:with-param name="name">Shibboleth 1.3</xsl:with-param>
-            <xsl:with-param name="total" select="$entityCount"/>
-            <xsl:with-param name="show.max" select="10"/>
-        </xsl:call-template>
 
-        <xsl:variable name="entities.shib" select="$entities.shib.13 | $entities.shib.2 | $entities.shib.3"/>
+        <xsl:variable name="entities.shib" select="$entities.shib.2 | $entities.shib.3"/>
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.shib"/>
             <xsl:with-param name="name">Shibboleth combined</xsl:with-param>

From d0785b451e5503e8efce1737447310fd228e6e9a Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Thu, 13 Apr 2017 09:20:36 +0100
Subject: [PATCH 45/80] Remove old servers from Stats syncing

---
 utilities/stats-sync.sh | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index 81172ff9..774f5ddd 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -10,26 +10,18 @@ logslocation="/var/stats"
 # Logs from API
 
 # Logs from MD servers
-rsync -at --exclude modsec* stats@md1:/var/log/httpd/* $logslocation/md/md1/
-rsync -at --exclude modsec* stats@md2:/var/log/httpd/* $logslocation/md/md2/
-rsync -at --exclude modsec* stats@md3:/var/log/httpd/* $logslocation/md/md3/
 rsync -at --exclude modsec* stats@md-ne-01:/var/log/httpd/* $logslocation/md/md-ne-01/
 rsync -at --exclude modsec* stats@md-ne-02:/var/log/httpd/* $logslocation/md/md-ne-02/
 rsync -at --exclude modsec* stats@md-we-01:/var/log/httpd/* $logslocation/md/md-we-01/
 rsync -at --exclude modsec* stats@md-we-02:/var/log/httpd/* $logslocation/md/md-we-02/
 
 # Logs from CDS servers
-rsync -at --exclude modsec* stats@shib-cds1:/var/log/httpd/* $logslocation/cds/shib-cds1/
-rsync -at --exclude modsec* stats@shib-cds2:/var/log/httpd/* $logslocation/cds/shib-cds2/
-rsync -at --exclude modsec* stats@shib-cds3:/var/log/httpd/* $logslocation/cds/shib-cds3/
 rsync -at --exclude modsec* stats@shibcds-ne-01:/var/log/httpd/* $logslocation/cds/shibcds-ne-01/
 rsync -at --exclude modsec* stats@shibcds-ne-02:/var/log/httpd/* $logslocation/cds/shibcds-ne-02/
 rsync -at --exclude modsec* stats@shibcds-we-01:/var/log/httpd/* $logslocation/cds/shibcds-we-01/
 rsync -at --exclude modsec* stats@shibcds-we-02:/var/log/httpd/* $logslocation/cds/shibcds-we-02/
 
 # Logs from websites
-rsync -at --exclude modsec* stats@web1:/var/log/httpd/* $logslocation/www/web1/
-rsync -at --exclude modsec* stats@web2:/var/log/httpd/* $logslocation/www/web2/
 rsync -at --exclude modsec* stats@www-ne-01:/var/log/httpd/* $logslocation/www/www-ne-01/
 rsync -at --exclude modsec* stats@www-we-01:/var/log/httpd/* $logslocation/www/www-we-01/
 

From 13502945c2230e72b015a2b159b82b228fa5438a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 10:22:01 +0100
Subject: [PATCH 46/80] Separate out definitions of MDA beans

All Shibboleth MDA abstract beans are now defined in mda-beans.xml,
which is a first cut of a resource planned for inclusion in MDA 0.10.0.
---
 mdx/at_aconet/beans.xml   |   4 +-
 mdx/at_aconet/verbs.xml   |  17 ++-
 mdx/common-beans.xml      | 270 +++++++++----------------------------
 mdx/int_cobweb/beans.xml  |   2 +-
 mdx/int_cobweb/verbs.xml  |   6 +-
 mdx/int_edugain/beans.xml |   6 +-
 mdx/int_edugain/verbs.xml |  22 +--
 mdx/mda-beans.xml         | 272 ++++++++++++++++++++++++++++++++++++++
 mdx/test/beans.xml        |   2 +-
 mdx/test/verbs.xml        |   4 +-
 mdx/uk/beans.xml          |  57 ++++----
 mdx/uk/collect.xml        |   2 +-
 mdx/uk/generate.xml       |  83 ++++++------
 mdx/uk/mdq-multisign.xml  |  16 +--
 mdx/uk/verbs.xml          |  34 ++---
 mdx/us_incommon/beans.xml |  12 +-
 mdx/us_incommon/verbs.xml |   8 +-
 mdx/validation-beans.xml  | 123 +++++++++--------
 18 files changed, 529 insertions(+), 411 deletions(-)
 create mode 100644 mdx/mda-beans.xml

diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 15d9c658..4d822ba2 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -95,7 +95,7 @@
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="at_aconet_productionEntities" parent="CompositeStage">
+    <bean id="at_aconet_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
@@ -117,7 +117,7 @@
     <!--
         Fetch the eduGAIN export entities as a collection.
     -->
-    <bean id="at_aconet_edugainEntities" parent="CompositeStage">
+    <bean id="at_aconet_edugainEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 4b5a334a..9e77f6de 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -30,7 +30,7 @@
         </property>
     </bean>
     
-    <bean id="importProduction" parent="SimplePipeline">
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_productionEntities"/>
@@ -41,7 +41,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
@@ -50,7 +50,7 @@
         </property>
     </bean>
     
-    <bean id="importEdugain" parent="SimplePipeline">
+    <bean id="importEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainEntities"/>
@@ -61,7 +61,7 @@
         </property>
     </bean>
     
-    <bean id="importEdugainRaw" parent="SimplePipeline">
+    <bean id="importEdugainRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
@@ -70,17 +70,17 @@
         </property>
     </bean>
     
-    <bean id="verifyEdugain" parent="SimplePipeline">
+    <bean id="verifyEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="at_aconet_edugainEntities"/>
                 <ref bean="standardImportActions"/>
 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                         </list>
                     </property>
@@ -90,8 +90,7 @@
                     Remove a specific entity we know has a problem that it will take
                     a while to resolve.
                 -->
-                <bean id="filterEntities" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+                <bean id="filterEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false">
                     <property name="designatedEntities">
                         <set>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 0f2d3602..9a541410 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -19,6 +19,11 @@
     -->
     <context:property-placeholder/>
 
+    <!--
+        Pick up Shibboleth MDA beans.
+    -->
+    <import resource="mda-beans.xml"/>
+
     <!--
         ***********************************
         ***                             ***
@@ -62,9 +67,6 @@
         Parent for all stages.
     -->
     <bean id="stage_parent" abstract="true" parent="component_parent"/>
-    
-    <bean id="XMLSignatureSigningStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"/>
 
     <!--
         XMLSignatureValidationStage
@@ -79,8 +81,7 @@
         overridden in specific beans where a signature is known to
         require it.
     -->
-    <bean id="XMLSignatureValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
+    <bean id="XMLSignatureValidationStage" abstract="true" parent="mda.XMLSignatureValidationStage">
         <property name="blacklistedDigests">
             <list>
                 <value>http://www.w3.org/2001/04/xmldsig-more#md5</value>
@@ -117,57 +118,15 @@
         </property>
     </bean>
 
-    <bean id="XPathFilteringStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XPathFilteringStage"
+    <bean id="XPathFilteringStage" abstract="true" parent="mda.XPathFilteringStage"
         p:namespaceContext-ref="commonNamespaces"/>
 
-    <!--
-        XSLTransformationStage
-        
-        Parent for XSLT-based checking stages.
-    -->
-    <bean id="XSLTransformationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XSLTransformationStage"/>
-    
-    <!--
-        XSLValidationStage
-        
-        Parent for XSLT-based checking stages.
-    -->
-    <bean id="XSLValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XSLValidationStage"/>
-    
-    <!--
-        EmptyContainerStrippingStage
-        
-        Parent for container stripping stages.
-    -->
-    <bean id="EmptyContainerStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.EmptyContainerStrippingStage"/>
-    
-    <!--
-        ElementStrippingStage
-        
-        Parent for element stripping stages.
-    -->
-    <bean id="ElementStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ElementStrippingStage"/>
-    
-    <!--
-        NamespaceStrippingStage
-        
-        Parent for namespace stripping stages.
-    -->
-    <bean id="NamespaceStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.NamespaceStrippingStage"/>
-
     <!--
         DomFilesystemSourceStage
         
         Parent for DOM filesystem source stages.
     -->
-    <bean id="DOMFilesystemSourceStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage">
+    <bean id="DOMFilesystemSourceStage" abstract="true" parent="mda.DOMFilesystemSourceStage">
         <property name="parserPool" ref="parserPool"/>
     </bean>
 
@@ -176,19 +135,10 @@
         
         Parent for DOM resource source stages.
     -->
-    <bean id="DOMResourceSourceStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMResourceSourceStage">
+    <bean id="DOMResourceSourceStage" abstract="true" parent="mda.DOMResourceSourceStage">
         <property name="parserPool" ref="parserPool"/>
     </bean>
 
-    <!--
-        EntityRegistrationAuthorityFilterStage
-        
-        Parent for registration authority filtering stages.
-    -->
-    <bean id="EntityRegistrationAuthorityFilterStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.EntityRegistrationAuthorityFilterStage"/>
-    
     <!-- *** Parent beans for Shibboleth spring-extensions factory beans. *** -->
 
     <bean id="DOMDocumentFactoryBean" abstract="true"
@@ -210,108 +160,23 @@
     <bean id="X509CertificateFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"/>
 
-    <!-- *** Parent beans for Shibboleth MDA components. *** -->
-
-    <bean id="CRDetectionStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
-    
-    <bean id="ElementWhitespaceTrimmingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
-    
-    <bean id="EntityFilterStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"/>
-
-    <bean id="GenerateIdStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.GenerateIdStage"/>
-
-    <bean id="NamespacesStrippingStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.NamespacesStrippingStage"/>
-    
-    <bean id="SetCacheDurationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetCacheDurationStage"/>
-
-    <bean id="SetValidUntilStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"/>
-
-    <bean id="XPathItemSelectionStrategy" abstract="true"
-        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
-    
-    <!-- *** Parent beans for entity attribute handling. *** -->
-    
-    <bean id="EntityAttributeFilteringStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityAttributeFilteringStage"/>
-    
-    <bean id="EntityCategoryMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategoryMatcher"/>
-    
-    <bean id="EntityCategorySupportMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategorySupportMatcher"/>
-    
-    <bean id="MultiPredicateMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.MultiPredicateMatcher"/>
-    
-    <bean id="RegistrationAuthorityMatcher" abstract="true"
-        class="net.shibboleth.metadata.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
-    
-    <!-- *** Parent beans for X.509 Certificate validation. *** -->
-
-    <bean id="X509ValidationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.ds.X509ValidationStage"/>
-    
-    <bean id="validator_parent" abstract="true" parent="component_parent"/>
-    
-    <bean id="X509RSAExponentValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAExponentValidator"/>
-    
-    <bean id="X509RSAKeyLengthValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAKeyLengthValidator"/>
-    
-    <bean id="X509RSAOpenSSLBlacklistValidator" abstract="true" parent="validator_parent"
-        class="net.shibboleth.metadata.validate.x509.X509RSAOpenSSLBlacklistValidator"/>
-
     <!-- *** Parent beans for net.shibboleth.metadata.pipeline package. *** -->
 
-    <bean id="CompositeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.CompositeStage"/>
-
-    <bean id="FilesInDirectoryMultiOutputStrategy" abstract="true" parent="component_parent"
-        class="net.shibboleth.metadata.pipeline.FilesInDirectoryMultiOutputStrategy"/>
-
-    <bean id="MultiOutputSerializationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.MultiOutputSerializationStage">
+    <bean id="MultiOutputSerializationStage" abstract="true" parent="mda.MultiOutputSerializationStage">
         <property name="serializer" ref="serializer"/>
     </bean>
 
-    <bean id="PipelineDemultiplexerStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineDemultiplexerStage"
+    <bean id="PipelineDemultiplexerStage" abstract="true" parent="mda.PipelineDemultiplexerStage"
         p:waitingForPipelines="true"
     />
 
-    <bean id="PipelineMergeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.PipelineMergeStage"/>
-
-    <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="PipelineMergeStage"
+    <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="mda.PipelineMergeStage"
         p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>
 
-    <bean id="SerializationStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.SerializationStage">
+    <bean id="SerializationStage" abstract="true" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
     </bean>
 
-    <bean id="SimplePipeline" abstract="true" parent="component_parent"
-        class="net.shibboleth.metadata.pipeline.SimplePipeline"/>
-
-    <bean id="SplitMergeStage" abstract="true" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
-
-    <!-- *** Parent beans for net.shibboleth.metadata.utils package. *** -->
-
-    <bean id="PathSegmentStringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.PathSegmentStringTransformer"/>
-
-    <bean id="SHA1StringTransformer" abstract="true"
-        class="net.shibboleth.metadata.util.SHA1StringTransformer"/>
-
     <!-- *** Parent beans for ukf-mda. *** -->
 
     <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
@@ -320,7 +185,7 @@
     <bean id="SAMLStringElementCheckingStage" abstract="true" parent="stage_parent"
         class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
 
-    <bean id="X509ConsistentNameValidator" abstract="true" parent="validator_parent"
+    <bean id="X509ConsistentNameValidator" abstract="true" parent="mda.validator_parent"
         class="uk.org.ukfederation.mda.validate.X509ConsistentNameValidator"/>
         
     <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
@@ -403,7 +268,7 @@
         
         Remove the algorithm support namespace.
     -->
-    <bean id="stripAlgNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripAlgNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="alg_namespace"/>
     
     <!--
@@ -411,7 +276,7 @@
         
         Remove the IdP discovery namespace.
     -->
-    <bean id="stripIdpdiscNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripIdpdiscNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="idpdisc_namespace"/>
 
     <!--
@@ -419,7 +284,7 @@
         
         Remove the session initiation namespace.
     -->
-    <bean id="stripInitNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripInitNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="init_namespace"/>
     
     <!--
@@ -427,7 +292,7 @@
         
         Remove the namespace used by the entity attributes extension.
     -->
-    <bean id="stripMdattrNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripMdattrNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdattr_namespace"/>
     
     <!--
@@ -435,7 +300,7 @@
         
         Remove the namespace used by the registration and publication metdata extension.
     -->
-    <bean id="stripMdrpiNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripMdrpiNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdrpi_namespace"/>
     
     <!--
@@ -443,7 +308,7 @@
         
         Remove the UK federation label namespace.
     -->
-    <bean id="stripUkfedlabelNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripUkfedlabelNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="ukfedlabel_namespace"/>
     
     <!--
@@ -451,7 +316,7 @@
         
         Remove the UK federation WAYF namespace.
     -->
-    <bean id="stripWayfNamespace" parent="NamespaceStrippingStage"
+    <bean id="stripWayfNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="wayf_namespace"/>
     
     <!--
@@ -460,7 +325,7 @@
         A pipeline stage that can be used before serialisation to normalise the namespaces
         used in an XML document.
     -->
-    <bean id="normaliseNamespaces" parent="XSLTransformationStage"
+    <bean id="normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:ns_norm.xsl"/>
     
     <!--
@@ -610,8 +475,7 @@
         A pipeline stage that logs any errors present,
         but takes no action on them.
     -->
-    <bean id="errorAnnouncer" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+    <bean id="errorAnnouncer" parent="mda.StatusMetadataLoggingStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -626,8 +490,7 @@
         A pipeline stage that logs any errors and warnings present,
         but takes no action on them.
     -->
-    <bean id="warningAndErrorAnnouncer" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage">
+    <bean id="warningAndErrorAnnouncer" parent="mda.StatusMetadataLoggingStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -642,8 +505,7 @@
         
         This pipeline stage removes any items marked with an error status.
     -->
-    <bean id="errorRemover" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataFilterStage">
+    <bean id="errorRemover" parent="mda.ItemMetadataFilterStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -657,8 +519,7 @@
         
         This pipeline stage causes CLI termination if any item is marked with an error status.
     -->
-    <bean id="errorTerminator" parent="stage_parent"
-        class="net.shibboleth.metadata.pipeline.ItemMetadataTerminationStage">
+    <bean id="errorTerminator" parent="mda.ItemMetadataTerminationStage">
         <property name="identificationStrategy" ref="identificationStrategy"/>
         <property name="selectionRequirements">
             <list>
@@ -673,7 +534,7 @@
         Announce any errors or warnings encountered, then remove
         any items that had errors.  Items with just warnings are retained.
     -->
-    <bean id="errorAnnouncingFilter" parent="CompositeStage">
+    <bean id="errorAnnouncingFilter" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="warningAndErrorAnnouncer"/>
@@ -689,7 +550,7 @@
         
         Warnings are not announced, and do not cause termination.
     -->
-    <bean id="errorTerminatingFilter" parent="CompositeStage">
+    <bean id="errorTerminatingFilter" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="errorAnnouncer"/>
@@ -726,25 +587,22 @@
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
     -->
-    <bean id="disassemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorDisassemblerStage"/>
+    <bean id="disassemble" parent="mda.EntitiesDescriptorDisassemblerStage"/>
     
     <!--
         Basic EntitiesDescriptor assembler pipeline stage.
     -->
-    <bean id="assemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage"/>
+    <bean id="assemble" parent="mda.EntitiesDescriptorAssemblerStage"/>
     
     <!--
         Populate ItemId values from entities.
     -->
-    <bean id="populateItemIds" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityDescriptorItemIdPopulationStage"/>
+    <bean id="populateItemIds" parent="mda.EntityDescriptorItemIdPopulationStage"/>
 
     <!--
         Remove any empty Extensions elements.
     -->
-    <bean id="stripEmptyExtensions" parent="EmptyContainerStrippingStage"
+    <bean id="stripEmptyExtensions" parent="mda.EmptyContainerStrippingStage"
         p:elementName="Extensions"
         p:elementNamespace-ref="md_namespace"/>
     
@@ -752,43 +610,43 @@
         Beans to strip out selected SAML metadata elements.
     -->
     
-    <bean id="stripArtifactResolutionService" parent="ElementStrippingStage"
+    <bean id="stripArtifactResolutionService" parent="mda.ElementStrippingStage"
         p:elementName="ArtifactResolutionService"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripAssertionConsumerService" parent="ElementStrippingStage"
+    <bean id="stripAssertionConsumerService" parent="mda.ElementStrippingStage"
         p:elementName="AssertionConsumerService"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripAttributeAuthorityDescriptor" parent="ElementStrippingStage"
+    <bean id="stripAttributeAuthorityDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="AttributeAuthorityDescriptor"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripAttributeConsumingService" parent="ElementStrippingStage"
+    <bean id="stripAttributeConsumingService" parent="mda.ElementStrippingStage"
         p:elementName="AttributeConsumingService"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripContactPerson" parent="ElementStrippingStage"
+    <bean id="stripContactPerson" parent="mda.ElementStrippingStage"
         p:elementName="ContactPerson"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripKeyDescriptor" parent="ElementStrippingStage"
+    <bean id="stripKeyDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="KeyDescriptor"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripManageNameIDService" parent="ElementStrippingStage"
+    <bean id="stripManageNameIDService" parent="mda.ElementStrippingStage"
         p:elementName="ManageNameIDService"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripNameIDFormat" parent="ElementStrippingStage"
+    <bean id="stripNameIDFormat" parent="mda.ElementStrippingStage"
         p:elementName="NameIDFormat"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripSingleLogoutService" parent="ElementStrippingStage"
+    <bean id="stripSingleLogoutService" parent="mda.ElementStrippingStage"
         p:elementName="SingleLogoutService"
         p:elementNamespace-ref="md_namespace"/>
     
-    <bean id="stripSingleSignOnService" parent="ElementStrippingStage"
+    <bean id="stripSingleSignOnService" parent="mda.ElementStrippingStage"
         p:elementName="SingleSignOnService"
         p:elementNamespace-ref="md_namespace"/>
     
@@ -805,8 +663,7 @@
     <!--
         Populate RegistrationAuthority values from entities.
     -->
-    <bean id="populateRegistrationAuthorities" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityPopulationStage"/>
+    <bean id="populateRegistrationAuthorities" parent="mda.RegistrationAuthorityPopulationStage"/>
     
     <!--
         default_regauth_parent
@@ -816,7 +673,7 @@
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
-    <bean id="default_regauth_parent" abstract="true" parent="XSLTransformationStage"
+    <bean id="default_regauth_parent" abstract="true" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:default_regauth.xsl"/>
     
 
@@ -838,7 +695,7 @@
     <bean id="mdui-Keywords"        parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
     <bean id="mdui-Logo"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
 
-    <bean id="stripMDUIDiscoHints" parent="ElementStrippingStage"
+    <bean id="stripMDUIDiscoHints" parent="mda.ElementStrippingStage"
         p:elementName="DiscoHints"
         p:elementNamespace-ref="mdui_namespace"/>
     
@@ -847,7 +704,7 @@
         
         Remove all MDUI metadata from attribute authority roles.
     -->
-    <bean id="stripAAMDUI" parent="XSLTransformationStage"
+    <bean id="stripAAMDUI" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-aa-mdui.xsl"/>
     
     <!--
@@ -855,7 +712,7 @@
         
         Remove all mdui:Logo elements containing data: URLs.
     -->
-    <bean id="stripMDUILogoData" parent="XSLTransformationStage"
+    <bean id="stripMDUILogoData" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-data.xsl"/>
 
     <!--
@@ -863,7 +720,7 @@
         
         Remove any mdui:Logo elements containing http:// URLs.
     -->
-    <bean id="stripMDUILogoHttp" parent="XSLTransformationStage"
+    <bean id="stripMDUILogoHttp" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-http.xsl"/>
     
     <!--
@@ -871,7 +728,7 @@
         
         Remove any empty mdui:UIInfo container elements.
     -->
-    <bean id="stripEmptyMDUIUIInfo" parent="EmptyContainerStrippingStage">
+    <bean id="stripEmptyMDUIUIInfo" parent="mda.EmptyContainerStrippingStage">
         <property name="elementNamespace" ref="mdui_namespace"/>
         <property name="elementName" value="UIInfo"/>
     </bean>
@@ -886,7 +743,7 @@
     
     <bean id="shibmd-Scope" parent="QName" c:_0-ref="shibmd_namespace" c:_1="Scope"/>
 
-    <bean id="stripShibScope" parent="ElementStrippingStage"
+    <bean id="stripShibScope" parent="mda.ElementStrippingStage"
         p:elementName="Scope"
         p:elementNamespace-ref="shibmd_namespace"/>
     
@@ -905,7 +762,7 @@
         
         Remove all ds:KeyName elements.
     -->
-    <bean id="stripKeyNames" parent="ElementStrippingStage"
+    <bean id="stripKeyNames" parent="mda.ElementStrippingStage"
         p:elementName="KeyName"
         p:elementNamespace-ref="ds_namespace"/>
     
@@ -1081,8 +938,7 @@
         
         A pipeline stage that checks against all the common schemas, as above.
     -->
-    <bean id="checkSchemas" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.XMLSchemaValidationStage">
+    <bean id="checkSchemas" parent="mda.XMLSchemaValidationStage">
         <property name="schemaResources" ref="schemaResources"/>
     </bean>
 
@@ -1092,7 +948,7 @@
         A pipeline stage that removes all XML comments from items.
     -->
     
-    <bean id="stripComments" parent="XSLTransformationStage"
+    <bean id="stripComments" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-comments.xsl"/>
     
     <!--
@@ -1106,12 +962,12 @@
     <!--
         Standard serializer.
     -->
-    <bean id="serializer" class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
+    <bean id="serializer" parent="mda.DOMElementSerializer"/>
     
     <!--
         Merge strategy that removes duplicates.
     -->
-    <bean id="deduplicateMergeStrategy" class="net.shibboleth.metadata.DeduplicatingItemIdMergeStrategy"/>
+    <bean id="deduplicateMergeStrategy" parent="mda.DeduplicatingItemIdMergeStrategy"/>
     
 
 
@@ -1130,7 +986,7 @@
         presented, for example by removing redundant attributes or elements which only have
         meaning when added by the UK federation registrar.
     -->
-    <bean id="cleanImport" parent="XSLTransformationStage"
+    <bean id="cleanImport" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:clean-import.xsl"/>
     
     <!--
@@ -1141,7 +997,7 @@
         but repairing the metadata on the fly is often easier than
         asking for it to be corrected at source.
     -->
-    <bean id="trimImportElementWhitespace" parent="ElementWhitespaceTrimmingStage">
+    <bean id="trimImportElementWhitespace" parent="mda.ElementWhitespaceTrimmingStage">
         <property name="elementNames">
             <set>
                 <ref bean="md-EmailAddress"/>
@@ -1165,7 +1021,7 @@
         errors.  No announcement or removal of those entities is performed here;
         that is left to the caller.
     -->
-    <bean id="standardImportActions" parent="CompositeStage">
+    <bean id="standardImportActions" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="populateItemIds"/>
@@ -1175,7 +1031,7 @@
                     Strip all elements and attributes that are in namespaces
                     other than the ones we accept from partners.
                 -->
-                <bean id="whitelistImportedNamespaces" parent="NamespacesStrippingStage"
+                <bean id="whitelistImportedNamespaces" parent="mda.NamespacesStrippingStage"
                     p:whitelisting="true">
                     <property name="namespaces">
                         <set>
@@ -1209,14 +1065,14 @@
                 <ref bean="check_shib_regscope"/>
                 <ref bean="check_namespaces"/>
 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
+                            <bean parent="mda.X509RSAExponentValidator"/>
                             
                             <!--
                                 Debian weak key blacklists.
@@ -1247,7 +1103,7 @@
         are currently ending up in files, build an EntitiesDescriptor and normalise the
         namespaces in the document ready for serialisation.
     -->
-    <bean id="standardImportTail" parent="CompositeStage">
+    <bean id="standardImportTail" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!-- announce and remove any entities with errors -->
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
index 2922f2fc..3d8e2f4d 100644
--- a/mdx/int_cobweb/beans.xml
+++ b/mdx/int_cobweb/beans.xml
@@ -47,7 +47,7 @@
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="int_cobweb_productionEntities" parent="CompositeStage">
+    <bean id="int_cobweb_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_cobweb_productionAggregate"/>
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
index dde7a217..2cadfed2 100644
--- a/mdx/int_cobweb/verbs.xml
+++ b/mdx/int_cobweb/verbs.xml
@@ -30,7 +30,7 @@
         </property>
     </bean>
     
-    <bean id="importProduction" parent="SimplePipeline">
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionEntities"/>
@@ -41,7 +41,7 @@
         </property>
     </bean>
     
-    <bean id="verifyProduction" parent="SimplePipeline">
+    <bean id="verifyProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionEntities"/>
@@ -51,7 +51,7 @@
         </property>
     </bean>
     
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_cobweb_productionAggregate"/>
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 05b7c9b3..976fef1d 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -70,14 +70,14 @@
     <!--
         Remove blacklisted entities.
     -->
-    <bean id="int_edugain_removeBlacklistedEntities" parent="EntityFilterStage"
+    <bean id="int_edugain_removeBlacklistedEntities" parent="mda.EntityFilterStage"
         p:whitelistingEntities="false"
         p:designatedEntities-ref="int_edugain_entity_blacklist"/>
 
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="int_edugain_productionEntities" parent="CompositeStage">
+    <bean id="int_edugain_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_edugain_productionAggregate"/>
@@ -107,7 +107,7 @@
     <!--
         Fetch the test entities as a collection.
     -->
-    <bean id="int_edugain_testEntities" parent="CompositeStage">
+    <bean id="int_edugain_testEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="int_edugain_testAggregate"/>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index e6cd01ce..36d62cd6 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -30,7 +30,7 @@
         </property>
     </bean>
     
-    <bean id="importProduction" parent="SimplePipeline">
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
@@ -41,7 +41,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionAggregate"/>
@@ -50,7 +50,7 @@
         </property>
     </bean>
     
-    <bean id="importTest" parent="SimplePipeline">
+    <bean id="importTest" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_testEntities"/>
@@ -69,11 +69,11 @@
         blacklist are ignored, so that we only need to deal with each entity
         entering an error state once.
     -->
-    <bean id="verify" parent="SimplePipeline">
+    <bean id="verify" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                <bean id="removeBlacklistedEntities" parent="EntityFilterStage"
+                <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
 
@@ -88,11 +88,11 @@
         
         Live verify, but adding "new" checks that we don't impose on the live import.
     -->
-    <bean id="verify.new" parent="SimplePipeline">
+    <bean id="verify.new" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                <bean id="removeBlacklistedEntities" parent="EntityFilterStage"
+                <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
                 
@@ -108,7 +108,7 @@
         Looks for eduGAIN entities which *were* in an error state, as shown by
         their inclusion in our verification blacklist, but have now recovered.
     -->
-    <bean id="verify.recovered" parent="SimplePipeline">
+    <bean id="verify.recovered" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
@@ -118,12 +118,12 @@
                 <ref bean="errorRemover"/>
                 
                 <!-- remove all entities *other* than the ones in the blacklist -->
-                <bean id="removeAllButBlacklistedEntities" parent="EntityFilterStage"
+                <bean id="removeAllButBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="true"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
                 
                 <!-- flag up any remaining entities -->
-                <bean id="check_recovered" parent="XSLValidationStage"
+                <bean id="check_recovered" parent="mda.XSLValidationStage"
                     p:XSLResource="classpath:int_edugain/check_recovered.xsl"/>
 
                 <ref bean="errorTerminatingFilter"/>
@@ -140,7 +140,7 @@
         Output also includes any warnings attached to entities, although
         these do not result in an error termination.
     -->
-    <bean id="verify.all" parent="SimplePipeline">
+    <bean id="verify.all" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
diff --git a/mdx/mda-beans.xml b/mdx/mda-beans.xml
new file mode 100644
index 00000000..ea592084
--- /dev/null
+++ b/mdx/mda-beans.xml
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Bean definitions for simplified access to components in the
+        Shibboleth Metadata Aggregator's aggregator-pipeline artifact.
+
+        All defined bean names are prefixed with "mda.".
+    -->
+
+    <!--
+        Parent for anything based on the Shibboleth component system.
+        These all require initialization before use.
+    -->
+    <bean id="mda.component_parent" abstract="true"
+        init-method="initialize" destroy-method="destroy"/>
+
+    <!--
+        Parent for all stages.
+    -->
+    <bean id="mda.stage_parent" abstract="true" parent="mda.component_parent"/>
+
+    <!--
+        net.shibboleth.metadata
+    -->
+
+    <bean id="mda.DeduplicatingItemIdMergeStrategy" abstract="true"
+        class="net.shibboleth.metadata.DeduplicatingItemIdMergeStrategy"/>
+
+    <bean id="mda.FirstItemIdItemIdentificationStrategy" abstract="true"
+        class="net.shibboleth.metadata.FirstItemIdItemIdentificationStrategy"/>
+
+    <bean id="mda.SimpleCollectionMergeStrategy" abstract="true"
+        class="net.shibboleth.metadata.SimpleCollectionMergeStrategy"/>
+
+    <bean id="mda.SimpleItemCollectionSerializer" abstract="true"
+        class="net.shibboleth.metadata.SimpleItemCollectionSerializer"/>
+
+    <!--
+        net.shibboleth.metadata.dom
+    -->
+
+    <bean id="mda.CRDetectionStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.CRDetectionStage"/>
+
+    <bean id="mda.DOMElementSerializer" abstract="true"
+        class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
+
+    <bean id="mda.DOMFilesystemSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage"/>
+
+    <bean id="mda.DOMResourceSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.DOMResourceSourceStage"/>
+
+    <bean id="mda.ElementStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ElementStrippingStage"/>
+
+    <bean id="mda.ElementWhitespaceTrimmingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ElementWhitespaceTrimmingStage"/>
+
+    <bean id="mda.EmptyContainerStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.EmptyContainerStrippingStage"/>
+
+    <bean id="mda.MultiOutputXSLTransformationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.MultiOutputXSLTransformationStage"/>
+
+    <bean id="mda.NamespacesStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.NamespacesStrippingStage"/>
+
+    <bean id="mda.NamespaceStrippingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.NamespaceStrippingStage"/>
+
+    <bean id="mda.XMLSchemaValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSchemaValidationStage"/>
+
+    <bean id="mda.XMLSignatureSigningStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSignatureSigningStage"/>
+
+    <bean id="mda.XMLSignatureValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XMLSignatureValidationStage"/>
+
+    <bean id="mda.XPathFilteringStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XPathFilteringStage"/>
+
+    <bean id="mda.XPathItemSelectionStrategy" abstract="true"
+        class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy"/>
+
+    <bean id="mda.XSLTransformationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XSLTransformationStage"/>
+
+    <bean id="mda.XSLValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.XSLValidationStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.ds
+    -->
+
+    <bean id="mda.X509ValidationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.ds.X509ValidationStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml
+    -->
+
+    <bean id="mda.ContactPersonFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage"/>
+
+    <bean id="mda.EntitiesDescriptorAssemblerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage"/>
+
+    <bean id="mda.EntitiesDescriptorDisassemblerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorDisassemblerStage"/>
+
+    <bean id="mda.EntityDescriptorItemIdPopulationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityDescriptorItemIdPopulationStage"/>
+
+    <bean id="mda.EntityFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"/>
+
+    <bean id="mda.EntityRoleFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.EntityRoleFilterStage"/>
+
+    <bean id="mda.GenerateIdStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.GenerateIdStage"/>
+
+    <bean id="mda.PullUpCacheDurationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.PullUpCacheDurationStage"/>
+
+    <bean id="mda.PullUpValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.PullUpValidUntilStage"/>
+
+    <bean id="mda.RemoveOrganizationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.RemoveOrganizationStage"/>
+
+    <bean id="mda.SetCacheDurationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.SetCacheDurationStage"/>
+
+    <bean id="mda.SetValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.SetValidUntilStage"/>
+
+    <bean id="mda.ValidateValidUntilStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml.mdattr
+    -->
+
+    <bean id="mda.EntityAttributeFilteringStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityAttributeFilteringStage"/>
+
+    <bean id="mda.EntityCategoryMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategoryMatcher"/>
+
+    <bean id="mda.EntityCategorySupportMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.EntityCategorySupportMatcher"/>
+
+    <bean id="mda.MultiPredicateMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.MultiPredicateMatcher"/>
+
+    <bean id="mda.RegistrationAuthorityMatcher" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdattr.RegistrationAuthorityMatcher"/>
+
+    <!--
+        net.shibboleth.metadata.dom.saml.mdrpi
+    -->
+
+    <bean id="mda.EntityRegistrationAuthorityFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.EntityRegistrationAuthorityFilterStage"/>
+
+    <bean id="mda.RegistrationAuthorityItemIdentificationStrategy" abstract="true"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityItemIdentificationStrategy"/>
+
+    <bean id="mda.RegistrationAuthorityPopulationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.dom.saml.mdrpi.RegistrationAuthorityPopulationStage"/>
+
+    <!--
+        net.shibboleth.metadata.pipeline
+    -->
+
+    <bean id="mda.AtLeastCollectionPredicate" abstract="true"
+        class="net.shibboleth.metadata.pipeline.AtLeastCollectionPredicate"/>
+
+    <bean id="mda.CompositeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.CompositeStage"/>
+
+    <bean id="mda.FilesInDirectoryMultiOutputStrategy" abstract="true" parent="mda.component_parent"
+        class="net.shibboleth.metadata.pipeline.FilesInDirectoryMultiOutputStrategy"/>
+
+    <bean id="mda.ItemIdTransformStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemIdTransformStage"/>
+
+    <bean id="mda.ItemMetadataAddingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataAddingStage"/>
+
+    <bean id="mda.ItemMetadataFilterStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataFilterStage"/>
+
+    <bean id="mda.ItemMetadataTerminationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ItemMetadataTerminationStage"/>
+
+    <bean id="mda.MDQueryMD5ItemIdTransformer" abstract="true"
+        class="net.shibboleth.metadata.pipeline.MDQueryMD5ItemIdTransformer"/>
+
+    <bean id="mda.MDQuerySHA1ItemIdTransformer" abstract="true"
+        class="net.shibboleth.metadata.pipeline.MDQuerySHA1ItemIdTransformer"/>
+
+    <bean id="mda.MultiOutputSerializationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.MultiOutputSerializationStage"/>
+
+    <bean id="mda.PipelineDemultiplexerStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.PipelineDemultiplexerStage"/>
+
+    <bean id="mda.PipelineMergeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.PipelineMergeStage"/>
+
+    <bean id="mda.ScriptletStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.ScriptletStage"/>
+
+    <bean id="mda.SerializationStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.SerializationStage"/>
+
+    <bean id="mda.SimplePipeline" abstract="true" parent="mda.component_parent"
+        class="net.shibboleth.metadata.pipeline.SimplePipeline"/>
+
+    <bean id="mda.SplitMergeStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.SplitMergeStage"/>
+
+    <bean id="mda.StaticItemSourceStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.StaticItemSourceStage"/>
+
+    <bean id="mda.StatusMetadataLoggingStage" abstract="true" parent="mda.stage_parent"
+        class="net.shibboleth.metadata.pipeline.StatusMetadataLoggingStage"/>
+
+    <!--
+        net.shibboleth.metadata.util
+    -->
+
+    <bean id="mda.PathSegmentStringTransformer" abstract="true"
+        class="net.shibboleth.metadata.util.PathSegmentStringTransformer"/>
+
+    <bean id="mda.SHA1StringTransformer" abstract="true"
+        class="net.shibboleth.metadata.util.SHA1StringTransformer"/>
+
+    <!--
+        net.shibboleth.metadata.validate
+    -->
+
+    <bean id="mda.validator_parent" abstract="true" parent="mda.component_parent"/>
+
+    <!--
+        net.shibboleth.metadata.validate.x509
+    -->
+
+    <bean id="mda.X509RSAExponentValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAExponentValidator"/>
+
+    <bean id="mda.X509RSAKeyLengthValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAKeyLengthValidator"/>
+
+    <bean id="mda.X509RSAOpenSSLBlacklistValidator" abstract="true" parent="mda.validator_parent"
+        class="net.shibboleth.metadata.validate.x509.X509RSAOpenSSLBlacklistValidator"/>
+
+</beans>
diff --git a/mdx/test/beans.xml b/mdx/test/beans.xml
index 2795c95b..93c69d81 100644
--- a/mdx/test/beans.xml
+++ b/mdx/test/beans.xml
@@ -21,7 +21,7 @@
     <!--
         Fetch and process the entities as a collection.
     -->
-    <bean id="test_entities" parent="CompositeStage">
+    <bean id="test_entities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="test_aggregate"/>
diff --git a/mdx/test/verbs.xml b/mdx/test/verbs.xml
index f5f692df..6f332c87 100644
--- a/mdx/test/verbs.xml
+++ b/mdx/test/verbs.xml
@@ -30,7 +30,7 @@
         </property>
     </bean>
     
-    <bean id="import" parent="SimplePipeline">
+    <bean id="import" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="test_entities"/>
@@ -41,7 +41,7 @@
         </property>
     </bean>
 
-    <bean id="importRaw" parent="SimplePipeline">
+    <bean id="importRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="test_aggregate"/>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index e0f9e151..1ff7171b 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -87,8 +87,7 @@
         yet expired.  Sets a bound of 30 days on the validity interval; 14 days is the
         expected value.
     -->
-    <bean id="uk_check_validUntil" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage">
+    <bean id="uk_check_validUntil" parent="mda.ValidateValidUntilStage">
         <!--
             The validUntil attribute must be present.
         -->
@@ -108,8 +107,7 @@
         Each fragment file contains a single EntityDescriptor.  The name of each
         eligible file matches a particular regular expression.
     -->
-    <bean id="uk_fetchFragmentFiles" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.DOMFilesystemSourceStage">
+    <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="source">
             <bean class="java.io.File">
@@ -165,7 +163,7 @@
         
         Adds "mailto:" to md:EmailAddress elements which don't already have it.
     -->
-    <bean id="uk_fix_mailto" parent="XSLTransformationStage"
+    <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fix_mailto.xsl"/>
     
     
@@ -174,7 +172,7 @@
         
         Checks specific to the UK registrar function.
     -->
-    <bean id="check_ukreg" parent="XSLValidationStage"
+    <bean id="check_ukreg" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_ukreg.xsl"/>
     
     <!--
@@ -189,28 +187,28 @@
     <!--
         check_uk_keydesc_key
     -->
-    <bean id="check_uk_keydesc_key" parent="XSLValidationStage"
+    <bean id="check_uk_keydesc_key" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_keydesc_key.xsl"/>
 
 
     <!--
         check_uk_mdattr
     -->
-    <bean id="check_uk_mdattr" parent="XSLValidationStage"
+    <bean id="check_uk_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdattr.xsl"/>
     
     
     <!--
         check_uk_mdrps
     -->
-    <bean id="check_uk_mdrps" parent="XSLValidationStage"
+    <bean id="check_uk_mdrps" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdrps.xsl"/>
     
     
     <!--
         check_uk_urlenc
     -->
-    <bean id="check_uk_urlenc" parent="XSLValidationStage"
+    <bean id="check_uk_urlenc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_urlenc.xsl"/>
     
 
@@ -219,7 +217,7 @@
         
         This stage performs any standard cleanup required for UK federation fragment files.
     -->
-    <bean id="uk_processFragment" parent="XSLTransformationStage"
+    <bean id="uk_processFragment" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fragment.xsl"/>
     
     
@@ -228,8 +226,7 @@
         
         Remove any md:ContactPerson elements with contactType of "administrative".
     -->
-    <bean id="uk_stripAdminContacts" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage">
+    <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage">
         <property name="designatedTypes">
             <list>
                 <value>administrative</value>
@@ -251,8 +248,7 @@
         
         Name attribute is set to the federation URI.  UK ordering is applied.
     -->
-    <bean id="uk_assemble" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage">
+    <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
         <property name="descriptorName" ref="uk_federation_uri"/>
         <property name="itemOrderingStrategy">
             <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
@@ -265,8 +261,7 @@
         
         Name attribute is not set.  UK ordering is applied.
     -->
-    <bean id="uk_assembleUnnamed" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntitiesDescriptorAssemblerStage">
+    <bean id="uk_assembleUnnamed" parent="mda.EntitiesDescriptorAssemblerStage">
         <property name="itemOrderingStrategy">
             <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
         </property>
@@ -276,7 +271,7 @@
     <!--
         Fetch and process the registered entities as a collection.
     -->
-    <bean id="uk_registeredEntities" parent="CompositeStage">
+    <bean id="uk_registeredEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="uk_fetchFragmentFiles"/>
@@ -286,7 +281,7 @@
                     Make all three potential scope lists equivalent (on the entity, on
                     the IDPSSODescriptor and on the AttributeAuthority).
                 -->
-                <bean id="scopes_copy" parent="XSLTransformationStage"
+                <bean id="scopes_copy" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/scopes_copy.xsl"/>
 
                 <!--
@@ -305,17 +300,17 @@
                     Add REFEDS Hide from Discovery category as a standardised
                     equivalent to our HideFromWAYF element.
                 -->
-                <bean id="uk_addHideFromDiscovery" parent="SplitMergeStage">
+                <bean id="uk_addHideFromDiscovery" parent="mda.SplitMergeStage">
                     <!-- select entities with HideFromWayf label -->
                     <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
+                        <bean parent="mda.XPathItemSelectionStrategy">
                             <constructor-arg value="/md:EntityDescriptor[md:Extensions/wayf:HideFromWAYF]"/>
                             <constructor-arg ref="commonNamespaces"/>
                         </bean>
                     </property>
                     
                     <property name="selectedItemPipeline">
-                        <bean id="selectedItemPipeline" parent="SimplePipeline">
+                        <bean id="selectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <bean id="addHideFromDiscovery" parent="EntityAttributeAddingStage"
                                     p:attributeValue="http://refeds.org/category/hide-from-discovery"
@@ -328,7 +323,7 @@
                 
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
-                <bean id="check_ukfedlabel" parent="XSLValidationStage"
+                <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
                     p:XSLResource="classpath:uk/check_ukfedlabel.xsl"/>
                 <ref bean="check_ukreg"/>
                 <ref bean="check_owner"/>
@@ -340,14 +335,14 @@
                 <ref bean="mdui_dn_en_match"/>
                 <ref bean="check_dup_display"/>
                 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
+                            <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
                             <bean parent="X509ConsistentNameValidator"/>
                             
@@ -381,7 +376,7 @@
         
         Strip those UK federation extensions which we never publish.
     -->
-    <bean id="uk_stripExtensions" parent="XSLTransformationStage"
+    <bean id="uk_stripExtensions" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/strip_extensions.xsl"/>
     
 
@@ -400,7 +395,7 @@
         used in an XML document.  This one is UK-specific, as it makes specific choices
         in order to limit the number of prefixes used.
     -->
-    <bean id="uk_normaliseNamespaces" parent="XSLTransformationStage"
+    <bean id="uk_normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_uk.xsl"/>
     
     <!--
@@ -466,7 +461,7 @@
         
         Input is an aggregate of all registered entities, output is the HTML statistics.
     -->
-    <bean id="uk_generateStatistics" parent="XSLTransformationStage"
+    <bean id="uk_generateStatistics" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/statistics.xsl">
         <property name="transformParameters">
             <map>
@@ -483,7 +478,7 @@
         resulting HTML output is written into the appropriate file in the production
         XML directory.
     -->
-    <bean id="uk_statisticsPipeline" parent="SimplePipeline">
+    <bean id="uk_statisticsPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="assemble"/>
@@ -504,7 +499,7 @@
     <!--
         Fetch the export entities as a collection.
     -->
-    <bean id="uk_exportedEntities" parent="CompositeStage">
+    <bean id="uk_exportedEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="uk_exportAggregate"/>
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index fa987eb6..e36eb0f3 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -30,7 +30,7 @@
         </property>
     </bean>
 
-    <bean id="collect" parent="SimplePipeline">
+    <bean id="collect" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 1d5af74d..b20d2305 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -43,7 +43,7 @@
         Remove entity-level Scope elements, leaving only the ones associated
         with role descriptors.    
     -->
-    <bean id="stripEntityScopes" parent="XSLTransformationStage"
+    <bean id="stripEntityScopes" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/entity_scopes.xsl"/>
     
     <!--
@@ -52,7 +52,7 @@
         Template for a stage used in each output pipeline which performs
         final tweaks on the document.
     -->
-    <bean id="finalise_parent" abstract="true" parent="XSLTransformationStage"
+    <bean id="finalise_parent" abstract="true" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/final_tweak.xsl">
         <property name="transformParameters">
             <map>
@@ -69,7 +69,7 @@
         export flows, for which we desire the closest possible correspondence to
         the registered metadata.
     -->
-    <bean id="checkPublishable" parent="CompositeStage">
+    <bean id="checkPublishable" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="checkSchemas"/>
@@ -92,7 +92,7 @@
     <!--
         Entity attribute matcher for the SIRTFI assurance certification.
     -->
-    <bean id="SIRTFI.entity.attribute.matcher" parent="MultiPredicateMatcher">
+    <bean id="SIRTFI.entity.attribute.matcher" parent="mda.MultiPredicateMatcher">
         <property name="nameFormatPredicate">
             <bean class="com.google.common.base.Predicates"
                 factory-method="equalTo"
@@ -116,24 +116,24 @@
     <!--
         Remove the REFEDS metadata namespace.
     -->
-    <bean id="strip.remd.namespace" parent="NamespaceStrippingStage"
+    <bean id="strip.remd.namespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="remd_namespace"/>
 
     <!--
         Strip SIRTFI information.
     -->
-    <bean id="strip.SIRTFI" parent="CompositeStage">
+    <bean id="strip.SIRTFI" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!-- remove REFEDS contacts associated with SIRTFI -->
-                <bean id="strip.SIRTFI.contacts" parent="XSLTransformationStage"
+                <bean id="strip.SIRTFI.contacts" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/strip_sirtfi_contacts.xsl"/>
 
                 <!-- remove the REFEDS metadata namespace -->
                 <ref bean="strip.remd.namespace"/>
 
                 <!-- remove the SIRTFI entity attribute -->
-                <bean id="entityAttributes" parent="EntityAttributeFilteringStage"
+                <bean id="entityAttributes" parent="mda.EntityAttributeFilteringStage"
                     p:whitelisting="false">
                     <property name="rules">
                         <list>
@@ -161,7 +161,7 @@
         from another registrar or metadata exchange as they may be
         old versions of entities we have deregistered, or spoofed.
     -->
-    <bean id="removeUKEntities" parent="EntityRegistrationAuthorityFilterStage">
+    <bean id="removeUKEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
         <property name="designatedRegistrationAuthorities">
             <list>
                 <ref bean="uk_ukf_registrar"/>
@@ -176,8 +176,7 @@
         
         Filter out entities which are included in our global import blacklist.
     -->
-    <bean id="removeBlacklistedEntities" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+    <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
         p:whitelistingEntities="false"
         p:designatedEntities-ref="importEntityBlacklist"/>
 
@@ -186,7 +185,7 @@
         
         Common actions to be performed on each import pipeline.
     -->
-    <bean id="importCommonTail" parent="CompositeStage">
+    <bean id="importCommonTail" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="removeUKEntities"/>
@@ -204,22 +203,22 @@
         </property>
     </bean>
 
-    <bean id="entityAttributes.blacklist" parent="EntityAttributeFilteringStage">
+    <bean id="entityAttributes.blacklist" parent="mda.EntityAttributeFilteringStage">
         <property name="whitelisting" value="false"/>
         <property name="rules">
             <list>
                 <!-- Deny "InCommon registration" attribute (duplicates mdrpi:registrationAuthority) -->
-                <bean parent="EntityCategoryMatcher"
+                <bean parent="mda.EntityCategoryMatcher"
                     c:category="http://id.incommon.org/category/registered-by-incommon"/>
 
                 <!-- Deny InCommon "supports InCommon R+S" attribute (duplicates REFEDS variant) -->
-                <bean parent="EntityCategorySupportMatcher"
+                <bean parent="mda.EntityCategorySupportMatcher"
                     c:category="http://id.incommon.org/category/research-and-scholarship"/>
             </list>
         </property>
     </bean>
 
-    <bean id="uk_int_edugain_importPipeline" parent="SimplePipeline">
+    <bean id="uk_int_edugain_importPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
@@ -259,7 +258,7 @@
         </property>
     </bean>
 
-    <bean id="uk_productionPipeline" parent="SimplePipeline">
+    <bean id="uk_productionPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -296,7 +295,7 @@
     	   * identity providers, and
     	   * members of the "hide from discovery" entity category.
     -->
-    <bean id="uk_wayfSelector" parent="XPathItemSelectionStrategy">
+    <bean id="uk_wayfSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:IDPSSODescriptor and
             md:Extensions[mdattr:EntityAttributes/saml:Attribute
                 [@Name = 'http://macedir.org/entity-category']
@@ -314,7 +313,7 @@
         </property>
     </bean>
     
-    <bean id="uk_wayfPipeline" parent="SimplePipeline">
+    <bean id="uk_wayfPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -365,7 +364,7 @@
         normal metadata in order to do its job.  This stage
         removes everything it does not need.
     -->
-    <bean id="CDSStripUnwanted" parent="CompositeStage">
+    <bean id="CDSStripUnwanted" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="stripComments"/>
@@ -404,7 +403,7 @@
         </property>
     </bean>
     
-    <bean id="CDSNormaliseNamespaces" parent="XSLTransformationStage"
+    <bean id="CDSNormaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_cds.xsl"/>
 
     <!--
@@ -419,7 +418,7 @@
         Entities in the CDSALL aggregate are restricted to those entities registered by the
         UK federation plus all identity providers from whatever source.
     -->
-    <bean id="CDSAllSelector" parent="XPathItemSelectionStrategy">
+    <bean id="CDSAllSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[md:IDPSSODescriptor or
             md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority = 'http://ukfederation.org.uk']"/>
         <constructor-arg ref="commonNamespaces"/>
@@ -433,7 +432,7 @@
         </property>
     </bean>
     
-    <bean id="CDSAllPipeline" parent="SimplePipeline">
+    <bean id="CDSAllPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -484,7 +483,7 @@
         </property>
     </bean>
     
-    <bean id="uk_normaliseFallback" parent="XSLTransformationStage"
+    <bean id="uk_normaliseFallback" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_back.xsl"/>
     
     <bean id="serializeUnsignedFallbackAggregate" parent="SerializationStage">
@@ -495,7 +494,7 @@
         </property>
     </bean>
     
-    <bean id="uk_fallbackPipeline" parent="SimplePipeline">
+    <bean id="uk_fallbackPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -536,7 +535,7 @@
         </property>
     </bean>
     
-    <bean id="uk_normaliseTest" parent="XSLTransformationStage"
+    <bean id="uk_normaliseTest" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_test.xsl"/>
     
     <bean id="serializeUnsignedTestAggregate" parent="SerializationStage">
@@ -547,7 +546,7 @@
         </property>
     </bean>
     
-    <bean id="uk_testPipeline" parent="CompositeStage">
+    <bean id="uk_testPipeline" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <!--
@@ -587,7 +586,7 @@
         </property>
     </bean>
     
-    <bean id="uk_exportSelector" parent="XPathItemSelectionStrategy">
+    <bean id="uk_exportSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
@@ -600,7 +599,7 @@
         </property>
     </bean>
     
-    <bean id="uk_exportPipeline" parent="SimplePipeline">
+    <bean id="uk_exportPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -612,11 +611,11 @@
                     have the ExportOptIn label: in other words, a rule in this section
                     can always be overridden by an explicit ExportOptIn.
                 -->
-                <bean id="exclusion" parent="SplitMergeStage">
+                <bean id="exclusion" parent="mda.SplitMergeStage">
                     
                     <!-- select entities with ExportOptIn label -->
                     <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
+                        <bean parent="mda.XPathItemSelectionStrategy">
                             <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
                             <constructor-arg ref="commonNamespaces"/>
                         </bean>
@@ -627,7 +626,7 @@
                         matching specific rules.
                     -->
                     <property name="nonselectedItemPipeline">
-                        <bean id="nonSelectedItemPipeline" parent="SimplePipeline">
+                        <bean id="nonSelectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <list>
                                     
@@ -650,7 +649,7 @@
                                     <bean id="syntheticScopes" parent="XPathFilteringStage"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
-                                    <bean id="GlowScotland" parent="EntityFilterStage">
+                                    <bean id="GlowScotland" parent="mda.EntityFilterStage">
                                         <property name="designatedEntities">
                                             <set>
                                                 <value>https://idp.glowscotland.org.uk/shibboleth</value>
@@ -680,7 +679,7 @@
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
 
-                <bean id="uk_normaliseExport" parent="XSLTransformationStage"
+                <bean id="uk_normaliseExport" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export.xsl"/>
 
                 <!--
@@ -707,12 +706,12 @@
         ***********************************************************
     -->
     
-    <bean id="uk_exportPreviewSelector" parent="XPathItemSelectionStrategy">
+    <bean id="uk_exportPreviewSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
-    <bean id="uk_exportPreviewPipeline" parent="SimplePipeline">
+    <bean id="uk_exportPreviewPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -724,11 +723,11 @@
                     have the ExportOptIn label: in other words, a rule in this section
                     can always be overridden by an explicit ExportOptIn.
                 -->
-                <bean id="exclusion" parent="SplitMergeStage">
+                <bean id="exclusion" parent="mda.SplitMergeStage">
 
                     <!-- select entities with ExportOptIn label -->
                     <property name="selectionStrategy">
-                        <bean parent="XPathItemSelectionStrategy">
+                        <bean parent="mda.XPathItemSelectionStrategy">
                             <constructor-arg value="/md:EntityDescriptor[md:Extensions/ukfedlabel:ExportOptIn]"/>
                             <constructor-arg ref="commonNamespaces"/>
                         </bean>
@@ -739,7 +738,7 @@
                         matching specific rules.
                     -->
                     <property name="nonselectedItemPipeline">
-                        <bean id="nonSelectedItemPipeline" parent="SimplePipeline">
+                        <bean id="nonSelectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <list>
 
@@ -762,7 +761,7 @@
                                     <bean id="syntheticScopes" parent="XPathFilteringStage"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
-                                    <bean id="GlowScotland" parent="EntityFilterStage">
+                                    <bean id="GlowScotland" parent="mda.EntityFilterStage">
                                         <property name="designatedEntities">
                                             <set>
                                                 <value>https://idp.glowscotland.org.uk/shibboleth</value>
@@ -792,7 +791,7 @@
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
 
-                <bean id="uk_normaliseExportPreview" parent="XSLTransformationStage"
+                <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export_preview.xsl"/>
 
                 <!--
@@ -827,7 +826,7 @@
         *************************************
     -->
     
-    <bean id="generate" parent="SimplePipeline">
+    <bean id="generate" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 443f09a8..1643d6a6 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -38,7 +38,7 @@
     <!--
         Generate per-entity metadata.
     -->
-    <bean id="mdq-multisign" parent="SimplePipeline">
+    <bean id="mdq-multisign" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -57,16 +57,16 @@
                 <ref bean="populateItemIds"/>
 
                 <!-- Set ID, cacheDuration and validUntil attributes. -->
-                <bean parent="GenerateIdStage"/>
-                <bean parent="SetCacheDurationStage" p:cacheDuration="PT6H"/>
-                <bean parent="SetValidUntilStage" p:validityDuration="P14D"/>
+                <bean parent="mda.GenerateIdStage"/>
+                <bean parent="mda.SetCacheDurationStage" p:cacheDuration="PT6H"/>
+                <bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
 
                 <!-- Identity transform fixes signing issues. -->
-                <bean parent="XSLTransformationStage"
+                <bean parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:identity.xsl"/>
 
                 <!-- Sign each item. -->
-                <bean id="perform.signature" parent="XMLSignatureSigningStage">
+                <bean id="perform.signature" parent="mda.XMLSignatureSigningStage">
                     <property name="privateKey">
                         <bean parent="PKCS11PrivateKeyFactoryBean"
                             p:pkcs11Config="${sign.pkcs11Config}"
@@ -79,12 +79,12 @@
                 <!-- Write individual entity documents to files. -->
                 <bean id="write.perentity" parent="MultiOutputSerializationStage">
                     <property name="outputStrategy">
-                        <bean parent="FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
+                        <bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
                             <property name="directory">
                                 <bean class="java.io.File" c:_="${mdq.output}"/>
                             </property>
                             <property name="nameTransformer">
-                                <bean parent="PathSegmentStringTransformer"/>
+                                <bean parent="mda.PathSegmentStringTransformer"/>
                             </property>
                         </bean>
                     </property>
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 7941a6ad..51b93a15 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -35,7 +35,7 @@
         
         Stand-alone statistics generation.
     -->
-    <bean id="statistics" parent="SimplePipeline">
+    <bean id="statistics" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
@@ -51,12 +51,12 @@
         
         Stand-along statistics generation for charting.
     -->
-    <bean id="statistics.charting" parent="SimplePipeline">
+    <bean id="statistics.charting" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
                 <ref bean="assemble"/>
-                <bean parent="XSLTransformationStage"
+                <bean parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/statistics-charting.xsl">
                     <property name="transformParameters">
                         <map>
@@ -81,12 +81,12 @@
         Generates a page of links to discovery services, for each SP that
         has mdui:uiinfo metadata.
     -->
-    <bean id="sp_mdui_test" parent="SimplePipeline">
+    <bean id="sp_mdui_test" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
                 <ref bean="assemble"/>
-                <bean id="process" parent="XSLTransformationStage"
+                <bean id="process" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/sp_mdui_test.xsl"/>
                 <bean id="serialize" parent="SerializationStage">
                     <property name="outputFile">
@@ -107,7 +107,7 @@
         ***********************
     -->
     
-    <bean id="verify" parent="SimplePipeline">
+    <bean id="verify" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
@@ -138,7 +138,7 @@
         *********************************
     -->
     
-    <bean id="checkPorts" parent="SimplePipeline">
+    <bean id="checkPorts" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
@@ -170,7 +170,7 @@
         ***********************************
     -->
     
-    <bean id="checkFuture" parent="SimplePipeline">
+    <bean id="checkFuture" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
@@ -192,7 +192,7 @@
                     Additional X.509 certificate checks, over and above those
                     performed in uk_registeredEntities.
                 -->
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- none at present -->
@@ -248,7 +248,7 @@
         
         For now, just the head of that pipeline.
     -->
-    <bean id="import.metadata" parent="SimplePipeline">
+    <bean id="import.metadata" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!-- fetch the input file -->
@@ -263,11 +263,11 @@
                 <ref bean="uk_fix_mailto"/>
                 
                 <!-- transform into a fragment using our local conventions -->
-                <bean id="importTransform" parent="XSLTransformationStage"
+                <bean id="importTransform" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/import.xsl"/>
                 
                 <!-- normalise namespaces in a specific way -->
-                <bean id="normalizeFragment" parent="XSLTransformationStage"
+                <bean id="normalizeFragment" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_fragment.xsl"/>
                 
                 <!-- check the transformed input -->
@@ -302,14 +302,14 @@
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>
                 
-                <bean id="checkCertificates" parent="X509ValidationStage">
+                <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
                             <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509RSAKeyLengthValidator"
+                            <bean parent="mda.X509RSAKeyLengthValidator"
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
-                            <bean parent="X509RSAExponentValidator"/>
+                            <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
                             <bean parent="X509ConsistentNameValidator"/>
 
@@ -360,7 +360,7 @@
         </property>
     </bean>
     
-    <bean id="importExported" parent="SimplePipeline">
+    <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_exportedEntities"/>
@@ -371,7 +371,7 @@
         </property>
     </bean>
     
-    <bean id="importExportedRaw" parent="SimplePipeline">
+    <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_exportAggregate"/>
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 749202da..58cfa539 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -84,7 +84,7 @@
     <!--
         Fetch the production entities as a collection.
     -->
-    <bean id="us_incommon_productionEntities" parent="CompositeStage">
+    <bean id="us_incommon_productionEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
@@ -106,7 +106,7 @@
     <!--
         Synthesise an export collection by filtering the production entities.
     -->
-    <bean id="us_incommon_exportedEntities" parent="CompositeStage">
+    <bean id="us_incommon_exportedEntities" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
@@ -133,8 +133,7 @@
                 <!--
                     Filter out all entities not involved in the pilot.
                 -->
-                <bean id="us_incommon_pilot_filterEntities" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.EntityFilterStage"
+                <bean id="us_incommon_pilot_filterEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="true">
                     <property name="designatedEntities">
                         <set>
@@ -147,8 +146,7 @@
                 <!--
                     Remove all contact information.
                 -->
-                <bean id="us_incommon_remove_contacts" parent="stage_parent"
-                    class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage"
+                <bean id="us_incommon_remove_contacts" parent="mda.ContactPersonFilterStage"
                     p:whitelistingTypes="true">
                     <property name="designatedTypes">
                         <set>
@@ -175,7 +173,7 @@
     <!--
         Fake an export aggregate by aggregating the exported entities.
     -->
-    <bean id="us_incommon_exportedAggregate" parent="CompositeStage">
+    <bean id="us_incommon_exportedAggregate" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_exportedEntities"/>
diff --git a/mdx/us_incommon/verbs.xml b/mdx/us_incommon/verbs.xml
index 6ca5a631..32b7d3df 100644
--- a/mdx/us_incommon/verbs.xml
+++ b/mdx/us_incommon/verbs.xml
@@ -33,7 +33,7 @@
         </property>
     </bean>
     
-    <bean id="importProduction" parent="SimplePipeline">
+    <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_productionEntities"/>
@@ -44,7 +44,7 @@
         </property>
     </bean>
 
-    <bean id="importProductionRaw" parent="SimplePipeline">
+    <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
@@ -53,7 +53,7 @@
         </property>
     </bean>
     
-    <bean id="importExported" parent="SimplePipeline">
+    <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_exportedEntities"/>
@@ -64,7 +64,7 @@
         </property>
     </bean>
     
-    <bean id="importExportedRaw" parent="SimplePipeline">
+    <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="us_incommon_exportedAggregate"/>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index d59f8ca9..3076a5c4 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -37,61 +37,61 @@
     <!--
         check_future_0
     -->
-    <bean id="check_future_0" parent="XSLValidationStage"
+    <bean id="check_future_0" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_0.xsl"/>
     
     <!--
         check_future_1
     -->
-    <bean id="check_future_1" parent="XSLValidationStage"
+    <bean id="check_future_1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_1.xsl"/>
     
     <!--
         check_future_2
     -->
-    <bean id="check_future_2" parent="XSLValidationStage"
+    <bean id="check_future_2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_2.xsl"/>
     
     <!--
         check_future_3
     -->
-    <bean id="check_future_3" parent="XSLValidationStage"
+    <bean id="check_future_3" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_3.xsl"/>
     
     <!--
         check_future_4
     -->
-    <bean id="check_future_4" parent="XSLValidationStage"
+    <bean id="check_future_4" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_4.xsl"/>
     
     <!--
         check_future_5
     -->
-    <bean id="check_future_5" parent="XSLValidationStage"
+    <bean id="check_future_5" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_5.xsl"/>
     
     <!--
         check_future_6
     -->
-    <bean id="check_future_6" parent="XSLValidationStage"
+    <bean id="check_future_6" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_6.xsl"/>
     
     <!--
         check_future_7
     -->
-    <bean id="check_future_7" parent="XSLValidationStage"
+    <bean id="check_future_7" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_7.xsl"/>
     
     <!--
         check_future_8
     -->
-    <bean id="check_future_8" parent="XSLValidationStage"
+    <bean id="check_future_8" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_8.xsl"/>
     
     <!--
         check_future_9
     -->
-    <bean id="check_future_9" parent="XSLValidationStage"
+    <bean id="check_future_9" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_9.xsl"/>
     
     <!--
@@ -99,7 +99,7 @@
         
         Combines all check_future_N stages.
     -->
-    <bean id="check_future" parent="CompositeStage">
+    <bean id="check_future" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_future_0"/>
@@ -128,7 +128,7 @@
     <!--
         check_algsupport
     -->
-    <bean id="check_algsupport" parent="XSLValidationStage"
+    <bean id="check_algsupport" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_algsupport.xsl"/>
 
 
@@ -143,7 +143,7 @@
     <!--
         check_mdattr
     -->
-    <bean id="check_mdattr" parent="XSLValidationStage"
+    <bean id="check_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdattr.xsl"/>
 
     
@@ -160,7 +160,7 @@
         
         Miscellaneous MDRPI tests, in XSLT.
     -->
-    <bean id="check_mdrpi_xslt" parent="XSLValidationStage"
+    <bean id="check_mdrpi_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdrpi.xsl"/>
     
     <!--
@@ -168,7 +168,7 @@
         
         Composite check for the MDRPI specification.
     -->
-    <bean id="check_mdrpi" parent="CompositeStage">
+    <bean id="check_mdrpi" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_mdrpi_xslt"/>
@@ -184,7 +184,7 @@
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
-    <bean id="check_regauth_parent" abstract="true" parent="XSLValidationStage"
+    <bean id="check_regauth_parent" abstract="true" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_regauth.xsl"/>
     
     <!--
@@ -192,7 +192,7 @@
         
         Check that each entity has an mdrpi:RegistrationInfo element.
     -->
-    <bean id="check_hasreginfo" parent="XSLValidationStage"
+    <bean id="check_hasreginfo" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hasreginfo.xsl"/>
 
     
@@ -218,7 +218,7 @@
         
         Miscellaneous MDUI tests, in XSLT.
     -->
-    <bean id="check_mdui_xslt" parent="XSLValidationStage"
+    <bean id="check_mdui_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdui.xsl"/>
     
     <!--
@@ -229,7 +229,7 @@
         
         UKFTS 1.4 section 3.3
     -->
-    <bean id="mdui_dn_en_match" parent="XSLValidationStage"
+    <bean id="mdui_dn_en_match" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_match.xsl"/>
     
     <!--
@@ -238,7 +238,7 @@
         If an entity has mdui:UIInfo, then that must include at least an
         mdui:DisplayName with an English name.
     -->
-    <bean id="mdui_dn_en_present" parent="XSLValidationStage"
+    <bean id="mdui_dn_en_present" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_present.xsl"/>
     
     <!--
@@ -252,7 +252,7 @@
             mdui_dn_en_present
             mdui_dn_en_match
     -->
-    <bean id="check_mdui" parent="CompositeStage">
+    <bean id="check_mdui" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_mdui_iphint"/>
@@ -273,7 +273,7 @@
     <!--
         check_incmd
     -->
-    <bean id="check_incmd" parent="XSLValidationStage"
+    <bean id="check_incmd" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_incmd.xsl"/>
 
     
@@ -285,13 +285,13 @@
         ***********************************************************
     -->
 
-    <bean id="check_rands_member" parent="XSLValidationStage"
+    <bean id="check_rands_member" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_rands_member.xsl"/>
 
-    <bean id="check_rands_support" parent="XSLValidationStage"
+    <bean id="check_rands_support" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_rands_support.xsl"/>
 
-    <bean id="check_rands" parent="CompositeStage">
+    <bean id="check_rands" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_rands_member"/>
@@ -315,7 +315,7 @@
         Check for regular expressions in Shibboleth Scope elements.  Applied very selectively,
         because we do permit this in certain circumstances.
     -->
-    <bean id="check_shib_regscope" parent="XSLValidationStage"
+    <bean id="check_shib_regscope" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shib_regscope.xsl"/>
 
     <!--
@@ -325,13 +325,13 @@
         problems with signature generation and validation because the schema includes
         a default value.
     -->
-    <bean id="check_shib_noregscope" parent="XSLValidationStage"
+    <bean id="check_shib_noregscope" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shib_noregscope.xsl"/>
 
     <!--
         check_shibboleth
     -->
-    <bean id="check_shibboleth" parent="XSLValidationStage"
+    <bean id="check_shibboleth" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_shibboleth.xsl"/>
 
 
@@ -346,7 +346,7 @@
     <!--
         check_sirtfi
     -->
-    <bean id="check_sirtfi" parent="XSLValidationStage"
+    <bean id="check_sirtfi" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_sirtfi.xsl"/>
 
 
@@ -361,19 +361,19 @@
     <!--
         check_uk_algorithms
     -->
-    <bean id="check_uk_algorithms" parent="XSLValidationStage"
+    <bean id="check_uk_algorithms" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_algorithms.xsl"/>
     
     <!--
         check_uk_trust
     -->
-    <bean id="check_uk_trust" parent="XSLValidationStage"
+    <bean id="check_uk_trust" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_trust.xsl"/>
     
     <!--
         check_uk_wayf
     -->
-    <bean id="check_uk_wayf" parent="XSLValidationStage"
+    <bean id="check_uk_wayf" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_wayf.xsl"/>
 
 
@@ -397,7 +397,7 @@
         
         It is assumed that the entities are wrapped in a single EntitiesDescriptor.
     -->
-    <bean id="check_aggregate" parent="XSLValidationStage"
+    <bean id="check_aggregate" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_aggregate.xsl"/>
     
     <!--
@@ -425,15 +425,15 @@
         Debian weak key blacklists.
     -->
 
-    <bean id="debian.1024" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="1024"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-1024.txt"/>
 
-    <bean id="debian.2048" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="2048"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-2048.txt"/>
 
-    <bean id="debian.4096" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="debian.4096" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="4096"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/debian-4096.txt"/>
 
@@ -441,7 +441,7 @@
         Blacklist of known compromised 1024-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.1024" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.1024" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="1024"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-1024.txt"/>
 
@@ -449,7 +449,7 @@
         Blacklist of known compromised 2048-bit keys, e.g., "dummy" keys shipped with
         SAML products that are sometimes deployed by accident.
     -->
-    <bean id="compromised.2048" parent="X509RSAOpenSSLBlacklistValidator"
+    <bean id="compromised.2048" parent="mda.X509RSAOpenSSLBlacklistValidator"
         p:keySize="2048"
         p:blacklistResource="classpath:net/shibboleth/metadata/validate/x509/compromised-2048.txt"/>
 
@@ -465,49 +465,49 @@
     <!--
         check_adfs
     -->
-    <bean id="check_adfs" parent="XSLValidationStage"
+    <bean id="check_adfs" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_adfs.xsl"/>
     
     <!--
         check_bindings
     -->
-    <bean id="check_bindings" parent="XSLValidationStage"
+    <bean id="check_bindings" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_bindings.xsl"/>
     
     <!--
         check_filtered
     -->
-    <bean id="check_filtered" parent="XSLValidationStage"
+    <bean id="check_filtered" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_filtered.xsl"/>
     
     <!--
         check_hoksso
     -->
-    <bean id="check_hoksso" parent="XSLValidationStage"
+    <bean id="check_hoksso" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hoksso.xsl"/>
         
     <!--
         check_idpdisc
     -->
-    <bean id="check_idpdisc" parent="XSLValidationStage"
+    <bean id="check_idpdisc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_idpdisc.xsl"/>
     
     <!--
         check_imported
     -->
-    <bean id="check_imported" parent="XSLValidationStage"
+    <bean id="check_imported" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_imported.xsl"/>
     
     <!--
         check_init
     -->
-    <bean id="check_init" parent="XSLValidationStage"
+    <bean id="check_init" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_init.xsl"/>
     
     <!--
         check_mdiop
     -->
-    <bean id="check_mdiop" parent="XSLValidationStage"
+    <bean id="check_mdiop" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdiop.xsl"/>
 
     <!--
@@ -516,66 +516,66 @@
         Check for the presence of CR characters in text content or attribute values.
         This protects against SSPCPP-684 in the Shibboleth SP.
     -->
-    <bean id="check_cr" parent="CRDetectionStage"/>
+    <bean id="check_cr" parent="mda.CRDetectionStage"/>
 
     <!--
         check_entityid_prefix
     -->
-    <bean id="check_entityid_prefix" parent="XSLValidationStage"
+    <bean id="check_entityid_prefix" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_entityid_prefix.xsl"/>
 
     <!--
         check_idp_tls
     -->
-    <bean id="check_idp_tls" parent="XSLValidationStage"
+    <bean id="check_idp_tls" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_idp_tls.xsl"/>
 
     <!--
         check_sp_tls
     -->
-    <bean id="check_sp_tls" parent="XSLValidationStage"
+    <bean id="check_sp_tls" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_sp_tls.xsl"/>
 
     <!--
         check_misc
     -->
-    <bean id="check_misc" parent="XSLValidationStage"
+    <bean id="check_misc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_misc.xsl"/>
     
     <!--
         check_namespaces
     -->
-    <bean id="check_namespaces" parent="XSLValidationStage"
+    <bean id="check_namespaces" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_namespaces.xsl"/>
     
     <!--
         check_reqattr
     -->
-    <bean id="check_reqattr" parent="XSLValidationStage"
+    <bean id="check_reqattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_reqattr.xsl"/>
     
     <!--
         check_saml2int
     -->
-    <bean id="check_saml2int" parent="XSLValidationStage"
+    <bean id="check_saml2int" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2int.xsl"/>
 
     <!--
         check_saml1
     -->
-    <bean id="check_saml1" parent="XSLValidationStage"
+    <bean id="check_saml1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml1.xsl"/>
     
     <!--
         check_saml2
     -->
-    <bean id="check_saml2" parent="XSLValidationStage"
+    <bean id="check_saml2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2.xsl"/>
     
     <!--
         check_saml2meta
     -->
-    <bean id="check_saml2meta" parent="XSLValidationStage"
+    <bean id="check_saml2meta" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2meta.xsl"/>
     
     <!--
@@ -611,15 +611,14 @@
         Check that an aggregate has a validUntil instant specified, and that it has not
         yet expired.  Does not put an upper bound on validUntil intervals.
     -->
-    <bean id="check_validUntil" parent="stage_parent"
-        class="net.shibboleth.metadata.dom.saml.ValidateValidUntilStage">
+    <bean id="check_validUntil" parent="mda.ValidateValidUntilStage">
         <!--
             The validUntil attribute must be present.
         -->
         <property name="requireValidUntil" value="true"/>
         <!--
             Do not constrain the validity interval in this general stage.
-            Constrain in necessary on a per-channel basis.
+            Constrain if necessary on a per-channel basis.
         -->
         <property name="maxValidityInterval" value="0"/>
     </bean>
@@ -627,7 +626,7 @@
     <!--
         check_vhosts
     -->
-    <bean id="check_vhosts" parent="XSLValidationStage"
+    <bean id="check_vhosts" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_vhosts.xsl"/>
 
 
@@ -642,7 +641,7 @@
     <!--
         CHECK_std
     -->
-    <bean id="CHECK_std" parent="CompositeStage">
+    <bean id="CHECK_std" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
                 <ref bean="check_adfs"/>

From a6e9ecdc68b3709449f50644ef46d813e624728e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 13:05:00 +0100
Subject: [PATCH 47/80] Remove redundant intermediate abstract bean

The waitingForPipelines property is already set in all instances.
---
 mdx/common-beans.xml | 4 ----
 mdx/uk/generate.xml  | 8 ++++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 9a541410..450d780e 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -166,10 +166,6 @@
         <property name="serializer" ref="serializer"/>
     </bean>
 
-    <bean id="PipelineDemultiplexerStage" abstract="true" parent="mda.PipelineDemultiplexerStage"
-        p:waitingForPipelines="true"
-    />
-
     <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="mda.PipelineMergeStage"
         p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>
 
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index b20d2305..a4b48785 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -850,7 +850,7 @@
                 <!--
                     Fork a new output pipeline for the registrar statistics.
                 -->
-                <bean id="rawRegistrarDemux" parent="PipelineDemultiplexerStage">
+                <bean id="rawRegistrarDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -890,7 +890,7 @@
                     metadata as closely as possible, so the fork must happen before
                     too many UK-specific transformations are performed.
                 -->
-                <bean id="registrarDemux" parent="PipelineDemultiplexerStage">
+                <bean id="registrarDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -952,7 +952,7 @@
                 <!--
                     Fork into new pipelines for the production, fallback and WAYF aggregates.
                 -->
-                <bean id="productionDemux" parent="PipelineDemultiplexerStage">
+                <bean id="productionDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
@@ -1007,7 +1007,7 @@
                 <!--
                     Fork into new pipelines for additional aggregates.
                 -->
-                <bean id="preProductionDemux" parent="PipelineDemultiplexerStage">
+                <bean id="preProductionDemux" parent="mda.PipelineDemultiplexerStage">
                     <property name="pipelineAndSelectionStrategies">
                         <list>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">

From ef717ef485f7efb55fb69cd743aa530d3b783345 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 14:12:14 +0100
Subject: [PATCH 48/80] Push property setting down to bean instances

This allows the removal of many additional intermediate
abstract parent beans, and makes the instances clearer
at the cost of being slightly longer.
---
 mdx/at_aconet/beans.xml   |  6 +++--
 mdx/at_aconet/verbs.xml   |  3 ++-
 mdx/common-beans.xml      | 34 --------------------------
 mdx/int_cobweb/beans.xml  |  3 ++-
 mdx/int_cobweb/verbs.xml  |  3 ++-
 mdx/int_edugain/beans.xml |  6 +++--
 mdx/int_edugain/verbs.xml |  3 ++-
 mdx/test/beans.xml        |  3 ++-
 mdx/test/verbs.xml        |  3 ++-
 mdx/uk/beans.xml          |  9 ++++---
 mdx/uk/collect.xml        |  3 ++-
 mdx/uk/generate.xml       | 51 ++++++++++++++++++++++++++-------------
 mdx/uk/mdq-multisign.xml  |  6 +++--
 mdx/uk/verbs.xml          | 15 ++++++++----
 mdx/us_incommon/beans.xml |  3 ++-
 mdx/us_incommon/verbs.xml |  3 ++-
 16 files changed, 80 insertions(+), 74 deletions(-)

diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 4d822ba2..a71afa17 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -27,7 +27,8 @@
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="at_aconet_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="at_aconet_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -39,7 +40,8 @@
     <!--
         Fetch the eduGAIN export aggregate.
     -->
-    <bean id="at_aconet_edugainAggregate" parent="DOMResourceSourceStage">
+    <bean id="at_aconet_edugainAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 9e77f6de..0a45e865 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -22,7 +22,8 @@
     -->
     <import resource="classpath:at_aconet/beans.xml"/>
     
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/at_aconet/imported.xml"/>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 450d780e..bfda5122 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -118,27 +118,6 @@
         </property>
     </bean>
 
-    <bean id="XPathFilteringStage" abstract="true" parent="mda.XPathFilteringStage"
-        p:namespaceContext-ref="commonNamespaces"/>
-
-    <!--
-        DomFilesystemSourceStage
-        
-        Parent for DOM filesystem source stages.
-    -->
-    <bean id="DOMFilesystemSourceStage" abstract="true" parent="mda.DOMFilesystemSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-    </bean>
-
-    <!--
-        DOMResourceSourceStage
-        
-        Parent for DOM resource source stages.
-    -->
-    <bean id="DOMResourceSourceStage" abstract="true" parent="mda.DOMResourceSourceStage">
-        <property name="parserPool" ref="parserPool"/>
-    </bean>
-
     <!-- *** Parent beans for Shibboleth spring-extensions factory beans. *** -->
 
     <bean id="DOMDocumentFactoryBean" abstract="true"
@@ -160,19 +139,6 @@
     <bean id="X509CertificateFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"/>
 
-    <!-- *** Parent beans for net.shibboleth.metadata.pipeline package. *** -->
-
-    <bean id="MultiOutputSerializationStage" abstract="true" parent="mda.MultiOutputSerializationStage">
-        <property name="serializer" ref="serializer"/>
-    </bean>
-
-    <bean id="PipelineMergeStage.deduplicate" abstract="true" parent="mda.PipelineMergeStage"
-        p:collectionMergeStrategy-ref="deduplicateMergeStrategy"/>
-
-    <bean id="SerializationStage" abstract="true" parent="mda.SerializationStage">
-        <property name="serializer" ref="serializer"/>
-    </bean>
-
     <!-- *** Parent beans for ukf-mda. *** -->
 
     <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
index 3d8e2f4d..b3fa6adf 100644
--- a/mdx/int_cobweb/beans.xml
+++ b/mdx/int_cobweb/beans.xml
@@ -22,7 +22,8 @@
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="int_cobweb_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_cobweb_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
index 2cadfed2..2b333117 100644
--- a/mdx/int_cobweb/verbs.xml
+++ b/mdx/int_cobweb/verbs.xml
@@ -22,7 +22,8 @@
     -->
     <import resource="classpath:int_cobweb/beans.xml"/>
     
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/int_cobweb/imported.xml"/>
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 976fef1d..32cc5d63 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -33,7 +33,8 @@
     <!--
         Fetches the eduGAIN production aggregate.
     -->
-    <bean id="int_edugain_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_edugain_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -45,7 +46,8 @@
     <!--
         Fetch the eduGAIN test aggregate.
     -->
-    <bean id="int_edugain_testAggregate" parent="DOMResourceSourceStage">
+    <bean id="int_edugain_testAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index 36d62cd6..b0e278af 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -22,7 +22,8 @@
     -->
     <import resource="classpath:int_edugain/beans.xml"/>
     
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/int_edugain/imported.xml"/>
diff --git a/mdx/test/beans.xml b/mdx/test/beans.xml
index 93c69d81..3d6d2700 100644
--- a/mdx/test/beans.xml
+++ b/mdx/test/beans.xml
@@ -15,7 +15,8 @@
     <!--
         Fetch the aggregate aggregate.
     -->
-    <bean id="test_aggregate" parent="DOMResourceSourceStage"
+    <bean id="test_aggregate" parent="mda.DOMResourceSourceStage"
+        p:parserPool-ref="parserPool"
         p:DOMResource="classpath:test/input.xml"/>
     
     <!--
diff --git a/mdx/test/verbs.xml b/mdx/test/verbs.xml
index 6f332c87..59217f8a 100644
--- a/mdx/test/verbs.xml
+++ b/mdx/test/verbs.xml
@@ -22,7 +22,8 @@
     -->
     <import resource="classpath:test/beans.xml"/>
     
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/test/imported.xml"/>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 1ff7171b..17b033e7 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -42,7 +42,8 @@
     <!--
         Fetch the export aggregate.
     -->
-    <bean id="uk_exportAggregate" parent="DOMResourceSourceStage">
+    <bean id="uk_exportAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -55,7 +56,8 @@
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="uk_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="uk_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
@@ -448,7 +450,8 @@
         Serialise the (assumed HTML) DomDocumentItem into the UK federation statistics
         output file in the production XML directory.
     -->
-    <bean id="uk_serializeStatistics" parent="SerializationStage">
+    <bean id="uk_serializeStatistics" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-stats.html"/>
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index e36eb0f3..2a1c8c4d 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -22,7 +22,8 @@
     -->
     <import resource="classpath:uk/beans.xml"/>
 
-    <bean id="serializeCollected" parent="SerializationStage">
+    <bean id="serializeCollected" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/uk/collected.xml"/>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index a4b48785..d3204acd 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -250,7 +250,8 @@
         </property>
     </bean>
 
-    <bean id="serializeUnsignedProductionAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedProductionAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-metadata-unsigned.xml"/>
@@ -305,7 +306,8 @@
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
-    <bean id="serializeUnsignedWayfAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedWayfAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-wayf-unsigned.xml"/>
@@ -424,7 +426,8 @@
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
-    <bean id="serializeCDSAllAggregate" parent="SerializationStage">
+    <bean id="serializeCDSAllAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-cdsall-unsigned.xml"/>
@@ -486,7 +489,8 @@
     <bean id="uk_normaliseFallback" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_back.xsl"/>
     
-    <bean id="serializeUnsignedFallbackAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedFallbackAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-back-unsigned.xml"/>
@@ -538,7 +542,8 @@
     <bean id="uk_normaliseTest" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_test.xsl"/>
     
-    <bean id="serializeUnsignedTestAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedTestAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-test-unsigned.xml"/>
@@ -591,7 +596,8 @@
         <constructor-arg ref="commonNamespaces"/>
     </bean>
     
-    <bean id="serializeUnsignedExportAggregate" parent="SerializationStage">
+    <bean id="serializeUnsignedExportAggregate" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${output.dir}/ukfederation-export-unsigned.xml"/>
@@ -631,7 +637,8 @@
                                 <list>
                                     
                                     <!-- Identity providers lacking support for SAML 2.0 -->
-                                    <bean id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                    <bean id="SAML1onlyIdPs" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="md:IDPSSODescriptor
                                         [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
                                     </bean>
@@ -640,13 +647,15 @@
                                     <!--
                                         Preferred implementation:
                                         
-                                        <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                        <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                            p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
                                         
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
-                                    <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                    <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
                                     <bean id="GlowScotland" parent="mda.EntityFilterStage">
@@ -658,7 +667,8 @@
                                     </bean>
                                     
                                     <!-- Identity providers with regular expression scopes -->
-                                    <bean id="regexScopes" parent="XPathFilteringStage"
+                                    <bean id="regexScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
                                 </list>
                             </property>
@@ -743,7 +753,8 @@
                                 <list>
 
                                     <!-- Identity providers lacking support for SAML 2.0 -->
-                                    <bean id="SAML1onlyIdPs" parent="XPathFilteringStage"
+                                    <bean id="SAML1onlyIdPs" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="md:IDPSSODescriptor
                                             [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
                                     </bean>
@@ -752,13 +763,15 @@
                                     <!--
                                         Preferred implementation:
                                         
-                                        <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                        <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                            p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
                                         
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
-                                    <bean id="syntheticScopes" parent="XPathFilteringStage"
+                                    <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[contains(., '.eng.ukfederation.org.uk')]"/>
                                     <!-- Specific providers not caught by the previous condition -->
                                     <bean id="GlowScotland" parent="mda.EntityFilterStage">
@@ -770,7 +783,8 @@
                                     </bean>
 
                                     <!-- Identity providers with regular expression scopes -->
-                                    <bean id="regexScopes" parent="XPathFilteringStage"
+                                    <bean id="regexScopes" parent="mda.XPathFilteringStage"
+                                        p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="//shibmd:Scope[@regexp='true']"/>
                                 </list>
                             </property>
@@ -805,7 +819,8 @@
                 <ref bean="check_namespaces"/>
                 <ref bean="errorTerminatingFilter"/>
                 
-                <bean id="serializeUnsignedExportPreviewAggregate" parent="SerializationStage">
+                <bean id="serializeUnsignedExportPreviewAggregate" parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
                         <bean class="java.io.File">
                             <constructor-arg value="${output.dir}/ukfederation-export-preview-unsigned.xml"/>
@@ -927,7 +942,8 @@
                     Merge in entities from production metadata exchange sources.
                 -->
                 
-                <bean id="mergeProductionMDXEntities" parent="PipelineMergeStage.deduplicate">
+                <bean id="mergeProductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
                     <property name="mergedPipelines">
                         <list>
                             <!-- entries earlier in the list have higher precedence -->
@@ -982,7 +998,8 @@
                     Merge in entities from pre-production metadata exchange sources.
                 -->
 
-                <bean id="mergePreproductionMDXEntities" parent="PipelineMergeStage.deduplicate">
+                <bean id="mergePreproductionMDXEntities" parent="mda.PipelineMergeStage"
+                    p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
                     <property name="mergedPipelines">
                         <list>
                             <!-- entries earlier in the list have higher precedence -->
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 1643d6a6..963c8fd4 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -44,7 +44,8 @@
                 <!--
                     Start with the unsigned production aggregate.
                 -->
-                <bean id="production_aggregate" parent="DOMResourceSourceStage">
+                <bean id="production_aggregate" parent="mda.DOMResourceSourceStage">
+                    <property name="parserPool" ref="parserPool"/>
                     <property name="DOMResource">
                         <bean parent="FileSystemResource" c:_0="${mdq.input}"/>
                     </property>
@@ -77,7 +78,8 @@
                 </bean>
 
                 <!-- Write individual entity documents to files. -->
-                <bean id="write.perentity" parent="MultiOutputSerializationStage">
+                <bean id="write.perentity" parent="mda.MultiOutputSerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputStrategy">
                         <bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
                             <property name="directory">
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 51b93a15..25b1fcb1 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -64,7 +64,8 @@
                         </map>
                     </property>
                 </bean>
-                <bean parent="SerializationStage">
+                <bean parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
                         <bean class="java.io.File">
                             <constructor-arg value="${output.dir}/statistics-charting.html"/>
@@ -88,7 +89,8 @@
                 <ref bean="assemble"/>
                 <bean id="process" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/sp_mdui_test.xsl"/>
-                <bean id="serialize" parent="SerializationStage">
+                <bean id="serialize" parent="mda.SerializationStage">
+                    <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
                         <bean class="java.io.File">
                             <constructor-arg value="${mdx.dir}/uk/temp.html"/>
@@ -220,7 +222,8 @@
         Fetches the contents of the file used to hold metadata to be imported
         into a UK federation fragment file.
     -->
-    <bean id="fetchImportMetadata" parent="DOMFilesystemSourceStage">
+    <bean id="fetchImportMetadata" parent="mda.DOMFilesystemSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="source">
             <bean class="java.io.File">
                 <constructor-arg value="${entities.dir}/import.xml"/>
@@ -233,7 +236,8 @@
         
         Serialise the fragment file just imported.
     -->
-    <bean id="serializeImportedMetadata" parent="SerializationStage">
+    <bean id="serializeImportedMetadata" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${entities.dir}/imported.xml"/>
@@ -352,7 +356,8 @@
         #################################################
     -->
     
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/uk/imported.xml"/>
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 58cfa539..d7418cac 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -31,7 +31,8 @@
     <!--
         Fetch the production aggregate.
     -->
-    <bean id="us_incommon_productionAggregate" parent="DOMResourceSourceStage">
+    <bean id="us_incommon_productionAggregate" parent="mda.DOMResourceSourceStage">
+        <property name="parserPool" ref="parserPool"/>
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
diff --git a/mdx/us_incommon/verbs.xml b/mdx/us_incommon/verbs.xml
index 32b7d3df..3c3c49e5 100644
--- a/mdx/us_incommon/verbs.xml
+++ b/mdx/us_incommon/verbs.xml
@@ -25,7 +25,8 @@
     <!--
         Serialise into this channel's "imported" aggregate file.
     -->
-    <bean id="serializeImported" parent="SerializationStage">
+    <bean id="serializeImported" parent="mda.SerializationStage">
+        <property name="serializer" ref="serializer"/>
         <property name="outputFile">
             <bean class="java.io.File">
                 <constructor-arg value="${mdx.dir}/us_incommon/imported.xml"/>

From d33502e5e70684292994a3c26b93f3a83cfac360 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 14:19:25 +0100
Subject: [PATCH 49/80] Make consistent use of the String abstract bean

---
 mdx/at_aconet/beans.xml   | 4 ++--
 mdx/int_cobweb/beans.xml  | 2 +-
 mdx/int_edugain/beans.xml | 4 ++--
 mdx/uk/beans.xml          | 4 ++--
 mdx/us_incommon/beans.xml | 8 ++++----
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index a71afa17..5bebaeda 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -16,11 +16,11 @@
         Location of various resources.
     -->
     <!-- ACOnet-registered entities without interfederation -->
-    <bean id="at_aconet_registrarAggregate_url" class="java.lang.String">
+    <bean id="at_aconet_registrarAggregate_url" parent="String">
         <constructor-arg value="http://eduid.at/md/aconet-registered.xml"/>
     </bean>
     <!-- eduGAIN export aggregate -->
-    <bean id="at_aconet_edugainAggregate_url" class="java.lang.String">
+    <bean id="at_aconet_edugainAggregate_url" parent="String">
         <constructor-arg value="http://eduid.at/md/upstream-edugain.xml"/>
     </bean>
     
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
index b3fa6adf..21fb37f9 100644
--- a/mdx/int_cobweb/beans.xml
+++ b/mdx/int_cobweb/beans.xml
@@ -15,7 +15,7 @@
     <!--
         Location of various resources.
     -->
-    <bean id="int_cobweb_productionAggregate_url" class="java.lang.String">
+    <bean id="int_cobweb_productionAggregate_url" parent="String">
         <constructor-arg value="https://cobweb.edina.ac.uk/metadata/cobweb-metadata.xml"/>
     </bean>
     
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 32cc5d63..23154d3b 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -22,11 +22,11 @@
         Location of various resources.
     -->
     <!-- production aggregate -->
-    <bean id="int_edugain_productionAggregate_url" class="java.lang.String">
+    <bean id="int_edugain_productionAggregate_url" parent="String">
         <constructor-arg value="http://mds.edugain.org/"/>
     </bean>
     <!-- test aggregate -->
-    <bean id="int_edugain_testAggregate_url" class="java.lang.String">
+    <bean id="int_edugain_testAggregate_url" parent="String">
         <constructor-arg value="http://mds-test.edugain.org"/>
     </bean>
 
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 17b033e7..fa6c3d0c 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -15,10 +15,10 @@
     <!--
         Location of various resources.
     -->
-    <bean id="uk_productionAggregate_url" class="java.lang.String">
+    <bean id="uk_productionAggregate_url" parent="String">
         <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
     </bean>
-    <bean id="uk_exportAggregate_url" class="java.lang.String">
+    <bean id="uk_exportAggregate_url" parent="String">
         <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-export.xml"/>
     </bean>
     
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index d7418cac..581e97ac 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -15,16 +15,16 @@
     <!--
         Location of various resources.
     -->
-    <bean id="us_incommon_productionAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_productionAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata.xml"/>
     </bean>
-    <bean id="us_incommon_fallbackAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_fallbackAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml"/>
     </bean>
-    <bean id="us_incommon_previewAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_previewAggregate_url" parent="String">
         <constructor-arg value="http://md.incommon.org/InCommon/InCommon-metadata-preview.xml"/>
     </bean>
-    <bean id="us_incommon_legacyAggregate_url" class="java.lang.String">
+    <bean id="us_incommon_legacyAggregate_url" parent="String">
         <constructor-arg value="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"/>
     </bean>
     

From 32b12ea5459731dc83f78eb4a29c128198e32810 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 14:36:35 +0100
Subject: [PATCH 50/80] Introduce a File abstract parent bean

---
 mdx/at_aconet/verbs.xml   |  2 +-
 mdx/common-beans.xml      |  1 +
 mdx/int_cobweb/verbs.xml  |  2 +-
 mdx/int_edugain/verbs.xml |  2 +-
 mdx/test/verbs.xml        |  2 +-
 mdx/uk/beans.xml          |  4 ++--
 mdx/uk/collect.xml        |  2 +-
 mdx/uk/generate.xml       | 14 +++++++-------
 mdx/uk/mdq-multisign.xml  |  2 +-
 mdx/uk/verbs.xml          | 10 +++++-----
 mdx/us_incommon/verbs.xml |  2 +-
 11 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 0a45e865..6919e231 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -25,7 +25,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/at_aconet/imported.xml"/>
             </bean>
         </property>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index bfda5122..5a664007 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -35,6 +35,7 @@
     <!--
         Java class parent shorthand beans.
     -->
+    <bean id="File" abstract="true" class="java.io.File"/>
     <bean id="String" abstract="true" class="java.lang.String"/>
     <bean id="QName" abstract="true" class="javax.xml.namespace.QName"/>
     
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
index 2b333117..49cd2a9a 100644
--- a/mdx/int_cobweb/verbs.xml
+++ b/mdx/int_cobweb/verbs.xml
@@ -25,7 +25,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/int_cobweb/imported.xml"/>
             </bean>
         </property>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index b0e278af..15d98b02 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -25,7 +25,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/int_edugain/imported.xml"/>
             </bean>
         </property>
diff --git a/mdx/test/verbs.xml b/mdx/test/verbs.xml
index 59217f8a..8a6d93e7 100644
--- a/mdx/test/verbs.xml
+++ b/mdx/test/verbs.xml
@@ -25,7 +25,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/test/imported.xml"/>
             </bean>
         </property>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index fa6c3d0c..9711fdeb 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -112,7 +112,7 @@
     <bean id="uk_fetchFragmentFiles" parent="mda.DOMFilesystemSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="source">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}"/>
             </bean>
         </property>
@@ -453,7 +453,7 @@
     <bean id="uk_serializeStatistics" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-stats.html"/>
             </bean>
         </property>
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index 2a1c8c4d..9b1d2c45 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -25,7 +25,7 @@
     <bean id="serializeCollected" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/uk/collected.xml"/>
             </bean>
         </property>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index d3204acd..defd00f4 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -253,7 +253,7 @@
     <bean id="serializeUnsignedProductionAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-metadata-unsigned.xml"/>
             </bean>
         </property>
@@ -309,7 +309,7 @@
     <bean id="serializeUnsignedWayfAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-wayf-unsigned.xml"/>
             </bean>
         </property>
@@ -429,7 +429,7 @@
     <bean id="serializeCDSAllAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-cdsall-unsigned.xml"/>
             </bean>
         </property>
@@ -492,7 +492,7 @@
     <bean id="serializeUnsignedFallbackAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-back-unsigned.xml"/>
             </bean>
         </property>
@@ -545,7 +545,7 @@
     <bean id="serializeUnsignedTestAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-test-unsigned.xml"/>
             </bean>
         </property>
@@ -599,7 +599,7 @@
     <bean id="serializeUnsignedExportAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${output.dir}/ukfederation-export-unsigned.xml"/>
             </bean>
         </property>
@@ -822,7 +822,7 @@
                 <bean id="serializeUnsignedExportPreviewAggregate" parent="mda.SerializationStage">
                     <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
-                        <bean class="java.io.File">
+                        <bean parent="File">
                             <constructor-arg value="${output.dir}/ukfederation-export-preview-unsigned.xml"/>
                         </bean>
                     </property>
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 963c8fd4..62ac0813 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -83,7 +83,7 @@
                     <property name="outputStrategy">
                         <bean parent="mda.FilesInDirectoryMultiOutputStrategy" p:nameSuffix=".xml">
                             <property name="directory">
-                                <bean class="java.io.File" c:_="${mdq.output}"/>
+                                <bean parent="File" c:_="${mdq.output}"/>
                             </property>
                             <property name="nameTransformer">
                                 <bean parent="mda.PathSegmentStringTransformer"/>
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 25b1fcb1..7f582df6 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -67,7 +67,7 @@
                 <bean parent="mda.SerializationStage">
                     <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
-                        <bean class="java.io.File">
+                        <bean parent="File">
                             <constructor-arg value="${output.dir}/statistics-charting.html"/>
                         </bean>
                     </property>
@@ -92,7 +92,7 @@
                 <bean id="serialize" parent="mda.SerializationStage">
                     <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
-                        <bean class="java.io.File">
+                        <bean parent="File">
                             <constructor-arg value="${mdx.dir}/uk/temp.html"/>
                         </bean>
                     </property>
@@ -225,7 +225,7 @@
     <bean id="fetchImportMetadata" parent="mda.DOMFilesystemSourceStage">
         <property name="parserPool" ref="parserPool"/>
         <property name="source">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}/import.xml"/>
             </bean>
         </property>
@@ -239,7 +239,7 @@
     <bean id="serializeImportedMetadata" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${entities.dir}/imported.xml"/>
             </bean>
         </property>
@@ -359,7 +359,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/uk/imported.xml"/>
             </bean>
         </property>
diff --git a/mdx/us_incommon/verbs.xml b/mdx/us_incommon/verbs.xml
index 3c3c49e5..bd9340a8 100644
--- a/mdx/us_incommon/verbs.xml
+++ b/mdx/us_incommon/verbs.xml
@@ -28,7 +28,7 @@
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
-            <bean class="java.io.File">
+            <bean parent="File">
                 <constructor-arg value="${mdx.dir}/us_incommon/imported.xml"/>
             </bean>
         </property>

From 4fdc93b2eabe9d8b674b3749974bf1bf10902a96 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 14:39:59 +0100
Subject: [PATCH 51/80] Remove an unreferenced bean definition

---
 mdx/uk/beans.xml | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 9711fdeb..319a65ac 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -258,17 +258,6 @@
     </bean>
     
 
-    <!--
-        UK federation unnamed EntitiesDescriptor assembler pipeline stage.
-        
-        Name attribute is not set.  UK ordering is applied.
-    -->
-    <bean id="uk_assembleUnnamed" parent="mda.EntitiesDescriptorAssemblerStage">
-        <property name="itemOrderingStrategy">
-            <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
-        </property>
-    </bean>
-    
 
     <!--
         Fetch and process the registered entities as a collection.

From 31202101a4f22dc36e05a41566341e0ad3640b14 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 16:15:32 +0100
Subject: [PATCH 52/80] Separate out definitions of UKF beans

---
 mdx/common-beans.xml     | 16 ++-----
 mdx/uk/beans.xml         | 17 +++----
 mdx/uk/verbs.xml         |  2 +-
 mdx/ukf-beans.xml        | 99 ++++++++++++++++++++++++++++++++++++++++
 mdx/validation-beans.xml | 10 ++--
 5 files changed, 116 insertions(+), 28 deletions(-)
 create mode 100644 mdx/ukf-beans.xml

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 5a664007..001f7210 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -24,6 +24,11 @@
     -->
     <import resource="mda-beans.xml"/>
 
+    <!--
+        Pick up UK federation MDA beans.
+    -->
+    <import resource="ukf-beans.xml"/>
+
     <!--
         ***********************************
         ***                             ***
@@ -140,17 +145,6 @@
     <bean id="X509CertificateFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"/>
 
-    <!-- *** Parent beans for ukf-mda. *** -->
-
-    <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
-
-    <bean id="SAMLStringElementCheckingStage" abstract="true" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
-
-    <bean id="X509ConsistentNameValidator" abstract="true" parent="mda.validator_parent"
-        class="uk.org.ukfederation.mda.validate.X509ConsistentNameValidator"/>
-        
     <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
     <bean class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor" lazy-init="false"/>
     
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 319a65ac..a1a450b0 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -117,7 +117,7 @@
             </bean>
         </property>
         <property name="sourceFileFilter">
-            <bean class="uk.org.ukfederation.mda.RegexFileFilter">
+            <bean parent="ukf.RegexFileFilter">
                 <constructor-arg value="uk\d{6}.xml"/>
             </bean>
         </property>
@@ -182,8 +182,7 @@
         
         Checks that entities are owned by UK federation members.
     -->
-    <bean id="check_owner" parent="stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.EntityOwnerCheckingStage"
+    <bean id="check_owner" parent="ukf.EntityOwnerCheckingStage"
         p:members-ref="uk_members"/>
     
     <!--
@@ -241,8 +240,7 @@
     <!--
         Populate UKId values from entities.
     -->
-    <bean id="uk_populateIds" parent="stage_parent"
-        class="uk.org.ukfederation.mda.EntityDescriptorUKIdPopulationStage"/>
+    <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/>
     
 
     <!--
@@ -253,7 +251,7 @@
     <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
         <property name="descriptorName" ref="uk_federation_uri"/>
         <property name="itemOrderingStrategy">
-            <bean class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
+            <bean parent="ukf.UKEntityOrderingStrategy"/>
         </property>
     </bean>
     
@@ -278,8 +276,7 @@
                 <!--
                     Inject scopes "pushed" to entities from the members.xml file.
                 -->
-                <bean id="scopes_inject" parent="stage_parent"
-                    class="uk.org.ukfederation.mda.dom.saml.ScopeInjectionStage"
+                <bean id="scopes_inject" parent="ukf.ScopeInjectionStage"
                     p:members-ref="uk_members"/>
 
                 <ref bean="populateItemIds"/>
@@ -303,7 +300,7 @@
                     <property name="selectedItemPipeline">
                         <bean id="selectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
-                                <bean id="addHideFromDiscovery" parent="EntityAttributeAddingStage"
+                                <bean id="addHideFromDiscovery" parent="ukf.EntityAttributeAddingStage"
                                     p:attributeValue="http://refeds.org/category/hide-from-discovery"
                                     p:addingFirstChild="true"/>
                             </property>
@@ -335,7 +332,7 @@
                             <!-- Error on small RSA public exponents. -->
                             <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="X509ConsistentNameValidator"/>
+                            <bean parent="ukf.X509ConsistentNameValidator"/>
                             
                             <!--
                                 Debian weak key blacklists.
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 7f582df6..18d5b51c 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -315,7 +315,7 @@
                             <!-- Error on small RSA public exponents. -->
                             <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
-                            <bean parent="X509ConsistentNameValidator"/>
+                            <bean parent="ukf.X509ConsistentNameValidator"/>
 
                             <!--
                                 Debian weak key blacklists.
diff --git a/mdx/ukf-beans.xml b/mdx/ukf-beans.xml
new file mode 100644
index 00000000..9c27b3d5
--- /dev/null
+++ b/mdx/ukf-beans.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+    <!--
+        Bean definitions for simplified access to components in the
+        ukf-mda artifact.
+
+        All defined bean names are prefixed with "ukf.".
+    -->
+
+    <!--
+        Parent for anything based on the Shibboleth component system.
+        These all require initialization before use.
+    -->
+    <bean id="ukf.component_parent" abstract="true"
+        init-method="initialize" destroy-method="destroy"/>
+
+    <!--
+        Parent for all stages.
+    -->
+    <bean id="ukf.stage_parent" abstract="true" parent="ukf.component_parent"/>
+
+    <!--
+        uk.org.ukfederation.mda
+    -->
+
+    <bean id="ukf.EntityDescriptorUKIdPopulationStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.EntityDescriptorUKIdPopulationStage"/>
+
+    <bean id="ukf.IdPDisplayNameDuplicateDetectingStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.IdPDisplayNameDuplicateDetectingStage"/>
+
+    <bean id="ukf.RegexFileFilter" abstract="true"
+        class="uk.org.ukfederation.mda.RegexFileFilter"/>
+
+    <bean id="ukf.UKEntityOrderingStrategy" abstract="true"
+        class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
+
+    <bean id="ukf.UKEntitySelectionStrategy" abstract="true"
+        class="uk.org.ukfederation.mda.UKEntitySelectionStrategy"/>
+
+    <bean id="ukf.UKItemIdentificationStrategy" abstract="true"
+        class="uk.org.ukfederation.mda.UKItemIdentificationStrategy"/>
+
+    <!--
+        uk.org.ukfederation.mda.dom
+    -->
+
+    <!--
+        uk.org.ukfederation.mda.dom.saml
+    -->
+
+    <bean id="ukf.EntityOwnerCheckingStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.EntityOwnerCheckingStage"/>
+
+    <bean id="ukf.SAMLStringElementCheckingStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
+
+    <bean id="ukf.ScopeInjectionStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.ScopeInjectionStage"/>
+
+    <!--
+        uk.org.ukfederation.mda.dom.saml.mdattr
+    -->
+
+    <bean id="ukf.EntityAttributeAddingStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
+
+    <!--
+        uk.org.ukfederation.mda.statistics
+    -->
+
+    <bean id="ukf.StatisticsVelocityStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.statistics.StatisticsVelocityStage"/>
+
+    <!--
+        uk.org.ukfederation.mda.validate
+    -->
+
+    <bean id="ukf.X509ConsistentNameValidator" abstract="true" parent="ukf.component_parent"
+        class="uk.org.ukfederation.mda.validate.X509ConsistentNameValidator"/>
+
+    <!--
+        uk.org.ukfederation.mda.validate.mdui
+    -->
+
+    <bean id="ukf.IPHintValidationStage" abstract="true" parent="ukf.stage_parent"
+        class="uk.org.ukfederation.mda.validate.mdui.IPHintValidationStage"/>
+
+</beans>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 3076a5c4..247156e6 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -209,8 +209,7 @@
         
         Checks for the mdui:IPHint element.
     -->
-    <bean id="check_mdui_iphint" parent="stage_parent"
-        class="uk.org.ukfederation.mda.validate.mdui.IPHintValidationStage"
+    <bean id="check_mdui_iphint" parent="ukf.IPHintValidationStage"
         p:checkingNetworks="true"/>
     
     <!--
@@ -408,9 +407,8 @@
         It is assumed that the entities are independently represented as EntityDescriptor
         items in the item collection.
     -->
-    <bean id="check_dup_display" parent="stage_parent"
-        p:identificationStrategy-ref="identificationStrategy"
-        class="uk.org.ukfederation.mda.IdPDisplayNameDuplicateDetectingStage"/>
+    <bean id="check_dup_display" parent="ukf.IdPDisplayNameDuplicateDetectingStage"
+        p:identificationStrategy-ref="identificationStrategy"/>
 
 
     <!--
@@ -581,7 +579,7 @@
     <!--
         check_saml_strings
     -->
-    <bean id="check_saml_strings" parent="SAMLStringElementCheckingStage">
+    <bean id="check_saml_strings" parent="ukf.SAMLStringElementCheckingStage">
         <property name="elementNames">
             <set>
                 <ref bean="md-Company"/>

From 190d241d1d42ebc1f5df5676f933f67de0c12f32 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 1 May 2017 16:32:05 +0100
Subject: [PATCH 53/80] Remove another redundant parent bean

---
 mdx/common-beans.xml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 001f7210..ea4e9541 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -67,13 +67,6 @@
     <bean id="component_parent" abstract="true"
         init-method="initialize" destroy-method="destroy"/>
     
-    <!--
-        stage_parent
-        
-        Parent for all stages.
-    -->
-    <bean id="stage_parent" abstract="true" parent="component_parent"/>
-
     <!--
         XMLSignatureValidationStage
         

From 3eea6b4e937295d0fa96e31141ce4c192c6a83cd Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 2 May 2017 11:17:08 +0100
Subject: [PATCH 54/80] Allow UK-registered entities to support the GEANT Code
 of Conduct

See ukf/ukf-meta#123.
---
 mdx/uk/check_uk_mdattr.xsl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index c7e4d913..b5709e1a 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -96,6 +96,7 @@
 	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
 		/saml:AttributeValue
 		[. != 'http://refeds.org/category/research-and-scholarship']
+		[. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
 		">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">

From a6155f948e008056b2de3d92577817102a7054b3 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 2 May 2017 14:08:06 +0100
Subject: [PATCH 55/80] Abolish WAYF namespace

See ukf/ukf-meta#71.
---
 attic/extract_entityids.xsl       |  3 +-
 build/extract_addresses.xsl       |  3 +-
 build/extract_locs.xsl            |  3 +-
 build/extract_nk_nocert_locs.xsl  |  3 +-
 build/extract_nocert_locs.xsl     |  3 +-
 mdx/_rules/check_future_0.xsl     |  1 -
 mdx/_rules/check_future_1.xsl     |  1 -
 mdx/_rules/check_future_2.xsl     |  1 -
 mdx/_rules/check_future_3.xsl     |  1 -
 mdx/_rules/check_future_4.xsl     |  1 -
 mdx/_rules/check_namespaces.xsl   |  5 ----
 mdx/_rules/check_uk_wayf.xsl      | 46 -------------------------------
 mdx/common-beans.xml              | 14 ----------
 mdx/ns_norm.xsl                   |  7 -----
 mdx/schema/uk-wayf.xsd            | 39 --------------------------
 mdx/uk/beans.xml                  | 25 -----------------
 mdx/uk/generate.xml               |  6 ----
 mdx/uk/import.xsl                 |  1 -
 mdx/uk/ns_norm_back.xsl           |  3 +-
 mdx/uk/ns_norm_cds.xsl            |  3 +-
 mdx/uk/ns_norm_export.xsl         |  3 +-
 mdx/uk/ns_norm_export_preview.xsl |  3 +-
 mdx/uk/ns_norm_fragment.xsl       |  1 -
 mdx/uk/ns_norm_test.xsl           |  3 +-
 mdx/uk/ns_norm_uk.xsl             |  3 +-
 mdx/uk/sp_mdui_test.xsl           |  3 +-
 mdx/validation-beans.xml          |  7 -----
 utilities/normalise_fragment      |  2 --
 28 files changed, 12 insertions(+), 182 deletions(-)
 delete mode 100644 mdx/_rules/check_uk_wayf.xsl
 delete mode 100644 mdx/schema/uk-wayf.xsd

diff --git a/attic/extract_entityids.xsl b/attic/extract_entityids.xsl
index dc915ee3..95de7af2 100644
--- a/attic/extract_entityids.xsl
+++ b/attic/extract_entityids.xsl
@@ -14,8 +14,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+	exclude-result-prefixes="md ds">
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
diff --git a/build/extract_addresses.xsl b/build/extract_addresses.xsl
index 24bcf16a..8a0415ba 100644
--- a/build/extract_addresses.xsl
+++ b/build/extract_addresses.xsl
@@ -15,8 +15,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+	exclude-result-prefixes="md ds">
 
 	<!--Force UTF-8 encoding for the output.-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
diff --git a/build/extract_locs.xsl b/build/extract_locs.xsl
index db55917b..b5411589 100644
--- a/build/extract_locs.xsl
+++ b/build/extract_locs.xsl
@@ -14,8 +14,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+	exclude-result-prefixes="md ds">
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
diff --git a/build/extract_nk_nocert_locs.xsl b/build/extract_nk_nocert_locs.xsl
index fae05589..bd038a08 100644
--- a/build/extract_nk_nocert_locs.xsl
+++ b/build/extract_nk_nocert_locs.xsl
@@ -15,8 +15,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+	exclude-result-prefixes="md ds">
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl
index 335e0fc7..a67c1f1c 100644
--- a/build/extract_nocert_locs.xsl
+++ b/build/extract_nocert_locs.xsl
@@ -15,8 +15,7 @@
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	exclude-result-prefixes="md ds wayf">
+	exclude-result-prefixes="md ds">
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index f503721c..7604ebd8 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -17,7 +17,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index fef00c40..5ef23c5d 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -17,7 +17,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
index c944e5b4..0226d724 100644
--- a/mdx/_rules/check_future_2.xsl
+++ b/mdx/_rules/check_future_2.xsl
@@ -17,7 +17,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
diff --git a/mdx/_rules/check_future_3.xsl b/mdx/_rules/check_future_3.xsl
index f0e655b9..4b83d777 100644
--- a/mdx/_rules/check_future_3.xsl
+++ b/mdx/_rules/check_future_3.xsl
@@ -17,7 +17,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
index 7c8ae169..11cfa927 100644
--- a/mdx/_rules/check_future_4.xsl
+++ b/mdx/_rules/check_future_4.xsl
@@ -17,7 +17,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:set="http://exslt.org/sets"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
diff --git a/mdx/_rules/check_namespaces.xsl b/mdx/_rules/check_namespaces.xsl
index 315d39ca..2bb9f7fa 100644
--- a/mdx/_rules/check_namespaces.xsl
+++ b/mdx/_rules/check_namespaces.xsl
@@ -22,7 +22,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -86,10 +85,6 @@
 		<xsl:apply-templates/>
 	</xsl:template>
 	
-	<xsl:template match="wayf:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-	
 	<xsl:template match="xenc:*">
 		<xsl:apply-templates/>
 	</xsl:template>
diff --git a/mdx/_rules/check_uk_wayf.xsl b/mdx/_rules/check_uk_wayf.xsl
deleted file mode 100644
index c2e443cd..00000000
--- a/mdx/_rules/check_uk_wayf.xsl
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-	check_uk_wayf.xsl
-	
-	Checking ruleset for the SDSS/UK federation WAYF namespace.
-	
-	Author: Ian A. Young <ian@iay.org.uk>
-
--->
-<xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Check for misspelled elements.
-		
-		This covers the case where elements from this namespace are used in a context
-		where lax validation applies.
-	-->
-	<xsl:template match="wayf:*[local-name()!='HideFromWAYF']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element name wayf:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Check for misplaced HideFromWAYF elements.
-	-->
-	<xsl:template match="wayf:HideFromWAYF[not(parent::md:Extensions) or not(parent::*/parent::md:EntityDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">misplaced wayf:HideFromWAYF element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-</xsl:stylesheet>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index ea4e9541..40a4fe49 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -170,7 +170,6 @@
     <bean id="samlp_namespace"      parent="String" c:_="urn:oasis:names:tc:SAML:2.0:protocol"/>
     <bean id="shibmd_namespace"     parent="String" c:_="urn:mace:shibboleth:metadata:1.0"/>
     <bean id="ukfedlabel_namespace" parent="String" c:_="http://ukfederation.org.uk/2006/11/label"/>
-    <bean id="wayf_namespace"       parent="String" c:_="http://sdss.ac.uk/2006/06/WAYF"/>
     <bean id="xenc_namespace"       parent="String" c:_="http://www.w3.org/2001/04/xmlenc#"/>
     <bean id="xenc11_namespace"     parent="String" c:_="http://www.w3.org/2009/xmlenc11#"/>
     <bean id="xml_namespace"        parent="String" c:_="http://www.w3.org/XML/1998/namespace"/>
@@ -203,7 +202,6 @@
                 <entry key="samlp"      value-ref="samlp_namespace"/>
                 <entry key="shibmd"     value-ref="shibmd_namespace"/>
                 <entry key="ukfedlabel" value-ref="ukfedlabel_namespace"/>
-                <entry key="wayf"       value-ref="wayf_namespace"/>
                 <entry key="xenc"       value-ref="xenc_namespace"/>
                 <entry key="xenc11"     value-ref="xenc11_namespace"/>
                 <entry key="xs"         value-ref="xs_namespace"/>
@@ -261,14 +259,6 @@
     <bean id="stripUkfedlabelNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="ukfedlabel_namespace"/>
     
-    <!--
-        stripWayfNamespace
-        
-        Remove the UK federation WAYF namespace.
-    -->
-    <bean id="stripWayfNamespace" parent="mda.NamespaceStrippingStage"
-        p:namespace-ref="wayf_namespace"/>
-    
     <!--
         normaliseNamespaces
         
@@ -857,10 +847,6 @@
             <!-- no imports -->
             <constructor-arg value="schema/uk-fed-label.xsd"/>
         </bean>
-        <bean parent="ClassPathResource">
-            <!-- no imports -->
-            <constructor-arg value="schema/uk-wayf.xsd"/>
-        </bean>
         <bean parent="ClassPathResource">
             <!-- imports xenc-schema.xsd -->
             <constructor-arg value="schema/ws-authorization.xsd"/>
diff --git a/mdx/ns_norm.xsl b/mdx/ns_norm.xsl
index 2c907602..78ab442c 100644
--- a/mdx/ns_norm.xsl
+++ b/mdx/ns_norm.xsl
@@ -45,7 +45,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
 	exclude-result-prefixes="md"
@@ -179,12 +178,6 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
-	<xsl:template match="wayf:*">
-		<xsl:element name="wayf:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
 
 	<xsl:template match="xenc:*">
 		<xsl:element name="xenc:{local-name()}">
diff --git a/mdx/schema/uk-wayf.xsd b/mdx/schema/uk-wayf.xsd
deleted file mode 100644
index 1139a62c..00000000
--- a/mdx/schema/uk-wayf.xsd
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<schema xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
-    targetNamespace="http://sdss.ac.uk/2006/06/WAYF"
-    version="2015-04-16"
-    elementFormDefault="qualified">
-    
-    <annotation>
-        <documentation>
-            This schema describes the WAYF namespace, used internally by the
-            UK federation for the "HideFromWAYF" label.
-            
-            For additional information, see the Federation Technical Specification.
-        </documentation>
-    </annotation>
-    
-    <complexType name="basicLabel">
-        <annotation>
-            <documentation>
-                Basic labels are empty elements whose presence or absence
-                is all that is important.
-            </documentation>
-        </annotation>
-        <!--
-            No content elements are defined, so a basicLabel may contain
-            neither text nor nested elements.
-        -->
-    </complexType>
-    
-    <element name="HideFromWAYF" type="wayf:basicLabel">
-        <annotation>
-            <documentation>
-                Indicates an entity which should be hidden from the
-                Central Discovery Service.
-            </documentation>
-        </annotation>
-    </element>
-
-</schema>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index a1a450b0..8bfa1255 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -284,31 +284,6 @@
                 <ref bean="uk_default_regauth"/>
                 <ref bean="populateRegistrationAuthorities"/>
                 
-                <!--
-                    Add REFEDS Hide from Discovery category as a standardised
-                    equivalent to our HideFromWAYF element.
-                -->
-                <bean id="uk_addHideFromDiscovery" parent="mda.SplitMergeStage">
-                    <!-- select entities with HideFromWayf label -->
-                    <property name="selectionStrategy">
-                        <bean parent="mda.XPathItemSelectionStrategy">
-                            <constructor-arg value="/md:EntityDescriptor[md:Extensions/wayf:HideFromWAYF]"/>
-                            <constructor-arg ref="commonNamespaces"/>
-                        </bean>
-                    </property>
-                    
-                    <property name="selectedItemPipeline">
-                        <bean id="selectedItemPipeline" parent="mda.SimplePipeline">
-                            <property name="stages">
-                                <bean id="addHideFromDiscovery" parent="ukf.EntityAttributeAddingStage"
-                                    p:attributeValue="http://refeds.org/category/hide-from-discovery"
-                                    p:addingFirstChild="true"/>
-                            </property>
-                        </bean>
-                    </property>
-
-                </bean>
-                
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
                 <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index defd00f4..528cf9a0 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -269,7 +269,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
                 
@@ -376,7 +375,6 @@
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="stripMdrpiNamespace"/>
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
                 
                 <ref bean="stripArtifactResolutionService"/>
                 <ref bean="stripAttributeAuthorityDescriptor"/>
@@ -508,7 +506,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
                 <ref bean="uk_normaliseFallback"/>
@@ -561,7 +558,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
                 
@@ -683,7 +679,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
@@ -799,7 +794,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="stripUkfedlabelNamespace"/>
-                <ref bean="stripWayfNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl
index c413f8c6..900cd105 100644
--- a/mdx/uk/import.xsl
+++ b/mdx/uk/import.xsl
@@ -75,7 +75,6 @@
             urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
             http://ukfederation.org.uk/2006/11/label uk-fed-label.xsd
             http://refeds.org/metadata refeds-metadata.xsd
-            http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd
             http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
             http://www.w3.org/2009/xmlenc11# xenc-schema-11.xsd
             http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index 0d2402c2..e59ac8ce 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -37,11 +37,10 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md wayf xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	exclude-result-prefixes="alg md xenc"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
diff --git a/mdx/uk/ns_norm_cds.xsl b/mdx/uk/ns_norm_cds.xsl
index 718dba73..3eac4726 100644
--- a/mdx/uk/ns_norm_cds.xsl
+++ b/mdx/uk/ns_norm_cds.xsl
@@ -20,9 +20,8 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
-	exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel wayf xsi"
+	exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel xsi"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index 0d2b762f..4ee1d693 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -31,10 +31,9 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md ukfedlabel wayf xenc"
+	exclude-result-prefixes="alg md ukfedlabel xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
index cb79a27c..6bbe0cb8 100644
--- a/mdx/uk/ns_norm_export_preview.xsl
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -31,10 +31,9 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md ukfedlabel wayf xenc"
+	exclude-result-prefixes="alg md ukfedlabel xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/uk/ns_norm_fragment.xsl b/mdx/uk/ns_norm_fragment.xsl
index 9d58ec58..e7cab1d4 100644
--- a/mdx/uk/ns_norm_fragment.xsl
+++ b/mdx/uk/ns_norm_fragment.xsl
@@ -26,7 +26,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	
 	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index b05bf888..71fdaee4 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -37,10 +37,9 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md wayf xenc"
+	exclude-result-prefixes="alg md xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index 20930f67..8e5bf095 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -37,10 +37,9 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
-	exclude-result-prefixes="alg md wayf xenc"
+	exclude-result-prefixes="alg md xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
diff --git a/mdx/uk/sp_mdui_test.xsl b/mdx/uk/sp_mdui_test.xsl
index b1e2a0e1..f23e6816 100644
--- a/mdx/uk/sp_mdui_test.xsl
+++ b/mdx/uk/sp_mdui_test.xsl
@@ -16,13 +16,12 @@
     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
     xmlns:math="http://exslt.org/math"
     xmlns:date="http://exslt.org/dates-and-times"
     xmlns:dyn="http://exslt.org/dynamic"
     xmlns:set="http://exslt.org/sets"
     xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-    exclude-result-prefixes="xsl ds md mdui xsi members wayf math date dyn set idpdisc"
+    exclude-result-prefixes="xsl ds md mdui xsi members math date dyn set idpdisc"
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 247156e6..cd4f5786 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -368,12 +368,6 @@
     -->
     <bean id="check_uk_trust" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_trust.xsl"/>
-    
-    <!--
-        check_uk_wayf
-    -->
-    <bean id="check_uk_wayf" parent="mda.XSLValidationStage"
-        p:XSLResource="classpath:_rules/check_uk_wayf.xsl"/>
 
 
     <!--
@@ -670,7 +664,6 @@
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_algorithms"/>
                 <ref bean="check_uk_trust"/>
-                <ref bean="check_uk_wayf"/>
             </list>
         </property>
     </bean>
diff --git a/utilities/normalise_fragment b/utilities/normalise_fragment
index a5cc93ac..9e7231ac 100755
--- a/utilities/normalise_fragment
+++ b/utilities/normalise_fragment
@@ -55,7 +55,6 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
     xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-    xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
         urn:oasis:names:tc:SAML:metadata:algsupport sstc-saml-metadata-algsupport-v1.0.xsd
@@ -68,7 +67,6 @@ ED_TEMPLATE = Template('''<?xml version="1.0" encoding="UTF-8"?>
         urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
         http://ukfederation.org.uk/2006/11/label uk-fed-label.xsd
         http://refeds.org/metadata refeds-metadata.xsd
-        http://sdss.ac.uk/2006/06/WAYF uk-wayf.xsd
         http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
         http://www.w3.org/2009/xmlenc11# xenc-schema-11.xsd
         http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"

From f4f051c50875abd5687e79fdb39728984cea52b4 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 4 May 2017 15:20:42 +0100
Subject: [PATCH 56/80] Upgrade to ukf-mda 0.9.5

---
 mdx/common-beans.xml            |   2 +-
 mdx/ukf-beans.xml               |  99 --------------------------------
 tools/ukf-mda/ukf-mda-0.9.4.jar | Bin 53652 -> 0 bytes
 tools/ukf-mda/ukf-mda-0.9.5.jar | Bin 0 -> 55752 bytes
 4 files changed, 1 insertion(+), 100 deletions(-)
 delete mode 100644 mdx/ukf-beans.xml
 delete mode 100644 tools/ukf-mda/ukf-mda-0.9.4.jar
 create mode 100644 tools/ukf-mda/ukf-mda-0.9.5.jar

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 40a4fe49..b91f9925 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -27,7 +27,7 @@
     <!--
         Pick up UK federation MDA beans.
     -->
-    <import resource="ukf-beans.xml"/>
+    <import resource="classpath:uk/org/ukfederation/mda/beans.xml"/>
 
     <!--
         ***********************************
diff --git a/mdx/ukf-beans.xml b/mdx/ukf-beans.xml
deleted file mode 100644
index 9c27b3d5..00000000
--- a/mdx/ukf-beans.xml
+++ /dev/null
@@ -1,99 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:c="http://www.springframework.org/schema/c"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
-        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
-    <!--
-        Bean definitions for simplified access to components in the
-        ukf-mda artifact.
-
-        All defined bean names are prefixed with "ukf.".
-    -->
-
-    <!--
-        Parent for anything based on the Shibboleth component system.
-        These all require initialization before use.
-    -->
-    <bean id="ukf.component_parent" abstract="true"
-        init-method="initialize" destroy-method="destroy"/>
-
-    <!--
-        Parent for all stages.
-    -->
-    <bean id="ukf.stage_parent" abstract="true" parent="ukf.component_parent"/>
-
-    <!--
-        uk.org.ukfederation.mda
-    -->
-
-    <bean id="ukf.EntityDescriptorUKIdPopulationStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.EntityDescriptorUKIdPopulationStage"/>
-
-    <bean id="ukf.IdPDisplayNameDuplicateDetectingStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.IdPDisplayNameDuplicateDetectingStage"/>
-
-    <bean id="ukf.RegexFileFilter" abstract="true"
-        class="uk.org.ukfederation.mda.RegexFileFilter"/>
-
-    <bean id="ukf.UKEntityOrderingStrategy" abstract="true"
-        class="uk.org.ukfederation.mda.UKEntityOrderingStrategy"/>
-
-    <bean id="ukf.UKEntitySelectionStrategy" abstract="true"
-        class="uk.org.ukfederation.mda.UKEntitySelectionStrategy"/>
-
-    <bean id="ukf.UKItemIdentificationStrategy" abstract="true"
-        class="uk.org.ukfederation.mda.UKItemIdentificationStrategy"/>
-
-    <!--
-        uk.org.ukfederation.mda.dom
-    -->
-
-    <!--
-        uk.org.ukfederation.mda.dom.saml
-    -->
-
-    <bean id="ukf.EntityOwnerCheckingStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.EntityOwnerCheckingStage"/>
-
-    <bean id="ukf.SAMLStringElementCheckingStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.SAMLStringElementCheckingStage"/>
-
-    <bean id="ukf.ScopeInjectionStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.ScopeInjectionStage"/>
-
-    <!--
-        uk.org.ukfederation.mda.dom.saml.mdattr
-    -->
-
-    <bean id="ukf.EntityAttributeAddingStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
-
-    <!--
-        uk.org.ukfederation.mda.statistics
-    -->
-
-    <bean id="ukf.StatisticsVelocityStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.statistics.StatisticsVelocityStage"/>
-
-    <!--
-        uk.org.ukfederation.mda.validate
-    -->
-
-    <bean id="ukf.X509ConsistentNameValidator" abstract="true" parent="ukf.component_parent"
-        class="uk.org.ukfederation.mda.validate.X509ConsistentNameValidator"/>
-
-    <!--
-        uk.org.ukfederation.mda.validate.mdui
-    -->
-
-    <bean id="ukf.IPHintValidationStage" abstract="true" parent="ukf.stage_parent"
-        class="uk.org.ukfederation.mda.validate.mdui.IPHintValidationStage"/>
-
-</beans>
diff --git a/tools/ukf-mda/ukf-mda-0.9.4.jar b/tools/ukf-mda/ukf-mda-0.9.4.jar
deleted file mode 100644
index 2f7e1a70cecac1d523816f3dcf4c79b5aa7a2a45..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 53652
zcmbTe1CXTMvM${2Y1^8%ZQC}dZQDlmv~5h=wr$(CZA{<!_CELgJMMqaclNmz@kUfc
zWv*Je>U}bwH&F`GpkUBIK;M9X0)iPNf&S$M_2<2;sEQ!1q?{PN!XGhIpl{#4{r|*J
z|5Z#@P)<@zR9S^iR_tDOVq8X=mTneKnwDy6V!B?5VS#z)(2+)JYJ^6bR_Gh#L4jH#
zI&}|;duyf?vy+r_7F8uG6AHCQYi5KJinNk)4@fk4*eF&hbXS;3sR#6s=a6SI;vr?5
zF6HWX9GVB%Jy{u#R`*sQ1!>4{{LuUmmVb8Q|L6K^um3d3=l?JX^v|a*R{t>O|1JRe
zPXRkev%eAg%i=$){3YaKWolw<;%MM(VQ2d{8kqluhK;eo-)Q0fjh3;U&EIGe{x_OV
z1~%4zqfYVfsQ=l!v$NyhtU~-Zt2jCTIWi|_3nQn$S>W%ia5b>D__G0%zfmXqoA3Wm
zbsJ+Bi+`-~&zt-IykThnW{tmo0%1E_X9Ejc6Gsw8IwNZXC#NV?P4#&J)ZYNQUSvcV
zx)%D9N*h@;^)d=n`|_MUK_A@sT9J9lX%eJQ^*4~b;}=k#-()dvbKz3woE{?^+}j&A
zS4^+J@5kAJlr=^T2&6b8bF6dXg`o=tbru%p^i`cw0QOkQ!YzU2*zHBl%a4xzJ+e_U
zI3-vuCOd4xPs!Aq_5eaviYlgp^Dbh{CpI0*<h-SHh3VIHafz<o^$qRAvBh_~RQTmh
z|6cF!g$gb)kO4V1wMd<f-ir-+&D9~qs0cswv}i-MqqpnMx?njq)e}-IVS_dt&d#fj
z8GZ^eb!rKZTg$96cI<>D#~RS)Dm$jxIEiAz9;1{SU&#G@e{VCzyh^<QIp|B0n>fI+
zd*QbA&|#}gQfRG{oNJvrRmwd5;3s1hLoWU$%H*tVxCo~s^?*|4E*&g1DRmm^keYbZ
zUwiqCz6~t-V{GKUAqI_KsY%1xB~8rr%2Bag!2_e<@)bDbUL*Lt%g7LRpX_RfuD^E^
zX<F3TEf-T`YJlcQW`WVp5I6$jDy=035&}QnJs1!+yf%THEX&iY45$x7uIS{?cO<#M
z2F&sk(p7gNv5~%+G99)on&O34iKgu5n)~Wwo=2Dxx8}NMAS+S)F22y*vW1cKQKWoW
zYFz<!K`AZox6uacHEz^0DIvXl*NyP>7wYb3j>LGAihP91c3eT-y@N>0dcG_H#anZk
z-6l6S>L8GdGNBec^`zT!Yk$?*7Wt^GFnJVdM0;eHg%7DcDf@oG2eRL8cmf}MIwnwJ
zFW2#eX0b`}0R2ehLtBaQhR%FCpYUKpU6mKE=vi*jce;z86C)Ps`W{yQlPNC^MqB^a
z-acr9sgXSdqy;NC2uE<g2v+nCg`~wHL9l697mbaf{wcLmbyMt=8Cx8!4?xfuC20P1
zjO~d*rl2_vr^gv!97<&ZA`7sAExyTPihK2XM<cEtBW()lByii~gb!Ncyi*@$oXD49
z)*B=eb&rAg^u;}vAy2l=Oy?H!q&bq?A<-Pu2QU69Ju3-U>;Pd=r!qt`HMhzckBk33
z<o=fRF<podKKCb#$oxY$2-(Rv3L7>z7Ktwy^D1xmKfE|NX#xV*A196R#}EI15$FFM
zluZ8{l-f@7VyM5DYH9Z=2uU~Mb#qw!WepQyI{hgTGiT<w;F|%tCV*85ZSn8bJar2*
zev4fsvT3Kvzg`q!x5sS1m8Q)GJ!SHGO}SOIdww2W`vKAH3StrDY7KGFMH!+y0m{=3
z?<jC5a8?6D2AQNvl531l(40OBcf0Ct8dtrIcFRJn(9b{y&%2)XaX^TZ&Hw^kNS;zV
z=JU&CNzQDl4-&QziMUpPDp)q-gN#ps)R^XvY=0khD>PP+)pJVQ^2vh`6fqlekK6J)
z6%r%<1-apbXbjg(u@WQ62XoW7E9tp=Y;E5is1hl*cF*|}Yx>qwcUA?w!hKJ%VzT|J
zNOMAa#(K%#%TRa2603k(z5{`tijEoCw~Ntd88ryUwM?(rla=cdxbEZn)MsN7ZYs6e
zx+Q~5K%bHv`>*ls18MOqm@Kst7i2II3Vzsx5mh(u`S9CMcX}L@CVSO(!IgU#FWEuu
zTr(r&VH@uV9CX{YmJk!1=BR=IG?;R>s~v8f?ft4A%Ag%ErRJ<q2a(`)sCo4`e~R@N
zVE#38!@(hJEs$eov|0D=;drx5*nluM#tJ(=bvkJe)(i(Ox$*4b7Oc)l)pxgm(cC%1
zyk_E6lcA(DNG)zok%^NvD&6g(=A=)tUwmK=Ig25-17h_Cb1tgY?DZV{^a|5lSBpox
zu84Op4C<L6>`D`tah_Psa}nOTcYf#3`z&o>xJjE;b6=aH>39o_8le+PNYpFrC?#+%
z4*`N@-Q|PvrJ|JZ@5eF~OeA_R&)`i|!rF<Cvm<OgFfRAdrnvLq6Gnm8jC$gHQ=GmX
zh8tPmk7J?d`U-#i<e%S9(1|F$;gfS{e23<UvQP?$xrJ(syzNdzm+;Hp6s%HR@Bi7;
z$ix1+rsDfVkNTuAVSu0pA7kYN%9Z37GMDfJms4%4m!i=+9xoDa#wX;K+^OCWL;Pzc
z=7d>8$1krNE^?P~{uNwrhtiK^x&}T?%(IYS^1D*Mj}&*DqnUlO1UQkmoNX|s6^D2*
zkEuIfa{k&Y3vYe&j?mc)5mkZ5?+AZN-+7)iiCpQ5Lyjtpm>G{YKbXHLRe4To0Mj2Z
zzC-*S82SJ02q|oCVQnmEY;0j`rtJKOGMSip{0BT^xaIp95QndYB-dupN!Y}|kZIgc
zg1J=DBqWf&Q`NTLB5iP)jXJn{vqJCz5kMQ5oead{T-`2zUftfmKf(bqb4+}n)(>Pz
zl%myZRQ%?w*r09jgLLf@hSG7)YCKO(i9$P~(1e~fAp@iK*hkIvE-E*DWt!fr?_04v
zt=EtFdfSJ!nSAFuGI`rxYoAcoZ{&kwU84wuZh0-u6P1hxLS1#0)Te4VLaA4#dZHvj
zlzlGM+EZ=A7*ZBhYJAR$k74#7)m&Zs0yI(9*wDv#gQ|TJRRjH=!iC}-*Nx1g0utY`
z;Srzo5zjsqWaDEC6tBENG>=0W;2A@IM(upZ`vm^$yrcR!(?NlOfcpPj|F!d@{&&y&
zpJ%(N{_dutj`n+MLiWn|$P^jk8%YDH{)iFN{4Ob*KrUf0oAWmb5ZcE8cIK3Wz78&@
zVv?@2h~%cO%BI2Qro1I8RAlVDN-YbkN62L*^~d8f=`UbE`&^f6C%Y?>1OpTFip4`m
zUk<lzr|H$>_pZ)qJ~Q2~=|c=)>pr`4#DU@#&cos(!Y2GD;=p-p-oD9vD*XHY(D@DT
z^o;47nd!G1PPAXoyD-2N0~oEZ@dz>Z#q{sDXgo+g3GP(>%r8{zddjztKwSZLWiQDD
zv>cPay72^1x1o00-P4bG`^SCc2Q~SZZX5-@e`OH7+zRuQ?}__1thZz<-x~3^U8MXf
z;V9ng=$Y$cWKOz}C7YZ$iA`FjHF6dbz!@=)^wyK2M~w^=(4X$<&E3uSaf2IhgRzdl
zkRPafoz=J<U?jGf!DY?}D@^dDNs}FZtHY9Jw{X=4pI!$`M?hyzPGf`50CyrWc`#+t
zl=jSV(b^k+gnYP7y>cCbs85q&Ov(%U?QRDpZ147!y(N6Rn-3b){tg)mF63xQQ)nh;
z)PP+nseA?{(>uq!WWcM+0;WQ2QV<nMTEjC1CTA-pG4bijK50I3>QSeI41%{<Ti9Ao
zl|z2QRa;OE%$z_n{T_kt<+4>UAu{QUQx}OVS`ei=EiLJq0iK<Wiueq*V9U;2)F_;@
zqKV|2B!NMtDl5Ni09;6)L4t*|cVJeNiqCl04;!;MP4=*0z-xEcK3}R~L<X*EFbmaD
zSs@_1l$<lvFiH(B>2>+h!I5+P*dPdcOgb`!Lo|hIiJX}PLQU-zPjkOYvs*!HDtF`}
z)Rb3$j=h?P4r{f7dF*}G0WeJd&`B6aVFk7$cUwZx^xPZZ<30YS>K3`TZMNUm&YYdY
zDptQbn}|frEUO~+5QxMb%N}nU*fiTzRi><DKUeHR%{U}g{bQq1VE#iv?!dHvwf^Md
z63t|-R(9}S#Bl_7@<feMzDf+8+=Etc(P>#nmGT;lO`Ws?)^L_dxwb`f2a%f66PktY
zV@`Rgu~W*pVi+9wT#Th<D+%1&(~)hF%+{D$wc=_KvKXLmFO}U^1nm``1}5*9aZ~V!
z5@|M>XAc%l$5yoFu0z}bLQh{d21j?>WR5Li!Wofe&8<E7`+a)^{1>BKM)=X3tnAL&
z<MsSk==Zlrkv<C4wWVr3dG_upOZhdaX2xlbR?PO=a%q=D_L2H!=B|K@C=k`TLJ!hD
zoV1&ZaWdaq8~K7vm{dOs?FsToUNVA6!R6k{39bIil{^D-_I8F6gHW5z@?EwE^A%_<
z6VX<__Ha~E;_6)@GFF*gWcgDR|DLw8o_WPZDSkNmomhZ{PSN~!wE<?R%7pm~rLWj<
zGyvlk8E+WdH+me~H$ZRBr(TFhrK4h3y+ue*T3ptSuUh`bBYzi7XVxC1y39Rl_%mHk
z3HwTbezQVq!PAVs?(@|<xn(o-`DP?Ce3|tFK<KK1g$Z|Fn|rp4!)krB8%0X-E*^~o
z#Wmtp<uyM;+gvc{Kj>6n;A#I`Q|4KWH-(u=<u)(rDj23Mv&U((w$3%Br*0~oo8n}H
z9jmxQdO7A49Lgn@?g-qYyWk6|*#wqa4U<`1td6oDJ7Gs=oCTWkv|eH2u+D>;En9AK
z$ZO<^XiyAJn#-9lcDm`6J6XNVS@ABdibOWcse4*#@Yy7gn}U8oN{sL5zQIUjUkjtW
z#XDf+Pzl8Z!)_SZYNrqe;IC-YTlQg=b4Jzb87D<QqYGt5dIeX=_xhD_P%x7|u(2uo
z@Z3v<esb-Lhy>(fezYl=WJuh(IOl}Io8bYI_}I9UwE}{$CE5fDci$D#!Zk{cR>FDT
zG|oq5VbUd}vyA?5Npo$bGpZV}g<~OFX1;J$)I5BuDLuV(L%I;$POgX(Eh7XcPEOc2
zIYyFb?=(rmb4)ttYiSoCbxBF#{u7g5W<%bH5}z<T#*h`iAOEeb|0#?+47k7r!vT2?
zJBKf(;R#u+y5WjUI!-OK0{ep4%Oy&9sEE%hMXQKWf^D9`LeO;)=_*=;PADzldW3YL
zmJ^(xm**i>$iGs0M#}mFc^t)jI04zC{BlTiE8r9U4j!^K#{_|6{As?9r<-qsR_HMo
zpdbu>EHB*8Jm-<XyW*l7<0gF!0?ByL5;^Loz(AMxlzCpJ=E_IDY5oK>9JP}_7)B<Z
zl=AK7;L3u<Qz07Q+*8PD4nmg>1V3J2aI3m2<%4kLk`oonrUdoG7exwUX798T$AwBX
z{UEp^ByT`jeUU^BSy-apbF9j(n;~qdc0%k}VO}i9l|g~w-f4C^syW+#-sx{LuOW9r
zG;faV4sByxf#~d8g?kY#m%l3P^T_-SKTL_rYdXv4d^+$@nIw=b9_EEN<Qd`HeoO=D
zcFyE8Ir~AS2H;tV2GcC2TmoS$^ckffpHBDc6-ZOuIOdt^O!egQi-=UbU@FXGy-{YA
z1U7UP2P_o$GD{F9tl4r~2N0wfYQVxZZeKpPS;2vuBARMk-$zsIkO29d>2vNDhrEd1
z`n(m4;3tUjTT10i?9;Cp?*&1UU1q<{KA~Xz?8@cz%H`yZqCdtU@dVdp-nd$L<2Rd_
z4~-yb$JdY}8d)hKb*a6#E+dt4038JhbGbb^ujWmgM5^PXDgD^|=P#!w<1Co^sm*v7
z31y2%8jZ>=Wi`5!vVDqQ#AXv*3wYT>wD@U!yXMBw<<qUFRP5n5MBh=>8LLX`frLil
z2?%L%1pF=ceAD;}RdyAh6HKJz^>B@WlR@uf9S2U4{O~KyW@bLAK$taz!|I+$+sW&4
z$hnHiH+VzbtX0#K)D_k%GGWB?l+CG0f70w2VhI^?u8E*D{WRU6)2flK5bD;TrL=2W
zcB355TF{Re^(q)V=yWDw&5_to<UB=on;XRU>rS8prpP6gt|BVg0~Sw7fN|D5`=N1;
z<AXUY5&~VCSS&N#0sSfn*#0)Qioluh%zdkVnv(<P+_mS-y;C->ODgU<RQgim<X!sm
zjSrfh(5r@sNuG7Y`$c1LG%tL#0geAE`3MvlrG^eQv#*U=A*o)W17n6O$aO3%8s;QZ
z5JPhp=7cT|o~!r=an=g0GbUc#74I6}gCE?l*nU3Ao|Y1Kq{7|ir6t8%f1S=v-`^O2
zQMGT$QyEHs@}tpMe@E5m{u`<$YHea;V(TnxU}fU?A51t=TOLIab@*#Oxr(-2L7@uz
zCrBZ<*Z>SvaPW7L1ZYdB>-ozWx{ImgOPZbLIg#5teeWk>tm!7J{z5~7HnXFLi7&UQ
zwEFk+=Vt<-<eE$|XauE}fKUq(#>FU$iGsMniU6JT4G&N!h$A=}hCl9xwBLMJ05?L}
z_l%3@VZo{|{^OF3Rvi<t4KB4_wNZcWIvRH_<)LN1uIvJcJ1H>dd~GUL+2L?zXtku)
zu4arhsRo|7QpCs6O}jgxT#>Scw3U2o4^)8l0iQ;m%D%a@C*VYBvqa%m{|4WBtnO~#
zLO(udx3^ihV={f15$#+!S3Q{fK$%jNZ(5pw5#d4X?PztXS5hXuU^(RlXuN3r2`6tM
zi1kigAHr~AJjxXVU)od#o^DVij0ZS1EpH)K3As*$FDR7!438jGZJ?Gq=_$^Ou7W_N
zL9TMw9gNFNrrVXuqkC1$sX**nGZ3?Z(I)n7I|1(^ZN9h>V>)i{L?jayMss;f;<9Dt
zSS=4S@)(2m{$>1PyO@%vgZl0`D1y)uW}8ZeZ!p_qlu+~$7Enx<z029JA|8^8*~ehO
zjfVx;8s{~^{E}D3+FP~HObFn*6^$}rc&{EkvD+sz6+O#Bk$Mg>1D9Q%Ar0&PiXEzp
zPhT!~Ej{2=QuoNQ8D46txEDKn%u&1d-gG}D5~@8VLS${P`s|sbeHyp+nsTYOUEj0+
z)x|_P^K+(}zJs%l{d7N(#4Ex&(;C4ONf_X&ZER#b-%79F`e8P}H%BK%E;#Gpc@)=!
zOF5PQ%N2Ced}9bNrxx2B5yHZz=38&yd6C(-l}Mnp53IfI*c|#{@`0|rbKwXSQwW;u
z`RRrSX3Sm+jcYE+ttgTdqEQvPFO*Sc%#=bhY$a2ptnh-pmgS$={qFs83i;``2|WaV
z0Rp5R*rX8z2&f1A?*PH@?*hWv$oxMcp`z`C!jAg;K$^`JRxXoFRzeEuaBqds(!t!q
zDHlu1j4RdNfsFZvtQt+*xYMdZi_R~Ee<r1C28Mw_+5KF`5B1QzQxe;7j<3RbDsIY+
z&&R8vd%N=uMF8&HBXUOwo|A@a$D`nVD#gP)Bm&;j!!a3GXKdffdw-`c$PTLx!Fx6d
zmih60FV}s7z>U|I*g(D|etYY?Q<}k>+yTyFk~Wo!tbEnGuYRy%00C2`1k<2ytQ}Yv
zfd@Wm^e-d>3YU&YNHl0ETgDnMSYhfhb<?O_<JX^a_u8;&<$@8I=;vc8IEu}bk41w9
z6pNth?%G1s=j6SSrxb>b3NfzkIqN)YtI4#b?*nbLz1o5)diTcaZ$|(ITXD-h&7USK
zuzTP7YXL}CQ*g5pf|AUT+l-lfC4IEHl*1A}0?}!}j<M+Ip=ZXT)yKRBsZ`6ft>UcD
z+uq5?lBpGUUU3Ggm@PqjKAkP(A8g&L9rT;NTQ}k7r13@LYRx*rjXnlMvSm8_naXZZ
zO?Y57@{UaHA`O&6qjnanN>vPwCf@^C^Zpnc=Xw}32F>TIFd?e_(^#V6ZPbq=$80QA
z)Dd($s)6i#*XpcN1Gb?y9R@?R6L@5<Ncts#flqU3l?C1jNc3(C=vqghDiMpnD{wKx
zu)^z??5=*LKlMwt!GrKArrc+WtFsB;+5&8fkA?e+;-u-0<os@&Vm6Z$fQJrEtW!5f
zHZvpE@<AAOST!}626eM=ZAXslOir;L^?BNPF`s&jVKqLN=*??x4vj$(lYO3dVs@Po
zq>Wr6*Z7dEU7~slaWcQ>B=J-9z-)wIn7qL%umh5%*gU(k1Lz&Cw3tHet8c`r;JQoT
zNVf0|vToX(H%by)IuVX$#y#Lebi#jMIb7z6ks-w5dz0M2quB^u;HMEgN2<#W7P#Ep
z@eEAR^r-$*^}Km&1(}ZH;@I^_*T4+@LBU?%6XFx_CVlccb#lLjH!xe9oPrs0$r_zX
z;T!st6Rh7iRt#Y@LoW<VOfv^MV2yBf|5~Lh&O7;CV_z|{PaLIbc;HoG(>N*xf+7b#
zT{<JaZ0Zs+91Q>GzYtl?!g|5-Cwl|&x7i!k{|1r&C=?0)sq<JEx;UHsOQcFtv2j`#
zLG+z+rCC?hwKtbkGLJZoFlt95w8(M5J}ZJRSh<RjH9f&NBGOZ4tvle9w0Wie93t<U
z6UqQK^|zaN5J!75CarbA?pw)k-|XD<$=>Yr`aD|R2Bz6@#r~yF7$iwk#28JDoy;V$
zqfF{u#HXHQ!x?f%p=M7Tq6+uROrpDD*AoJ5W2R<^VaP{MOFMubyMq|Bu2KAhk=^>r
z8b`K{W8DOh<`uB7jaO^ov6M_p6}|tq(X2CUlnRHJjqR;x!J;z^Wu1Xr43SseUf1t4
zm%X1&Zj8B8bm#!RYO4Q?6;GXP^jZ#!ao^7YV0FrX4P$MVZ6UWzCdL*tlO9QiE=g@6
zYi4h4NW`T?`7InFFufdz*Ppa5R&y`V5OT45)zCWY$_*IiZc<zo);;DHLQV-rL8sV%
zV8pU|+t?_*x5dncF5e{+wyn`|YazkV8wqHOy0KmU9c{qsN0Q9Ce9NhraM+s8^<dl!
z`>3kz9K4TG)zIn|Jmxx~5e{%i9@OW!O`gGcYq$40k7Mu&WGpb0s7!TTXm!_hA)R*y
zwFq~SM)R?(NlsA(0w^mcv1Ja2MymR{SNtr-l8~H<ToR^qZyzQ2SqCVKcJa<N!qz+E
z2z$mXLin!sL{>>vNWGXV&9x<{HVpO183VJR$(o7H=Dg9T9^C1tHce2T13UDEO997<
z=fd*yR54qTUI+s)>bDI9nDaZbQ9Eliow;m_KZ#V=s`SEP@3K|xwoy4#JrhznE_POu
zZCXAoVz??pR?w3_j$tV0lgDG?NE}4@&9^C*uzOZpb-#<@y(iFaI^W-GUq{O$9scBN
zcZ&WNfHAe@<1JygLBbp7V62)i_+3(J?v1WebMaYl^PnLeJ068Z-UxzmBL0E5(m^W)
zn!d*s$t&Q6SqAm1@5D~RyFMb0-!on5SCN8um~rj{^4dLOFXh{m623k@cIPtlgFQy=
z&lragUupMWG-h6!H^6eByH_$l6)va#gw{v_cO$<9FCAgIe(?v$IBs!3t;T@$wKOpv
zV@+6GcosFPTU=R+2HTGptWmvKN&jF)<c91U;;irx^ZEl&8k8fZLmfh}<u`?+C&eRs
zB#*IVl5<?>gUTLr8Y+treN<vhn1&&9S&VQ$A-|B?AnVcC<1~gK{Hu9Iz;APj++gVj
z^;z_OqX9nd-_R)2Ii$V<M88q?rbF|}+M>P}>6sa~;HJY-`CRw#+#vkr1<K|~6Y~Ff
z0hzxosIdPJy}-YO=OmSFWgJ!1-?nVVqjfASXkcY4b87(EF`@Zns)qQvoJEpFh_qVz
zDbm(LZMJrY`f`qaej+=**SQom7*#Xt?abR4rRh#hkVK7P$)jwqsm^2W?N^8A>2BXo
zJOL!P`5H#E9g?H@k)68eya19aiNi9Ts?mDzAlo18H~3ow1AB;o+Jb$6;4loAE%po0
zIF}TxFfBeCe$^YWB*6L*=_`Gm?wRe<6O&`>h^T*{a|9+US;LKM3P3HDeH_Z;>|Nc@
zP>S1Rv&Fo|x_wWyOgh}qS9P1L&*75o#zmxH+nfbYo<j!OJ{_y&$V1*SYR~A#^X4!<
z!6ocCXoqZCwCA3O-pD3WLk3Lh*WJ76g3qB86E%91E36WcWIp~BB+I?#`8}QJq|S!5
zb@M^nHMCi$9aSkZiUL(tQU@$icux628DS3^ZdrJ1rR=T=q*&>!Wst$ALFCt+e}@nf
zZs{VBUGt_L){qmL<bH;suqa)79%+ZY1HdvjqN<N!?HPU*0ps*)h<NtI6P}KBqa|8P
zZfT_CU2z7nJesEWq&#g>3K5T*%r@WJ5Tu-JYk(t;TY&zOy#g1^_d7kBOyq82ScMMV
zPF@(oEfQMK0G@^l^{OQb!9L2F8^Igw{Z~6U7Zq7q38O~!eH8J494vA56rAubztOVv
zq7<)X^QV7FHbrISX1mk*edAq9qf+C9Js19?O&eus-uw}qfghPuQJ2i2t`p5WBV|*+
zKYO2U;GOZ;=H$n?#DiBf<*n+#k92Y;W!xM_os)a-HxOfZYihbqDL`$}2}gkW6PKJY
zz8D^>)U!h}A2#{ve7@p#>Ak*tPy_0yV!S3NvbYWLzGJe4d^}%(B#C``1A&AkNwubY
z?^Eobi~wZX2La|A+$jAM!%dzQC2pO@tC@smh}q093JAMdE=dP}=@~}p6Slk5{B549
zJ*KUq1m;bO)IM(iwJb&0!z-Fg<kTYG(eBY7^A2*u9&bVM-YM_^6bI9HYB<l#Ubo=P
z@0@0b&kQX=z?Zd;%nu(<1#Sl3F;H_#uNO1)3@8fdysyOZYy0@mG>c#wJ>RSPdypAB
zayepL9K14*WBXwTv(;1=Bb~-&;^sAV_K;`m47Eh#=Xh-n^$guH$c;OK!&8(z<V!J&
z){6HrLuY@=;e)S9H&CBps}g6d4vxrW_Q}s=;|eETK*TbnkWP`h@Vx&6_U<J2eer)_
zU-GxXpX+}Fdo=@Vmw#mdS$~N6KZ>fZ6)TE#94QbWs1z8(uKDOVYw;|iV9foIcv{vx
zJuvlgDc^~tvlpp?yZZ=Eta1g4Oo}dXm_HS5rpJf~Wz(5D%%3;9@3Znh@2mCvKotg~
zaQTLX@bhaNF?%r}x+aK&BD6{@U2MQo>{ol#J?0i*y|aedTMYH%3?ivXHyb6w;Gc<l
z70h{#GB)m7x@{Xr4yqHDXV>GZH?mJ!a@&uf)}KKKlW<-L`)fJ$$M?9UtXOY8NA4-?
z?`RN&35}M|ZAU0u#(S=qjZ<{CRmWlH2S3q{xna|ia-`jdaH{Cl^0(4sZSbm)AmE?5
zblSA!60sgfNEuRaW&vm;F4Sx86m3HAHxF$aXAr#92fWjD&nz1UI6}xXxs!tL`Lu&s
zQDoP{9${3V(y(SvPhY$#9ps6zUOzGSKD(Y14O-nPekS#(XL`m*+{0Zy6r2sbwUK-N
z39+Qd9Zm)<Hvz4fcU|uB2j7*xh#y~{N4pxIG&sWbFO(T!={a?oa-0=oh_|7MPJiN5
znR-0|A!9hB16qU2GJYQck1K6-(=1e=NJ_p`JP}j6HxCkoi-K;aYYe%O71=L}04J!p
zU=)AamY*p>C~>37MjC7kP-e2}XS4t;08RuV_`;V)O+!85Vdo{v>Y*Xz2g8K0C|_GH
zfUz%hyVXfC>a%B1$^5Lk^~-hk>P?Gf0_TgNthXT5c1g@5WYgx6?cz(=_YI^agmULX
zhin>r!=?Q!9(}zNmv14K5wwM+;b{BqH|jiZjaa5_M9zgLS2DrA-_b&D*EWVNJnh9!
z<D_Q6EO@?yNQ}*SfTgA`I+1b;-=P+bS^-Ez&BCYTrRjT`;yeQ$m?KlR4G-X$o|_mS
zyh=ZySC0?khsYmj6+m)8g0g$_HF_j9Qb{K#zQdhH1K--v0qircoPWy#5(7{mz|D#E
zYk(Qv=CDcaujbO0RHY7WF#q(Skk)nUbA*h^I~Za2YFsE54p}bj6t=vT3NFY!f=ul&
zk7b60)pLl)U8iK$Q0{mu)ul7UQYU>0T(RD@C$YF-S5)Z_J?khL$b<H`_!DiqG-+Kx
z;8I3*0A69mj>L`U_=!Kg_0%RO5S5Np#Q?7>IzpTdB|u;Q=z^e?j8RhigI=e<MK90)
z3wr-0a{s}v{KlWA2va-LD1%Xmxe$^D*@PMl>=fw{@c5zFN)?M-sCG@txH9vVEaaf&
ztu-T|-_U;F={pXT6i_HnwF`fjG?{hKB}OQfB0No`aUOebzfMhj+#a_h0GTRG=0%1_
z3(A-p>{!7qI~V9v?c+4^EF$2|bG1%cwp7jEB?36{*zJ}3X(2lMP0lqFxO4SKmf2p=
z+3~KbGF(pAuikk2Pb^QQ+KJO$^{YAi9Dm3=T6o#^Frb55XME_->fGwEJL5w0c%?xG
z+z>CnyY^7FO!j0m7^7P+C%a*Zg_9#m%K{eSm&y2A(=Wr5YU;^80MP2No#<}q8_h|0
z^hF2E86z7NAsI!-)fu}-@_Do$_`l>bGHj}iAUgI_lSv{Q6~aq)OjO%$!Yn<@$$JET
z+$|k3U5lkjQouE1(c!7?06%+(OY9QF5ly!LI0hHa)lkOGo^BvoDI@0UOS&he(njG8
zI^$bBPQ~Z1u=%M*UuTzlI1o=7A@#lU>JP#6HY<M{mZLpSA1g4}>H)dJ#O(b6YQ`u7
zi$GZ6hpqDHGp#O%0^x|sbVEvq^@9E^0R)O(rNAwpJHhb$#j;#ut`GH$HTFviv421i
zR(Mz*rvJbXxkP)s(R1a}lkXO<2|H@>8iRnfOg=;HQt|OLyiv!5gMi?`=FY9OT`;9N
z_|-n7Xd(G_kGx5h8)7-c`ln6nK`T?dNs9*8C7sE@G@;u`!vQ>d3T_)2?C}~=jn6Ef
zITW5K7KCE|F9mMcwg~|ck3|B8OhRg5BYaG%lA-u4A}_Gxk#puck|-!_e)?{Rb@4sc
zc<vEZU-2)m0{m;@&sv>V@HF*<c#(kL9#TMwIkOo|;m|{jlEitzi4aB{2qN_`NFfm{
z(*d8Na!_#l*fv0VGsU&|jBoRt;in&%^OT9y?=!Bka#zXQM9QydKCpj^K=?P91xTqv
z1VyK}>F*e!eZZk0U44hC!pJiGf!xMOS4o&|WJ8n5)ZK#H!e6!pMubZUDn%d+c^+&K
z97>`DRfd5_RO{9U5SgPmUYIKZ$(~^<cX095a>l9)a}t=(D%pk&Ki+Wu;?vpQWB!bP
zpxOGjd9MGiC*mJZ)uOh}7S0~>Zhx8wh0RTjtp3p!VPIzR&rEQmhDRpKBHovrgsYHi
z3lWT%Xnu(o3UDK)+J)}O(nTOmP7bY1yn);Iw6HWN8vMtCrYGA%)rv~-%B3}E{Pu_j
z-AY@la^8k#lk4^D-}4B(U3O&4S7hr+2%qHFlV08T@7!Bn9=qG}JW%?ax(GRN>eB;K
zI?55v`&wAbVYhEU>bBo@j5jFu$!=?xW8A=Yh9`kLP_EO%v~O%{Kk>1y;q>9Fp7wnV
zz5Re9Zh-muDERnDF!^cB?cnqY`1XdyKU-ukHm-(!vD`*pQVHDNZXJ3>M}PJF@ZF$o
zxw_ro0^$pM|9DXWdfpEJ;){a(e2FALc)isWd~4O>i3Dxr_$fXxoi8+K<jbQALl5}G
zM8eJQ>lEHQhQbQ{eDMaNz5&OQA9I%q%v_ptptX|ZAWmM#Vyp*^+nBo4QW`I7vc-=3
za4lHIQ<vg!@R_Q4Y*;e7n4{&*o?C<KZ@{yZI*q_e$E$^Sbl;G%c+w{^JEz=SVx_JV
z-YgWW&>=H2z5J<V98NM~Zl=0fL+n#zaG+HBblH@A$>^MMX1V4przV*?JJTW=*gP*|
ziF`EREPOr=mBCihASlFOO17{-##$b6{gJnfzhJR2HdaNtC^07^PQ#iN?mSQKHNCb8
zNWR2fK<0Ka%Gp+fWYI#zoVnNnk$QxSnjfIlPpV~Qk%^FYrzj-NOdfVmh`8ZmEiYm<
zWP(3KF$9^-b)>j|QGA~$SmiAsb!1cIXf!ZXppcO*Yr;OQZG0FTq7{)kmgyT+R+iFW
zz(3+m16eqh8C^w3>AKd<wnw~{v#^+~QLjQ~a6uq#h}@5lEVgj(=F=~6rISvhE@JCQ
zSJ;*B$lW_)sb@AQQqt-RXkaeXT7sw#<t)R7s$@^8d(>s!4=xjPsuL6XA!>sB0q#ZG
zakx^N%#fjZa3muWWkm_acXoY>th)0}x^zgOV0(%w0(@X&VtpX+Se&3fY^i;fe7Azq
z$tjczb(-9KwDyAWzQ|?_@%e~9QzdOMT;_r#Cc)8qo+&%-wjx;j_jGS|Qxp*;x~1@i
zDU_Fus{rc*H6Fu{9vte7RSim0-P=*HG4Y5)zGYGrIT6D)(mVxzgHkQQk(azkdd2i~
z8CSD<GNUdRB?~+sKDj2not}ijx)njv4etwQS#IPc8$<PrIro*+3QbaraAGla<+mgj
zCN)(@v1xNkeD*l_#kmr(1@Yg`sd<%;8Lier+LaMoEhTHGbs`$2Ie2)`Q^QnP)0FP`
zM#$0S-_?6lZqdN4YBhUdUdn<87inA#Wx!phlx|o%D0We2xBA=Ajues9qH3%VYbA^y
zBW+AW;OIwR+5+u%GMKswcT76+cGh3uQ9Owf@i=*tP@{~R*1!6K$`EnYZhm;n_dbUR
z`DsvVe1dkA^njT04^T7t7VHeaKpE{aEo&Pbxdyc9EXao$YBZKIUEvxLKDXfPS=juH
zA1Q&Nb*$CaGE)!AbMJX>ejb8;oxMKF2%dM+B(^L|wiU&TQ{+ZM3!XKRo(fO)Y*x}8
zXVO)@VgAT0esF&t50l!u23x<MJ4@{QePg?c4?AC5BJld*Ia!i&3j^LgP)#y1jl~V;
z)QrR?`W76LHOsJ`9jLc2>M8)<-D|h{I^UM0b~%uf49guVnAoxes1#&Qkpk?e3wY$|
zf_L{{ui~P90Q(t-D%_BF6zxo7D&JrjG>bE%ey9#O0ZbdHUT}U_={Juo5jsm~uy5AM
znaKnpig3Zy8y<2tp;iM;oPN}z*y=5#u<diN!1tYIn!q41X*#83FT@jRei80=<aaGd
zYWSiK%0+!8j1%glu%cY}98f!1Uky;j*BnIQwO2IXUS<o@)3!8)FZs@?(8dq@POW6A
zGRsr|?h?!@gIKwjadq9sGbpu*p<;FqNlUa*)?<SA%QK@o#$JO3N5h`b<;UItqvc8M
zU+G4NVB>@d#2+qj3Bah~*ySciLlJ6LlE-6e)`GcF7&bpPHy1m*e1xahx+*(2JMlKp
zo1Yq=UGGcL%Gd5rUWE3P0&BcRmSD$yuyiyI`BZ*r870A3N2QONL-g8J`rjScAIL*6
zQL#*UP~BV#(SJ5+j=Z5zado(UhV1>u&eHuE409Qhko)bB=ZvPxR!NyN*?L(~K#_1%
zi(1qZ`dM9OJElWYl>TTwV$pM{jvJD)QsW&3_jI56#T=x~9eY}#8M1`{&uas;sod~m
z`=-6O^pNh>v5ly>sDg@gAn%uSpCgcjXD^PZ{+!QhHAcokAmHv(=$<5Mg1Ie5-TfE=
z@|J-u6XBM;r?9g&)rtDoWDK0n6${)tl$`%3p_O*Z4d$;MCEzkz)g|^_l?o9YpzNkS
z_>o%>-$i?G=HWD458eYi@@^tr(&(-tBne2)+Z<|n*oK^p?r>@U#g^E8o(e&P(jjJk
zi0J^R32G{al=WUn8oDtUt-)F1r}T7!&|+h;9!(o^zffYE0O_O@GE>IkZrv#p18D+s
zU0w6#TlH^S;aKp}Ka}qYCt`0{Ix=5KVDpFG5!p=>Pc@_VDVht4t4fODF^qTzpD}om
zsc|^gPbd;=pi(&0^te`&Csl;Bd2F2f<-0LhVuZG0+LHTk>};`zCiL~e8v7OC+4uuB
z^HVpMxd6-=Excy;-;N-T;fP0~3~+}f?fLuwitK^lklF;jeTujQkAMy%4K2fOQAQlS
zuUZ_DC_&^&?imP1vqw9Wy*J<F@CGdu^+wnMYemUBhPCUccTqbJ=CUP2KY02zjbnvb
z`#G4YLJt^es3<Fnb!wFn@$Uc!1}w1o4*cm-#<GDE)Yg{h%qayuPBVhiVEYikuj>eD
zKm_vs!XoxaO$?Rv{a7uy$9t6p?U}hAI8F{Yph)B&P_W;_&N;S5R%JU#uZ6MS4R&l(
zTSBKpAPx2n4lv(-VD=`tqpKUhs_(1n^shfZy2G(c+&ko}gm%gySGeV?N`Oo?&47%i
z{gA`qX*h9Nv&Y)^V$3$GvdM>hr;t2Mk9kvSu*OMv(DaPYadD&!z{SEgu|6KNh!qyE
z5gF=1y0PGO2aCvj^)}n05Z23<uf~(}oV+`jAOC#(NgkjrIfqSEwY#<@<gc9x)cn+h
z+lL(Aj4ve8cWJ(NKvRq_@)l`mv4Ek2e#dCsoX>W^8+?cizwz}eg}g?TtUknhI-l+U
zCYv|XY3R0#1dn3K8LJb*c2H*nU^=EbG}5pOf3+#;d`%?hCTx}nu%|b2Cop>PM+ssb
zu*M3EJYeHmn$Y=)qD^msakRY0!PzZV90A_G90r`hw{OGnJDce4N{TGT`y1<5pAeS%
z$Vk%%N;YxHt~I6E{`m@Vc7`n;vnAiu3RDIR_(pv7Hq_^VB9+&K1MvkD>SV?-N$kOd
zqjSIVlI9U-7~vskSGiJ8=iXqV-Hy!-hjjp1SY^VGj}4{w%*ztI!cO^`O9DEpk$?_L
z-P?;X_T8ugbT1f+1KGTlVTN-CHEZ~6_P`Tm(&Iq*CHdQDtOcg#^VE0J(GbtotC{*#
zXgo*o#TLFxgWIs%vM-Ro81A1O|FO%T;V8zxZEcYFcOE|fV?yYkME5_7NdLP7_&=#`
zrv{9-wkp=wFSbdWx%Nuuiu{l$rXCl~<{L~W>EW7lEp_wyw&Y$24!eZ)CtFF|mey5J
zk(&Szkgm8=9xxYwqrQUkAyfsAe1D3P9Z=MpkQV`k>_<P_xpflRWuWd~-FjYEoZFn+
zZoiMcvaSz$n{B&6dv1kp^Ra%Z-+=RX{iJ_Y08pcPw<4>LT|G&8i~4q-4KLd#SyxpJ
zu=?smR8zN9Auo@Q+Ntbi+`U&)UG%`Iwji;O9<4*WO5IKRE*Pq#bp_#|ZYYI#Zj|Xa
z6KoIKIGT=x@?s`W>Jo&$lU%wIJnehcy>=CB5)N)ql3(4`KL<&D)Ijt1ZN_`YSYIVM
zJ&y)$RPO{x@tlYwB2d265)AK>L*qXg#eMwY(uR_L3o)eb5>;QNfx}>9Mo0bvvc(o~
zV9K?>MR9_%j(YrUSz%;mt=E~}=9=)A_S$qB6xS=jjkFBEuk@!40AVavN|IX>S5>nr
ziRsDMNs`ED*TXT#A(yyeHbJnaV8UjEiEyD4??3RIUKXJ(TL+ZVxm2P{JI!0tVjs#~
z0+Q;qA)_=@1S(PvW?g=y<6$k(25@E}G2`PhOa`Rl8?#SczBMG`Uo<_GAkA85wZC~r
z1_YZH(}wGEQT8*5(`rY@faU9~qR;Pp_Sx#nafX`4Y{sqV9PI2)1=~U@2Z`zZ!kWMA
z)n8*X1lXLE=H&OOaHX-(a;q~UF|8$=l3Xa_H9oAjEygii9O*PVTVxy<#H4=n^5Q~@
z0~u{FsAC=Hn$HNl3qF<o^i*kPlGsz6<g_hMs|gFOV#q}|J<uL!9efaK3tDZT*s(~S
zKgK?;M7wE7SJX1lB7go?yzkStSgsfs%`DciqBY5Mz#;vx5(L58e&-*nti?kHxxu?4
z_P(;NB^J=YVY^^t1v&>;2I<^Ry4{Xoo2fq0U9P;ZHf4_6J;SNcmzJGCfV7z|$|Re1
zOxPF#BnFz(WZyjt<ws;@uR!O;rUWk)Rjg_~<!u$IGTy?GhlMFQPrBa1DZlUOQ6MGu
zOBmnGYDgm7R^WF9TR{XQcU0mgP2t<dB8Zc;GjsOrVP1F{%%KwJYj!Oy=NX<f%u@2%
z>Redy3?)%UTSEb{bni4+GFo=2v&YnKzUjIe?;dU!ow`anR>W!AP2yTs5jWpiopRcn
znznpFLCk^D@It)sqiKspTHdWB4t5hhM(U5$$df2+BM}%^dtEY&R$JI~6(_|J5OQ3F
zg@M(&@{%5tYl*cxQ{5G4-zk_RH%fXf@EB@$q22`O>^zu8o2U~>@-fs8t(^9j-`l5K
zbJms%i59CfhC`ffMwdxkPR)|a4RRE079@|Da2PthuonfnVT*^?jPq(DcI*XK1bhxe
z+7$9dd!QP`HG7-KqTt<%x7r_agG`we_Io1YlytR8&xigNHs_-oHWNWXO<AzuK@PNi
z=L=dCvnD#Of+X!~gN~Ubh%(w?v89EPDiUO^DkIUso?2~O!o##YWF*b83*et}S1^UN
z!h_J61v?gK(>u>pzx~a?O%Ib$;E-r%dz{y2irGinReGJMvWE%MRH2odd*Vc?;)H;y
zv`FVxUnT87%970Uamrp$eox5c?a|MuexT8R!~LNIp;(K3t$xeiA%TIxaUq~vws);`
z^FU-<utPxgJIqh=*j=)>TeX8`uq%)b?W@;MwIh5PwWDeePSRI7emnlal@m8NqQ6Hh
zAb(?@jRQlnf5T}yV?Ae(=0}9Bm4s;(kmxtn#4ty+tUpsZIJ-z_RCEcxt3R|z2kuBL
z$S9)9MxHh>om371jRHmiNb$*O3$$L^!aP}yGK3*Ru)I|Aet@3Z1b~>dAfu$%Zj$dS
z8)g==nZqgWE82Ws^JI%;Ux!W^hl1yn0VzW=+^O)!$iWpPhIAYVT*Bh;gj_;ms?7L<
zLU9S^Bug@^?~zm^v0$iOltpP`$5l!)DuFl}8Y}BpQ&Eki>Rw6yIuo%cm8d4?6>I$s
z<wBKc390SA(P9!IW2RGtz%k<FeK>F4)^qgdwrs(D)b9)Md~q*GTBitZ$K|6Q{?^)o
z;o+6!=nm(B<i{B5xz@92*0<rRwuz%+vOUv<6E~`wJRmubcc395AKbvf!qGkIrJoY)
zqkMVhG{k6ZmkjlFJ@Gn5l~?N$kal!R{V{q2&@1-&1+EVvu^7BM`LLFy4AkteVD@~k
zc2Mfc)!Pyx_26ucET>K`x}zcW>{%;@7LrGClJqtnwXP<mRS~y7v8{ur&`9GFT*tfx
zwdNs2)Ei+%<~2o<%xNMFO-}2loi@AK(Tls;a6f1}E6dkXXUpz?7E36pdJU&%Z^2cT
zb8)Fdv!oQI8LkGdm4&A%b!$prQ1l`vbTw^*XU|o73zf3!E=zf6w{TTi!92S@RISg<
zt+y8$4VHG=aF%6jT2IZkbl026?3SIkB~M}Msl-1=dv&W~kV$kY<a_F+i>_=C#hl$T
zvb>Q^reF0z8GQJ`F+;gOvxDFUFtLE%<cguMUL=hoV|I|QJm0PF&8VT~HlpX&Za8;U
ztglo#zTt6jwjZIIO_WV!!C*{O@&V~R2YV~O9OehvAc${fVtgz?0ti7^O}rHOz~pm=
zxWPyjlsUn+E2ATIn^<o~^mJG0iV{&6vtHy$MJFYCv@(aPdrmb{lJF1Ir&PgggB&BM
zN6r!1j~LWjCe9ro)FqD^Da;T`;4VUbeW?b#vYzS6w8AJuRUxW{S4K%$55ZbHkSv?F
z)W@4#%M5=rtF8W7fd<AW(O|Ma^9DVus{m$G#R<-ai}>20c(9M^$+#~4^FxWK+ZyD6
zfC`{P9p2G~_==W5bj|(!E=Vj+9fPPFaM>v0ix;QI4}2%Vc%XP9%2Qx!27H$#%3DAH
zs`+PQ<DW%s<_LH~vV>#2)}djJ1X)i{xQWU?5|tSx)X@v>c17SMR@I$IS~HHW`<(--
zihMXU^tnxInT2=g762HC_Y=Gv2f8Zmu2+~IZ903;9Nf#u^!DsQd-%9fUW^#e#Qu<(
zn>a1PytURsk-S$sd*(v8P<srU%F<Hto%MK9uQ&>*8ll}s09Pu#dM2>BG|<FXj=O}W
z2*{Fg&Ys46$Pxtll~7@m>zdf&sd|k1rv1Rrk{{~FSVI>IqCW<0al3Hf+8qY)C!jpe
zJK7x%Y;j3x8}az!-TVvk4-1rvV?VNaQ*p{*7gXW%9k@+n_e#^qe>f6=9Ih}r`kJDB
z9h<#+yYNM)XU+!ByGCZZl$ZA<Sn%x_l${}!-6+!Z7-<9!r%C?W+5KfK!6QoVnQrL~
zpz=gtzrm&JyMJN%b*X;0=!>S?BkPXDexFOb=u3A0gsdTh$cSx*mgNiMr8{Qcul9s0
z1;q(bLSi?>!*}IPNcu}y=JADQYA_Tp;nGpI3Fdg0STjMg-_)3dlDPi&$Hm)yssNKI
z56)I3miV`b?HH;TOmS$wsvQ()x&wl-tZQ;KZ_8k@Z2h?59|b#k>`3+ij2QhU<7p<K
zIdwXRM5>bX$Yq@|r0wU`)b6;m*si8*^&TOM%6A46{=jp~Xsn@HH;AYG78fR;@dA#>
z{ZRAnPmM%jE`x9Pl3Fy9i~a7`h^CG$B-}b&!DJQ-j>9ERC73&;S6@tJH_-P(<>n+q
zrX6xY-Mzt2rg9V2(`B#Lp?VYc2*}1>tzMy7$({XYAVPU4$T6`LD=fDPxwVlB@<GBi
z_DCi-5soq__+p~q@JL&K+QsYMlg%C<vC@@%`9t+?&yUmf82bE9A3y(5(7l^pAp8yk
z1Qhk>KLP&h*)Z<^0V|gk`HPV&yV%>?IXeF{=bWWt^;h>XFH9l*cz>DxAjS)os0I?S
z1x|c8DO&?tdt;pZq%(J7$Q8}%6wz;*L(nji-#~tew^L1d5FP`Y7gL!D?;LJd6W(99
zk2wAwG~$errHD#|GNHFDk!cL3`6og6g8bPb3>czd(`cy(yP~MIbQ<3b6om^OxYR4v
z&P;@bJ6igm(zZ<V3UTHdMX2))>=%*nMuRJAn}(sDaoMO|8~Y&P@?RYr6*eoV>u%0`
zSnU?ZTa|SCTL>-%_-oeN^x3X27!%H~$5;w$!scxYbzB~0yYdX`%(<Gj95dB2&RH7q
za@jRP&vEGNw8#>u1O{rf0wt$OWydkNj3c7g=lG{GJQHZ{ZET$gnW<6DF7$+!k|M+E
z^Qt`h5|fEX+I{0>n@%pzsG6JG2QxNI!WS;d?n7qQq)ef%Os5twCbatEsj=S@lv&{d
zREs6i5HLo|FIM5M)HL%aRqt^V8m%T8QLo~FTWwreXtJpD`b&ht3Y=Xm>EHm(&BrbA
zb)og9?J4}09NAWPtmD&9DZ3SCEG`{;P!_8l-=8X@ML`^eIOgQVh~hgxd*mdv7z{kC
zqzlg$ZBpusdYjzI0NgFo+y@hv`3Ae)XS1<)I&rQV!)FDbsTLMRQ97lmO|8ZUy>nyZ
zmhSQKkq4#NuawUbx!8f5HB!4uu*(j@Aw1$z)p4X`lQviFoskBpe@4_&9M@Ilni=E_
zeF-L;qws8%7{^EFj~|&L*Tmcsjx(o9v5!syF^kSkfS@9Gs7m&O-w?lhUn1a=$cziz
z2bV>>WbpmUNpb$Qv;Oc{+J)>i-QC3EN$Gp`ZOv@^fbVm$5u8RLT~ua<W{I_r1b+r|
zs6PSde4xzi4bvy%R>1o^K9A4|;;xYhTlaVG;1j|sT;e70pioRD3l{!KL{-Rwk~*w8
z7I8^}S7iKss3^fYDG>gDj8jg#Z_$kXX-PKt+ft3_zXKU%L0OqUBddQZH2=}E|9>gi
zRH|9op@^gMqHwS7SmURfnM=bJusASCqu>YJ{A4UDXcX?TRr-!Nbl$65x5e7NkLWA)
z3Yt{r3rr#$vEW;=K%n|Kwc?S;p}3eQ!OgwwcE$U=(MtY)tk?Y;LLZsl5Ob)Jm%|?m
z^c0h*WhwN0gkn4jv#tfJf4K!M|FR;$&hyp=mhr%F#7M4l^J=g|>zX2_ozXiaa1DL&
zi5nD#k!J5*cSAY%3dg<2o+4|UmVPUp)-(m?{#3@*gYO58>Gc#N>~Z#;sx525zE(iV
zPgbjJX-W{gbc5}02*OAb!_R#<awF1J6wEd6u)HaF({bupMEOQAu(OeR=&(VY!zfNs
zT9RO*hZBg?uWW7@?mHzu>zGNZ<i--m*wo1cDiuRxD2nL7>K+wZY1$^;rXd|iS|QGS
z>ahX)s&!Q*Q1Yf_eY&|ef_LHHgEv{}E~)whW;4SdyyuoekH1YlVDA1e#?C3YvPWC@
zoeny-ZQD-Aovhf_ifyB#m5y!Owr$(CjSf1u_de&|+7I{q>paY=RkPOX95u%HzVZ9m
z)iP&dVO_l2!9}yttyuTH;za1MWP`^$!xqP+89`IT0dg{j+Cs7FLSS|3cO6@dw=bI@
zs?0QvoCo8SW3Xx%BaTatu7zM!FiGbgj&M6{nB-#)9d*^BSUmR;W)=9CGH8)2%MvSy
z#f(RO6l0x5qOgaT?8D~Kv?&h}EyG2cL~r$xGI3=0)N#z-QzdF}+i|?+d%RnYN;0CN
zbTtOkLIkKLWarM^7L&>ENEFToaF*hd)aXCWSuP&G+WOF2!*?dzH2dHIA-hpl_KNa7
z?Twz-owOE>_NWE9ZfOL8+#Q-ao*!#wfjvm@{H(PR!<11wXyDG~_!Qtxp{zlnO!je5
z*56E_v&<>vOLXMnRb*6lQ{2NaK%-)nC}Tl+!F+lF<3V)XINtK){M!J5>bXmV^9@Xx
z_Av|!QUys}G!A!4?*&<Y<(aQD0xeHMRAWEcXTQX{-OL6K#Oc5$brd$1Isqa>+0c}c
z;>jr0ZZizew%MyQzeoPukf|B6zu#}jg4*woHN`H0*4*G-c#|CFjeN`{P>I%JZ5tF4
zEx;P62i;hsCg?&KXm`A~SvNqEFKBt_0~R^?EqkW?dcwlQ2SR7&t_<__p200D716FI
zV$;yIpys~PYGPDZ!mClySkp!FUc@GMDONIDI(u|7^3RPdsF^nd<bxTCo9ml-?n~tg
zFZP6bLWdMyg_|ldih0kMRuEB*6bkE=7O+tl7Bg*Q?-c5YKh%6Z4-f0IjOQ|EH>X{e
zW}^`BHXLOWkmqL-#7`jdI!K6|9Zbj;+SJRf6xV|5qCNwrKZ-SbSzb}Gi|is9<LFTt
z3{GlLdFsS^6OLxtg!#hNB&^)-7*^<fcCZD!8g98iz)Z)%sF+2pWJU=*O8c42BWFDC
zINJ1#n16qJ-6C_mX2|QN@)PC~z2fj3N@u<+PCNNX<tO9y%=rFOP-`!RI40hhubhoS
zYxagh!h%3TXeg%OVwn1kTTZblA*y$eTb2nFV0#)jr4WQ!lx@B&dmeo2wsH?nxkcv6
zwDpX6q!UK}Aq!7mv==A~&p-*Yx&@deHw;ITRF=K4GWsk>h><j$xhEB1GGr<W9UM3A
z7MZEq<2PmBsZX$ELUD|uM|m~*g2h}I-ab<V=+q_0o3~4*o{~U0c0u{jy(HC|)*Gwa
zO2_dD`}K>+d~XMUJxhcV*&(d{KEsFa8<;ieJ7})@flJCvvsuaL1d6>4b8VF-r=yZ6
zU_v>a?f!QO){XACM*drV!~X6Q|L3lS^?zN0|Fc<1RJBoFmq7L%NH+%da0H?Mm<Mr|
zBEU$4GYl57Bi7<!ts{@O<l1G`dt*at8x<&zO-qk|qcow^=bPVNICYliG(Z(q@{(|C
zU-NldP3HUfxX!KyqtC+~BJY~5;f%1mRS?(e&o`{tuMLX;Re-M9`C<N=FN46ms|`h~
zJTQWh!&cyd@Y+iED&jN|w@n5m)N~4w&LsK_xUfdQk1rtS(<f|CK=usnu}aK!S1VZt
zO(iu&(-`pIj<gG9IG<&D&D(Ss4+(9O*%po3VicLt4DioFDvNCEF`p4rMjwmC*HBj?
z*poqv7pA2#jOxwdLu#f1$&)68bSd25$_wt-i(_gh>K%*B4>-dm61|tQjiq5t?~CT=
z@S^6;9W$F4hL@}+_Ft36&yz-j;IUXMK$Ah&sMm>ZycI_T&AFdV=4UQ-6YL)0>!ghm
z+_P|h$s_OD$-O2%>*z_qc<o1B&T<bw{bb>f4_&=u#(3#YRWmSf+75%H$<2kr0gxKQ
zI;s`y>waihfWJ$zTxrzdX!%LA<px8&R{Z!BFQt`Qij`DrK0dNnQnA6VG%8`f#8?vE
zpI-lcSXkakq~O1nM@)7y4t@L8jf(xI6or^y&*bSR99kr<VL3Zm@?4}eHUSWAdgCLG
z><GORA7A;PQI%>d4ayGI`z&w64mAq^>rG?<LDaLSQ|5JSg?i4`>vo(lR!@2Rm`*e_
zy_;~*Yh|k!==|2)T~>D$6m&S3v@-$lBJo?j<Eu=b3ZdPygU;6TZn|SyOxLX$iwI5Q
z$|xJX$LN<G1GKa#?_YSm+&<;E(dpl+GM!V*JVtj6D1%cIphmyJJ;&FLDS6p(LB~DV
zT>ng8sv103S%!AKA;Wl{%dgydN<7IL)|HC(%o4o*{ga%A?VTn7XCtP0^mKfuE_A18
zVM;gA%uESZCdF$*_0|cZdj|yZ!4dEm3$pmyx$)eJ*IWD&k>(*-n%;Q4Q7|XIjV}nf
zFEEq{kJoXo0TFU5_kKAm|Bz-H>CNYMA=Yv1p?M1SD2VI9LBFbVvX!M;&LhkC<cw>p
zX0{h;NaNgKCd#(ta^GmTpMFbc`yvLZKNDgS*QH5YWKTd8Fa#<PG;fe|8#UA_J#EPD
zlhl0`*0OVbSP+`qhJC0fSN5AaSU)MI%0!$S2(&8@@iVZ$!XCT!mkP)-)DqsF0OKFP
zza+IGo7iWpB-!Zy3MTbME@|%RRj1+_<Mk~j`x8#Iwm12{nz>+yqVo)i7zhDn9pgku
zMok<x`NgyD5|Q8;{6w*A5FEDoM;z24k(es|E+7u{;|-&7yiQJ9a^~hylU3D-+OHI?
zgpY**Gb}io#XIPSB;n~uJ{9)*Z}3^5w|&qG%+Pw@07}&;Dz&aR)~{pKMW<9HIh6Ut
z95Jc2=HC@xKmT2g$aKDtGeUg%V*8hM_di#o|CK3L8E9v3B4ul70{j>FP1*TBv<we#
zyhW5hSqxq#9zZHsPHz7J5)#FWAV}1&v6(+>O-M<JR-}6h7IXnt9%vToi&YsA(oAb2
zxrLCP!sDAsgy_FSFH-C=*BTzWuEV#UeP$JSuP?QdY*v?;WZ$N*)|>B-CcW=FQ&)Yi
zwxb2X48ZT->`AsLcP|AuBD8500<?c05+u4)ZBguQzW*U4n%p?*_h`}W^XhcZMoMhy
zhwBgFb4bQ=d$UKndfe-h?jRz%*$r&zMkVSCq3|9E(eh4U^80D^flVYZB8ha1g>*j)
z=8IFBGaTrBg;KSzKq0|0#1ujip}wPtUpfGE??6S(+KHC;yhY!Bx9Gas_ugdNh&KCu
zh=wY7I;cp5zCp69jA8s#?8E(STIwYtXj=Lu11tO45Us0+N&jJ2hyQpmxdli6X^-yx
zk1C8l@Fs*Y8pP|>ubbKVLBKG(WRpt>nkQpnD<qd;i(Np+Es_z%QDBh$`_VfH6s>8Y
ziHcWeF{|*U&th{<x99K}nWBzuA+S)$#pM<x&B3=@(4A^>4+dO%e`3^^T214!XmcTG
zEeU1IIFYwY?xveQ!&^Eq<ljkAV5kQ}Ru&nSx8<6onQ~kl*lWA_+1aW4X_quNQf&}i
zo}FG>pF*?HM_#CfEc%RfsVK25B$yU1rWEO{Nr`GT7xc8@H_&P4&1T(*^X29KNg|lF
z(G}P=-=08Fn<h(CR!?I`Ll@f(OvK-4(GE=sh42_8E^Ju%nN*8CMI8}zuXSpF)nH^H
zzf|*>fXNAR0sQr`Gk^@&MA90ZCEzF3DoA_`dSoo0V&WPf3vAER3hmj^>C)xWakLek
z!l~&&CT7s4+NbOYWa%<Z@M~I>)+d}c>RT1_26Q|q8tw7D^Oi%Q(u*iz(q>8P=&GYo
zySg&6S1N40ey&skPcd>5Hfd}lNz!0vk*OAr7R{6zvsUFWgyi}n^?a0Hw9quP$;AZe
z>@<lL7HF^V0kfr!yPKy!*DFnbF+mKYCnUEljET+$M-jEQ;H(u7)^UQ>kTMGp7RW@F
zH<bn1Ff2Aa!G4u0M(M9>rNFT)ChZUs@V{$ys>=9~c@udv(pqyleQ#yRl!bFMAXd0B
ziIs^+9W6j}DdZ^CQd@vWBT^+Raxso?+R7~ww;q!!w7oVfp=rShbnDXt0pvE83YJ&7
zH->l^lc-e5av#=kHh;``@nklF8d`{%cUxv+cll^hHusWL`EVUaBT96Pmw+P~%<5^!
z5q2SO#J_4S(~u_FK8}pwPEv-RVk~<_X`@lQrtJGaQxL@8dNq~vhxRu;ZbQ=qD1}&=
z(kW;rD){E}c>E?Yj2m@0RZPv>5f`HnZfm?=&>BhMmkEylK$1CZm}I7F2_TSwc5aRO
z7d;ScsuczlOnKb&b?S|91Z>hF{N>lptU!ZKQ9*VJoxHK%?ZK(vnk-bNWu!42Hx5)~
z)Z<@Ojej-sBsqs`8mpleJ~l`wr8%Mq|A^Rw!hunYIT|VGH04B_UvrtNREAxsV{2_>
z^+YjQapxaY=;Jc+hTBe>^_RoZJxRJDz}X&r#>T{A1`Ivlg5%IS;|L8zm;6p&HmsF*
z8;Y<<5@$RP1Mhd#%RO@`&nnaHv|I=g6SNu+PUL&)2qGGPf$<$vxISoqZ7JmefEElR
ztJ6mcP<<))k6$1$1k@kStbUB_aZ#l&@qPP+8Wy3yr;h5&u+Q~U8MHn6BJk(?rjlaC
zF6cvX=={bLCwYeyM}5~42SxA|?GJr^aI}bd@-5c8=#bEDK!o2eHjDC5_)Bv{GItkT
zv9c_wB@4(kG;yRN!NXV$bZnv)#a!#FAgh%&L4K5|329*>s7A9t`D^U&g?o4Vidc$t
zI#jRdR!cs9a&WW9t>!5w+atr~uBX$_`y#=_#*0_5O2JH)kjEBGGxHQU)?`lGvbfX;
zX8&PKg-?}*IsyLf#mO~$v~#olZSr$%UQ)Ev_GMvzX+=&TgzVy6WsU+)15lU|oBw#C
zJ^+o^SZ%PZwH1y=V_{iYJ6nFrhM%#xX$8F<>}*V{?kOfURbuB-$F$#p91>Jkni{$m
zGzue`MAa2v%=LL`8KI|;RF*@zoJy+o?d~p(`lqZFoDXLPuR21(Ydpu3=>mJd)B>A4
z?FH(>4gri!sy+h^N!$*Mb=rFyhk%rV5&Z_v4Q3rBGh6n(H6i^J<y4D~x6_8EnBI}8
zTiGZ*WH~VD%6RAs@`7gJqmq7aJ>bT5PP07~rd9W%OayV-nm{0_MCajB{6UAkmDGAA
zjW~jR;^PdrU^?(S_qK?7fM1*ZF%m^-3ujEB{M;mDMapP$DjPq0y?Ffcj_~HMX2ese
zG2V4>@dg?3=KjRX-K;Hhzw;*h0$HQ*lBZA`tvv?^LW{zronRsBn2sE(YxA_Q`R=lx
zj9q4P2WoA9HuQsp?*Cx_X1bsuq^r&X2sZkA+scwt{CV>)v!!Y@4lsJxUO-0b{jHs_
zk(v=(N9U#8-X@CX7n(F32pOv=TO5zxu;~9)j4q+G?Brfh+SSo4)G@)vQv@r7@%qZ`
z&v1*MS(#L&>3|c=PZIXwRi^j!5__dPaV<*jAJod97fQfS`qxjQ-m0lLq2rfsdgc(|
z27=~7W=h(Hn#W2}QkYJFHk(`6NTA8R!&@i@b#L&O4vju9R_2B|Wtg>-)V2DJ`@sj9
z#f%|<yAYSSZ95-PD(m&}M;*5ExXgX>Tua84fb;WgCa+`LRZg*KoS}2IB{sO#O)|d3
zDTzDcuSULLXBge-fDm?F39{ALp~I8>H&PvcUGiQIng>ufos~O;3DPloLinhzNBH>0
z;BSf9W|}Hz44Xo}?S_urTja5#bkyR<v>CPYAFXRICx?BjzPNymB=wmdQ6g|~=fki!
zMcSkVcJ`?Jj9r=^>^H0td42a^I;khuC5MeJrq+uoo8=LVj3LSBDEar;0@<a1A<$s8
z_+zJ8gkP=nP33#>Od@a*g05ZZxdX-oyZJ$o@|>)Gi-sz0RYGS|j0g4j3y=94=no4X
zQA$5gR`;K)tM4O#Ed7QV>`}N#Q8`W34)9dp#&OTa&iH}c;v13*Tp)@odm02JXsecb
z;V_CCB-AHm_G)1Qy~z0++=|{tZaljl$_|v{UC+JwNQfcXgPBQ)afXpSHLxkQ;c$HJ
z{s-6SFDBSh1<*mfuoYnOJp$<(nL~6I$Ky5lI2xo0XkVN>(j}r)k_tc;O}K^OQMnR*
zTfmZ}k(pEMYb<OgY6lkADvI~`5Z436?vN`J{vVM++oe43XZ+{TSyIH7!84f<1G?yo
z?X_Q?_sBP>GB!@AM}R%HtXrY)<s&2^M9VWM^o5VA5V_)7RJ!|0s~IYIQV8L|=_o^g
zF$2D=4mJ0>7UwW3v_CV$8RygC1zLNOWeyO<kp`>KNzr*-PMh3n3NZKf5*btWcuhC6
z(o=V;y>%!VwZ8b}0Pf?!LzhDrlYI@*S{fqZp6(}R+@*WNed;A$*H3`FTwWb6hO<x1
z)PU&0a=%6hxL7Jm-3zhe9*W2@a^cTee2f6GEUVBjhvch29#|k9+Z{(PNqIGGCG2C$
zNd@fkTIV|M8^#B%Gz!w<uoMB*QY}}IYs<Z7uOf=iH`kLE9+S&G)S(KF+Cr&6%FNkz
z6j?7>9ItOX77m;c9&e)6xCk!4m%6J1q^Ays6*2&Y(|$|XQ<w@o7X9+&KZ{Ra;bZSL
zVIODtCmXAd3`wRf9r@LMed9Ws@Ga+->q(Tfm)nNsj4<36&Txe|ej?~C68!wl&Ji{V
zgpSHRB~Idr|6`iQ{fl8LjloDZ^Ubo{-Npa@?CY)NDVRTYvq!4I92BV++hPm@`W0O0
zMWsq4W07}vCcVp!FC5O$HP`O7J?)78XnuF1`un$kIhZaXTP1(~)k=o{Q7ifWzuG#O
zTNoMHS(`YU%bGYF{^boD{(l7%Wod0`l!`nx^j<Tt%ey;azz<l=$|lHmS@7(%Q&)2=
zSF`j>#=GVOB=Wcy@OQ-_K0qKPEUsHUpVQRVaI2Hq)A}=$J{Y|rMU*0cC@I09417Jy
z#NZ8k6mk}V;g?iwcE}?PjbBDAQ4mS!8c};Z{V{)<TJ(H3OHSZN=LCfg(gsbm=LMD%
zF7f+EKxAHo$$FXEUBnx1D^-}B;e7B8K0vGXnUaHXNKhzoU#zRKcG^MHiAyU<0}@7>
zQi*ZnO;Jt#=E$<;;-2TW$;(7{hM#^3t4uQd@X}h;d{dBw@_MXR{Buy#DWIQ?AXPbT
zvgsh}IxcN!`$8S?$N#9sW>RPcjbYbO+|o7Niovm9jo(&!_egr|Xg>~R1`@C$;@QeE
zhN;O>cv{H<Uto3yzl%^T?jZ>{P`$k@vbXB6fN6A(>aFB;lMQ||UO7(@0F8@3a91X6
zv82lmqv{pY^Kb1DE`QiAI|#%fYjad|{c5>-sUqQ&#qhZkDUPrNZ_GafOgD%t5~c~n
zqaPMJcM$WHN<XI$PD^PCTf9^O8m$_m=-dIvUZlxA5Le6vj28@|PoHqcDR;W5jWk+K
zZng=HZ)&T-6a4)-w%oe^+Elv&Xgp(kTq4j8!<x9yXwOW(a-k=7$;fuMn)njy96r$c
zr~f_FeR8_D<9H4h?o*rV&i>_RxFCV^8CbnXHJ_Xjo63uMVjeZuODF~lY=K?V3=)Ax
z>w1EVLN0o>$WjvjMz$!tt=#*({t%?H|Em@6of>-+-R%kDLfL>-%I?wb3ntAw>(wm1
zgJ}?r%sh7g$NiV<U#iO&G$QSz_KwUrJi-sywO^1jiG3q>mC0R&$Xo+rfjWws8Zn2k
z7?1^}IXq#>xfw`bA(3u>4MA%PK>7arxC{$%JgDZcEHd|Z68@j3VBvrGI{wSgCuZUV
zbhNN{wsTYkNEs{G*}GW(n}Yry!*Hd#rW^V&#vf^Iq<jf%9Ed;`96Te5z7`vBxtS58
z*dUygSQGLC=z#dNQ==k9`RA5)EmYSGpXkh$)yR5YIL!>m;Uy!~b<L?!Dc|pecWKET
z#|%6%8)us2krH8YeLPN{wyN82i=E9~UgfXTT-)wwJz(!7VLl_4BaQt*zw%(P5)<qs
z!IC_6=9pKbpsf+aAFsuB^9puHsXceZcO+|3Si`<3qsU0I1dgNdV+_u}`~;chorrJ-
zAeDV0iQgDLe#Rmg|DL551Vu~U!g#X=$cx{cx_U!pNA5V`W<?rtWhw7Z(;au^5Kc?p
z1k}CcftV~_SOeAelwhX~e-$#_(%3@G)gj0q3`Vdh`6e2hpV#99p4ix_+J<qopmda(
zt);c2uo1&FcO!2rWZ5z;xP~tst~4!mQmtbl$IaZi31o1qlDPs#!~4()latP|#pCfr
zqZ$qlg?Eqn%gJ@GFHRG9_L9Exso*5?GmV5G6!Ec>Ir@{2Xc&dogIC#vXDG?i9;eYO
z^PqM$x5jfx6q@mPh?rxZB~n@|qDL98q^VuW5RKpzX|sdI<_oZBU`J&cdHPEm$O?9`
zDy)|pgXx3lwB}H|P#AZ<6~>)Qk*VMJV%M}@N4L@pCvS{~$`}CX`T;@fMpBB#E2`0&
zx>G-9z2>Y`JrioHhJ=-flTOPYn7Rlt#%`+)PrG%>Z2jHF`%bjyf6JJ}Tu|8|R+g?U
zGyfiAoM*mh#L`2M-M!SyD(*^LP|(5)HEWd$W0pw;Rhz%iCeo{xgQ_iFJT;h^Sj9q2
z9rFtK?>KZww4$^;LdJXY*`wKu4nNP@jP5thzLrJhVK;k+zvJ!_Qd#X1IN_^<9))FA
zP#F1uH){nf7rb%?>*y<4up(orT5x3ba$)qEWRjq{{UoyTan+9J@k41027zbRKwH#k
z=<xL=<%G3lY$!EZsZm;(^w%(lj5pGXkHu6}0vB*5Dmjg?{ZN;N*f$kwc(;XOV@*m_
zx_YVDqp#EXE|IkXR4qJXOko94ZwAcPdK>rg8%)T9zo>ct;!J6S?M`1fyF`uWZgo2<
z_Pt&N`==VAbN9bVA3s4Up1+V(S-!+Z5$#hATr3)Z_@^JKjc{IgeZ$nT_sWU~id%__
zbM`hum(2jbU)l27qO$j~7Q~eUaeYhoarFv8)FLJvk8}jpyDlJ`M{#HV8tb#OgecF0
zmMF~$mJJ*(1~#3pp5mZ85)SNQvZ4CAg$0+1eGGzUqizr+f!$6UNdNo=L9fVG4%2tg
zAZ*?L*R=_E3l}4t&XBBnLSUV)8>_8$JOqJ|7jKvQ$N+;fr2Q-^;bLPH*DYrM6Y@N~
zbW`HK61~X$RfVepjYKJbXXSpgJ7Aaxn|F#1@kAaX{`h*^@1^hWSz5j1@b!%s=-|^~
zi{+uB`+JE8!?}Gz%^(X)Sdyy+P;RS??dNXO>!#VtT**BP{-0{YAd(1oTe%lOlEpQ;
z#`#BH9s1U&vPu6km2*x*iRAB1FAM&CRx)8wp$V3?DCJ3cRbp<QCTAt{=3+^PEM%hd
zPR3_Jfefl2%ox$8Oo}UKZRp(dS!44>9Wj7uaS*%aMjzc^@8Vo}8fZFvAOx7|?DBh-
zmHoE=?p*2zMy&aYxoS%#En>ak*4m(@ozdaN7*68(kx~w$UTC7GvYpp*aw-n&xkjVi
zg3+3c;F9UED$RWE5_f@%$2#?l?f?hbb(@Da^%{nSU7boW1|%=v+9D125h4a4ZmQD@
z_n?r(7LO@0NEBwPn=xFvT2)>3R1MC4op#xc)Gl^hNBHpw9I*Qhb^{MX9x8x3@j}nx
zZ8{+`4k3n3wF8zFk}#J{X->6A-^6Wtagyl}f@`r+C(*$@raCqdiioNuyer^omJ2&m
z^X!4RG}xFo_0&TsazQBnb193b#)_PM7tFIMI39|ypjb~WXSyXY_csZ@7#XYWSnL*5
zpP(awEZQ69%mi~t61-F;eE%EP%+QHaOFBg4u8o+dwh;r|O3s0~U3uJk=#owClE;a9
zjlhyC0Unj7>FjK)1!D80(Y@+B!_pWp-?4*Nbx{EW`6STFj=bmtWhk%L#aVX3Q2Y2v
zbHE72)A=fAnEt9{uVdjJ*LA2tbAu;bSKZ#7Vcv~eN?FO9XXK@m#RklcV^<ts2X5zz
zwg+{cV9elIOeVdbFbz6(Yc*)Ndh7kXk-3ugvUo;nTF^O%Xp>u{R8V@(A)|*lvw({D
z2AV%(fL+O1l{Z-30oP9w>a&M=JrL!Im=GwHVe)~E)O-c+BMtWsdEM8Z8+({-pHcvg
zSj+i9Dz&~6jn}Z%-w?Z55icP*g0?m@W=eNT9fbnMy8?bN{ACsxQ{?rd+?q$Fo?o$+
zUs_P@Q9jN$?7=H{vque~m_4H_lmx*70SBR<>*g0o^7NSrp7K*x|B?Y$f}LM&3F42`
zlNoIW!Jx*E>3VcL^jvI0s$GG_Ua=Cls-X+PIn{y4r<&#3_!FOL(oVh^ndy7<Pe{@m
zG=Mo_<!pv6V?kw1lv)fgw6UGMnGxY;kVbS886FxQ&33ps0Y-x*{58d-BRZD3>f@(i
zN4JtK{>#4|M%MR8k)?krG0Z6c)E9{ULtpT>3lOt#vbQ$$kTbL~5p%J(wgCR6e2bYl
z|7%VDFX;FGTa#C6!no_GyZo6pm#|~MKQO_kBjl^43dLebqSD(N01nnNj5eW4snHLI
z>W01X-_v)xv*%BA)K(^NexDCcQfgDYNQx_h6i!cwK^_gm%V8j=2u`TMGMCcSQlhrW
zv6xR-c|V>sVjv^I@0#|!-gvtb823x^x_U{4llR8%G37z-1B<}p#_EH}DhWh7MtE0+
z28%e~86_6P?~}YyBzSN1?}j0XxMj|JS!c%F140Q_T^Ea-EJ^ZZE$wcf-k?bf<O4nh
zBjop#U)`5_gia=k``r<<S#DO5tNPrLv*(|W178BVx=V<<3nu=sL@@2sL3QEw;VvF$
z-%OL7-EycNdHB4CBX$!Ga0R@WB5%X)>APHa<Gi>+<J|`M`yuV~z1Tvh-x5jtFhzV0
z_?_<m#Wo-T@qBZlKM`}kG0{|i!tD8py5oEn2dY2ZewOt=!@nzFcydI*wTy%i(~}A^
z#^5p{3mGPS|6w`EOm6-|S3yJ=h7OSlVvxN+uco1R-&|dCd-l(t4@o}Ww{;}vM}iH%
z?=^XEw&w*dyuO~)1k)O#uD&bMYq#rOQnpz1yHy|Go(L~b&aTh5TwctttFq*TWqJ9C
ze>s~uf!}(+z9hBpZ?5`-@eLy&$c;_4OgT_lw90YLUmwvg6Jn!SpH8jV@(Z2d^Ciiy
zUm19hxK<_{YTYs}6P}f|g}>*0gMDW<CUU%+s%_|`iyv*<O6xH2ka8(!#krm|Wes-L
z;?TD_ymy__UfVrju$6;3_?6Q%Im&&7m^QoO{A0&%y2!e>&z1`Kj0uWbZ4GQ&sb{h%
zMAGDu94?gV<~vb%VAu>sbKvN<-)qUNa}qxlrO}E%%Wv6j;K)OEMF-7WCTtqEyUw|=
zf`3$T<cvssvu<u%45*BhO%7G_buHrJ)I*dPr%tJ6Zgnl=d#%8abiUj`@21CZxVsFL
z<6TT`3K>zYX`KyER8Eh-RdJ=(OWPKdJmHvCjHCIc=>cTY6=y?epK!NO?F#4-7*kM?
zZ;7Y!tT3GRslfWmmMU9(3Wp(T;`TXE=8?SzxhysOX0t3xeX&-&`D8uxm=K1pUQjvl
zJ>&b_>B5gTY!BF405*7P-c9hlJIZ;S#rq0#|AQ@6wH0m=)X|7N4|jF?Sd~o?Azu?-
z-A|Jk3~`0!Yj|V&=9v8@(P|V>Ssi*Bg&3t7#io>$@cNP()-pRd5*vq!zLDNr8LenH
z_iv+wb~2yV3n{g-41-mAd>lU)(IuF6w&Za~%_axR>GAYbfkpvEc#Y<mW#Vb8!V{y}
zJ1k(U8X!7KN}~!Die=OZMOD^>Pkwzg0KmJ(4HNlfRKvz1V7HJ_BiTV}$|9#erHRar
zJ&qQjU0kht6?MMyyM>BgADeLMXv4jZlxZu=6jCtda%?6>X6}lnKsO}yN0)ENdn)AX
z-Pg{tu7xEjSwP(0pPQIOKEvX+uywnX`G}^nt3~^fj|CaabmhRTxgNAN<;A5|oC(u_
zyLKyDZdKCHI?e0UES2Qpk(gi*J*zQ`7ojMr^%J}%DYQ$L+*<!usNo1kK-Za~SE~}o
zih43)dDX;dYgBob$53wpC)sFZg{9mOgBw1@YFf+0AYyuU{X~O-HmmL#=bBlg@d{2;
z>sZuv(_Pat(F9>b?jLKC<c4Q%t?TsTMQdvXx|I`INgynAB%2ovZYuqOV*<VqcS?Pw
zO1I0#mhIjnH*L#rjz=L7Jx8H%6}tnpTimMk$c2NWNApVN#8!Sv3tR}~d68>Yt>Zi@
zUY&#yJFV+PRB181rm3__Qo1{VZ_?wZQr`tFSA-r3r%AAm$=G6@QjPhml=T>GXsTnR
zj@6ipbmh`8?q-eJ(rpAsp<<d$Myx5JziNhsboc<grk!-THL?zmfQ=j0iqPrr26DUg
zRE<;gh*K$KZ8K?|Dl>qvQU2H_dAjUs-aBThW1tS5hBr;}ljd*XqG}Rt*;bTqvMtmp
zEuy8qJ{jNBs0+rT(kR0Y-E`?k>$uF1fyMZ4%tLiD&X8RY6x-zKtF9CK-+?P5O*o#l
zMzz=}aS9cBOzW~1@#&hhGOHwbGOgmSuvKa0UsCD-u4#4JYqF<3)#-CIDhx&602c{~
z&+oP-Mwwf=(-ksD8HQZxKmt~i=nIZpOxr%Def5+5Q$}W!Y>~DZ<8#+?#_q`&TV>CJ
z<pH~$%A$+n=UeC~+&Qzc%d?@Aic3_c@Aa#>im}Ztg?{StZog|zm@o-2Yeg92N3=Ys
zvTrmfH;hHFC^>Cf1RYMj^#<Ars$G+1jAbsT5j1d)^_U1K56RDm-sxg@!Yp;E`OayM
zrxIB5BPW*%SqKJIR1%*)8sv1!R4*Hlt>0>kJWOjp0d;P9$#lcWVClZuoBdrJ=|G(7
zeUnOV3Jtbaw1)*CK>d)i!^OAhj`ot=Lge@NTxP26bQdqpG6*hN%%;zkP4;?A01ps_
zKqRyC^;CBdS_7!u*shW?p0HpQ<VJC2Hg>MV<9p3Lqq?DUsHAMQtz0w5FPNk@tE_E4
z4<6N=XtbjW;t#br{hHYSCM*<9#%fG85_%`q=5>(6k+beus<_^<cAW~9WGj>Pc`@;m
z?<94l5Y|mKSX7ml`!{Q|d7D-1&?wPC;?UJZg0Ctu;6t|;m#~Qqze!EemD0Nqw%VpC
zok6aaVyQh&0AZRH?xQw<obRs*P@D(Pj4x1L%OXVB&Pl<3Pk_M9S#@mGh(Pv@hbpEn
z8iU$<^ZmOT$K6!tD-c?EVf$N#bO0B-Tvu2kn!X)dpqid;Wi!q-2S*;QqPF%(#+Ze#
z6};S47UU+IABG1*GV&HwF%eu)-<vAv3li3bX5L!+m05dz@r4dwIr%c8d8f9vjSUB!
zpN#Z$qszSfA8<qgy{~oex@7M28{Lqqp=t=qoI#9$1ijHB)$hE5CdZi>nPm?OgFvF?
zo)GXaUp1;Op-K<eylx0)x1#N`o9vMBNp#1br@w?JS=bFZqyU@Jz5n1#Hs^xSk!=V=
z*d@J>74Es;Cy!CM`J>i`4ZUZ8X1A?B0seTq!*UBirYHwvOfIre^zE;B!>w94!#s0#
z{zpi??gf1XOX(dxb4TAT?#Xq3<M$YZDq?L5cAaaJ_Bxfc*S8jisYx2x=Qm}KwdA(s
z4rtH}2kzU>ff9^g8US>oFHqaQUEc`BPv|k5_#<yTf<k}(j@_Ghm11K+E5Ukb5)8Jf
zMAPWG@cLr)g8{XIsDF<|Y|4OU7|?NxvBkaP_lphCYV)v1Wl5M<f-C>lSfX6(yg{s{
zJkISRqfo0|x@HKks2Gxh=%vP?Jc#K_ATm_%kz=&|rA~*8&;<#+HzXrOhPdt}q=X|T
zx?6<D(x<aJz#avhv&vWk-Z<!*_?R#Y32HEPX|$x|(()Pt*D~g2*&2Z!LF@yqMd^k(
zO6&swj;3+cFNq?%AYnySqZ7l7jjvNDVh?4NAQ)Xfa(Ol~#!?Z6>n&#F9kH7RqjN4=
zE~m@ozbLrj;rCsFNifG@=Q(CW>>9lLJGo!%kFAhOce1A)S(ykfv|@eItiORj?Q`|+
zbX()ULvA>c7QxwhLtT-2wW_3d$mLkl+PL`!2*8310v`IYX-GcoVJr%-2B*<F1jIfO
z7JB3n#(FEaulBhfhglaSFqwQYI;y%A^~AINxp3U?$2DXw7cic^2(^^h21QMTYBMQ;
zk&8k*+MC^mMcGq8gl#LYG;PAcw#R*Ql{~4?$7q$GmNzn<RQ|mEZ4Q{ryGXT!eh2<2
zbdFUi?YZb0;|`F%i4w20MHpsRbiueTQ3(|<jWnVB4EyeE)FvC}Et0+3Ec39cX^SO?
zN=ZQ-h1dCG*Vzf%bhMUL)E<R-W9+pZn&^S}@GNIg4~gKBDDBdpq?Nc1e~fA<zQzL`
zz^NXs$g2Qf58XSqLhe`GTPSd`hl>D^RT|M#h8UDHp;Y`nZs;az510LRtV09&TM}c(
zirwO6L-|{BWAcc2x9bI8*^nb&%Ljhko(^B{xU~iky=EO21;5XD5~d^7TiT#R?1QqD
z5*{2)>6~V&r98>l6yOVOQHxHR#E8e7Wq;7<O4%(tM=oWFu4~eV<63&&W7|eu<U9gf
zOwi>yB&~*P@8Po^e(8o9uygxwZm3~Z(n<FON_(KLq2-#J!xMzwyqc%{_|0Exy5OCr
zN{*`*>SbwvOg*Q_hU<=GEg<3ST8$LyX=i}>4K7cj-Vzl-{5&6Ss5W}7;Y_*`wX&^j
ze3)6k5<QZ-S{J#JshT6)N|K2Xr}Jj6Fw8OI8284(^8rU<gQ^xXdvElap02;x<EIa3
zTWI{@1z+I7qXS&Or~O9!ou?}ZX=mIWRlj%mMwP$#vp=+YSDZgu{l*1mC*6^wi^A&G
z#-h*7SfJ}%eB^^aKMPnnhh1_U<)a5rPdwec^ZX-t^f$tb&lt<^XICamk$0~Jz&P=v
zXYaVbmgO@)V1Q4vw`qq$<PV~(n+3x#VQIaLJLg7SnA9iZkY1opsL&H_3gxrl75$he
zmk9>Nh9r!57m~_LSNp&-{hxxq%U;-KA%?|{bpxFqX>dQ&9Ra8<FEB5J2+!bapK4OA
zENdXa!=K2mh~98xROTDsGR4(z0muFN?o}vBS4O2C?v`1fCLT9ncAI30gvAJgOsgUl
zw9TA=#HU^Hs!ze_5h9s0fC$A%z>7ifyslpImj(%MV9O;v{3rE0M>L5u;bsU~XY9xR
zi5L82;q2vBiA7sYrN)4=DTVD5GHj38m2tmz-Kiq~QKwMQFhEKO>K*!DIu88x_cId2
zFJCr@{%Iopr-Vi&6EhQc2@7kJzmN0(1B$C!DJx52`(l2j8Xz+e`+iALtAbXNrB%_0
zpv59$h4+;rLGI1Qsg9EFIPPk-|3v>5=>gFF0FvRGf6_L4SCrcppfcz=iAgnPx<2$^
zn(p%Wvp3xhM!(mNPwBw$?HiG)gFr}hjrpzwBGLX4_RwwU?^cuDdHkV>HM0`zRVBn`
zhvB|so{hn}U@y!vc(r6J29+NBuBTtuj#Nu?P6_7W!&4HpWy~3w`-<cVNruRq$tZT7
zd4oNFGYNI${1@D?rxKOCqQBV`=O)6hCEjt07U4EQ^oz+t<q^Kg<~Bv}h<0JNZLA+j
zr#W4-=JT-{Q7`WiP^s8ZZFx{@i8usayf9o@r;Vr;Qk?*L6|KpnYKFGyUf`2C_rC-5
zt;c_$_CTp`U>P^#L*&YJpsocE+|~9YF=cvUL)0F}hO}mdeCxeR_pVs_nwwcdmOeRy
z))v2@Xh}m#1w$9szNv8P3!e<%xW_sJQLO%6<tyTzzu_XT&X#eCp#q8;ZB{C>G%MB4
z{JDcO6fKP-$HngEw&dQdK6Vjz{^-f3!<sq5(WlW`WKW*St2Saagx5c~ze*@o_h6Yz
z4a21-t$?acK;d5AOB5CsX_3IN(Oes#3QCX<CR~KoX#{4|!wUK-5z7Y`QKwj9iKrqM
z!DDvS+)@xS%Mf0d23K2qN2W#cPpzf&@qkv7{~ChXbroq<Fqf<sYHfkw+Zrnkvptyo
ziD+@-ea)Ork>dK;=aZ6sg--`><Jo6y8-h46ZPKsKophd39CKclC<Gras>MdkI)o2-
zP_gevqY9lh47$ahBfKCM9F%*d2JH`Xi?~Ft{pSR1Q$03r^R|}UZP^#s$H!6l3~pCH
zk5NVK6VJZ4(zza74Z&sG;Rl0SqSCe9G7{ei@trU*cdOFb9Q-B3_eXxoQMNoT?%Ctb
z{Mr%bP1IPGJeMDWo}s)^3I#m;FrK5>q)n*${-c_rnrVCe&O(tmT4tvW;^)Yf_4m^~
zM_5lR2}E0xNBR*Lzy~Ca?ig$6<5RZ`cK`E{na>`0*+)3%G&vgw6g#ldE1M3{Kih?!
z;y_%;HFPAzWb^(T!lRKf11<}Wr$PN#pRmy2Px~{b2%k^*R=*>^kj9!2Wv`lN``2S~
zYcw%NmKI4G)wi$Igis0tZ!I#!>T_cEl4PTKL9CYuF9=$b$1=X&NNDngCcYx3FI>j@
zru=Co6BJVt%*NX$<SFt4a4$K<_82e!4i#uG)Y~ok3tJ=lM|kl+3Az6fGy8Y@^xuiI
zY9`ipz`y9V|JX+rs>67rtK)piS7~yhMcGJcM%5`qA;(2%<RBx$kt8%o{eVG`wW*BX
zlwz%Eub-L_`MRW5-bnZZsnMXkQmt}NwShdyyf<I%T=n|Rwlmt(YH{zgGxP7b1UdII
z&ct{9vi1D2?bc0|#rK=~Cm=D7xT;4O!wz;2`6?xVbc4qC3U<%7L-W0Z;%76I0}^66
zH>v9u=0Il))6eE|_mHr+z!Xp*7(a3k-{6fd7(aGTJGi_2mun0-q*8Z%WJBS3jGn)L
z3ClP71BO9FKOAziOMJ9XX7pgs6SbSacMPN@q!~8CS7$*UAeKu2LQ{d;tHOV))#>?g
zM{W!_rW$xwymczWFTRz+$cEjS7r8O}>Mn!)_h&sVA(9b8R1(>*X&B9H^;<Dyyc<Xs
zp3=Q=+Aj2-<iM4nYUp78(!FwF_Pvs@Y8vXObpcqB$)@@I_S>t(_D9q9;$i0{8t5YU
zVUA4B^(Z=x%?x&d&CABNwu_e2$1{uRFzqapwpUwVb#D8q%9tyEClku@y5sSP`2B<!
zt*yIhc`S1<xfCH+oPcNhvBoIjTta1YTvBtad0CPRHMK<zkUVqAnqqRvId9zA6<626
zV<igr7O}r}U_+n&){{ZK_x0$3P<Mm0vv@rsHELJWRY`sTdUAi|v7!VJx@s7L)105Q
zJe^1wk4)<+Q*E>0v#i39ei7NvHzzeMokEagg|b^@JoiM7o0maWy<LpgD&EOK5FMTl
zjeMnnY*kJfB23Fdp-GPq2NGisG~)#-Ofvo)lcR)*$SG1};~QSN5jiXRiBa78JBY1(
zXkN-%s<m@ucqw7Si_uw|sw7D9B%l9;2bB2Wj#AAMd-n=sFFj#<!Ip0kUDq$j-V3m+
z*>_;0l{4MZe9(l%Iv%HBCo^>iZ4LO`(M7E)LMF1hKI!5v0$oM6jU?w`*iId^b5kOx
z`+qJsv71@1tYC2{qap+{r}a~cVGLB{m@}EEN)bzp{d!7!)!Xjokw4Wmvy*vZF8EQc
zB%HN+OrxQ5qww@y6cj=AwIhCjVb2jlyq(6bjVWZZ&PVjxu|zypf_50n#*Y@SrF^P%
z`w_UXhRs!|#uaA>5N4>zM(66aJ70N|$x?)jmvWX5kB!4J-c-DGNkUPB!Pr)~l`V2F
z0<N)}8CW_=w=c%CcQlAbHek4pjgq2vRSaHG9;uE0(te}K-L0rlQX7ky=X;n0S&db=
zyTU=NUpAm|G;8%mI8Dc?oDZm`+};Ix%UG*NPV+lYny)!f1GZPsQzR-jPdJw?%m-Z|
zALHfkXuAq`*I%MQHs*8o6je&Mx(M6-&m8YxgvjS)I>Ubr;7DPApooMyr=rAuQ+@x@
zAAO4kNk<hQ%fX&6J}A%e4lkr$L#~ZRMv8JY9=0MkfKCJGeRzKutw)1%1eF5Y=44zP
z)^n=R6D0OQ=a%lU@^l)+R4yK3E-dqrylS-Zc9^Cf61Wf!V>g~;eDC0~rrGBieGvz=
z1X1?qtoG-1_U9Q9fC#?$_&AKX*xX&LzNcgvVr3RZ6ZN2BY+T<^eVP;&RJC>Z=48dG
znS~pxcL{|Lwf?_y8B_^KXeSyst2g^(={SrB!4H!i3mqC6!*BLR{XLSTdiVO}+qg;Y
zK*>&?_qwf|wnOPG4$OQmf)^<d*X)h_JD|V5MRBm3<NX_a#mH}be}}b&u1?p<G*v4r
zb@LadEHcb8eu8HRCw16J4cnl<LCb(pSL5-gq#qO2M*BV2%xq9R{S$fAeYA^a^YIm+
zb#3oP<A$X&^jhUNKWWnRyn9n-oGY6s0uEh=Qbn_4$xCN`%0OADw_l*khGc24uZFdt
z<*@KZS$NY0xq^#=5jBKWMaJE+2X^UqO&1Qq-=-Yd>aZHdL+Er*17uETDLAv3U5VRM
zb{u&dIRF_$u4GN4OQOxJ(G~6HiW$+JJ1MI?f%-y&*2T`jg5lK<(+JJYt>pAWbIH@w
zvCyYZGE$0e=LNJxu3;s$9t^eTACME!-IS>{K(%J;AFy9r&VGYqv%GRclv53bGqKP~
zZ<=VU<BmJ7c7=TlaF2;#U3#k8d<b!YY&*XdgXNTw@g1v0)!DLoop2n2b4**gGPb9u
zS(wN2L`(=DjsO<RNEYN3LPkXnr=50{N^vg34|iy1e`w@tC%4q?@5a}K#+Om{@);b8
z6tKSi!a?KB<GSM5P}7ulf8f2<h>fp}&dNxrb9T%I77RT@0`GFHm{S|=EG=wr)t%Z9
zG;Q-wD&Cr3g4GSuRaI*qQO(05HR!Jm6IH*uji-E0lEYY18B=uc{d(G}uSXbqc!%#9
zA~AI>Y*i(JjZgL2r)l}Ku{2tRPOI_<Tx`0F*|GZD=O(eOGOZJP`as!+ZPA|>i?W{d
zaE2%g?mG|l7!hva$5zGYj;<sZ1F$fA$e%_*V(TM{u_yS4$qWSDwCJ;Gcg>OYk2>lv
znOXwSg}f@xUk8U39cAY9C%1{adrYW>1zhb5OiE^>GT&)ipa=?(Gn}Ue^ei69sC~GH
zb7UB8@myLKggVBzJCn8{PX=5B^AQ8EMCi)pb0R)1AMX@)Ac`_1Zn&i-bAq8^@e^a*
ze&U;<M#Lzk@>~K?^0Ab`*t=RfdfWrW{-ADXeDUxQyu+Ice=lVIrNMmm5E~*Hll>F3
zEM}*eP|`#2#rDq=a!0V{3LC69_cy@^MlA*;Z+5=W(e#u9GBET<w7fA2AMAPFZ!DdK
zl<Z{axIK^@xp1Ovhs~_cu`h@QOU!)*she7OX>1XtnYpcjDO^9p-4KAj$9E((<G2F>
zuc(MvcLd6~j0AlYuu(Y@5tuaGk%NyWyLBY=DEoy}3N8>ByQsBw70~U3y!Xa7CA>Ou
zhOHTSmS@2r07!9MO7{m*4_wgDZ=9Yml8zc^4kJP>O*}?|o-*D1Q1y7}3O&v+t&5N)
z<B-CBjddC+C`F+l7x5A%vZu$2!~T^S97eo>A(D<C#QhPkb%xew@HUv`2*pu~q0`j&
z3DAti!c|EinET~i3musd$@>d&2p^50kCI+6(4_1`X}U#=_Dr<;p4y*HkorEdA5uL5
z-oT|he0Bf4J9ztjAnf*%G$bO;y**apMlSt8rZmA-5@k1`@`xEHK`xd_LB)YJmn7V&
zix+Zn@obJ}$PTqX`7KmJVNGma`vUc#J5DVo+N|=x`7L6I1Jc}pPM8lr`mUaYNcJ>?
z@Ish;clN_KV_IqfQ5F+gy{bJ*jA{jk`Y>%3J*3xqYF^Rx=xuKd=-*4QTLcIB255R@
zneUuaD@m^;rfB}ZatdYGw1a91B?p;t`9%GNtpzA5vUE$3;f9T&&_F2+UzF`(uEcq+
zfHB+At?pj{H#;RgI%nm_KOq#^ojeic$bK7t*_3nob$xCTC-c&U@?ZUDU}QNg>fh5v
zFRXtWK*jz+5>*BKH|5vS*yLa5<Nr7Jm|Xr}FAR;WO{APnZ2pVBP^qS^j4p}($CC-3
z9-P!&SXhh#8jgDiz^?ZTg2Prv%>?C|vi}Miyqzt5RTBf)K|XZApz2Xi+jT&}#80lO
zC|VYGHyZLD{vMftaqq&Wq_f09qm14uP%NK)pLv}jxas%)aen>9b*~&djitg+tp5}@
zh?zEot&uz233qDP9t^A8p%gdS>TeLPmN&dIW0b|nKuoY|I30F!zZm>u4TsFo3<MvD
zxyXn;F<w+JFuxaLMoAJ)GA?BPD=CQr*9ouqw)49pn|fW}02<1#m99iAa{zCW9Xi!T
zEen^~Z#0RmyUB{vbculTH%QC5rxxHV#Wd=QuHx_SbB{xjR(xy{OOtq#j%r(u?;jrx
ziY|jqj;ncp_1=R5k41LJA~xFspJ~^j!#l9`+7DlUS>420=V;XDoOFr=45{^6rNZ}=
z!^jjMk2G$)?a)MIS{6e$xM3sks1j`ZdExb|yOP8*ieDdPRU4Y#(%nH)kde4Nchn)m
z(S*_L-d(P-#aK)`Kv|u>^klsXcu-&D@cM!>-27qDm_5r(Io~`~%!i3nKo%)?Y&~3O
zOGzwg;G#JNkyl8gjk?4<tUlW8Br(T0Mj=Zn$55q-f9t$!vap_f!K(n~M_R7b09;Ly
zPKD-NEc9Vx<1ofd&{y4nRI3NcLp-TX9hQfQ7rEcthZY=FDz=-?UrEgaQGLeo?D3b?
zS8(1vAz#`Ir{E$J&bbS9qIw=8(wS1STvV1adzPvWO`3J)Ci77lqDlhH>D7xJXN~8y
z##)N>NB#Mk{jX87`g^OmD)C{;cxy&}^r_>gVZ2w<@+|Y$6VGfdezdW59COfC3$~VH
zvAP*q&yBsn&K)@3ejUx}qXU+xczn|O!jLAp0`x$m35}h*s(8&(pS-*~76wpn+Y>C&
zTXV28wK&?&4TfanI>Qb%=xJlf#kmFhv{fwH^L1WgO7!{!%Pf_<peT6<<zcfHiW#j_
z70Z^&eZ;Ff=F=B^{gLRu_Mrh;&dV_~<zdB*Wd~?*$EV&rg`+r%nlhax=+Zb7|JOm;
z02J3z@b-^xN7+yMQ4<RCnse1Z6y4%%*=%#*qNBOr(-<*etElp8!^dK6Fp#tdBh0Y8
zlNq{O%dHLFvZ*NclbEi*cvT!|)3_8mC!L~h9x_IP3RzJ_oyeA4vbid&ao_e{j<iQ$
z&!lMeC5U5md^st)X)#4Lsi(v(j5l<m=%s8IC)xKX7aFr_LDD?irg%kxz|Ulcqa+Q;
zCVFG>)2nMeUmEeSCj>yEs0e4I*y@3V$;~Q-tV!4JyiBGPQ|OBQbW?#(EpEF*AVm;@
zdBSki_T`xuTDJ!#PqfmKe{)Md8gesAE`&R_-&d4nU(pv7(%US_Ur!Tx(mON_xm)@Q
zA72P=vr%BUmI}P^fb}H^B#Y1RbOp?FTyVO?lOE2PE*-FEL_qPdIVk^c8e}ecKD(L~
z@Uw)=xL75eiZ1%by5tIabcy9l;(C@&9;&ZYzyI{9MP29n@3Z(Ke3$%6x2miaV{A?{
z;1E_lWOyNr8_3<is@a7y-P<d^(MRDOIsOt=J;11SB8lOGH#4bw=kkm!umV+*nrm)l
z_-!?+S!$En=OV{7MUB%4%M9hB$keN5p175C#?wsC3aRnQu@hkzD+q1rrV8YP`vg9X
zvTVP@^U4i%%JW0)=a3idH4PXailiy@{Ci?ln%57vYqo`l2f?AU)EW5W*%29ckd>jh
z9Nu<s4>^H+F0O~5=U?nZKkbV~pcU;6&&=fgE@%9luxDa@e?~C+33cBiX&LikaEoV9
zd@|WO@aKiLXV^_Mn|F=s8{wrxYWos_fTec;#|IuEahu_h-jDa2y=h49<#_KH$|oz&
z&i=4Yz(uo0;xon&cO|FtF?Kw1QT3#ZGo0V41)&?2;DHQvgZHeE<d25;;1eTUNT)dX
z9$aMFi4yuwB8*{FKq9Jd{`;8|tbcUt06Ygg^PY-<F_qu{DeWuZvP`<SC8Zmrm2RZF
zOS((CyStI@?w0QE?k?$&ZjcT^LcWLHbzk+}b@%;$qtEZgNAByInS16wXU@zyhbTPR
zX<W`1SNCWHiQn}FdJ!ZHl{X69VS0zil`E7xIdG>lW^3RB$dlm{QmDS+DQ(*$%&+7Q
z)Bi#4{4Qy770sV=HhEA}E)Y}J<i7K!iVtR#-ka5_^+VwmH8n#b&y+v-Bw>SPv2bYM
za8mbvbJeP5jAe6pPw4?)#}J$Q4htKwO{6fcjx;0|ESD($Ii1sW%r^bP=H&S0<NYnx
zI~f#Y7Vi*Z>RKI`O-Kg3+}z>P#Ewt5bjCVEJy?)Ew9CO1i6U#{Wybqev#rMX<{MPV
z82)u{+X>w?tOQhopnT#S)YqlhIUoc&5X3~3iXi=Ww$^}sXpiDRyVpbQ1gT3<e7Vcj
zG1%xdqS&FA5^me_7^b5MLobr77Czrs;ZUz4vL!~Rn<|MewK==@Dae)zVdtohQMix}
z6>q{&rO(n5#w0c0<JR*N;kYi^V#`b)Z~CZCV_=Zl(CWqVYWATH!Nu!kuCek_EudyP
z1yNXhf*GXV33+9Q(!C{zj5V)FB_Y?JgWZf(opbAA4?h~cK47u31D*k)uZpTvd?l(e
zPoFO@L}Kk(W0cSm%()pDY&CNO%4>)<DS8Agu{nCAmBD5N#<*9j{{Aj^E?%jnA$5DE
zz>L_2*Z^b0`K?1EU`T8khV>h_<2g#Me=W>NhAz}Vt$YO{vSewM5mSDeuQn$q^VXQl
zCEJREX;prab=;o6AJ5kdlW(!L{)LbOiJ*iAIT<kf5D`SN!nl&EF3MokB8j>JywWDF
z^t`|d^g~ty`BiGVlkCTF6Epu^2b(1!sz!EBD0LY344s7wv9`5bj&_1RD!Z(Z_4&;W
zsV`ibGdMKX-CZ9Or-+@QFB(MXwX}iiDO-F5{Wo3h1GP7_KuWt;@;a+esaNRF+Wg>8
zGyNiX1~Xh$jM%8MU;xVE(L$GcvH~)gzaL5N`+o8@)c)|(f?Op5=}UbD=dUPfyQuj4
zQ)px%K%@4K4P$)=pO5$@^B;7<oFkLokk}h$hY9A}yy8ZixFe8Y9<1>Q!;VhTSRO2O
zEeOw(>LtS6>In{3vy3UmTDF@#sz>oFxr=elxMee;e;tS36y5y5=%GY#>$M}*>}5dJ
zc(FDcS^1&$<bu3gB<qU1JgpGK5%z&a+|t88`x4`W0L2k-lf#>rV4)s7!yho`r6x8F
z_lnwK-(ApHA&y7unWJYuZ>^d1=&^PYdPXT`8furpB`~#-WY0if(m4=4-4%)T_D$$I
z^ks||-F-N}Zr>??&kNU3M#9;NMPF6!`@7xK*A;bNcKzoj`e+O;(HVWYs00ztD&wQl
z<1;2S93M@$-r#Eq^aKR5ow6<t>Lb8gL2BarmD2>3M|Cq>ol+^D;&63d%jh5rcto1m
z0=xUJNoS335)z3*&P311a!blg9-W>7gBLKc&O1fr7^H^lU^0d#2rpJhSuDZ>{zg4u
zxU4{LA~uP`q@aJn%72-ePYu6jHVurmYs6@8su6xG-Hbt$iBT@V^x~Afly<UB=o9U&
zV<eMg+VOi#>|T34-Lv1b)zJIAek}@cCb$FSL;ib*f?uVW`=%w!>6?9XsJ8(e95i(P
zLot?<kV4@_aEGNN=q3+*2Q`qO*$ll%i;YJJN^6k_wt@fLl9PVatXq8CATMCR^Lzsg
z8NRQYdq|m{owmW3G$^6$;Gj(DM8W>?<_jP$8DmR@HS`4&xpGB?kuKyg8t%u6)1EFl
z=y6I8L-ZACl_UxOPL+p1Z6o&2MBRzmHA}<zO2h$Ouw-=WJ?Rh;0$Jzo7}#_;adaiD
z3uF;7?+o+%Cli8b$Y(ju!93fWv%~0i%`rq@N7TWl4XwGQW#Tt2pQd`vVN=0Mu@BjA
zN+-ib<RG@uc;8v~Xr9zN@L`CUCkqLEx`LNijOwp&iQ(|ycEqp_+KLiIt>i`sdJmdp
zW{i{KO(&9ME!mTFGthhTYBi*GtSb^B&!m?O-Vg4k&6O`2ii^M;)kwR_S7k$^b;C)3
zByjUpZ0b@Vje3-*N2IW(^K^Jv3d8~-z61Lhl2n__7lfU1^Yh_UsBSZ|mcntD$wz6m
z=A!wK+5{p<g{^=z0jPGW@NE}VCZXbj%rP3rhmMpsKOs~KWqqUj<}&hQ9q;v-FioUx
zC(nKiw8vQ+mklpUsCrRJ7|GHV?!b`(X$&GcjcMU(3uZ|eUVkF!Hk@Dv&d?M#Mn2c7
zI6t9Ufdv1{&z{<}p_2lk(rn9dIgaP&^prMxsFT-qd+k%YIpf^I@&1CQaSo}J1ge1S
zsCVLH&n%|c)IfKw0%lE4fct19<F~8dt2&<(F92129s&a=27gU+SqQIP$dh=yOpa)C
zf=j&b7VJh*&J7!CiFo>e<WvfZYh2>?W*fNsp`kh<F)X$rVM2J@2Y(yS0E%5q$7L|$
zo#vAOe(OuaVgc}xdH&1LVXuEFfQ9t+#I<$w&3<qg3zIvNe2TCqC)zxnB@IRu7#v*p
z9;YY>l207UOoU&xhAQl<N!~{<YO^PgvGrOQ?qs74kQ?bfc2gfltuBiy`s>5SU5}Bp
zjP|yNXQyb5pwUi9{WjQAupIQKOC6%Xh%Jd-pc<G1Mg+xSGc2=!OrF;vI~I)<=JBdC
zZ2U!T_+y}szHB@8tJO1S#8D1vjHiC*DP53+-G_-&{mE}B-3^3a9@j%KnEDCrzh5j$
zj5DvEEkYwF?$#l785?(nQ_3QF?yfEJwNO-5R<mLD;(eXcqJE(H!q8`K8gacU3IDzD
zkC~vyvF1d@yyaA_{zmMwyGJTr#!%z4pCLkT)m=L(6yYQrKjB=gT?#wokhpzRXqiJy
zJ%~)JG7`(jy}T>im1FCR-wxFwKCoDOTV-Tg`GsODwJf-(7;LECwJK-q&`ZJ#TC~vv
z-PhYts5V3_QnjoKcsyokH>`|AFrPYn%K+(`=8gNkWifgcbD7VEgM0g9`eXNKlx;Y}
zN=bS9<`<4MI%nw<zH7vMe0!zB&mU;@_C_>_XhTrC2}NQZ7|+>)nlY2Uu+uz0LN=B;
z3>%ptYl6&@ayrIbHA8kzo+k`*LNONKWHJID2=@Ivl88f)f|Tp7lK(;narv#zNPv>>
z1hjY=TxXkq`^l8jD%2}6n_?%P=B<}VL6jd%w9aI;e54;J-QR49kpohb^!f*Cc0e2z
z;vv0g$n{%DJf+)i;A;-h?jYjGViXGP@34Ftkf_LCLKy%9vKg=&_V@2t{9g`85xw7E
zr(yEyN&xL|Ii_4>GP76Z76=t&78sIlkzA3#lHnaJs1ep0Z-zzm$E_~6o+Nh4yO)>n
zHy~~symPX8U)D@A)P`SfpDzt2#`%^|;u`F%07j(y7}xHS=huge*U#W9GkVdv#y1e#
zgg1vNgOw-FSbP{1tA#fxaHOh~yQe7MiVjtkDPplP*}Ii)Ciz=uxO%@0Si120gdID_
zXrzkSCt9{CwllzQ0LI~b_wk}M=rF<%Qzt8P-DNv4jb=(ma;ijBie)s*e>&L8S8axd
z*7NMTE7M<K(A)}kj=XEV*-L$Mg{%0jT4$p@l$Xq_nut)y1*A6reNij3CXFeWaLqID
z>%<%yiRR7`pCcO|BjnCXDC5uiYr@(W{Oi!?o?{#awu7yV{nq+>0$MTJTB|7~rVNhi
z{g9L)?~Vl_^mp}8`V4y4CofgA6m6-fRSjPG5#_A4VHg}eKdSpQs1e>YIjP$fB|yS_
zSm!3;Hb|VHAAH|;-$lcEa!E4%g1@QvUh&Q7%{^aI&F(7L$ocb{)nc5pCQ52I{{E#!
z8PDac43q#0)urrcC8FY&ClwCz@5GmDKaOnPmH8)qnb4P}g~=s$%_C2Si}8AsIMz$x
zV-vkm(n&}^9Q~1fB5!_E394I`wk#CRBrbYbak-=TLITksXG9E2q<dPc_6{_?eV$al
z$7RhqHMn8*oW)drfkK193R)jW6}(O+(}Ht;EN;%0$u*6jUoC7`-gaB<b-%)l{UQ2%
zFK*bfRxhmhTAtTk;*^!6yb4=7mXlWkI9CTJh*&{U!ou@~sCboIx<%RNaLCMNRLP6|
z38vR|BxZCOr=%Gs{gSBfOIvr3qTw));hQo2?H|v#m8t5<4h#y}HRW~Jr$X)Labfod
zChnIr6Z3YMQ_4Qpuqdq56+UC!x!8MVFHD!p0&APi>LO&dSF79yqduS;xK3U+;fl2B
z^qis4uC@P^nsXYhMl$LM&4M7Dy~dSy72TcW+>>Yc#Ta5UF87-a*ywhGE7LtTk&|LO
z7-a$Am+Rn+gD6K94%pT&PJq@;lFcwz@@pj>xov6^zj)G%K}#@VI+N)j4?z)LwBucg
zC6J<GCh!Ai+rGlTp}9?g_9|%JFMWqAz+((%2mWC9%ry5o1&;QFvJT$)qnBjy*3P+K
zMwECe+E*bu4;817OR4n@*hzLMm#B1GJrp+%-wYy_H8L<|?{HYPPU6AG&`YuyIMl3V
z$U<A3n=(n;foz^FIh1Mq1)ZEiQTj5HDLoCST$w1&OifW80#AQ4uXK7fjFGZMIjC&0
z382}&If$c8h$C&^_`%}XF)bKAiED_sp!XX$gdA7zmS(Qy+|bfA!N2~t#Pr#h&<6r2
zZ5;pSSV#b`Pk`xCL{A@(#?0W!(c`y3NI&RpfCPg8VfWP^O>x*p0g!&CV>mt}yTFM|
zXWGcjY(g23iDCcv1Du&-%JN$R&tB$7pf=&t&YLZt_CfS<Giab*E_CJvTZ6G}_5@b?
zRZowvz-!>RTan${8fsp;cp2R=2ClRL&irLNkwDDgbChcJ6&)X{bAWRbFz6&b!tm}`
zE(yDNM8Ir_jOF!f$cwl{{KYaU?imrusx6_bo62<jdu6Kzy9@eaM(y_pg^f_bTh<}J
z-a5++3r)m$DSjG~Kt+`Ruc}jc^&xpWLZD=c6B>h-k|meN1b0rM7V}ni&Y9n29g?a6
zh+<0&Yom0n4Z<X~LSC96rvx9hTfk5WTrBsC^rR0}q5wrkf_#Yxt4%{+>5fKP432h!
zLHyvCMN22KwB!xcP%%wGXvb>GWMgz_X7q3+c`5|9Aku@<u`n9#h{N8!V&CM2NK<k}
z-#Z!zzBHlyqJG%`N3}!fFQVw6K_@Yr)7t$B_(&)+LIDUiaWp|{U*vPc_U$^9BuM?w
zm`rG$Tm|^XG9VkZ*N9~VBHe0nMb;I1nkeV@{LI($!c>*@SUwguqgi}x@M)fw#k!WJ
zNg=|zt~Ap{CqcLPI^025@^Hk_Qqie9aSBObLjF~B)(BXo0v=f%o*=iL4e0u1Iu3dH
z)Zo-ZPKd7Jc3ooT)|O`m8c2RkG%aA!l(PUsAaQi%zMqH6{aFyZ+`sqLEWVXK>sf7<
zb&ibF=k|&{?MyX{yfl#P<i%sylTIw7!W)t7!urYGJ=kutd?%|OO?hTg%mw?DTTcI&
zF+}EPF)Wf&sb88pM&=QYvT;bp0v*Q>-?@v=JP5eTt}}oKE>eNO=ma{=ibKn6-g}kM
z_v{)vP6$dV?I2feH(H{nd=zBv1{_4wcbJ&+D}NPN%Sqqtqx+F85Ry(D`;zpd6-_Wl
zsln8{7b@?M-Wk{<<&#3D6rpz-L%I0p5cH@vO}H<k5B7<;z#Kj=QwEsMjYW`IR;dBu
z3Pf(HW>@UA$#bU~=9wBn?|;jtGTnv#`58cHv;8ua=dZl29kk7i0f7hfUz_XM8^0Ej
z7B;r91Ek`8`tHZjW2H*Qw%ENG9*Zi*@mDu0y1IuwlzhCVA_i74tcrb=)Y-k0L&8-^
zsUfrC<<ql=BXj|j?9WABJ&()|9(n<g@PjX+D<Y-i+{B7*Bv5*%s*A4{Daie$RX=hr
zKj4nLeja&~aetxtY-}?EELPg}S$?H_hXRMCzdkgDbIEZ(V+krCJ=yDs7b6=@cz11n
zFHy9z4IDg_J0ebX>06XLm|szqypR^4f}b1Fz#SU70>)sbG~3C9c0vbSx7SsTP!L|#
zd_ZA2v><mBdyd5zw*-@2s?4MIf`tu#Q&}(w&c{iy-)31Uz2gHI&fZp52hW$0WF8CR
z%h--gFq{IFMP;RlB0LmQYTvTUIlY|Grs^ayCdORu>PQP#?V9x*Rr~EiVN4v!?wGN<
z%UTlTUcsWYgBfQWLenG8=n_I3ehJySaKqbI$Pqv|#W|0ZN^KS$a0dQRD0<cVruAX_
z0?wU0jm|6fEfwn{Uy3rl^(G;z<z4Zt%%m{AKzz3>sD=#sJ37sAKJ|2oT^^Va)+?Zh
zc@o1Q)$)@$Fha;PY+|(|&4jp`YCy<u^rX1Bb6zS`?K8;Z8@G=H=FM&rMqAJ|*UZOd
zH0p0@*vBOGM!_%ze!6evn-aKVn;>_v7%<=OF|NiC3eqhoQc8eDE=AtLemel+X2Ghk
zs)RL}5zHj(V`tH?Ac6cMI{Ye9LNKaD0hXh-I+j@MYM%zSr6Ivdm{~$=U(0ch@j^3x
z2IjK?ar3;75m8Vgd<+`CA}|GymJ=&1(z3K^=nDcz1)*q61wb};?Pww_5IZ{L%FTh}
zJUM8eS6A*ugPK+kl4K}~T?{re`sT80Tj_7_e4_}hin8l4&FWECbIX^?Bj9YNNVDqG
zW=4fYECpw0a>5YZM*FhS>kvK)M=s9yNqE^_D=CLm&lOP|MM87L3-J=gR)$jmr6DLG
z)mPEgHb^hP@)FIUIhZYVnY(=GlRA~_t1!<C%UG`q>!%qJJrMC)9;1CBi1*gRLRqu!
z4ElbuulzJPOzF(jE8rM*!mh}D!{BP~m5-W9F<IE+4XlS4$Qz2>q=Q2n<2n9ZVMYSf
zDPC)lc&2WaBpO3ExW#SDO-Jx`Q>QeU$JNFWAwE>5l@4?8Esq$LwO5UpY~jWN#?u(6
ziTB(tseY>;Z$OAa)4%fR<5_(fCL;mgSV4ePYiifn@DDRUPaH{Ga6i~tYA72g_lB?}
zi*UwSIV@|c;cRm+bIUmT6h0)baX_3$<tS)Cb(UJD^tLV;w|!a0gUZM^z08n#CjD8N
zo5wSCoCk>T<B2P0KZ}AKgM)H1b$jzh@>8uZ;-2uj+l2|T`_<~$6xZ0VOIM{W?iQ=a
z$eP{5SPY00ibM6$WV82|cH5vybI7ullZH}0^V<e+sUG(`>_9Kmfv<9Wau~W$9;j@L
zVs|jK!)7DNsTEe0kmr9de>^oiYR#{W-D|1==4Qy+OfoyZ$C+14vTjkfo4c#e8LA|&
ziL_K|bu!$dNlX8phaSyXMzJX1I8v`19Jrqo^^>skGWF1g_+;Y4R|ZWCFZcV(Ymfk`
z#IfNtJP2DNE4S2Q%QH1A>d;nr+IUy^yOq%fp;25zY0>aheXa#_(bP_KLq%d@Hd*Yk
z9W$%Lllkj}vUizgwk-k96~k_5Qg(@^7{Y67^Uu-OxS1UesL=(1pQUfyFr42I!y(i}
zIkk+=L>Z-HV-ASnNNuRSsXG|JrG^W81c~Q?{!(vMa`Q~dZ)|9&)o1A)FXso{&-4Hr
zHK&Vzvy1<keOoj%KHcX-3Uwrm8q1ha@?I(nxbuQ5r9)4wfWF6&hnHO*>+aY$j;@AT
zh5<BiP}5@`@A%_VtyfeNoml3&)*rR>%(DClHeY554`ug0S7mXCf84N!qvDwE3UaIv
z&1)@`w4w2qyprbrnl!C>B-<)R(TBHw2GTKN30ND|%kODv#jhvoepTDq=U7(Lr%CT7
zQo}nUZ;Y4Ttsl&|xhGEV&#3giz5&x&Vu1%}lCooj4+{D0uRjd3PI3(8hrEqcRVS%G
zO&b~9*+<Hwleg5uq!-Y|_C(?DC3v~%?YCeIZ3_#X5O78b50~hcJ}x^F>WsfMdX-P-
z+!3|0kA~~qjC|9s{g|d^YIsP{Tv?0p5opmcyj&}jzanuaOa!HKybwu_?wahk4GPzS
zPlf=ARs{R2<>;?Wem_bz2>}I>AM7M?(GpT0c@X?pVey!Zjb1&78ykCpWCoNWF#C`T
z=EUI>?FZl?k<?hnS7?=IU$JFz7asr>#@&M4W*3FmBbNHQ6i_)E8W^TK_Oo+)cs#&q
z!K*6VIBjT;cFVmScPmkn>AE1IT=NTn1utJ^Jx+(?^A|ed8v%{*OF#X9nM-m9GaOJj
zR`S7tbVH4<r0G(U*=^M{BNcA(ff>fM>@--Dh;|M?YC&Eg+7mre#COPRa;VKf+2{xc
zV<=!hk>x6V(k7CGz&N~zG~Uk*GsuZFl>FYg!fafjuVQZawX+E^M>|K1uCcE|;m)A)
zX;R>fva*O|nUi$`O@^eLuE+v+;6|eZqqr^dV13cMvirEtMJ#N!r?hj5L{-Ix<Z^_|
zvuw4J{#&XS;Jp%&ZwkY0baU$N_m+fd;d+yn%Gaq6U`9Q^!uu~j9{XxjFtZ5@=2dl^
z0b_w_H?Kk?8H3FPzEXm5WFt@M+mOqY!`7?z$BZvr=AOH?u)`w&wy3vQy*e5gLuh6o
z;ewTgl%ULnlC{=Ia`R?ymS>P)r?6N<Z|&F^Hmw-9aE)v09Rb3UuL}ZyTe~XK5O7y>
z>tqEopO?B(=*hpIBV$3Sk$n!P;iUtoV4eF3)NSuH;?xP(9Jn1|#&`}Ph`oul3H0pQ
zHNdp-_ht>rUzj!i97oEGG_3rV7PiK=c7PShlLPu6N|L1w;nV;9FuY2YoV8G9FdikU
z2F;j|{fs)^4R}MO48ub3MhA{o4lH8ZAxjHWr5#Gf<E13Au!{*7QkhdJd@8*<(B>>E
zoyF9F<&9m0R&||QxmI^wEv;3&Z%xv#)?-FjeVo5;b3SohJ!@ONZneztIIHY_HWnr7
zrtIU+RnpVk($Ez^VXZ*65?1Wq06rJL#-?`C4cjmgkYZI0f6_@sXK|H@a;FCf+RECn
z96-0U-tBtE^>QTw{>F-gi<IdYX?i)g;rTVx{!8*+_l9=g>44tjH=tMV&~Z_^-}IhF
z(rlCSx{LR9bKTJHbbEx}okDO?Z^~dGbEW#ZYhWW><Ny+LCceiGfe-SD2w8`u#s0j3
ztn)<#BjbF1>LxUF9IE$?9tY8S&hbiE=D_Fp@RcKVsx&;ve7i$=$HGoulO7-K?%9px
z8N&6g0slH%rP84dxy5FeDlVy3Cwq5yF;`c@>6liv72I&&MVDp*)#?}gN9#u^D)_An
zAwxUDEFVKp^Nt!fb_Dre_`16AM@ip(wsM^nvaYt+`|JYg=T$_7#9?kAo;`!plxd&q
zf6G{`bR=b!+tM9c6hu{&8**}))xVNSLKLgflINi=W#TknW44IQ1T$(PRxp^;Hww)z
z>%%)049F=5q9R@`ugV;@CM^zoEQ{<SUR(Q~WyJtfgwxp6e>oS<SapeNN+q5sx!ze;
zt@`6gCf*c+TI>qCm4&+_O`)J%yhQ}~Ol&JbgR6vlD}rkK;AB_<R|#=)(b8#-87Jc5
zdty<FKnx@Us&`7UG@D}*A5!#mw64aq0x%rA)p8c=1YO5$n6hX0DoTaqAZL)GXTfxZ
zXu2v)6Y>}cilW*R$MStaY;8u99q$z);9fQ#>rXkQR3pskPJM8ia!G&vDf75f(w@b=
zB<D>8R#94&u;at{HKR|}knm82y^y%n!St*Sdft(5VjGqCCt3QC&N6v?ypoN<-2RNE
z92J<t(zpFVr1~AINDgd^FPdhhFka43e)NNfbmxgcl9X_FMxvFvBuZ<i;Wd+P=<o_u
zYfqxf%9dd?CaHO!%%IqG*33hYGviC+Ln4+fw@4?$S}76gEluDp!Yw&!m<3v%d{#5y
zz^Zh){aiktmoJa!{d#&ya_-B)JY<lfX3u=IS`1x`j2Og(GiMB145{H8Z{IN`DumG)
zV8LyfsrlZReQD?f!V>5$)(lf^g<~X;;fs)ESpI6ClrY|IY+9yd5%wDPB3Nj<ARC>A
zTH@T=@WqXDs9O~bZ~|RE5r5t-_i$Vc&8?J<U7kJ&%@>f+=dV^6V7xV6y;F9821i6F
z7*Y~y8J!Sl!o71DiA9}Z+QavIAR&!1gpPyK@IeE!?EV<E^}*t!Y&MhJ^y+LJz$aoS
za&;y1%kvR|E^Nf%BlWPaoC$+B(cXZ_4R-vUN@t81no6fIZFrk0P;Gvefa4I}CmXJG
zZRKmvZ!$w)lHJgH@Lg2<7{Qp(B8qMpGbt;a%H4~1j-Nqew9B7T+$R^vo>F=cY}P}0
zkT7{haFgB;d?nl*hx+Q>PF@j7h=6(z>#6j?w-)LvUV*(gn-a`!(7GFKN&jLES>xLe
zxWRUB%tsw461_b)H0jdiPAxfJZ*oIvba)a`vf)_}j$~*+s>-?G6L&4TMI~S6!^o`P
z*X>JXFTPyaQqrXr6C-{Qw{CwH2Z&Jisae2^2nQp~1MKxi!N_y@=p0}{@>mY2WIz5e
z9U}ydQaB8m+aB`5-hzHw3(=ecjIXG!)T%NR(?Kl7gKV54GNGmNgxZ_MS17}>w4KBg
z^Np-zqNJi4TxL_%et^(e2N#e|U+}w-ScYBtCg+&%Fu4p}K8q-GH77*9HA%5pTILvY
ze(^R`SH&~<BL#3{vokq5R(US{6>Qf^U>@6PvT0PJf%r9r(}dw%%JgVYUt3pTp<;<&
zYxqh=)s)~Q^GuWo#8?60iE$CTEt+CuudP^<p~{OynZdKJi<aAv>>X(ui)3pZf`j={
zvM4QdY&cOR81tOos%e=Q*^K?Id?OtB?t}5E+Ics@h1*O@B_I0-;`>A+a|rT5^RS4z
zPG(@)AI2&W4V7exiyX=^9aF4y*b&n4JQ_<ovi9A|IK_)b3Fntd<ls*8FpJfz-Np^|
zJ1F*fT3}2U{gXQ=23NPMH|-b$T^TSy^Y@Q&wL+*Y=ry5<^N$b<*<)T(ajH`Y;)Lg7
zEzlcw_KDR?RCd{6Pnx^W4Vw(m1asq3?)E6YlG>l|dqfgPVvMr0?Qvcfc6CZA?Z-7a
zi}hozX^23el^mO$7}@pa(KJ<f!=<>cVbLe9i!>p(hua=L(|f?<VeMS3U&+Q%f^k_v
zE!8-}8RcQ_d>VSsv#U8@5OUdtvuM#aXJ@IZF`AAzLzh>QmMMOHTrq;ke3Vo)`Z!J?
zs+-5nfi+*0G)wx(ZlJn;?`bjgk<bNVh3Zt7X!aQ?Z|)wfutKoVK+;_9Zr|lnY<kMn
zh4a3%y9?K9Qi#l}CShTtZKcTSp2mXPXE_gqP#<<^f_fEeY~|I!eJdtt2}7aRt>L%>
z`DA&_ujELh`-o*e$jE6Za{`U?qM&BEAoZrzZbp)<r3r{AEfc!g>uz1Mu*G)`TL)@_
zU#UaAY;JcJ*1?li4wsSFjmU0aobj5=@~Mv4Wt$L8LDQjbstiJVz58VjkI&R)@^ceK
ztJ=ay9G`IS{0567BDG|5ecT1pS3R-^8E>wZl`HW{mISM#-~$3_lkg5z+Z(v`4ZK(j
z&S$yRJEzE`pUBNl<(*96R>Qv7r&4ef6I)FZN**^Z5iEONE|}c1=TFG(vwF{pj)U$n
zp(&u@SddbiMN(`9Z#2uOzLm!-H@TcubRm)E3X<z_JK&WUPV8y%NtCjEoj`Vwv{<NW
z%9B(PvKhyMp`^=I)`_ncg4z(y(-{A%!3%dO5ZVe^rvby2^`yIWOv1ufoQJB1$O$C3
z*NUxfGfWbt>|L-&M`qR%-a8D$Fh>=heIIn5)cW~g*m<Bd!-(bT;o2Cr6dW4V1d-P|
z;i0@3ko(S*EWu!>L+H`k4Iy;m7~M#SSJ(^7iE7EnF;(7|0qjtEgg6h88`By+wXT76
zW7ercH3}<U$<~xsg+!amd$Je()=gq@VY*T8Eex?qtor6z(3&$~8Kt_oy@-I5#Yn7o
zl(X|cBaG<;CM1+6^1L6T4<a8!E+`|+Gld|;EgKyuA0FWTh^j14uc(S!!WDSSHyt{0
zFX?SXA3x!Q*aGWIY4utiFuq$eI^Es@xkeUVA+WwA-bF`j%9!IEQ(cHqcLHrbBQ5I(
zwdmws^5<`Wj$rRp8#Qf!5YwVp=ipH1KSn%QpE(^-AxXTZ30o1M;Aof<!DJR6mc9qZ
z)H^)G)>k+kaH@v+Dz-$hNfoKra^*~^PPiR0s6j&PnwEH~NeULsX5}x3H=xmGgH+sy
zonA<8Lr5T+da;3%v|*dC3kay=Yg>ng+i~#5s_qphT%&ZPAY3C)WG~!X65$0rDde0v
zJX0{%{%w}!O!fF)xTAB*#SB`r#+W6%SURGe$_mQ$<>@M|68#z#=VJ9sC#<QQX9?^O
z?j%zp4V0Cbp3yRwt)Ne8@l1oPT?*jbG1@QB9rOKvs>Q$W2IeY?S)nMPa9VnBW)MR{
zf|3AX>wFlD{BQ;`MED*L4+#c@jyCeWj$vL5L()F(9WoN)<IDR`NKDj}Az{=NgzwNy
z-s;C~iw^rWRS~i$8~~FBJ853i3=-n$$S_{5d;&yXy7pYXw>k<bf3_5I-Cgj8&6n*G
z>`XcFvj@-}zj7FewhA~tdQT?}Za?z<g~(TDQt$j%7y80H{&H2ou{1@Ia5{-61iYc(
zndh6@ZJ}pG{hb%U3_wlqfcdvN@@A=wo25U%hVULvF!b(?4CWOk!g%!3*!g(D(t$22
zNYvKRI&Dfkz_dwn7SqUoE=rEBy5J9<Ac5ZwlwB@1+)`^dE4XhKzI>ZazHa`hwx4hr
zJ?gMhn+ULXoO_TQJ3a)6<SbWRl`FiIDydGdFeS@CL9`p^aV^Tci0+-Ib7W<H-ut`}
zhgX7?51WY$QNG&g4RLhudWlAC?(oCeO80pKWs+zglf0?y5UKyRNwyDLi9uj#sgfM!
zAhtq)|7EI9n5c7aw1`H$3nkI&4*r&&xqzsue^FSCHMDPufem}(r)n5ie>e(^5OD*3
zm<h1xkLHYTfZn@4R+uEBxJU_6ydf=mCDm966UMyx%(_^Qyn8WM9j{tK3|Gdb3Wbk#
z7c?13e*2(;ijm|>7Ao*{^u&d;ItATyyrE;26=(OS`02Uyc_C@Wix281n{EeP=vH<5
z#$sckNAb|%d_YprG^uP%V9L|L@(;jf{?aNq6MDl;0|lL`Qf&3sXD!T!)r?}fxAGEk
zl#3KtDEMNuYzz|hsY7{AGptp}(Q5djWa?9gYT;^7`Su?NNSDdswakKsRtI>|4?-|q
zYpj(FlZtNm6fo2Y`eD6eZiQe4$MUwdb0vD%7y=t`X#In2!tnd7eYL-obaN)>hLZXR
zLW&1FfxjU;$4?ie2h-@G<sjK`Zh5sK*dhRlct)2j*y62J7{BvIq6c8f)1HBK@mj2-
zuT|)=Zt1Mx5|ZqJ^4E#hr&S2C&z+>5a!4-9RxYc|o@N}Sr9LCpTtPZxT0uOcUePsb
zj}z(s;E<h68YC6jFioqc;-6Z{GK;;RR-e^UX@;*9%lten@GbC6{yMqY%?X{Ma;tn=
z!uBwZ21AO`(m7-$U7HhhU~C*ePOE!>EKajy?5(TC@+lBqR;+Aa#iu-#^EG^731~y)
zjGHgsj3R=9qLUWR2#TLH=xDRiwy^o}SLDq?qeT~pPslt=Wieg@DI$pPE;%QJu9lqQ
z?|{w7dYf$8o|Kb>H`9=(km-ASA5Ep2_u7x08xjh)nhla$URIf*VBEOAh=c|c%(kng
zj4vZfe?N0JmRqKZHdPPm`C(Fh(#=rxwTkeVfpMxTlk*hLOSOUX$5riQWBW@IsP{=7
zZ?Mwb?D9n3e8Rb$k+2hTRoI|Z?s5cA7pQfFYMT<ccpo)u68+30^NPgxl!E*WYZh71
zZrh6F*yeQ8h+M~lKm`8COMr8I6yFc$;N|INmXGu&8&t#_GG4SvPY^R6TSPINHXzRp
zTPH3uUNG#93|pA91Q_E^A*aR)LkbzeED6g~^>>~fcNoC?wg}N}1t%QdFeC%xuyPP-
z{4Dzsw_*$)q0({Bv%D@4SdR!iRQgU~$)owEU!aa<Px{2Ld?hLZAJcKB+xv(e3|?HE
zFI~-z847i*(b~1(POZj*N!>;CC1@==DlQWl!kIZh5|0mH`>QPSC!4lO96(WwYm*vv
z6YJN#Ph6V_1kblpwH-#u$~OR)WKY`8#1M*|Z6~GolskURJk-R$)rT5F4c=kQp#d?0
z)<f^6x!}>&2&I3SuIrJi2jn&Y>Ndi66Dw%tAJothzs|1cb@G<TLr>u*O<@zi*qV=9
zoRw2#A^Jlw1l{Gcl`vPH#~NCZ$5mbV*JN(*?kXUGrTEFFrshNM(rP3&fy}HAv@k_B
zE~1yYvtf_InKgAO((dJDUNKlkJ@RfiHsX?7+at_5G_Cr5P?(0^YYE0QgoWBm#-qmv
zc7WJJJFR$^X196Ylxhp_yacA!iwV^1J6zE0yGW6<iI~6SQkn7@^L0{+&4H=Il}<!=
z)r$x;Q=6AZrfIVIUwGFweNNk-1XL&IVk0fU{x|;11Imp5N<c}73&@GQ`N2FBCo?Px
zLW=@esTaE&xf5hTFBgR5&BVcj%AjN_TIDoQ?29k<NybDQsCW*?t#!elX7{jXlTs5|
zjk|9z#VlP%%rQTEt~^Q*){7l)qijIRu{5pvV&zJqc%7DV`em>3sq`N8b*e&>>xeWP
zv&)vRg9M_G4JHN50&;E~yT0(rArl7OE^#D`t$nUO0cK5Z>x(1lKDWLX+H%UM{i}na
zp9&HAOL4CnE7ftY*y$n_S@aoRf_g^?767jkl9*RAyvBqJvnM1vNgB94m+j>U0n}2N
zt@~CzCk=DJlv9yF5M;cDi5f3IlYI~*qv1xxX4QzhO3|eM#8ol40~yCzt%tz?{f3*7
zF4oiYwC;h_UDW(46${szD@mL@#z%CdUb9ru`6`kdwo5Cg>0<$&peYdgY-A^jc6=6!
z%~q}smG2il&rmp;+H2s?sWm7AJCI(mO-(`g&b{Ttu{0@{BSdwf&Rvu<Xz!$+o+fo4
zij^tA3WxZI6%L?z08RyX`O=609^jt^9`KWdpgb>?h@{YKb8QEGi`P#kyTATrg8%+y
zdsAvl8$)V)Qv>}c*Qck=%U=Lc{5t>u8kM=8_HRHa&mbTmp6UNo?Wg2&KUMp$YVr-p
z%F>+L$=q!8t(fH!6GGdaQh|`9pkV1yjv!jm2mD4*i4U)gy?2Cz)TmmK$RcCsu(}^x
z`40qJnQUeS4}DtMvEkaCtqfS;pvlUNvsyoLY#v-+l+O0DLD;zQvvz?=)}cTqfuB5j
zyx@34QNvcwGFKm5yL9(}dsI%jx@}^Qcz<_%^kzO$H^VxYR%-7{(sS+#!_vbp)hMk|
zP))1%%>CBI!h)AnFTGE8Cz3cxN5C={49QVb5f`>;_9jf)fW?OF_1cyB0EyRI@DTGc
z3#meMqhwlPef(FfbqW{2NiYNBP#$;4VX#g5UF2Tg(!nH0%$)Jsetmm#YGa5Zux-H)
z88<5p0(!jPv9k*rF>W!go|&-s<<yL33obu2e}XX{T;!q_yxUqbTguZJ2OK`XFo$fG
z&xN*E&Cg4}=mt_DNYBqgiiW#fAfDGQX;eqf{9OJm3h?{$>EXgYP}3z*rcf+|^7`pd
zX%Au)bbY}{@Ha5y{j-9)Z(kV@0Ig~a;1nHk0%OF}g^2r-K~%=>n`2}PYyqJ&8o`=6
zkz0UQnmKxADhnkPhlJ4VO(l0kXT5(<s33{`j%Mo?l&Lu<{0wtdtG!OH`5vo@L7Ss-
z*1Yz;F>W_svx`^R$XH=6F&s_<s>mcCDY(#K@rP)5oXRSgpb_^oqES*Oh!H+;?6Ta=
zX#Ji>Er?^)j(zh&ZviV<$E;vSR22Qx%APY`3Mp%~g3=E~QuU^>n=ILci)$lV#%-U$
zK#`HUv_!iti<bl0)Gg;uak|Jrrt`jfJoE#%@w+1{45x;N@ZtHx+uN|`F+;cyQ8Tl>
zzP#y<{p{J&-TmJ4D&<f^T9Q<XEjjmb>n?KZ!drjZ)|q3~abYnxlQtot#bLPOQUSxf
z>2eWPqRiESIST0HxqT&FC(4Q?1&|*|E?*9YA0{8^B8}t*odPsNqvE;Al}?@~3y!1;
z-;DCJ>>XEelm|&DMtv8c#IndcFbbnS7WFOt{5-Ba$LGPZ$@(MmBSb6qCZF+9^Mdbn
z4|I-IC`Gk|D<(12-}9&P#8_==#w_<j+p@l-7lKJ`s&3Cr5>Diz<e9GIVu}~Qg$j$I
zqfa|yw!Un5i4{yvXg6d|(ELoYwp+?KwUOGL<w5N$uG<I%!+iN}Oyl~Uw9V*wHtTA|
z1AiRu1p_5KO>cFxD3v_&@k<?ug4+82<22FtcVP@#e&C%RTnqLjYo%7HaCIj^j)|Lg
zv*lxw`FkHNW>Dqzh&T|J!QV%59|&uh8&}EQK63|R(dwR*br^5XQCE9B%msEqd);{|
zONgtDv=XwQO=w9VXp!M2J!3NxWH<zLP}!Kd-I2BzPkb)Ps8N8LYCZcwd*(7zuCKgq
zoP8W>FG;uM_>@5oDKPICVOrCt1Cu5~3ML#I(z1O~l)KB}g8_Ao3O5%?m_Zjd@&@D`
zW<N$x%MxPcF0Oo;FF9Bgb7)lMeK$k5^>R>yzAe>gD%c?|_lq3gfkD%P{?ZS@`x>9y
zCGEgCX9q!<s#KRvoys5Y%}R0w@#$O@!UDv>$9vWv=~i&_tCzo~o*m+PO6huMl5`GA
zZm<}<Ip4|oLOs!YKzIjxVc=<QSB)9n{Wf2dd1f&`A19Kv(7k3NldBeH?y6F9k!`ZK
z4lBdN1Y0)tPQHv&K}J5B{qR+)(&jh>+AP`Br_E}i*kp8vx<;yieMe|=%`iXmT1L;u
zJ>Rl7eEFXpCtosw!>TZj-_B2?texHau6Os$_rS%hY8|_KC5RlrC8(l77>+C`eJYV+
z)Z;lEQR>nfm`c!Unl1O9f}r-eYn<b~l4kd{Km(-ErlcMPQc#V%ehfMV?bD~{FEwbn
zTo-|@Z>n5EDf<xn9wV`W4g~R_%LPN6Kwx3Dv%2|qRl8u=@*1voP`gvv3ynZvMBFWP
zfwdVCCGFw2d>>uU$21E8C$*ihzTZXqS$?tp?}EU}29V{?#?DyZR?b0cRE$cLQba;V
zxJcfLQdoRUSm9KHQfzcn)`4P39zv2znuY-cpF)?O0)zl8e+>bQ0EC~utZF)IW8|Jg
z6@*ia6S?d%>wXe=9OdJrS?hh4UF+mw%`{46B@e1vkRVZ#anK-<);`1XQmg>=Z<}KQ
z&$ef+0F`zCe5A#IfKfpHTGj&GF8(M8&yJo>68%Ts{eIi;g7K+8xS_bgO#r{}4)8$%
ze7=<&FA~6ye~L*7UP%!lK{<J938C+a-G36TfMZR6lqcdTz|Z!k07?9xn*MwPAdJs<
zH(dUH13)SG<xT&o=MxJCKu-a%Jl*t@Ch_;Q=-*hMJt2tw4Z`ng#NVR;lF9s0o>07g
zfud(={>v8OeFOTfKF$AtWUFm%_DeX@AK-5P4IH4Yc6K(uM19iWelJhW<pHRMf7R_z
zo%UUfrC&Y#A6xD93&213bbkd${H=Pwbz;ZAf&1+M-S3#cPl>1T2}TqH&juLDF93t{
zDU{r|lH&ym`1bGG{Pc(cyUljm#uoZEgtWh#(td_6exK+?2LQPPtdxF)P6B-M@1W`a
z8ak|tH5ml(q`Lth?r&8FTywmL0WXPv2hDF}Y^KMnr}tf0g1;t%h#yOl1-xa#F`hkp
z(#yY<9ItplmZg71_Se9`)j;~SfG5`hczIKQLj_!Oym(Q64J>G;Zw}bzm(Vu-7S-?P
z&M#+RJY)cL{*xaq%@5eJfcL?#D*Y$6ovzW}p%+aO#bg7}#Q~${X_@=2<aliXgwU_h
zf1A#{fZ1oPV{fPbiv~CmUUWqRC<*`#csfb*t>kze0OBG3FBHFM2bD;KtRjHK7C`cp
z`1V`L@meSNUq}FFE$n~Qm~^+HceDVWM!=Ki_(lS_=6GcQB+tKZ%pW|zXwh57)LnbP
z9H0dZ)*ojE8({4IBa<NDG`pR%lp|nT^Bd{wn*Nx!;O9YhK0b~23NQ!40K!4|hh|{|
zytDt2?2p&*@0@>*iEmT#&twTdvyMBhP!0j6jW(b&*?(ZI;{Erm5&}<*KiFM<Ci*^o
zyWkH*+kl`a|JXb^UI}qPz!N|h{xPNgMUQ@;qxos+{;lMA8HxT|%I~wp|J<bSbHn{O
z;6DS78U1sU{x0wH&ph8}+2Z-u2*5SRYenVX@ccUO+|O*^=k5Rufj>)**S-4Rv;98q
z{zV?IpXt62%*y{K*;C_C4E~<(e@GAVGvW7vAb*skd3JwK_?OXNe}?`(#t+XAZOM1~
zd+6_Uo?ph5{F&|h$PR!h^k)Gm;68uP_RT-~x1d4aiR-_LBJ?xk_uko05hK18z?(Pd
ze`ow_IsW!LciA6Bl|=YIbNr3h_s<Ra-Uaf>^Y&ZG@p={YE0VwT!~Gfjdv_@OZ^(da
zj#p*OufV_gRQ`<jz1zo+uNmOPU*i3POV!Ujkl!7|{c+-(r2IY4p9=Orxs?1&_x*Xz
zA0ISN*1x6uud}{ClYGDX{dDy6TgmYX%=s52|I<OxpSi!^*x>s{47dVjOZopF_g~MP
z?@jMN>XAHk|Ay}`Hcx(U5<mm`8yo)bt$JG2!8Lrh=Kp5V|IY&WX9EgAA^f8}-OT>q
zH~*Dg{a3a5&syRM(Cyy=elyg6|Ky%*{@)vcepDQK|2N=2b^yM|f9i?vtuargq;Dn1
oYpm_Ry78}i;#<X^@c(02k`@C4sNMi|74T;Pka;V&{pnx-54cVRhyVZp

diff --git a/tools/ukf-mda/ukf-mda-0.9.5.jar b/tools/ukf-mda/ukf-mda-0.9.5.jar
new file mode 100644
index 0000000000000000000000000000000000000000..de2941e6eba6c97766f9129be60f0e3bdd5aa04e
GIT binary patch
literal 55752
zcmbT81CZs-vfz7K)3!Nn+qP}nIBnZKZClf}ZDZQDZF5>X-~Ha+z43P6y!-Y<{3A}p
z$;?w#@&8q3Wo4DT6bL935D)|qkg7|8B+$QnAb)?C5m6SPk&qRolm9J-0t5j8@qdY-
z{HvIZfUJb5h>|j`jOd-r_?Wa54ebo96b<F%_*A_j{XEn5fdjSV<OsDCjUdF={Q}iQ
zG^!qAx7JKaCPzu9EXqn0Mr11Y*31Y+WGO|Z9^h!Ou%DQvP+egrrS4Ee9z!0<2nQ5x
zx)dwlu&M81c44Dn-CNySf#jvWLKw1a)?58<ivREDug3n}C#C<?Cy?L2I$QmtH~(*e
zuYU{JI+*=I=&vsSw(^&dvz4idv5A9$lZCC#zi24`r~k$HFEjwg27l1P`Gc0RE#MED
z1pkeuqXEGB59;Lqj{5JmJ2^T0!3xnItT;OT9x_KK3nRxr82I)l1I~7Kwhm5z(5Cn|
zv>i>1oE<Ej-2Y(aPebWqU~Tbx6ioi0PWp#d{8JrZ>}>H58-FAApWoU)HNnutz{Zi*
z4Pf1wVk@^sk1(|Lq~zwFQ(&Fmkc&2dV^*#YQt9W$);igEBYr;aV%{#-T|Wm7C6i7s
zNkSaI?l^TdX~uSeJ2@A$9yqHV-qnom!~-1g^LvEFR(luc1D|{7*Q`y9l4($*;7iY1
zh7})-Nz;0MGbkdm@FMzzQ`%TdEK4*YNg=WuPEbDC=Baebm2^oc5XU)ntsuV1Se6CT
z7?su?38ma9?}{v|F48P-yP2!@jn3=G*O!q}FWQFOfL_JY7oWIGZAQy=hnBC8b9s9J
z!+ydZSM*+OF&fyE2^;iIMjhR*p2enik>k<n58I87z-XrP&b#;77w9HGVfvkbwM{F=
zxN!4qQ^*{<?+_+14Wyz-q;t|x2%^Ze-@|gp<F;hpnDc@t`^gg1ekk!`5lh73Dy`Tc
z``2I*`5QxBP2GG%W~92M5?=$8-M`Beq>v*G-6+)3GbD=+DH{Qw*o}}M?$t^I)hAU5
z(>3@rlh<nx{_vL{P`oBP8rh*NhWtDWfv1@HB3`xgWvG_j3-1Bf!s43BQ5`SW2!MjN
z^%Oa}V-N)J;1eMao1KN`wuXk<&+}^Pc<ciV5^>r5pg88_M^^w73x7o|v<4m7a04Uv
zgGjVe@w56c?p#EW4calahe@Z%#w@Lx3YjS!za1zQL#xTQt_+C}B2l)&u0bq`vucS$
z--~XYL~48X7xKv5L+b&7jP3<uVh6Mn+8nm0y^u*8_>3a=@PU+hz%<iyPt>nm{Hi#<
z3>K^<>PMm1=~!-JH0b<<Kw86U&#VT$<~Bm@MTki-2s(>6BFe7@RY+)<uz?{=Tg?2y
zQpP{Wywa6MX9_&80CR2=`f3oYbkXV#5C!oXq<4vwMG~L6nc#0`SKDSx>y>}go!F?t
zWLs{`sw70##mH}h9|OvNW@n@Sp4Y4%98f;lq0$Lq)WVv1(xxb8G7n1}zmjh(=FEGo
zoZeJUH^o>g{lotNN@-rj-BNEp98wQg=|@+9`r+#p@->B&QNJqc)?NnsB*eUm$7}8D
z3&d7nZKt_acdRW`lGn$9<|o!d!y~Fn<wL~jKt$#eDp$wbP_RbZ`89$jNSR$D>SK70
z+1D)Jznq9_$dnoXZy%8Z|F;wQ8^`}VnbZ6M>A$9BAzK?K0}C4y2Vw?VBWnXk$0!vo
zC1eSdk92MDem@L-R2^rP!~tSi^~XF=1&EsRkO;$_+vV{F1LN6*(=?5B-^Q+<Je3ci
zu`OeF52P8AT1&j5sgvrd%BjMm{^I7VFXM((p^oGS^Z|ALl5iA>;PzrlQh_QH6EHhw
z<8V9ZZ)LSx_m8ff>nwJ1M2_H=;D@m5W+RjBv#{tGiov_ALT#5^0Xx?HNrpU@7f=tG
zR~|w8*j*EyfGX|ItAG=`DOikgF-0hqCpQF$RW$6Gu7mO-)QfJEXnAfYZ;M788xEhb
zvRB4^V;z}^c?|H@z4<5YDFcLHV~@s=WRBEEBey|h8iIaJ!Qy?!wZm{`j3VT6<8#^X
z$lf|kFs{-rUmSKM$xLsf)ZT1u+_hONE9G13BxYMDPdqYD-ae%*BZ;f{B8-ol2AZ&2
z5|3r7+@yj8X(UfV?NbvEBWf>}(D=Sc=!}lsHN?>HDK@D)JEw`tUOI@C%e$);T)cb<
zt|#r|*<xS_u}6l#j@@}X`JO`9)-Df2ZDxolMS7~vS{tAO;+y)690SA6dIJiJY_&Sh
z$trEVOVK|e47s?OqridW0^5JQguv#a2bqE7O_%1dZW$3Rw3Ih?BhUP4fN>UKO62~-
zEdxoB+^6_lW77s&!drpjezA2K#2LA?ydR(i+N<2CX;MOR@v0l);V0PL&lHLNOEU5S
zGTUJpWoPJ1n$F`z35X86^9&uCu~7%UY?KL=z=;Q~u50^?>Xxuqd4<V?a3ksin+#lV
z?P=M!b6()RV#8y&pp#Ml5<7{GdsK@JntP}RLT{Q2)L&>!Cvyq+CR8^0;R+t*7JVl>
zct2u9BVCXOG=wo{#xIC!*lup%8%&Mt@Qy54xPV*yB7`w%cf{gnNAV#iklxFkzWYD8
zieKOmWKH1^YW;!-j}wBKETkG{@25}W6}16!#Ei!+ON3;`jAqE}ix@RNT)W_kJWrH5
zhcNr(2|I#<(ZrAM7SSF;8fAV~p*He2^@T0B&xFoWZ?m_&WIU-&Z4b{GQ3Tg&5!DWt
zwQPyT7EdT-EV4_Ow29ll2BMH2UYfUp3T6)?v_Y1c`-Dm@pp#oRKR1qjMx-{L@&f-0
zO-BE4zrWB#{~e+IpJ4R=A5F%8qUks%it@2oOS4B#fM6qW#q1|zm<ZkJM**-Cl(NT>
zoOSAx4qXwCAc|GP)37}5w$zI+8ow`<dsmR|PTD|FWXk_~!QuJnb<|bvtNZza?nlB+
zy9ZNd61n$_+?2trC0)ZNvah!zjz(RbIzPw~QYvJVc{m62(h*uObs`1LMxzCgODo^8
zXT{e=MXy+D1G$f#TMR18=3S{NVJ0S$;Xw9d-<rwEq=tlO>-=k<SI5~C==oR8@)E=m
zT{(L#04ZH2y(QPr2(wY8xX5>TE?hZI-DP{M+-Q<YF{TJ7z4+{<<p&TsewDhNQ<?nw
z=KZ4G1%Btm=rhc$^vHHbLcwiKQ}N!5P&c0vEC1TApZ<Ot?ztKFE6}zAs^AWWw0yEo
z=dSa~TX!1cVvO;)sO9DwXY{f{1{B2^QwMang+wtyvQ+b&kieScwm}m6Wv^WpgU<>b
zY%oDI+6y)ak6s(PN;fvgE2#q<*m^rv!PNk-Kojhz$O3;<=yKM}JuU359seE?qh81Y
z8!l{nVdy8MqH4k~3QadWc&p}ygF{%Fz-o-BGj6^E@n)GY{$Xqk6<6G9v{LR=*zCB)
zCR0Z1k-9@=@8v!F@)is;o^j`ldy)^hm0381rcMCV>Z_TxQH6ZEEPDHjg<zWj(Rzbf
zXO(KUdUifK`6<rJg~OjN)BCLkRqS9k1*vOA9+=Iu5nheAzV~bPSUOlZNgGwOpBo~5
z(PtQ1WcsDwQP2B9EroD9jbcx2Eo+S}6~g;JIFQR>elGRF1GgvT(v1ExH^$BmZgU4?
ziar58WaxcLttP@h!r{|pxSULI6bG}|`SoSs>f{EjYEZc)Izs!R3z*g*U3r_QLyiXI
zBV!i$Bw@vSU$apt5@LPQF`-)K!0eNM2VoEg&fwr$31Gutd|NHQ%G*;~f8ZUdI7YfM
zyv(qnhOw2Mf%=vGeN90azi+oqz&8V<KStUNJ7*Wtmza-fve=@4?R5r*kY)YrKv?1{
z1pb_&|A^d3)btP*?VKPU6F2^t!i8jdwuYD;i?bIj>MZxCNDoT4MYeQ7kyOP2`z4Cp
zjC<QB`d=*moSTJY_|4)g_@7wh`?uYskhz7mv4F9$g^ih#)9<yEiJAL<&>6!e*H4cy
zd?hHcI*mrmDhi53?RFf*se&plj`)qTw*3Ziozv{6y_**cI4=-Bl!4jtKrHs<&C>hj
z&E4w*?C;=b{M(d%0DYn)jb5Vygp)#pmVpk*>IF1~!>rX<o~k0bRz#r*9ZNz6dhL<7
zs>^LuZu;^Roo63Ju^f%3&Ro6C{pxhSQyr<CO|P|gC<_GHplH`mcmmhFmgezF1_Qya
zx=N}ORcyi3OH(}&;y{W%=W4CVwqbNhiz-!KCxwSFySHl2u04M0C~GXJBiuoiKJlu7
zeh;BSG4`uQCJ}z|Z&+{$kNOCw@A5M7u>}g3Uceehq4aPJq2Hsnzu~@r`D?tR`Z&@-
zz5oIB|9<}KxsU4K9q+%#c0>Ke6<ZDUBb)hgWLDiJalvAaz4wMtN`+N0t3?8L%_57^
z<$G2Gg%pMqvL_NCNi=E#4q!go)es!g2?m@<VqsVuoeL(YMgG>~;MX4`5BCQ0HUOFE
zxfLnaRDp9wd~|Pj4R3qd;eOS1^?K?3#PhQ7sqOxyhxM%uPJp{_!h(+l-{4GvkC458
z(P-UEd2smcdIyFL|L72z`#yo!OLDN-`&k;u>RQ8w_o#pG?F5o9d*BG<88{nio4RXc
zB1PGY!>@X~oU-e1STl2HN)P^9crl0@_|~@j*8V|P;cg~Awp;7Bu89fPw`baHl^Y&D
zO@Q{6+6@RF=XnZ#8GH3^K+o-_JyX)T1nI>1a!t|_jghq?KlX@mq?fHE9ZF;Xzy4NF
z?oOOh=M&7pE2zt01ewvwn|g)YZA%=pd34&uz^nvM@_3O^=SpN@26KC1z>yBHOlUaf
zm^8N7cmPK_qX%PJ1qshIr_~<Wedv8y>ZQvNczv2QLsDMYhnpOvP))V3-qg<XNUeWw
z*GDg+e{3d})Ja+`My06LY@!FSQq6s&v#=a0?3V>`Oba3-$cjiNf2B1fB**Rz873?T
zk8J9cAbu@pYl}-7)M;d=EcMwXzch*Xqujhf-7Gc=CWZQ~5E>#eL<@t3JH>e3`kuK2
z;N36&t2RtVn(biW7pOaGVNSJ*3-?Yqi1Hrw67jVJvOeGuCkjM-eb?&m)`D`lGk2uj
zTv_2PHj477XjwgLqfqn407y&ej1I-v1~%I9h(HfrIc#P-fq?T?ie2ek(q0XUnxZ<g
zpNu&ZNRz9EhswHS#^q~VRS7hfy)~kdkdwuaXXK_or&wCK6_Br+9L?Tq3dv;grX8c@
zorfttI$5hc*Y+Saji@tlr7#&7=Y&m^=`d;o-H9wn&9N^|OE^iu$h<Y1k@hO?hYEF|
zD>N}if39n@w<l+A=qMCzv@3Iq5r<CHM%tj>?OQro#4p{c@VHK>B;CsDd#dz}enX>S
zLXF4(gR70tE9T$ZrPDFd*-#-g;-Q67XUp%6s-oVWOK>b@b!W;bHFU1#WoH2mRJy%)
zR#{dXCwBXV9Yj`{W6X`697JSiUCOX9w8y!F+R|1)$<{i6ooDea>44g$?m`>&^~#qB
z-D?OGK$$MZ#^P_q)+P6eA8@>c44E%)zS7~&wDGoD&SOEfF~p6$Z}@gtMZ2J|NjRlD
zHGpQ*1f?vIa+m~RYtrXPxAr`^lqJrAPXB4wlq!euD$R=#SQWUI))>N7E7Xr?^JpmF
zZ?o2>*N=NVTZ7y%dg|c)h(;kPs@qQ@ZIL=;l08cW<S(P*Uz}f-_QA{@(~o6p7cA@B
z9fF9X%22)|_RN6Gg{9jQ;e=!L3|VFVOyMK?Gy!!ZZ?Donb%W$hgUiD6(!u-lC@Li7
zCO#y=O=OVHZJq9gq;QA!etM!zxYF#Ba4l!bENl(L4LfGM#7(8Y8pBX4$$zE>Q>zTG
zOQqihZ&N*hk=dh9d|F`Bxj!Ssrj>*SoH{#$WFZiG%CL>?v^6s>HypjviA;O`05tn7
zI;pW8RJB2ET|nTd>nHnxPMeQ5op?#069e7IE6KZT3z3m}ZC?uqXSxjLVhgC5W|6{o
ziJV|V+LQ^c+At?e+Rc6!bP85e_1WAzf3GI$_1X@_!ie}OClZYX-p|)eWiLI_mcU!V
z3gdkv0y!>G<|_Bn@G<o7+O#YhE;lYXHQ>5!`VbfkXceP;;AK_uXDKE3z?DgMs=J%=
zrwQHN60%U065|^i!hHA@hW<X6UlG5^hmvmMDpNGgYSHjC&(w!C^J{Erc3^UC_iBwi
z{xIlmMo=SrDF9}%)onh{k5@gU8gK?EY-Qhe4Y6pW9(Ts67KDoe@H=^Ar!+lSL+SEK
z*Exb$?Tn!;**U=wZ4`@s1Z7wjZMS}ldsOnoR<^_s2@v~!WAV`qoxG>8>kfW)gYh`C
zw9zEDE(7ze((`*l>>|*EdqHCky+@%lokn=WuJOV)(8`$=4kPOWNBcZult5ithy-+9
zd6S(Pu><5NwU-!Oe)NRJ^T|%`Ff*{VPKc`EUW$4)KUH?(NCtq7_LdcfV`L3yKOmXs
zn0ifa?Dp-KT`|N$D3%~BY9=2n?3DOX`FU^EokxcXCpvqO!LW&RS73lWWaE*JT4UXv
z#))YCS9Tjvd>UD1j<OD6KQh<JA2Wdt%qhnlEbuZtBFH_6Y0T7Jl-i|N{qJxM3bUe=
zy_;q=(%aOF!MLSD1d6G=5L(9;)JI934hKI_9w?u`TNW~v3meKF=Q~uG7s_&GkfZ-1
z))FxlL9c$|Rvp(T$&DD-PwG)JCopRKapyRpZ{`FpgLhh<BXVt?sJP<!v3}-@Mx8^5
zSV7q8x25Rj8%pmZr*#Y8@bYmS(t$~J?Gg^QckY0C(#Lfz8{jlPIL32Dcvf<Lqbt-2
z)%l=TuwOFIQLEpcOpz9}L;s50Yry|%R+~J~e$e9;5~vVrz|1*pS3J8?z>cFPoNAoV
zM{Q<T{`D!#^PMdYX`#{K>K%;t4Hefds^lZ;*QYGkHGaHJ>X7rcszl1d#?|b`)%1fx
z2>vj}498*7PoL11cR=PZ^#E|U&!{9yX+;86#hrlwL**i19eHt6)g2p;x^3q;`h!zW
zy3x7!oVzCDEa>{ljd*8qC5s1Y&B{$BRodgSJ@OnPvvJOO%<NtOUK;O?xiQw+RQm}f
zTlkMHnZ7;BAr@yieh7_Qq5=~T2zeQt_!A{bRJ@088coD6g#u{$9N+Ya#4_=2j;6iP
zV6&>f(MP~0l4I*NcoIf<<lTAnWzD(G$rehuV>Zf+zSt3SMkOl-i~!RLLWCWdBU04}
zRSabr!ajzR-bXmc-@15ur#P%jz&53Jh-pf1N{K0ggfq*grO?`w>73udbDkjiA!#<9
zV+By+IXH1Nil-cG4mNhpghEQImc&ZBk6LTW6KqXfV+(M+;+fsXBKs!6L9OzmQ_41j
zRJEO}I2fB{hCgu*r-VQ4yk8^L!7B?NmV&3j<5#e2C^Mur?S`(;ddVB++2?LEvt|XC
zWd`ncem~S`P?T-Z5q_oS9D&jkHVbReNo9)@-cV)>F^;v|p1I81vU;w;d8Gfcm$xgD
z7_z0SB{m4+@SytoqW4#%)_~I^tMGf{BpUNiks9rP6RC+<n*dB~oMa5FOdS3r5Kh#R
zLl!_8{+vs$qER6yR|6CA*G*Ko5d<b6fS4%=(CmA4;%b0yuQzc;yVkPEb91NXea($D
zYo^*!tcBlTa`ZU-<T@H(d4G6)g$KG*A0Z5E$JFlaq@GQ^9E35gC;wsoBay^)rN<it
z9%h`OAkmJv-_1k~=R1+l{xbLdGmU}dhf82`1Wf)Fa3PJDjaHXR{Xw{5722vp(iA;f
z4horU*A6A>GAph$oyO?w7z}c-6wn}G)M%kn3C|l<>St6>sf4W*Lb$<?-Soaqv~1K%
zBQr@h8p9OIUOd-MaQH_TV;v7bhZ1_nC8yU!a<uZV#^nUOgW38mTIW-12HPMp8=6ig
zm51-DV?I+g+AS!xr<640Mz*!;kb!VV6LZJ0mZhpcFiqR%4N@(d!`B2^o=pL2>FM)y
zEf|a{<+(v{+?1A|hWvxXJ0WMR);}#y5UNPMelCHSgj^TWGM%a~Gv3szuw6^H+61%3
z^KD$T(qm$kwait|3xxJkXyf3_shDoN6Zbc#XQMonEyqQ0-1{F*M`**r-;DI^;mEuo
zgUC6$g&e`m>7d5<Lx@7IU5wD*=Uh?r@B5~Y#!?6EWx~zpl4-*92m8tl>3?Noz*e-y
zQ*5KtW-@OVos@Wc4`oJ6oL{%qY)rS3+SvDRvX;`CJyJOJnYL`rj@E5Ul?Sv#2v0mV
zqNn}}das*Kb6hE3t7Tu$t(FF7CcMXnu#G-f`NdxNQ<o@%crDb2IJS6$a|Lw8`UG0N
z^bIpCra@|2Lf$DpTckjqaF7w)f^9x}$ax(oZ$Vxdqo}dh5EQyPBbz{<27G^PSlmY_
zybC8M_BlKoo-C7|$uDPiD(Cp<cS^1112w(_Q)+TJK27n3Y<8G_Qc6ZxvDG{)tT4U>
zRYXRgv97sP;o_NM8~!gILd;Ej8i0X-dcgj~1O30tgOic@KZ#IYQT$B=PgXDi0TxU+
zIqfzUQo}+^Ao+o!38p=yNK%J0smv^6S{M%xZTBwx^KL|Yp~`87icg}48Ka-LHeS)|
z=9>2ukN2UA@9W17vLBRbJw{I)3?sXxzggTl=Wrc+G%^~chJ&mod(xmqX06>~A4kYN
zh*|?lzxhL#8#&(HFd#G(v75;H=hb)|$6(E#%{JCTGW4jLv)E)?m06HN_8HT8B-5Z}
z?38;IHai>%94<l^opZxO_$?R-8^$uB&{l&(QkucC(wo#t7+A=>NwomXoyx&z>kpk2
z58eR-a%CPZc4)!!>6k!@ImH3XIxK2OIX3s24q|LY*RV$H0JaX+?$ePbrwJK@^W^yf
zCiI{5S0acZGAu;r2N`+D{_&=0lT7DY)qQ|mied3i+2|QOhgdWMxCMy_*<trSdc}&6
zeLR(Oy%%YjSbB>C7vTPy$|JaN*N5F`yNoy0_pXL^_xHIbWT|xOkTw&`vJ)s|bH#(9
zq0BOw8ks38&iI5C(mdxKDIcw|kh<WwIUdMygkb9l=mwhVQu*uL2SYqq=s1{K)uoM4
z9*?3H1>!Zw3w|r$-8&i@k$lqRePuWy_QZZP6!H2-qVX!`1(iyktbS7KCjN|Kdw+<B
zA6fkvLzt4ETPSFz4lUoMU;?|PhUp*aE{;dvYD+OE+h*;$3s0S=;)(`A@^MTO@7<M0
z;W=^TGRWCTRn9^%SgH8ng5{l3C_A}MY+b|CNxEH%#^7`mLUuy#QD^j$lB@h6-%8TZ
z7-VgSfsV7k`3sV>t+;zQ|1!q|1sChn6ZQ#zBd{*iSsU@>cMLexDRkARi*pP2dZ7a6
zC3L^SRm_n(U=#2D@jx76K`qZJpI0mWK`d$yx<<jcKG*}{0u<NCRK_Rif_E;~(%VN1
z-A+*x${V4JaZVB#?3*<dI~JTORiy0^b?<r4Lq>*(3J3qigLo<2L^Z;s2L81d+zj%R
zA4WyPpE9Yt$0OonEB8@UzI8;`|8!UYC;W@7C{<6g;2}+&oIznWL6TSSKm;uR4#AxG
zehGX6I}Qyx1L6e9Y-zha(lg{=C>jXtqR{+K+JOHtX~Xj0p!koCV}alMz7~egPA322
zp^}uhekW29J|<PE*A#rVQLqGa=MO@Su!Yn4B{GXrw;L#$ENU~-Zf9GU#Sr31rX+xW
zRbMX_ccE#HG>kWRpTYQ|Tx3@eyJUsX=g(|hZeIFqU2b;z+`Zxh9omxx%hBfy5u+($
z46EQS%}!sJB2|@d<<-%UC}0gT@=6(s3?Es{(w(%#iDI%jS1?A}Z>21nZbxulL4-&@
z5cm$rWN>Mj22xL|hVATc^xRZNFV}Ee&7qkL+k0PXRqZj12f@incNH_ARqcT`$wVuG
z%q(fI?C@Gl*-s%e!q|=7vIko;)p){$nT*xGp@u}X8sPM&ufT!>768bXVPyy3J*HPs
z>PmqrNo^w5u(dTMqZ89VdkCi;7xdSh4w5mgx6lCuo-JGeo2HHElbdKjvTNMZb5rbq
zh+`jcVHPi`5o}I#lT`<HNO9k3%U~=n_0p1dd<5M-|Awerv(;x$O*|LMSlQWgX35W4
zYZY7%?k%VXR4u2VJ>)87t0#!0i|@54us7`Cy>@TDf_leSeOVKsc?Zam1gJs|ttMhw
z5l6~uv#@NjG_|Isd2+Cew{=iGc9dnaZFk3hwWF{xs5jPNib%}$FZ@uOHrKCt1^I^h
zuzDD&Ln+|0+uk83-ro;4B+A84B%P1r{f$O2*sFYw?EN{*LzITw{HyIUYM!P}Ux-i>
zd%cGJXBAlFg|brd4ly4HoeWanu3+`ayI5@VwaZxpY?hLQ%{tbtH+8yS0QI-to!aH{
z=y{xcxe1naowT-)ci1Yxr)O#F1f~l|r6Ay;b#8rI`C7L0)OaVH_+GtakB#N5JUB39
zt9|ta=2s8NHo5q2JLenyV)sKbv&fiYqAXaT@dcojS2O7f-uUw}vgM@&8bt0`WQhGR
z5`42*#SfYv9LsQqQ;5FdVSQT|-e4E)xRGxwb11LOFMZI&w}a@@Il&OJGrl3WK%`FE
zxyz2^)9v2Dc-Q6XJztGE*2V(n*g=BY;e~=MU6WlH3_<&_UqjdTIO{lhi{OPXaWIDr
z5$iYjqMQbLNJS}KSoM|#>Qs%>lt0vneS|bYAoGcjd3MY=QK4r{N4~bmrlM0EArX*2
z<c?qFj_(pWB+>{hYV7~i@}JRAo@MMM7p6b7h?+?sMgIu6K{9$>K_Zx%GXN)AFV2H`
zpNSPlOfj#{qX`=R?rr);LYghO<P(7Q33g*9q@c1Pioj$;&!`PIL7LR%st@=4kJK$s
zqga3b?^!_lkJ~70|HE0}U;Of4^8m66%7+c>Pu4XWir&ShZ-N5iY`I!6U;rxCMCBP`
z^3tq0^dr{R#KMe?mX(EHhusESUbn&M@|wQmezud(Vx>o$)^o|CIA$)Ftw-ygU3Xdd
zuAgsbOGiMGEgAk%93W)&EP>RUiwcaf11zQEV+U>A?FQ48t}q=D!35NBMxauhn@q>g
zA<-G&o5OX{jQw^Qp%bCyKK$_nYTg6gyG>)AGVO@q(ao(R^zL-Gg2gn8SylBr;dMtZ
z1n{_9XN=Mmp@591D3^_=juGdd4EZ%@9W)rSI{O<{5Q%Gm;xWjQ!JbQ|f)t!7NLxnj
zN&Fa}b;kP1SnV6FptMTP>=LmHSi}km{-0a64z5{Wqvwr`7`=`W78F@l>)!R}qMPu(
zCqsBxuhG~vzcp<f0G4P&QH+S7L}ZZAzZ}HgqrBe-wg?hM#j-V9cI5YzCUV*^NaNGY
zka2&jmIoEHOxn$geueE9?xM8t(y=TXK~-xAMyH*Wr*WE5!WaVIBzWB++}Lm<PUo4*
zEiA%bQWzV<!i436N;h1HBf;?GsMmnZGa4KKC`(HlE)1NdeslPGeDEHk63_#`UzitW
zpUD`PFh-)ydh><1064V;B*KzJ3$RP%CH;=apR;rNY2zPV7KU{Svsmu62T_aMe>~>c
zFaI{R9OY2C`kfP(?^_w!sFl^z<@zt{%3G1&fYWD2i+N|*jOHG@xG62?jAoY7ncY>h
zC%>m6tr_%W81M<W*L_}^ewYx0^9(mUGw#w(B(ze%O=Hl)y77X1sr%Z5nxae6?<VDx
z#ozD?x0nDvzY44Hm0gZ6D&hWYrsQhgoxVd<GkqW9XC_Wqe$xyjhg1QXM9u&T61&Xm
z6EREtQf0Ber#N?TQ=s(@Jj`dv{*kA6=dnh3D7ESi=B(-s<~><>FQ#TOIh?#-G-0k@
z?gsVYu`Qe28Mc!{6*`#N4e1Y;BNU-lF1dElA`7`&TZbhl?P>csUio<2nO<?iNo(Ii
zff%Oe<XB|lql!Mf5SQ3lJS{!}y0^%2+Q=(<3C*@x><=(g;L$uXUw%c;^&{SBl*&5{
zLRxUN?>mGHdh#8^p3B~wjw41PyK?2DmP5fNMG&Xdw2o;d8Vrp{5+~WUP~Aqx=w!y@
zLE&kttvLz|(v4FC3~>2~g}|tZ6b)9VSSrLR8-vHPnL{zt**HQ;=ZfN~V@OBgoZ0VR
z|MLHy9V!<|zsaxoqyOjpACa$WVD0>`K|q$W*5A9SE)~lPwCpM1ikED|tPpmRbP^zh
zshFnc(}sIrbW@``KoK==D^v;Isowm%&{pFuxRl(CLhu(HRM8*_2<SV^pVqtYvhuy}
zwzfWjOLj%!j_i124AePbb^`n(+>Pxdpj9ffvHRFsthd*=Ee>J4Qih+NdwaP1A=D(>
zsN#?Smm&eV^1kCstq1nL3zqRe^+>7%n~C&Vb!J?ITnCYxuD*s-v0V#=2-)|93^pe&
zI&8nj9Vu)-Q{aUN4pl8}#46c^`fr$x(6)4yqhXRpv{OwsVKPbygkDE3>gZ96ZJ-ip
zacUF6;9NGgIyGjJGo8js>C-OdvrxsBt2R8!I|ZHZow&3tK(?ulv}c=KnYZ*V1rh%M
zIeUK$%?RhRg58X`Ls9`p!;n2c|0JVzS0g8IMPTUh<heo*8QksqmJF<Ce=0FKwb(e9
zP=<VFm3<7QhnSpsHyONhZgyxm^13S#A1MAVe#&%};B9qKYlqUiTxf`)ZP#JUf0BnM
z)`clNi^!%u@pz9%oV}!hVTx2{^Xtr$TFU;ZPQG52m}IA3Gp1lWi`19=5cbX75K&E9
zdb=zPc&PN0RrYm5b)f*Jz=bj$qqii?h~1`#)gCqhrkF2+JEWCv1q(!qv?^az=K?)D
z7C)3e(!1phCP@y>b~Va_>GT0uB0sA}t8$I4dc$G?ui@fX)@q<hyTI=jn6iy*6<@%3
zt|Kl^jX4$C<5651E$-oN8R;E6Lj+rf!4{T=qvo$&r*Qvj#4O?@bSgZymI?Cth8ldc
zx;||0VHa`|CpiOZ!Tk+be00_w2qR<Bk%U9&7L@d-RXDMTS@>jr;gNoZIFHyb3emA@
zhI@F%Csu~*I^_@K6|?>LA+>uNdEg(QASO7%U}DD{nWPiSe6S~QUv2=TA=fM$CvQ10
z6d<9nP}8D4`ri8Yg)EZW>xE2}<%y#i^jJx=_#+>|y(pC3gHaZsM76^rmgh(;>QUwR
zXJP;qx@}Nd#Y1Z8%sz{7ukQU+nJ;GX@e4uz+NEz$t>`1RYP0iSLieCdy{1S|U6|>=
z*OSlcm}Nw4_<;oHqSNQ}jl6|R|8gzJxfm@=!{i_B7#*R<&X5we+{y*+0Q(ExxT-E^
zmEZ6>{t;g8{~vh&#drV4*LF@E<%5)st;%9`I=P|dKyw6)e%e7}H8>rKxS&BBiO@f2
zni(^^)aa`x%t7@%{JE4~OQWIM>H%yRK3Jx`bgsPrKp>B!=_JRNYZns}KJUjJz8{5h
zJ$Zhf5zufwy`5mc1TIDDD0^YD+>_8SW|np_OXh;bOGAhw=j2{M2p{G>TuP;w%w<pj
zfu84hj>Fu}Wt~P!*9GkqedGq5j)kl69NamHn0nQj1TElqrP5HopGtx)O?pK3SxB^y
ze|yaJHw2%3j|Dh(ux89<o{;g1i`84Ce(@Wz0mTFYmaE1vxhm6kLxyu|$nM-eRH5p@
zEYc@{$#4Y4%LpkWy5&yz$;+5&%dLDv@Ydd(g=77N^SGZY&Rl#@Es7)}YR3;rbY2A+
zz6;2ja$0vQ6MxtIapJ^~2$;|&D!YW&4x)nVW{J4NjjFrMT=@zLxTzvdMC%1a+?~-h
zq@>EQYys!1<GU<8wq(2rRk}Lcrh|cak_gFfotMErQrh(@?|WRy&Wa|p^hWw<zL*%j
zBp~e!(lFhE>Uvnp58hL1vcoX@^yb^&;4oVvIgon%f+Z}E;1V$>-?I;~sxVTARYGp3
zkOt`O5&E~Eii3Ba=^*DTgEe{1U3hYy;k2TLF3!|0nakkQRWD>8dh;6PO_s6o_f>9P
zOWOrfnuFY};)>>z!*=DGRJg#CgRQ@-a9p)A#+$ULub$AF3?#&IIcYlRu^r*Ik;3Ey
z5SP2mZ5xB4^I!r?cAiRb!F5c(`FEVcV}y*1PN#kahc2r%E*`<_C3n9dkeW^XVek7w
zvP_CZ7pE;$b&L1@N$Bi~eDXP##5U6LErl5Beo6^=8-p2zAq0u^7=W3dG^2|ZX+(!G
z@hF1w@xvYN9GQcJS=zke3(gNYBOb&1Vn>v@R{S}NM5>JG#aP*@6g?s(_Xyq)SmUK;
zH<)RN)Z=~%kB*}59r@*5`5ptDFb?A0dq7Jd+K%i{ixPuPleYU;Z;<!1xaeSYK6wVH
zp6`b%82VbM-t3ZPHRNkf``|DKQLyKlfyuwHOZTaW_1<Dt6r_j@#!I;e&D-xW|H9I`
zfJ^bOHFfJB(_8;tA;dq{)FL)czw40YTz{7h3YnW2S^c9H!obYr@BDA0x`h|Y0j>|J
zHRJD>Qx&)>oHp-}u)<GMn-C-ZTWN+JsQfgVnQN%AzN=|gTJVpi&Bn%N8p>slrd3TX
z|5H+Np0b68rd1(Ny~nPLla!C+n+~S-44JwNQJ?#<Nzb>bBj1jzcDj$(uwo$ULF_LL
zyXmFs(XR8mSuLtV&byx8epGCrc9b@W_6e!$=fmy5*L%r8n^8~FgOzU8%RV`gPhaUl
zmY#3E+`Q`p-CYy#@lumELk`72tj2)Xpf|tThvK`2XL<Xar`V@N#=P9v^If88CwjqO
zKJ4-KI(Os4gI+^=&BlBMaf8T#+MaV;j+uJC`Hr81T98vdn9nXB5y(#L!%L^keK@?=
zcujCL{9_vf=@J)>Pi};LcNiU5J%r4Jn`F-d(m_*dm}M;4&Xl^H$xzcf?tJn>Q?XuI
zj4evshimr2J4K4!U1-tnzG2bid=|iyJ-Z6i@1$)hc@l=1j$Hft;I=MpA?r(gc1*D`
z!@^Z3v{5K}ZcS>WDJx9FD1v0{M6JS>DIQ~iv7%fCXwTQs3AvQlktv_-g@RPV!eW!U
zZp@I7>5ELYG3U`Rm=jH66^9ra4@zIH&}>URLid*Kmd#I2aiu90jW^{qEI&~$NZ{r0
zT)bpuF7MQnI-if~(iOXyGZ*+F=hy~KzQD#Ti&X5V)3-QHPeHqro0x3pfwwn-*LS8Y
zC1W*Uj51F)2$}~{D1Ug9|5z$f@5nD@jGIT_ZD1`=E-h0QjdkMCaDO{gDJ*#;-dBpO
zB$>*Db;y$jJbxrRvVw)&b)}nbhj=AzVKHHsT#Z2Q3`g7$c@`gOX6{zKX;vb;m^W^M
zjIAqCa!s}=@8TH0l18sYL9-*cnym=%%wHMAQHcs#%#z{oXim2mQps=CAj++(V1)b#
z=tSD|cvF^2ous~XAT1hdOboI-y*fou*@luT71b+Ps!bgPHncee81_2O_FLyY=srrY
zd-kob=fVx#L2~Y<I<I$FWYG_7yo6;?&Z)<RW$oK5MFTX4&`r3hb{0P!Ysdik;^D2U
zK<yfR8deXbAwEgaMPJ>F+?lY)2FJ;Yq<?rds9!SiFzyHw7p)OOJs2fZq6S4C8GD7z
z&KuXw)kzO|t+mW@K6>HUcK7&`MF8ppC0h=jPtu);N7n|bmUC}v7&Pi7XHmo=tBUT+
z&5bMa_9L@r6uE5(%ayhAu@vxM<_rRw7OhMxgPJtaJMDD~=S<>i6a}zVDO!N2jJd0~
z!C<7=b0f9E^oG<>DhAQO=yuDI(3I<zqZm-xHMDw{uH%E|ggxQUTvEkE)LHtn1qKKW
zPB4cXf?(;!p4$R!w=)>K3b#=^%C^^@;gCJ36U*y7C@HXpovJ^BUsVX$E4JI8vjeW6
zgFk9iYkqxolkkU)_W7=6@+RIJbAvq8XH?bPKYju1Tw0QYG+1*gZ?euaB)DnM)-$(?
zKoX~btZCe-rg@|skmuI()Z{!2^)hpIkP*aGmyF1wqSc&VHByrB9jfm*Uc^jH%%fRR
zbBs|}>6+;+v-sZpNh(aVV+*qBXfTN)_<d)iZ4ST4NWuRW>>*u&ZVw&GCrnQwHH*as
z>(GYCI{Y3Ink(O+i3hBENb1}V$|rEE?ylIGtCBO!hX&IHK9JnL5_av~lr;%vn8p8A
zy%WkObgQ0&{2An91TJ@5&P}H`hoNGduJ4j^LjGC}af%{+CU4vJxjkTmQ0r@rWMA9Q
zWM@tzte|hRx)`WbQ;mggVEVF0F<EwNZB;dxTfHs_vSt7=x7gZo9S=pRaO3yTpu3nC
zMKXgE1{5xq4>{TtyDSsZ<<}9l-R1FG6=H*#3@#T9+x#`2K;F9T6-v!l3gkv{yjKmQ
z=0ej{b=X3(DNS@MmnzJT%VbuiCQ&53;V~)s=HVuMNHSG+Z1<#cG;osPRV{9cGwh-2
z<f{*>=oDn?Q0e6BC6>sq^5m8kiD?<Mx|JjwR9dxQ!K^wR0B19?qmZU39V^c!XIGc%
z)AgFl;>z{}xk~lHWU=8Rq!dI5uCF)~HJvHFBB+-_Nrfz`Ej^1RX_2M~Z^?}0G4Ns^
z#^3S<_tuMnw`lKYuTq06_)07Kt=P1QFRN#M28*{$tFmK;%TMM_?w*>mB$@nl!2v-r
ziLWTsE+Dh>UD<yh$xyyGWbIV1)M}dBl(QII#orT$&*>dTng&a73-RFT$*5S}!>z$J
z+50Tog0-P>{hl(Hq`_kHd)b2aE{&87%s-oCi{@|tWYVo`9q))G`2;<Yz|1&xjHkP^
z!G|-@zidagE9WQGZp84U%A1uCrES9oI}9u9_ulJpF69;(V_yoiun2XQ!GJ$D1Lap-
z*#dIg9$$~;L$~ir+1-J6+niMo(T&u-AQKo1=O7;(&CM_!B>O>$_eFJ&(8tUGwoRNR
z{e?jp7o*=x7xPe&>)CH`&|QG)xf01!W+Eovav;*Ly)FI?y>0f;P1)VT5XJHR>`)!8
z>E3R8FW3dwH+UP6x?4BT!h%190y)()EYKK)W9b!RXCxVx4VTGJL*#K9?r~a!hfUtq
zd>p5~GBQJ|mK!wDGSK*I_NK`?7im>-L6Yt5-c$AtVgJ2E%MJ8{MutNg793n5BhaDd
z1)&Jmz(a0~e$sOHF_I=Q6*DtQC>EO|vq!*=)z_f}dmuBACY0V4f=tw#V2d6thCWD?
zA#;E7@X*fTIuUX6kSMj8#7&c)`}>O!JC7!A8J;L$u5TN-b`7NrZvb;9T|TPWt*CwE
zTd1W2I~8T<zQH)Qg1TI*VevQaedwPY%=^<V_%cMsG6Cac)|O~QF$F!2(;`x!d*DGY
z?Rbm?d~va%5EtCQTsh*|VU^MqW8%$8xviP4&n}9(0?#V<1kq>DorqXA0nwcu6jx$U
zPXtk~_9S>A!D27gBfY)fsxzhx;X~|Eb^8}Oy!9fM?6a7$m!zB%zs2hZqE`wc*)=4k
zleju@Y!2y94P(#yV(zu$O))K1{rKu>&jV<Qto2E4+tV)3Es7HVCJ_@3xj#BhZp5V~
z8;ZjjF2eXLIzaC1BR};h+N^y~6!X`tm&b+OoRy{uZ)e9A<qh#QrG%!?Ad7Z;E5dfL
zjh|K<I^Gard^3)ya33$Ty<L+QJfU|;4Z9|;Hd2}C$YU<+K38NR5*+t^j@nR-$WVQ7
znI6AR38$MZ+)?zdw+5$t<Oz}o?0QIA3+_Zq;2qaW-lP2$ZJsBaeOoAEdx}D941<>+
zqT6&-FP32wsDS7-6zAf&_IG40e2b&QrCoNGZqechFwc5y5LRzvgC1gbu>H;?X}lK%
z%a7nz#;QaEnm4kt=)92pL7b?nJ<6N)`_oi~^26_0HLdbJ(0319ML9SHbwX9x1~Iwj
zo78On#IA{j*eWDhCdnBXioDzHqhRY~y3#M;o8goxG}FYj&UFzvY_q(@?Us%WuHONl
zb`nBx`!Y9SW@=rKwuFt#8A1fMh=aV57GgElQrB++!Z~>Mw8w_;#J)MAG)lQ}Q%T~q
z^J6Y4*@Mc*v127ecNXvwvR>66zmKGSh0wI`|Kj@luq4ADOB%%gou%i0oEZE&)cxls
z(*G{}{b#V-sSfRiqk{TDwqjhDVS%lf9uEW{*PjEd7Rp<;Qw%c85XV{@Aw$vVXPwK&
zTezAv)z^FbLGU67529152wbc1m&i-ZDT0B59*{s$b^(1sMZkv`&A8rL`DyH0zeauS
z?W6ZN*?F|-c<DQJmYw0b+3|t~G%Vo&MDv^%Ne5;}(RD6{*+sZluF@jy<f^=5wfp)2
z)a5@W;wXaJh1rwTB01Dtb`4;7$)fa9^XgWM%4%uDTH4l}@zNV|4)F2@a$Z)6!r!*U
zWK+)n!Zx~$+XMeQY{q;vf)^F8Uz*zC6=+|Hd4G;G_n|g#hG1w84_gC1e=mS)R@;MH
zrx@WwozOA7w6TxP`T6XQdI|Y0$kSvUy{EQCZwTZIHQJUQXpQhRK8!xaCF+?k#hx0{
z=-%OvpjFyAESSPwkO;Prw((wp3ClQokw$>jmE4-9u#CCkjHq)2R(Sc4en|?`&^Ppj
zY6<M7?CHf*icY?&MywEv@+KQB3P@PE{-)SdL?OgE`q>+H%;F>QEBeYHOR3aTg{86^
zX0}QNBZkZQTrG-rfOyO>vG^I7yR}ZUrC2DlR9|LQNg4!f`k}rybZy4A%e$o{^n<#l
zbWB;(kj{JOuOGRq77=+VGNU!?3S*0VdAS&BO~Z{rrpq)`<VW&P%UMIoz+YpWFw=1*
zVNc%QO||Po1ue8<&YG$U1*4&qPK;+8&aDT9f0}ER*(@7zTH@BQl+R6HBwIH+m1hhX
z#E^${5&?vR`56JJ))Ti?_eHVn1|D;MXmb@X@xs#1(QBqytT)rB;g$xXRgK(A(o@A;
zsZ=Rv+!Ij0wC6e+k-Pw=k*cYSgFJ*M!ri71rOE|+kqRtbs*O$zE@8Z$;>D(FxCjoC
zG6REt?V+m{_@16;7_q9uQ62zi`4)kRAEwQR9#6e8cTg{`GM0U#m@>%doL?C;PdHi;
zXYw_P=Mp*a6jR{!sew*!pRh9^Ff;-K>sB_zImlV!RBK7@Di@S0k$1nF>J!VLTO%KO
z$(#+wm0@_pxd&8Y5>d2$dC>ttpu;<#P_&DPKX{gtjML0axQWI@P?r5nkviD-7<$}K
zb)_ED(ke59Cd(Eq{%&)snh;Hm2`{0Z?OQZ^z!4ggcCpq_;`sc_S^;3nU1idzWbT@N
z_*^n9Yht-(Js}Q>|FbB%oFqasZKuctYKRO_vZg86SMg>nY^#h(WLc7MN7(w^d2c!>
z9a=Ei?(K^R>QwRu7#OXu*sN;9bzkxgJ)QDqVTZZNo92+M@tf`t{;}Z2TAt=?7$c@{
z;<S?b=arMK0V|1Vctb_G{k!!<?IUGW>skTDYIwNJsRWH|f3PYe2$w}kOB-;f>1wzo
zZkyf3${_NJpgkiPeh(HT)t0wz;td&C%q|1in0-JHayV{b%>e6WN?=iAC!1q413cV{
z3nLB`$vk<rl2tB$iv0?hf@@^}D!YOpIRMi@N#>-qM%<ya1{e0J$;CA|M#oKB-I|~T
z8a#6yT~@0tAc<XJXb<Wmk_?4Ate6-lTS=B#R3$&|q^VZV3dOZFvYY&w>SL%PKBtWY
zN8<<5PxK!@WWHr3Wq^`ZX$HHr<pvbrz%YdcnB`JDb7d#kIZ0p&_gZ%7_3~ZIwY3EG
z!|fMBeUO04(QS(|epGI|zlpIALo@0sU+WP(`W~xZBk8JML+K{nqz5d4y}%0iD8+IO
z*d@}!;bN2E9N;$3w2EULWjkK3i?Y~QSXz4;F*<^c#21L0D7FUB5)_9<?I%#8c&R>{
z$XO&Ij3pFU$YZJOJa%9>Djx(l1{HA=5z{c0YCJv;33DE#3PMDkX-a2)z(7Wj!bUB2
z7{*5`7G94v_Z}y*OGzG$RHmYJ1BPUP4@m?EduJWtsQhoN#qoDVNnQC`<iiuE*)_b!
z&zU8{el|$MJBNqYN*jf3n^h@u!g6|PY0DH2ICobRJhPYmC@F1iW(k%lLlVQ~Nyc1I
zq!=A_s7`y4%Y|c+q_M~5E3bkH+sV`c<qS1XQ#(d{=yE;()FsTShHpWSL_5Q-8?W3P
z(aHe(+%H1H$KTW9yq#6hn&-<FKPuBIfREI3PMeTpK{A!bx1+2H0Frfo1sW3a1`Z%8
z{JBe|8Uw{<kFUU-oE@I(5~QKgH*0NFdATM2)s{lOUru`fO8qIXz~($S7MVwz2)?uw
zf{N`1)Q-2+7E&(Rm!Hkh#$Sd;=9hMsn!}EE8f%lLWxTubtdy2^#RlzyBSRNFV>7!B
zf#r$BQAa2<YK6RTu$FZ=xK%cD0wm}jS98wh65h#$HtxyB^v3Fviy{}3rVQK-ia^=r
zvG&|rbM8gKWR(h%rsSM-uC)L_WmqOxZwZM@s%D^|`oh(}*og{X&oXMMQ*s?GJNj&m
z$UDpXjJ4tMq4Grg_Ze8v<T5j~bVp{qV@q7MmfhB>LWUvql>JWRO<R^1$auQ>)WsZA
zMAqh>d=EpIs7?u;IURYFq0c4y1iz;bF+U>t5Huj4`EbIFPDTabz$ehxq_-x{h9od^
z0GK&7TNd3JYZDpAyKLrp6~`cEJ>}gYp}S)_e9w|nqAgUnms8EfK}qNxQa5ZbqImCW
zT_-ty2%WkX2MmY077NU0RCFY7Q{#25&VUO;VS_%WoHOO`a&+LuU1lGW%xLGTdxUPo
zDnd8peQa)lBshEWh}J$M-5918N&0FL4o`j^J38Pum9Ixjl%5O+tkNVcUg{Yunk4~I
znBrXVXN>Dr#xq=V41F5sWARpCkod%_b&%%oFXnuTK!7F=5^MHvw-!btWaRgPP3VX(
zgTfytgd=>)5UrXB?lQc$Qe+~VzWn=NqX?>hiurJ?QGI`tB<wDOxHTu(XD|ojE_iI?
z-d{qykNpDEHjY?@_A2u*jmH_e>Xpb=i%U9+$a%3zov6f<sB{u>k*Gn6Cp+&K>kTFr
z(C+@hE1fdE(E<NeYT3VkC5>Q*bzTGw;clFVeV<nOxoVB$ms@Mkm7_})k?yt&_#iGj
zma8G{r67VUS38?SD7fKD5WDAkZ~sgrD9kQ>rxLVeeCGsQ;hXaaW5r6fM{d^WLPgAF
z&Lqx{@hJtr1|4pG@5L`wI9&Wf#=X2alpdkM-Va@!>|S3dw_@6yAG#37q15Kp&WFx7
z%-5rc9`$8g>be}*qSvGHg9=@G<ZfkSof=XT&rIUC>c2YntMvXVLu9__fl>5oybF@L
z6sp1D5}O*U*tP8%JF0$ioIj65%WQJIufXO(&6d9V@}!{hq!bLV{{?SAk$WKXjvoFK
zLTK0ZK2NN4Xt*SgtOi$(F*4f_f+uS18Yb&bgLB%kCHu-g_mL^BIfYTgI(L<dJQrVU
zrMw{0#o9=&D6z)KkMh=ZeD7!yUH*1uVBT+P565enVTE?exZRFcNodHpuLcuSVsxZ}
zZ%W6PcG7jC1v3egDH;i_8$aoWA==nWdx*?fyN554YfEml#V%2lwr=EzCf<Gq8-lZ6
zF3K=j-xU*RhYFobGN~jza>*-%sOxGYwL9b#p{prdtw+$HvYo+%Pw>n#2D3L$EAZ9+
zoHMRVL=mUgzQ1A1hkB9_moM^#m<F*R9kIg|gNZ}?6fOleUjw6Yo#7OR65K8OwcF3K
zW2EB-DgBy}E<w%wS}ko_cP#wnp(>q?>unb1>Kj2*iks`Q#U-vPej+HR#C9Ag6zc@H
zvKu!M^YnHPIb{p)H;GizBnHY+`|tZ>tIeAm&Fc$GN9K|@@4!0IUfOqBqR&K0AI<-`
z?c}p6o(~@y2q^0J6(Rrii7>AJK~OFu{8vD(^!KeAe<z)@l&$_MI_7~cq#Nrm(-%?r
z9a>`|B3M953?gB#h64cmN=zGYCb?WvP4(aTq+a+5!}xmeO*-l;O9b%j+1An=J+E4i
zCbQD6__};R=tB$1!5J|7lp*E}xFPo}FqjnX{Y0iC%m~Is5qlkB4+T?W2p7LV6Lioc
zP;^WxQx<C0T7S#l+Ih`vY_YDZbD&v~#y-|_HrBE)E$cXd?A!2*Qgoqt>g};>Qva#K
zYPFi``Op<lvlN~txY$!N<<bLpj+U^FcEMu<^;jjYlqZu3M`cV|Zd*qJ^1m2+r|`<!
zZd<!5W>sudY^!41wmD-P70uYTRk59lZCf*}*iQbu-&)td*TLTJwGPI~IDW=6dhf0E
zyP<l_)oRW;q|^0SSaQcNcxcxks<YB2(8wZDY0Hiz9mW?I!GkB?M6a0;9?C5Kn6j2$
z7W#b)cNO_6J=~Ve<co2VP9bZ`8J};3`9yozsax#i)vldSq*E0&Zfma(Q(3v2jAr{R
z<I`g*tz|hNVCPt8`J?79Yw2zek0?5CJN-Ibb#styw(+%EQhV~CuCaiPwheg1VYr3U
zU!<=^I${$=d8cP*oK^X!JErvu6NGf!*;e6fV^jAjpvZGpmySJ2(-mThhsq{VFlHsL
zQF$@q_>H%2`N#%?*;}0yDbpky^-HldyD(=2H%2k;z40?+gPlKrnHcw5nfEW77UZ5X
zsZ5JU(}eg;;RmP!N}Ll_AJE9KN0r$ADj%c-Tf(?nH1-Z)Re^xTJmON#agbHxHaj7m
zk%m|#4LB)qYYT$Sj8aCvgcHqo_=ZYM(j#++cgz@_QG@Y^nUf>bX2$_og(pSdVG(wy
zOF==NNI$&KzT=U~j0xNXRYja~_;>~A&H4n`%`FwYNF}$wH=0gMzbcD=I@akQj@0$F
zpQpYYFv-<x48fwd$QxsQmxEax`JHoYd}}=je%0lE36m!r6ob6-8gPl6AJXC&sR4aU
zXe3a=^vVjZf*)HrS}ciLQ25;kHs&&Q@P`MPf6hN`Y~$Lv@yMqW+3;Vb8qxpF7o#jF
zEAzRh`l-<Tw^9H9BG^=_tvRBKBk>x4`mw7SLdzwEAb$2IBf}q<F@6m~>IpMJP&)kr
z#S#w%xUy6~oy57K+JRO|8iiLNlPHxUP)>@GDl#Y44=`1y-Z3>VS(x*AzP+7!e_E>k
z^Yv#SCR60@U;5KNHt=IC;ufx7C&QFuQCM{?*nLYa=mlpL{&vq-HV906M#IK(og3#v
z9a<NZG3`v5VuCgimM>ZU!B`kqKK$op3J-`p20vpb_meU0CNS#9f}fnp+j(;6G3wn8
zvBaF@pQxLK0Nlw8zw-eTPE^4clZ>a>Ai*Er054nnzHja$$mme6Ie8a#p9(9Su!*;k
zKT-M>b%5bd^L8Wpij*LIl}UuFO!b3Fum_vQ3#@`VGiZckofabx-vv1J?9lMb*3bO_
zn)ToAE;QRNL)3*gtpT?-&FL;8x-HDgsQc)v7^Ky3Ld)8Rbvnk&9NEfo**R1veNGVO
zW&!p%<*o+O!CYMn{)PhK#pCW(h0~*=$~*SWmW}oC5qT^ye{hwb?&bH`Bz}$3cx)ae
zy5HI!Nww2sQ1W6Qv`(D_Xvnr#QMlxZbQ9s%0Ipm}b{sdR9aKzlTKz*1NJMk0;rO?s
zfvcpY2Nfr9{Gifzg~Fi^+CRdJGLz`DaF(uRdz?axv;o~TI!&;0DPYGpbsY}ee+cyF
zxb6+xuosNfw9E}q1($@^$}FIsDf8&`6=>Ro^1g^fDC*H{FAnt%PW!c<I@=moYzO;l
zt~aQDk3RGElKZVCgEx3c&NpC=0L>9DU9J04apBeFFHW9(wcJnSZS?D#Y`#gZbv~Hk
zE<9ez*EJw^0LAJED)ka7xGE~!GI_R9@QzGA0Tgqd#ZFVkHuDaQ9Mlv#?2?o6l$Enr
zAQVG{Nb4XvS+BY{KB`L#IS;E0kMgwlG;hl@KgH-TR^));wT~k~BT4!v>2oEg=XIr@
zE|!+hhK}R?)Y&XD9~lQOD5c1;xUlI69Q<-807gDM05I=&?7)O@r<-^Fng-#r*j*_Z
zDC3ny#8Z$5K3JPva7FM-Q~y}?h?uy*=MLRNql!&W0o3U$bVaF#NG1&J89`7K@KCy3
zQnrId+)~K`R|3A&M75)dS!1KHrhxTtjkMmgSYu!5%zhNmUXnyPBX5JA7u}SzKB+S*
zP2PpZ6#9cmjumS5rXIiY=ZtPMc~cxxAazz!{$y-!m91MuVn{sXapTP#O|{A`X~KEr
zg?CkZw5!eXWwBL$P%5yP7;FtQ$>k|Gf~HU4M6WYX6aYQi_70izB3~asa!bZ2wS~h=
zs!6KVJuFD(Xc87cHBn$5;EGWhxwyHfU8DZojqG_3Fa{Gp1~lQ@BN#UfCa%Y&aJ>dB
z!c-3F7aWoS6Z{Oed5Ir3iJ!f$F>jgo^a||iAW8i4gWq#TSn>;oV1uOahp50j(yf)b
zl=JZs^^GzY6%mZUBu9ON>g0DJOr?*pXrmKujVO<j>5tJST^Zj*+V!*;WV-sQ2pR7P
zYQ3)fn;8$4Ot7sDEtt>=Z4FJBB!^w~!^vT_y;;*O4dvmz^eY2-5QKyC4q076#I^2W
zrz{X>%#)ySDDPyYGjgHHI5MF>2yq_`p9N_M{he!^wag#g{F@We%q3BTd*^Tq{uioe
zExW2?Wf2i?efSss-q80@i#<foUFgl7ZQNU%TN<(QUAv&!V&`VhajVEkeLxD$?L=87
zR$QluiTKBV_#JyCQq+i_cW?OTDDnSYu`vIy@8ADfs3fV{D6fej`Sxd+7<aP;p-BLQ
zGv=WJlqAxPP_;sqqXKP0P1mP6rZo8?1L&BpsrJo__Q4aF6RNY0?fyEqQ9z{j$IfTZ
zY*e}C_}uTy`F*?`;(n1X1u{j4;HW`g(RC@uEnZq6S-Dpb7Z8>2cp=L7D#XF(eV1pe
z7-Or>M-oEDHH<V+w#+W03}*5q#-bjDQz6kER*wJ%XuLyujogyg<F*m$jM)~VAyjg@
zYBOr9Xv~4&pnPs7l*lu@stkVW(x*7aG>xWNGU*Oerd~6ByA4!RZq|%wen=a+GZ$S&
zSx#h40WO@1mBrGlH-`_JnbD<8m=e%naYL6E-e{M6%3C*%#TI+);bKYNi`gbpaAw!V
zbF;Y7a~6(SO>{$xRuvO>vMEb+39#7oCK`wtuv284V;3$OBiy#aA2uWNCnjltYm8=5
z%Ov}JOstBrM-GO-G0!F{+9C4hzc1Em*PGe&fu3I69h17`NuK4C-cTy;J+v9^Wzu1Y
z6&g)sYUsCvsOXSBR&rTN_#+AGGgb>N+GdU9DOoNuixrGZ@s7EtsO@UnJ-tb!tC2WV
z+P3a5FVQrVN2L5n^em!U(~<K$J*H0e(Q8IRg2bCi*7<7|!OK(u0am&jp@j`ss7LN}
zBx5tI5G)UH)?4xt1IYnl@#gU512k%D#Ja0Z_&XFLVRBFfBa?}qGqpC=E2I@^5z!gr
zMTHP<3_mPr%vdPhm+g6$_B5r{m{%2ZA+dwVdAr9}7}^!W{zwlvThBS^j%qPnv}G<J
zHuWhZuMei6optn6QzO5A;qtoqD6xYhaIea8)>yNocneHJGgHDL#l$=(H%%(KpNu9X
zJzhEUvDM<ns8-e`Sssj0S(lD!3eZ;1Z(dtZx-C6CzR7-&jA!o4Ax`Z@^vKBUx@E|K
zDK2uo|IHI9NyTV*?x;R6h5Q<Ti*maJ^LhQNoP2lO0@*_3fZ#0;o(gT}_3RU*Fnzop
z(IQ>3)tRj?qm6e62iLCL#QA4z(%G&N&zEc6mu~9TA^!@qUR$=9JLNUIRccKD9Ba$x
z?CZHu?GUAjrn3<zB!(v39C77`s#|tY(Y-|plO3MT%2K;syb*A4<2`d{xK@Zl07b=f
zzF;}dM=yY^Z@2UOvs<@!ETqbQlY81nMHE@zX8Ygl3WfY~{qA8#FS;ZHvJJKTLqsgm
z>l-36u?)Z6Gyv_P;UP%B{?wFOJE^bDUOGAx^gU-l=zrFq=p6hNpnm&%DI^jZE0*N2
z1gn=TpYm}UL~%atuoOa2tVOHTLKe?T`SIiTF2Q*MtH5eCz~{$FAw&SsZZf_MMfgb?
zUw9)LP^&=e9n>Q%0_H&(8xq4*_XeFW{&<8`YaE#kV;s^#E}iRqnMIKup)&Q7c+JeD
zdoP_RLcLuN_WB<$?6Iz$1RcbeFSei9%m4Rf^uO}LDjVC`n@ZYRni~IufK+z=A1Vf{
zJMIAb`%rRcT}KltByOfaerznIYdje#1aZc%8dG9oLJg_z!g*b3D-TqF`a)G^Pyuv<
z0wvuvE*zTYCm>{30PoXfLswMv;G=)rbrAt|l(ErByH;1pAp3Is;%a7YzS;5c$8XcC
zz+B(^)Zq(m+EQSIea5df-WG7XG9m2EQ9`@&&qMO<>&4z#I}fX43H0F({nrauknQ*1
z4l%gt&=0%3w(EyIZ|>E&7v+O5S6{#Lg@P|UBJt5~lMt|O7kEDj(%*gE^oo5T*d-)5
z=oEfsQWC8Wd0HmX87x@%8KC(7liHvHF2=9}hp=y`oM_wO-E%yO;_*QK+C~1#C1=~!
zJDxuq<C2Oa`%0jf7mQC=)Y5M-(CM<`*A(1i=C7&tE6DHcporHivhR}v^|sz=<yYt&
zU88H&u#a4U9L}P&^XQ0fZlW*TfwfIGd3rz=5(i#7G8f)7CDOmeF0weWh@yW-sA1XY
zGo;{!RaImy>(a)k5ws6<r*UTLB>@+MEs42ld5Q6Ato5ceBbtn&foI+y`}JWb!vF{6
z1vafk{;kYK3EP-{j)^mD6%;A8gFq!NB5j<8<8-R>^mv;z)mr7gGv2ou3pYP6%GE{O
z^Dvi(dpAgKVFYR7_I*Q-oCb!hcvj9zENspyi4+&bltnuFI{NQt;RdvexLxkzwDW}P
z$ZLxmxY2hL>jn!v_1C+j%AWC=7AppYP#kB;#GcHOYD_QyGTvMhL|}b5iJ@OI*IBX}
z?ePSlI9;uGwZ^g(oQkXz&<2<wr_x21Wg;_{z{i?a4(BA@mtiYP|7|3Jhd459%IvwA
zxc5rz7-5#G8L*Pr<}5o_q|_s*JOX4}C_JOqR{d*DM)GRq%G|Pg3!zv>FQj)o>X2o`
zd~BeJnWD_SUopCsC78ll7_XFZ=v+sX5SZ`4D@=Z-Myn<w%Q=#@CrNE~2q94ZW+fFg
zY>Y;G^CGP^5M>PDQvKG!ZDa4XM|%~#of>d$6ru%5$u)gNk}@s)lIT83`X%|L<Rvg@
z1a>8{sHUt?dr?R7N7=lw2G@fO5LgCtG4<)zInSgq=by`-?rMp5km2&Pl{HW3MZ~(q
zeA6IC1$k1Ndg)q9j{uS9`ufE+BWSW(6U$sjvBx-)NR`+gSmrS|B71oA82XAR?5yIg
z?C@+4@tTuMOz5aYCn|oE9k-{BU<*t25;N|!bZ7UuB@+McVJojE+Y7{2Z0#={isc0q
zH%uOH$sG<54~_!Z8zvhv<jeDnakhl>=?IiO(Jm2z+V4Zwlq=sR(>*!kj;Jo>WiA$;
z;yhMp1r5zM(+(z{oT^0C`V56#lABHvCmxa9+9UobQuW%;!Jg~Sqf%rpw*GdRLo$NN
zq-590)K<RN3c#X9Xul&xBgs}}DV9TWPxL9y$L2YJc_iO2{~RBy|H`*(7kZK@Q6M6B
z{?ueSi}Yl}TeLw`6ltPnWQt-Fl&sQm^yDyMiaJDe0J1_(Vt~q&DM%`0wADo`PNyl`
ziiS8GtFIVU5(w5sw!8Ki9V+J>b|e<_>mvM-plhn8G*pY&_ZMM!Y+m>yvaig*RtJ>!
z%dN>>ixHNIBOfOtEeLzG1cz_bl~3~~xWaug+l_|fl=CY;@|E&yWRLj}x4w}2DVgwf
zP4Cj@^6yuE%q#fU`1ov=yYv%__#RyD^ygD>k*}it)t6RZ{~%v!zshxAh`xUHE3_;l
zU9=x~C*5sq(d#d2(db`j5fce|c#r%O3UjRogHQY(?ic=unT>g6heu%+?*5e_+&v7`
zZostwk&j_~grt!+JenqLg6=M7k_3Z#0==J@7b;_58>bqla$vYXY%3<yPq+TYTLjhX
zEVcwgP&atI-)gO?y`6(D#{`1E5Au2bau~&s#UiuyYj@1#&X6sS6f6B8U_37h^|uH)
zvCMWY&hH#4t)`Hn=0Qz(TcbDY*9;S%8Wv{ct^#(r#BfJVy4*3KB?N8UR~CY8RPe(J
zer`r0VUxy+=<@bonW8SdNq50}>w|BOp3|gThzhD0<7vX4t~mb9H=MZgKPVaJ<)UO%
z$Ys7QJ9%t#yLeu05e*%Ki<VJSJDw5cH~#rir3qVODqCySckHw;Fv`zqW2ZLBm?^||
zQ`l`Afzv^pM+aX|1}T#6juJs$Z7K5|1q~}g9jYU!;$bTCkS85lYA%e0{$h*A4I@73
zX(r2&T72?vW)W9ftrxOSxT+tGREsv!rt8m>>3X7)a9z#u?X;qTu^MK~jn2?)cnb9(
zHsx9v5(KCAHt1u|?eCbDN8{V-567>0Kav!n9G%HFltd!Zywf;)by+evJiZaAG>WXn
zrstQ|Z|Dn+s5o-!Y#^UU4L+|m1(TeCX-l+Dt&*ooXdK3=QA=h&_Tfx4AC1tYC(rIx
z(-KEqq|LS_NAp5U)tGPci@n49NDYlv9t6q<{)yE_6%6}$6VPmqkYbK7dZquZ$>9Ga
zo%ouTiCkA+V6(xS7v>k1JP`;Pr#NY%wAY~ePAo!$(P???Nl3!mS}VdC&fb|PEu?;X
zyY?~k^J8*8PD50B5B!U;MRdLXt6l!C;0P+LoPDf9@$*XF;JfDD2Y;rn`sGKa&4<zl
z9?*eBgyy1uUnORIgPl!v4}AS^tFXvdT5Y*yIa+aSda&(5BfSLwyr|95X}JrP?ENi<
zJh#z<dHwN|R;rsOZcrQ*NKcPJ+lM+0@XGvGU1?3aGDPe5@NsM4rWW8^K~oa|tztym
z6>UGJ*JW6%eJ)*BZ0gQFu79kIVzu4@^0`zul%_Vq%w7`3XJ?B#oj`D)&*N*-qJe(T
zE}XeTo{}@ifNFGZ<@~iQO-4GQ=zy~-l!ecF{G!2>W8u~27@hG;8H2s9o*+J^E)>+!
z2;@V-x|Y(`JP%L`Nby5qXu=*swJPv7ufrgR6vMF8Am{m&@2<fwpr6Jg;&J%LUHl>t
z4IWP%VPami(Z%pkQCrfuZ$f;h6`l=LdVUjLP|CSD-q9$oxYT%#ZSMS)a6h+-J0SS0
zdcg^{BT{F3$EHhE6%(z|&v4~Ig^S*wIM3<g4wkw3WwrS;Y~gbit`JcL8mG=F3J<YG
zh#c$!U8HnB3>Z9aa9DS>GW}0#(yPAX+Vir5pfW>nM_xEkv6|xrn+-W^#lN{}Y+E;0
z4hOQx=s#%WB9H{L`cF$lFXW=O;D#<>cf`AP;f=)x3s$LIf4O-gzdP0BOlOlRaG}(9
z$Ga=sbeM--<^Tu1VGOdFejB{6kJR_D5I?_rDXZL;vm}3&n*uEzX-QwofXx`lwq^Wk
z3F+`;u(T(X%Ntl9mTme426allZ!@JY4Yl&x5*=;8Sy??$epFuG&B{lUlCvOJ53Dqv
ziY^fAF2|SFGuEst^$sUPy`MIntUZK8p;Krt_kb{uG&qJy#`mwbI>Sm<hI4Wd%N((%
zpx^F9&)la0M<@AdwSlFU<S+?MjZ1?|Ggy=Et;`Ab$8AE9wGy;(K%(LG<ew5Pn_mZ~
zddnkWzWcTAM6hB&SR^e(5+p1VhAec*82n58S_KBl!}bT5%IvsVNA&t++**>jEvDYZ
zkLEGKs^q<O3FCdpLqJO4QVqK0sGb0L9_e=RAwVCuoCEEqEn<tKWPnW`wcv+PkIjb3
zkFuf(0rO(8m^cp*WZnpf^6zen8U@~&K<izle^ABY&@@+yQqIGvqIFGfT^}$-?d#Cd
z6KUKHmE+wUWIQh3NZ+EjTFzmu2#>q5-WiAH5NwMj-r;SO0f>?ve-In=v)K+W<E7(p
zZW`GdThsuJE~Ivz;I?VD+fc`#y0u$t?#O%9(x+|u-8t_LFhT^+RCS{iA&DD$`gN3u
zZtuKO<o?H-P$Fk<VHx5>Wg(W`R-|9|<PSfRh<82BJHmgazIvT-?EarR$<V**Bm)1d
zse=W;$jHvx)Y(GT)Y<Tp`fd1s6-$(*w55<M^3~9KpqoNzzw0*y6&lP~YS*l>UY4cV
zhPWEKHLaWz`~45Kgw-NH*MXy*<?z%eliSVgkI%<7dN;G$F4h2ua#qpAC^c$F62ZwK
z=+YSmJT*p8*+9^LfHHYk!a&pCT#?5dYjz7`X{;I-J&Q<l^)N)IzQx+A?J&JA%NT3L
z-ed|iTkbT58T9gPZK2o9A%v*P&e{eOC&|0Dn-N*$=WMjK^ruGBNzV~<pC_aYmsEkV
ziRRjb`=nK=rE}4akn@ysa{;dkJdWR4)>?B|O`iS~Oq8syv!~g80Pe*kPEvI%$?G?|
zN^_4HZ<Ztc(|FC5PtacZWI9z66SfYOqR}cDL$XxsI+82iI_zL=2C&)^49#LI#O1}T
zooqmV=i*7EO?$0Gw+0bC^etPs=E00)g@{9}_1{iQDlPKB&gd2679Ek8Im=`G`W0u|
z9hcEw5Z$@M#)T{X5(#XrYTw_8(39v39HTjv843pHbak6tR~4V*v?j_?;d=A<{EozE
zOcM&#W8eBmPDvU{#4VRH*UCi)NV{Wi`8|}>ZhYW;aHr|;yPrRTau-cKyXe^cWK^B&
z7Ipj2Ki!O_xN<4iB8kBpO5u8>_V^%?)_l6?ws6n1ZbZ={2IV<B+cZKLb<R$yZE{<t
z$hY-Z?Fk>l*qWr<3yNKRtVYGbkL~iuky|ozQsp6H{0T*_<v<BT1a(2~2n86!-X-52
z<X#p23FY5M28CQlUeu4i8QHOxcua1AgpdUpyOY_!eBflrk1O91yTO9>dwJ8zCL<Yx
z0XW7jegxb2wSUujMJ+h6<-U=VP=peYU~K21_J3Lv!~4(8`{fuNBWbAN;p=qr@_%7d
zQwm=lP#y*f^a%6hGYP4&bpMCWa^Q!4RP(8c%zn1Q|L-<f@L#@;|FZIlm^v9d0_>gb
z995+yO%&|xU9A5Ti10tU;Y#%rH`F2Yk0^bby#WYl1mYlSf2fuI6;c5$TF{p!7_gC+
z;h$`z0P)!$bb4ph?e$HP>0MhFZn(4N&$%(Tg6WUQtE4`eb93)s-=?eIW-s0r2`nxu
z2%1b+?f{&#X<2EV4;&AhPaE9zeqDE~CttqpemBGuP!p~~^$2CuvX{Jr%cAU6nJ`6E
z&VuQgRZx=WMu0X&ln<GK=73;`oQO4iO#Nm^9;vAVyOYM4J>bR4gDLjCj;KSOcMG%k
zW#I-qL*gdT&>M#E8;Io50)`NN2bA>)!H3;j!s^Wx+4&fW<EMuGz`5Yf7sNmr#bEgu
z4`g7mFr_cDw*gB0WzIPOGRThEiwch87$>Pa0HX!x*!Piytt#9C@@$qz;DK~ha~K7_
zR5a@j*^L&(-1~biY(2WlQRN9Xbrzlo;>z!dJ1vlXIc=oZz5BDy)&+@&V!g@59n8cX
znO4a~pltqx@fc3iEjSV8cua_u8mbFYGttQu2<$LA7T4uk+BoHW2UDGhG<6`v1)VKs
zWTdlfy8uk3Q0HtAnN)8w!kY4EW?CR8$wgwMh-vzs5E+q2w)CVumnl5JU6dumg_bCy
zC%l+7*c<}h-M96$Wp;SMh7m}2?g5gUy(evUB0kfemAPTwX-ZQ{#JXoST1;k%zs=rT
zO~MncC}~aD3r%}ac}&qW4`S{xH+`&5w9?+*WaofdV&l`r?++PH?>h<q#*WxEE6w5J
z^%lG&r0njcJ_xX9V@sSj+tsuU=RpuE-l4(ilA@Ac`MqO>(?vi!euJ>nZ!MRYB$^E@
z7a5DxtZBW~g}c#k(t58hreWXmnk+e`41=9x8L47AcbvsIcUW^Zi6!h0((S3MhpLvx
zDTuatNfwPhD<>vBJHBI_#Vs7JV{<H|)U{o$YtmWptd6froSAj0Vm$KLMK*L8^9BmN
zfc0Ib6H#TD8Y=2C$=S<8wEkgN?!_K*bJ{H|`$@1SfbAjB+H0?FETJYs+{Bf>2bgrz
z)mp-0XbU)Gd5sS}asL9<w^+o>KhR067#W%m!hI}8c}$MB196Lx<8KW_aCL=Tu$=0}
zAaVKTnw(qjHbxWfrUMC&ADMiG#`WOIciN(*38c5?u9Q3akyP2pxcWLNInnoB8<@04
z7juvoTwd}1<Wi^O&0I?3FI_RCiy*_4m+2q7Lsm1NTFB(1b^#PsOYB*R#a+e?vv<xd
zHpijIFrOL}*h$6no%>tNlEd4gAv+2|zPDBy^H(^w7LSe5Tic?)4+?iw(TiL6BaVE5
z!Y>7N!=|hkq2bEOAQ@3Qr|{f@!zq!JZ)v4z>fdyjgQYzxK`tFVH7woZFQ#MT4phmx
z0JlZ1QnUh<%+2{L?T$PU7y>>fI`nPHYgxqidqR)v74ht~5|G;?ukh=~&kL+)_Us=j
z9cn5+;g)Apu|%c08<<LLm$19-#X;vR)>djySkbTQ9AKD(IusN<F|mL5lSYrl5b2Zf
zwf7I~E7hyn1w~Q>n><wf1FU4?p=t}MYl-R!^0PJUEM1ODXDvjM6`5$j7vKvmp#yE$
zo_?U2*QbowxaeM=VXF@Sqy>lf4~d1tS#3c{yVF`bs-k@$vfaKb=ig1<#bC0pjGbaA
zN@D%#7+U+b?bjq*M|N*Ujr>iXu6L2)E><h*nAOXFOUs(UaU;fQTU|QTIR5h4kl~)x
zqf#dwD_EV+0xN6|jtF+s740(v$k5KD8aOmZdw+k)!q57PhUbP-R9EP9(M9e62w&?N
zGc{EH^}<o8SlRgZH+7a4*trJiS#FQcA&utus<%Dot9@KM_EiHzsM6J@YV(J)DAgte
zr*2<4aRP{li<nFovV+a_L8$N5QSP#%ExDZa+qY{Mqv<^m#KW}u^w(#o0v72kf_bX~
zzO3<iJ_(XLlUwVH4Cr>bEDRnI8*#>!n2@ps8n9bzH%bNmNO231Q991}HIe0*O@XmJ
zf6)f!@d7&8PFLW}yQni`8`^nM^x!4A5V%cTlc=@Q+oeGJUpJIWZsIfe>1reMLJ$<Y
z{QX2;xz`xad1~LH)uVP{mWvz1_T*RDyCy}uuWQgk$Y(K(pVo<7b4LR1Hn&M46j;T%
z&WLo*b=5wPybJWxXbYznuWw#eyThKp?G$-s@A7E`$<JdfB3eoyr$E!5Umg~}Bp;tE
z!Ff@Ttn%E?i2S-;#NhEgThy<HHdHm_kFvFdo(>kg-K7ln4D}tdN1-?(#rGEgqmMGX
z#L`WY+c71*a?9-Dk2QK>93>dk#1ID}8uBc+Io(pxU1D}1+J%Uv`}HFK4Yp5pnWlDF
z9VA*WY>b{2yRWmw;gw3B2C8vr-$n2IM9z)i6=6p}<rTANiz%c|4{JLZ`F+4tS4r*{
zzL(%HzA9_IWUtkirY&J10g$l5>I@rV%`E!(!-(?1;nUa*z?!>^4kx{opXFEIw+4DE
z-SWi1dRm4z#V8+UHTIbNaLb!K6^vKyM|`MNugy5}*+S`TpO!i!ee#QgdF^LT4>@5i
z$$*!nDKu6sqz7BsTEf>BU?5`8cbFY9VsRXsZu@P)MwtC$Bpg$Iw`}`~zN0<e7Vq&t
zMZwtV*m?0M9flG4---g^e<=z+O8^molfAW}hn%5}sfdfcHNf~2>MdgG{Lhg5AIA6p
zKP0czfOXedaCx7y5VK>wAzfp}Ai$0M!k|U_U60Y7Hqu6N5KIyyo+-7^A;&yh{CkX9
z|2XbizNCaw8>#G?vvfdv&@7aTKTsgHqJ<QYAS9%OQ^zKqFgsmLW|J_ToIGprz;A~k
zT@aU_>Yd|!(fUc>ymvZpy%}$f@kQuX!-g}2QHGifVvLGe><OuddglrHQtW(Xg7nYd
z{V|CCy|-H*h%~5zh3w57N%olN|7Z584C&eVsCTaIwSk_$V45ZTd4-WL<j>-cCb(Y#
zcg}YZr*}^`rf>^_vY@x*Ap`Ukde(;;zprYT4_#z62p8&|KFEc7isPyhY5&m+{lEkN
zT`*<q+iviWccxH3xLt0~`y9kqX_$<weE$pJRrO;tQq%4h`m-L^*3frn_mOVDpjz;c
zvOd4y>6nzHML*~(exi<mkA;D9uGgH=OI~n(6@NW=5Z<H{QjloBI7Asyz#~8mHmFby
zK{x<74@riWShKn_kedpehgZ9GBRoDM;9=(R-j;BivR_iT*zN%r4p{JU)1;_So>49+
zvslGxbTU?3kKW`GurD#-l*h+vJC<;}xHQ<x?h}W)zkPtQR7xw%tz}4%6>};xUONxJ
zH;tF%9s`$^>y>MtWTLQbl_TdpHKSXSi-vEyE3)B8$90G%m?*S%BjvJeSL=1Gw5Ya<
zxmV*A^^D8o;g4Jm$;@<OHNB85VW|p9K&_w-w@u<G08ew~%8@GDv#QjYob)W+kel4y
z2@*I*n|I{`3~h+AX=#0jebr41qSKf?EIjjnJyPWMQi$Vy+g1A;o8;oGyMEhF@=bGV
zIfb7<_3maUW(Ag8dz&vkmpx3d4p&+eWZ8TEsv(tB*KV^E-7d$)d8#GZXiW-eUueXz
zwgYrZSnVHBc<PP~Osl{{I++ryPq+@{CKbh3Wo7NBkddfWS@lbjc`DsgmccbOxz{>6
zTJfY0M~X$faAU%Bs&Prp7X6^X$IC4*EjCPnsV<dLM{3cAh5HLQf4uUw8h0W*3GR+G
zSE70rT2WZ;<ZrUrEV0;hQJOJayQ4*OJyW(-CqMHPV#8omQscrdB06@KBJGUiVXKv9
zftrOpkfyenSrlD(tOZ2>^^ucvNH>E%c+{Z!S)DCg<y3{&?us+p%{&}VT#D-&4;Y&;
z_qd%tVHH-@vrOM_kXa0GXNeDJtE`@^a*5_0@2_yG70oKAMtIxZgHt?@{%*!Xp;1;B
zkaVM9^12YEHFTD3%`V&^Gp3V{+05c+=~aPMW6M_}m^~*oGnT*4(C=88OrVQeqXUVs
zN-9noo<4k=SqJh+u`e_QvbDkWO!nV)C_1eZJcOqX{M4;C5S%ukwSlp%>R0_6eX`tI
zIz*d7h&yJoVbL+pu$p89$(MR8s~qRNem+&A6Oty;<{NUG2Fc~&ucxXfbwWxVUue(A
zV`&<*7Pi@YWre9yQ2*PD4X=)$DTxa+G51f)W$L~9f{P*8O<C^kd8$n&b)4T!;e#sq
z!T>U}Nf?ndqUK=sP^=ic7myY+$Ww0MjOk*KaSx@(;I6b&qYCHLDk4SI?zvxRN%eym
zWFVG-d?={KMsb$R6-{g>t8-w~JTZlBrd7j|P3?-Sdt=Fb5V_J{SKw8dd3FbV18rmR
zGhu4*%qM#BrAd?xH$w%U-7{%1)ifx%wG%BV@~~dhF`58xWL3>*nak{g^@<!1dHu5O
znNV0Qb(S<G{b$gcq&45zsZ$+i^K{nuR>3EVDFhPN%q@GOsJO^u9>=a&X+r$W>@Jar
zMmB7i8r7~}zV=;TB9*rYI78E4T#-B`)2g!wldQJcU#vqkQLICyp61vnWaXk!0=+l}
zwOL!-AW<InQWT|bfNq{XOFsd$W-StCho!HSS?lz;m-pnSn_6*gYjuZbKarj8=t(Tq
z=}QjiHrsC(ZA!0`J*H#Z*J_ojITfNmYjz}&(HCyYaK!(XZXd_tkRjB^g(n`aCXtAz
z+7rI-ChU}HYS%x>mgBr0XO?WLrM?{zcXL;lWHUre&kBq>O(nsk!HDpuVrpE-Fe#zR
zas-zSrfN4ypyC*{?J<Q%|Dt?9Y^!`Pl|r@Qo<hYdG?RX31mFYg^Ze01J|MW5HCG#~
zpG?gdsr!~zCvVGqB}dRZwR3n3lEO@_)0b`QH#u>w&)+hV$f0^;HrP$Mv{n8#{o;-$
zj)2X&ujXQGvgsQ3J@@H$x^!5Rhq<HVPqniq0%rKP2o1iBXw!<!ga{8(V_Tl$&|12T
zsxaM_oRn*up^^<qbZlklI!T(dbx=`XWTwf6hBq0Cj#4GOsX6b-W?G|JL+wgiO>seL
zIQ8s%&U}<~?e7hY0DOKWHhH>xKZkp{TgNAy{2uD9`j_QqvpQOki+2Tj6U2#`Ye2TU
z_3`hHpk@X+b-tpkpQ@C)lqLszP|W9Fq?5Lv)5gEybw*gK*-#z+m?27BDbLwdj)bxT
zRNg1Up~?#Sh`Gz}8Wwk)C+$8o<!$!vP{*Wey_|O>?cUYqhi9$|Wn}L>YEePxd5mPF
zrn6HLc6|qW;K%*o7PL*Yo$UlcR~8cB=89xRSpGSr*6?QXc(0$6bn92HRfjyUwETvC
zygfd&J}b3^GBkp}moRuPiRq{ML-I|x2M4!)PRCUR*|q8^99?hCnnQWnNV>v~ti3mz
z4CUDvQqXmhO)bEieaa0wr$*^p;N}7Gg~&_0-3eVvf@$0DM^1{^nwWzT@4ns03ZuPD
zuiGIc97R7u`%&1<dFC4`H7ReOiAW7jm&Pu$4uGpjQb7}Y4qw{B>mpX>3NQTg!8`S}
zCjpT+qM9B&Yw$xk0wPbc+hLgHMQhISSY|`LZbf{*tYxRRK4Nn^ke|2+ldEli=;Lb$
z0Rv9mtuBfCSnnT5)i5<gW%eL?=|sK}YU&^OIW<mli*kuxrM-<YG&_ArzrLse+666=
z?g=t+8y`TYbN7e=+^|cIzTh>^MfYYpA+2WZBUdG@ZIEn1za-Ys3M*&apxETQw_Gv&
z`;<$4zy?Ej9WjQW^1+sRV{}W!zehWoVtgZshA{V!GVWLFRjj(z&OIYxB%nhryJP=8
z{u7UqAe)G0h*T^*$dmKs=Tb8V)Ku>IebYU)(#F?7xD3+#pbR+Z@E~+Y9;bED<yhkH
zIj#Uv0tWkgCpkXgG=LW1hqF@;GY57s1ka6Ye%c^kpvO3Uh34ukQ{cby@MRHMi+cHI
zm}!DV2O&+1-gza%)#BHWzIDwWW7I=_<r_xL1^3x%aeVQNXl`Jm3YS!)apJw%sAnoz
zm%kVLY_^&WT5XoTc&l1gg6UiQu)#Qs8HyVVlJ~G@GAt|o3y~$_UVe3ajHUhsjdqIx
zIC~YT81C@T!ygX>nvsZb-1sb&`EBK0a~8h^$Mx%ZYlxAq<UvY3fh{b%`pBt+QiOc|
z5*6%9+)=6lsXg02MlE~ZG)gWtb;K-FII7b6(UAj%jafn@bvUESy^p3V%S&n(L)I?f
zhx?zPS--tzlQmDjbWcsk+ZB^-1)RCl-0$d-53X61G|w$ubW^?3%7Jv<LtnmwHnLSi
zN}cg^vmvd*(EDIBO<3<7-4ZFlEaU5n2z%UTW@FIkDyMn(w1sUYuYKY7J*+re?$$bA
zi{CZERtHVT^uTjY>=Kqf(L85Rn^$njiqtLxKG`A3OXJrHBl6ZIk{ZT$KA8(|83)hD
zw2KaUTU(3oSnSrBLJ?q<aMs=p)}`d~MGvzI7seaz{8hzg9J92Rkq2P=b!{2p{*7=c
z+nA+=)fHNXhnq&FiU))F7=M1!#L+NEGXxq9cE*{{yO$qY<_Xo~H0lq>$A&y3iDsw9
zZIzE1RndDE(MmyTchSNLegk5ef<sCB4~BLMec*Dl?!E>aL_nGi?vmU7T^cOShmg8*
zkNR$2`(*D$${0+C38#}sfDEf#5ogZh;fC&>ypP|{z%tk$=o=h673iC!5Cz>C5}Sj@
z4qAeNJkVg>twtdUo{7;Pvb%&yy5k)amVV3w(KZp7Ev%9!9<RO|B_i0Hb308}OM2q7
zC?Et^VHO`nYy9YSj*?{3g}s<}j+)OFJOorkV*U19Bek_y7d@kJ06}D1M$F3@KD@cl
zg5UQC#BH<QUu)<VR&{^<PQB-F6dp{RC+R%Yi%YTtxP9cQGVAwFS0zPJi+-`Re}Pa!
zW<h!UVcjX_{6J1<bhp_{ON&D+mLY`#EBcoNQF&P&z=ft<E)rsN_l&h^g`ST>whol=
zfnB2AmdpI(w7WirNj=K6Y1K_}JR{Gto880ijnRI^sRlH6py8Xkm}27X68P>DcYI6s
zO5YX9-=ls><c%)BYxRiMB^PP8t^G)@xBEz)o${rNE(HXs8FL{)qn8-<ScOUSa24$t
z-6&<8o89u#iDmI)!flrWHdyj$;*su}>FI-j!BXheZ(Mrp$G+#xn7@|P0}txUTZO^e
zC9~|io~+w3<p4q6+@lSYbfAv^7LgBO`kvBjwt5e1>%)zS{}S|YdH0T<BjvPDuFM0t
zXj{qEi>c-J<gz!x+Jg-+5Z)rzqcAuj>*X}(x`{zAjkn(|4sp?h+@j!x-7b1$CPmyY
zfBs^ueW%<j??>e+w%%D?O17Bs$s2weI=;OfUafNnuAQ5By8hpeP8liy!Y=t&!pm@P
zfS5iCbvkY6_s^g7jti`Sc!3>Cb0%;n=hvSDhoH&)3ww|N$e#*<FS=>>ubSP0)`&H3
z@~&q^kKB~d*T?Y<Yxf8)Uf@vY6N!6%>TN>z2lzh%4(;G-DE_xEU)Bl#tsDKfL`Ef3
zb5nOQfVJu8<NSZ<;a1AHs#v~qFxC>y0?JZ=6EZ<-)EZryMm1p?3BhurAA)#qu63NU
zax2n2UdezDsgGa!ue(vqT*_|;k^G}qyzTx_>8`^v_d1(nH+tDO?=M?~Q(tL6afIad
zB;TPg4((ZDzSkJ+s1XqE-ct@<#yzdqUOEsIh@GLTL|HS%w6~b=%<&}GSnsgF(;%p&
zSkb9;+n3#kUN}%J&N?MpL<~)uQU7Mn%-L5YO-wdK+DJjR^UNRU?lQ;HO!S|Bz@kr7
z_KJbFDalJhSX~(XChSUP4GX+VM-bt?&k(Y~bpi^}Ikz_VC9xiEnyR^(^edDNw9A#Q
z%5}UbGz9HJtz2oZuQ10|O3F{?1QaX-6AYsMq+DW~HSG#W>z@uwpmdX~uVb1t<3Z%f
zb)c;7_g~lc#n5MYVnNg%#)Yh8hd}pio_JR*faPVCl4MLwqqZf?D_T+!Q^3-Mw{IvM
z`y!+uH10A_LzJk$Rrw0JldQXls<ULCpsN6*N1C<rEDuYyvwm%34@OI4PqMSRxh;7#
ztB<bdpWJz}sIX@ZbM$Jo7Tc3%@hA@C4&wGDC9Dug*S$LCQNnVlNhzSL;gh+S_Yj8v
zj-pbbU2m=pX9Fh64-hPb>ogkY(1!E*DUr$#6jP>KVhXFG6(eBqHD5szFv?_}mIX7|
zcn7CPflaQZ_Co@XF{Q>rSansYRWKH9=4%a&QT4T#>t?#y`x=$w$9g%~T_Z*Hv2Z8E
zdyDSTp2u?jvaIvs!?sC1J9koeO0vy*St8@VA*z-bG3wyo=0nB3-XAM;*3jvi?}xe|
z6fhGX6j``E&&-mRR}WoKG3j^@Z08>D0)07l*6!3PSnPL~-}cGGZSqcFFDS;qtqh)Y
z+VSTCgMAB=zNsT#3Dbh9BXn!aM?vk^_#Rasa!O?*clKQIT@XZx0?U#^3sEXbu4km@
z9fD9Mc3`Ka#emCF-jL+Qh^Bz>?=x>`^s`*DB{o_t4RTYw;29bG0>zBZzfQNX__~KL
zYJABxp;C^x#nN*}at37U^tw&CWQ&?w0yut|Jdke^f7s1!<}*bR+en3kV6QTE1ZvhX
zFUx90`5a^JWgB_F6J|c47HshfzgM?z8BAP&#`!+g%Qq_6HHbKQgk;L1{jM)k;$IUl
z>8ntN8(C+1uOu8P3xvGDeIwLvxYe=Nh8~qQRtV$ppV3<}v13T7S;FcKO-{+g0$N3Q
zVjeu<mi#~d6Mgn|T2Q;_ldwkkue{=a6L6jWPtx?~;OW0Zr`1fY?TkNpYyV>uRiy4=
zfVP1BAzL?M&5jzaN<2mc?-&$oA_WOYq(DT9Gol*MQ(E~Ca>9Qj>ulUwqR_IOju&l4
zFTAqpzOE>xAwIA{=)08_gV&bZna^^2W96e)eSL;Wy?^R^E%(La=EK{j+n=Ev&O4Z2
z(q#HyQb3`R++aV$xuq3;wfAq~g1M7ylD==A4rzn6;64ohBzHYW+^%%bAbc44BtNWy
zr$&(YcJ#$S_g`lDc8tZiy<8FSZ_;28BwlrW5eg_?i}^&bK@SbQf;01Jgn!@Z`%2p<
z-hY&*l-Vslur*}DqZ6+BlggO#mtkb05n9P>jcFugja>Je`<I1)LyG<f<SVx}H1kVI
z?3`=RoY1BDtGfzP&ONA}nE>7ZK01Z?*A%Q~PRf=0m$gesCQdR?1asHkPzw06e>F@n
z4-u&RE9-VkWVIw^WLhUmz(nyv`D$%8;>&_reY1LVlN1ao+t^~I>s+Md@_gnr{=zv+
zTl+-n`E421P$+hE-r8T^N`2)s6=r}|G#64#+1ZNIUj9!{9_%^1PSuDLp?GP6Ih0Pz
z5M%5xy;-y+Y}mdPIaYKlZnDR}6O@vN?6|O<Z0Hw@m7Q8{<Gj{l4H_k8*hc4c&zXFE
z$qGxET)E-eh2L(E6gOt^`eaJ4DDyb+)}oPXshC(!=Z($!?V(y{%Ta|itIr$cTP_a5
z8|ynAEaa(oupBz)Y7mLn<0Mj}BY>2c?Ms9Tji>pm>EQ$YvJfy{%%ODX^?lpaOviN^
zOxOrv7Et2N<at_&&`D_$NLYdsMP~PMbvwcHvII1fjZUzbDl$b*wPfpONd!&BA|I{O
zY?BJGsMF%^)3vN5JD0?A!aT<aC<c=A)>zXdR3UZ31gt&Ml^n)Qyu@<FJJ`3Hu$YIV
zWUO?*In!7BeXeOD(~)8KZBOw!So6guTH3}U3wJ$xcbY_))^Y;BR@(yP)@lrY<WuOf
zBJ@gNWFRGB)&~Xnj{dgyw~(ZpEh&G?_H)WsVVT^FJu;Pu(<=_Z^XZPOp}xo)_kU)^
zmVfl1z-$g3b3nsy^O_6Pv<4nyd*+DJg|jO0aauqpq;+q&%e^hiDp?83xHYzAA!uJ)
z=Gm&PL;M*Wc}U|eU?xu(_Q#+*){Au!A6(KD(;zeP79QkC+f9oG%vJc8O~ijI;K<{o
ziogL(T_o0vl6q@~rOS?20x?)@bAz4%nq*Oh1O;xT+-%xz^}DwiFwUt|H2EAjy^+$z
zlE2w@smI-01^K9&Xo}4U+RR8zH4}@@&+47&R`c$Tw9y;#Wrfa86FMU8s2<t73bx@`
zsajClO}*879xi<#`MbY|vFcv*5<37vs|KmDy&IkydxF^fN|(m3BE7&B6BEb@i?}Og
zNdCSlvWm(1{u+s(*1Fze^hMFpct!>epX<}{fJ{Tn<0h-(^wcs%b(C;orimu>S1@@g
zjdM9m$56}sHvHO16Rxd_;Y)-i_}#*T+u#Rx=-vr}rGY2x)^g{cy_J%El_TAiwX^h0
z`!Z@$ViH=w0DZVMeda)!0g)t4WP$>!M|590!*_QL-Mkf_NJn6Cz}9wiz+X2w-xz*I
z0rXd7Kc!2wcbR5B^>M1lh}_m6^1p^3%LD%GTp)NresuF|(%+DY!D8;Ox|)xMw&G+F
zF43*laAdlmLVooALFb7&F?|*9@$2b^%b7yPDv`yvS;*k9TUYAT>-o4us8!f6OC?EN
ztD3Gc3<(o$>7toIxUjT>74M{GhkPaAwTZ1Cr;R7AP~yzWUbkFc+$|%kY*Z`zm9_ez
zjIx53#Sz%LvuT@#yn&IDZttquFEfyDThrRZS7peuPpTX(pi#Qbwrh085{S(Nl4K#O
zQ}r=Rlx?x~O#k7lr7J7jg*|bY2!@d+IS|f!^_a<JCdL|Ux8HOVr4@wh9ERfRbWFDR
z9(I<7>!rPP;02?@ZYAqn*i2f%;^}&P`_oAwhPgZgy1t(F41!mebFRxxr*Mn`-9co3
zqRyFS+q1yD1FSe$KPfarv0%tX;u>uEZT)K`t`A&*EDLBLB^5dEoVk)F%5>RUe*j#N
zM}i!yywZ#R&Cn|Q+><&k$c7~$ry=rZ%8N^k=A!#oIgpJS&d^_PUZ1W*fim}T4Kt-?
z5o)c3!)29<<MWJk6Q>FL@z%TBq3exR^LG62If=5FDy*=Zz9hKB`)T6ih11BL4moDc
zZAC%i)yOgEZp=?J2}w$sQg{swd-GieN(2pT<n__`bQ5%&mTJv{eYQwhciZ&UmvGkb
zG}ldfV6u4_Q3pH~%u?I7OgDeBe+b@1R_v+b&1`a;75Aj3WPDxzDROs?);ua=ILl(k
z1G|*9#+CM&7&7Yht27N$?EY@M6Sv<cd>wCsyq35<ql#ZIee~wQD5AhB`K4n_nkX~(
zdcAZ=U*C$m77wxoPk<;O-)65=z&ZLng%1A@GwDqF^`ESIt}5x*$uc~k3N|g4;Ev>@
zT+1!PuHP?x0}}7$NM1ZDfTgnm!yl9?Aqpx8iX@g=b(JT^aDq{0N>@x=3OxGjZx=VN
z)dy~zZT3+^r3u@?)7PWOXg3t<Rq)T^3XV|z36wY?7^IY!#C+M;2_InB=t`q=CA?Hd
z&UEMkpolT}NCwxqKM+fYf_mu@ud6r2epIZ)7?GbqhdhTp5`_R$`p@~2VmdtEs9)B$
zS1r;Y#AP1sBU0OEp!sFoIO*R_5pj7Ofu0{kqdH1MjLlY9H(I{~ZUTFVbQI7#7+bpE
zlA#$;wuor)ghN>)w8{e`h8Rm|T1>E{L+r1*m}pP5IN)40`!w`UK=zPZOrm-DiaNwQ
zSik!%ih@`)RJHM_2?i{g^jHGIjVa-u`bSs6PQ5NqQ5SkfV;LqK@kLb^;1FL16(%HQ
z74Um+f(D<kd!H3~{(Mn2B3M_zr^e|W^g#{dh?A=5G5~8_{%$*o5HVO&G)9Ikc1GER
zk=vBIe4;TnR8vW#!V`H`;GQP{d}<spUY<c;r&2qS&&fr}iBFa?)Da7Wxw%!i5{NJM
zz&_~7_rMF9iAll|K!?I+4>?lin6=<=aAmO_pmD%z-lo(G_PVsRJZB^@)xIay8#;ew
zmmEA(!j6`ZcAzL)C#vjLEQ4}uCI9n{Y_C34ZaTzBDcPwhrvUx74Lo#a&SE-J*d9$h
z!2N9&CsjnENHSOiFazm&Q)Gf#7K3#z7VaKl9~;uUE-j69*)kBOb$w*_<Bf;|9WARU
z)d-s*#i1ZF!(^Qngw9+Ibq7GpEIKQ(-2@ZrYK(k<dXiY~S%atGAIDx(V(6D4MnY}?
z0?bkv7mX=#g@x6p`6CDCdjF;cGuPVpP8jqeML-zn4T|p+wWJ985+-l^Rt$opf;mN%
zWDC=W20-4_+2agTARaZc20wNYG<)oLabME@(|yv^H!UK4E-ZRs{#*B{_Agqf(|_$L
zGB}wUyEuLpoD5<BcT<!9+8&oQ`3!jjm;p>3#Z5o4zyEES`k(p7mCCYqa{@>{84Mf%
ziwM9Ir9QxaHz*ukNGO+>RHdwxSgIUqe|n8;^XD4Z$*5+*p1wZ>n1ev(lVWHsYOny<
zU;n^PmU@<p&aAArchH#nml#F5p57?Pb=n;aTkTRb#cp7*EW8`-x+x`<yk!BGlo*2R
zn@9&b57O$PEGpI61tVHEP31T|kj>n+ebs3A447@AQAI<C>oAoxgS!L8><_<2Y!N0w
z_Wm=KMR&pc=kK8so=9(k9M?h$5<`_zk15m+!knz&xE-IBXcAMPw>)AY$L?BAs1Mm)
zOQ>s5+<R=HS>jNQ2b!{+e3ObkGAJ)pL>>pbbDoP8069}#B93j(1bZ!3>VgLWVf;d3
z-^#y`p<2RK&22S#wcf&Z1Sva{2VQUd*O4W%plMxM61r*1BR2%r8atvz+|y52xrhRY
zuB7W=N``E0SRVOekEQlLuPBC02JHLT_`6m5Z5?%m9ih6Bw6Mx?gE6*v%(wu|H1YI?
z)eU&E1))iST}g4+hajZi_(Z=!yFepr6#jb)MmBJ@@6y@RR@~C<K<3&Sh5e{j!$2c<
zO3qW#j#~PjcyxFh%meY7rD3&E-k=fM^?;>rEA}Py)hpbrM&yHR^lMXWfp!}V^w^#*
zfvRCJu>@VlG&X&l&CF+9B|<vAlnE8GI11!-<M-h|83vfM+pgi71Z0s+3A;3)UGoOB
zcePgwDFt6*%9!$&WXGzKrzJnIf6i)&QTYeur<qUrU(I|X|8iDUrT-g3?Py~958dGN
zl>R4+n^gXv7luaGrjpL4Hvh#2sZ`TeMiWPS_hdkz?GsfIX$?)Gq}|54Kqf_j*l79H
z78-_=VCeSCe<N+;v?81+J)*T^kIYVOAf;n3IHZu;QbJXU?<v+V?oV8uQI{=7_*mWl
zSK3!VWw~^1E8WuF-Q6J#lF}X0-7VdXNOw0#cXxM#AT81<9sk2Q$MdS+IexzXH*2vT
z#OJ=QnYkzS?AbwT5Rz55eZFG{$oDdpfBUY@^B$*N#|?!anAQY+#<~IMdDy_3ILW7u
zCd^V1YuLG=6D<x)1%a;H*sEuG8rXA@VfdiMh)4-BT?!yG<t&n-<rt12{KG=Vlr({1
zV4}WM8L%&U!Pbosfe1-uW{x;HR_yN>m{RL}x{(ke7FuHwjDxx2tTyxZPi)vMuH{8~
zPe)>Ql10MymVr<pT_+jtn~fl`X$qH+oLa;-X4i7w+cNd?Ee@(gtSn1l86efhN^gO%
zYKOi~W|Jba;EWdOyfinGqrIGuIJkt`H>C>Ca}TS(T}IBF?zZT|95w2tv6{wyEiZ@W
z6m9r+_}u(j6F!d1uy^;&{q=`3FERsroYQ>s^&-p@xj3@AZe*&r!#31qycVBrQR83t
zoiPP0rKTsA=KvgqBHoK7_HLa4M_Aofnet}qNak5djUH+mL`E=kYF6WjH4Ff80I7%C
zlEROU%}13l3b&rNrn0U(O4FJ!+L%^&ICNJn<QBXrU6_#v@}$m{vo~IjlS?EwFA~2p
zv^DG>rfe&!uPQNw#e+&APaO&m5zceI%;gpvQPFc8&0B`f>m$C2o7-kDEh}fb!ht%r
z=+Z#N>?+;ZoH7BLinb&*dpny^!sUH$u{UJdl9MV*l7giODyv)~y_GeP!-8rf)fNTp
z@&>9^)CKPLqgIVAalxsNun1y`wXxE18}-rB>2L|3nfmR}=<!K>fw`M)U8%mMzT2Ys
z4b<fM+Y>0UwoWQNaz&R%N)JfFDC;w=sDYT8<>rZA;K{a#mSbjm-<Gn^38GdOpkL<0
zc{tU|qYX+oxK*H%L*erY$~FLIyXsYyu6_Zkt(=y6N?kZOcskO3ef3o13cCuX_4yk}
zZi8Jp8%%DryoY;NKz8Pfxnp?|{BDIC%r~3+`$aOS(In-$Dzy-WF$UhdGg3YXwFAJe
z$8EM!kJJMWB*fPGM2}G`DT!iO!L6BBGW<#XMpdO`*%fw!?=7}QRT^@PjNIdC+A=>F
z>(ptJkVMDP9X)g9K2q=66<<)!k*G#%Vm6%{d<8QSu2$#%sk+s4zj#C4l7MA8T7gy=
zA70y&m86XlRZz8`M#O}8**=L{%yMRgdAE1ECapT))MUjFE6>;NF`njgoC@egiN5fT
zV_jKWi~z@NMD8E~X|hO(v27RQ)pSx`<&xXPAetmFNbQ+am9J-b3foBqA|KQ4X2ph6
z@y(|mt2E)!u9$-!v!#j`@R#seAkOISKnOD)g2xB~6A_{iPShEas}$9lquMeL&s?*4
ziI7W*U)j$Jqsjn`_U4$TU+EN>J#XamIXea_az;_$6&az=tpR!=L+8+`*#T+}HI6&C
zt5jf_w>vO?A;a&ItU&t_S8ek1X<YZ~(|iAW>=gl;K7NlDNF1XINCvQbR>4rB5QJ7t
zx>a`CEWCIdNIf?qEpOlA`k{rn`iLWIV2kSUP{!TatkkB>y+Z;{>t`}df)lg-aJKMe
z(Tx)O>VX9~IkBniovIL`g$ru)CXpJl<D9i64k>D6^`CrJp*tZ>odvtZV3*tNgjmkG
zMbY{M-by1NWSpewzL9H}?tYKaN$r`N9RN4Ed<}zwllrd0;U)c;3p+Dj%C?%!`>9SR
zdV1kL)<K3Y(XuZ1s(GLnUjbTqG=4Vfz>j?5w>yfXqt>W08C?)cq2-+lD66~A$Rvn9
z>OEhmJ4aqWYF#ZPJ#eiSF*r<ub0|20+;vUH!(Za|<i+=JKG}v!;d=FwUbGr-YEM&X
zpGP-cPw|s7dUo|9U#gv?KxC_9F)?^fzQNLM!a1-I(Zs3nBlh!&E40pH6XapB=4Z2B
zGCBbUJNE_baVmo`$5>m++6v@XDw4x87I;LswCEhe+QHd`izmq5ee<ksz2g-q0hCYy
zO8ii$`w`_bTSvn7g%BXykoJV9f7pxZal*Dg<rI8``IU^s`v0--{JGQQDp|;53&VSW
z#eH0=i1d2~MT$<?>&wRqmJLP=frvP^g!7(AXnk*Kc{8EB&b5Xs*(=VI$TU_lDMry_
zhK?|A@U*I}<1|nOrN*d%s9B>N2+uMvzwUM?-}SBG;X6-{d)RjJ5J>EfWK!B%U6>6>
zW`f*Yi4O_w>TeU684T7BK-Lp1dklt&twEJ*?8WvzF}!CzDGi1Z{8*xm_>zvD@Pm+l
zhj>%zaXt<%2;rNc+#ISI5J5XzYwwPP3vr({Ymr7mG$p9c^tn<P9E`I5RM10-mQo7X
z8e+%|H&TsSo;LHqp*nxKyqxXDSj0Ljjbxixg<=Hoow&1*mm#OS?1G{B4lo1ypW)hu
z4rIjo(k`$?k!x<RR#6>9z(O=&Fbu}yZTu^JNmR+5BV;5Tg~_$nLq2i}R)$^^Lg4h!
zUk`VK)hbF%O*2sR9rjWewrVX4R_U`>Cf7A|kO?d(^~{*IM4?>_Q^Zb)En(3tl9cI=
zv1bu#u)O3SUkIp{yA_ynw&R-5hg0K+ed~bs#bc*t3x$r>$c2S6IXER)HNaUbPP0@X
z9m=K6hU<WBbCh<8_p7`e!AvnBsy=@3t;3<+Dau34-djpas;{C}$d)~ylf}8V8!W%D
z`_an?zG`y1?Cd|xDHxC-5q=}u0HRZ~du?hKM#wRFA*MXjHB%3c%=-RPppCrr)p9;r
zTJ3=m3u_lN7l&nb+)^s8KW#wk>x%tr676HTv=!71RL+SW>wU44e7E$nT^xFw<xbax
zDN+~cvwD7>H#*PRXqw*%2W+?=z;|_bV5$YS2!|W30lOKm6G7u`AVH`5MDbphjN7XV
zVQ?<de5~^4nl2`Vf`NW5!C$A?P8ET(HW8<V%0CgWxOFXWpROE~^I9~A8jN{vd5sgR
z_+uR#$MVH%<V}7<+~w)ia5&WELGL?Bp(D{G)PZUb5x4=Vvct_;CI!){x^=`Cwz|T?
zrFH!?;i#z&w=}{8dk>qR>RKZfhb2e?N;fS%!&hd4JTk7QOfs}24x8&)^r`KSuA2v~
zqm1vzs+b&BH3fO$riR9>V;;bmCnWQ|dM(u!n3<B)17_PjLSFKU>QT$3b)7M*VS#<&
zryH?HwZRT>G*nH}%eh@gNJ1Se$xhUP6^YA14Or^u)P>Q`P6vrzbHc`C3cw?1o!2WN
zsEC*)UAkLa;SKckt{LHFYmQ(IV94$(AUHRn@CkZX6LwyG7k1Hjt4+j<_?(E4#}6d@
zaw39`A*jsyy@vc1So9SthZ{Kfi*ld9E9@1~U@7=({-Pnsa|9p3;MSn%7;+K?2_=bp
zc44u)t}Y4mjML2mL%Qhcuqj!|>;S;Vj&(60b=x6zOHj!xxZ<kAEfOEBgGA)Hajthh
zz4bgLe9%gMA+yTBIo9v&YY#c(h%-%PgV&r{@;TT@-<LW5MfL+*@R?QeQUa{d$3KET
zG^=vf3Il}WOF(|^fA@CzRqDfU0<ye;`L}QnKb_WIBlE+%!%`D<Q3iRP65x9r&>Hty
z`$fWc*Xy7LHQ64|GEEJ$0;D~|w?TJgbXxQ$Z@6!>!&thyR}r&_wHk|xo3vV#XYMz)
z=d7O19(VTAP|p{<ndpoP7geb}o)7RRLrqh2HeBQAIu4i|G-rgF-3<h+L=|)xz1X>1
zTBr?-I}mI+{eDQUgxtu%gO>)@{q~B3<)8J*xTS&8QnAIfNjnQv&ic{r?hhka2UBVc
z$XmD<S?wu(s~iGCzI^Ru0@JdqX68PioC_B;Y2=O)x$1;C>_hNuSy_ZMAg(dN#P~4B
zE2Aom+qEloiXOLO&`lB*NU7NUz(?$Zs9%}uU=B4%Y%t4#n!iqj*5>O*H_HhvD3DNu
zlFyCIxq5rZAVzr=R;`%fKY(Z&?D{oi10fYZ!dJ%DmZ;NSnDUyR(0xmmi`9})KRRgs
zfL((7T4YO5rM`B6&W;ksF84U^WlQ8k;QFFsk5)+wwO9e+kv$T{T`hamp5i?EhpYh3
zuDh?mRyU}aiY0GiGf$2hi|Rum1C-f3#9%h=ag0=M)Q5J0!7Is^C^;C|Yu-NMGiD1I
z#7Mfx5{<lVVP^orh@-x8B%iECVskL{yU?eC4mS<Ph21%L?9@fi4MxwjZ=@1C+T1cy
z*&L_JIkK4W%<p@Z?ioo98#+sQz^*D%J9!0kk(ly)DbJxEVsstu!%QeNdKbHD+?bE$
z)<Cj8c>f~RHhKa&ci(vaOTQi<ott%~;7Hd?da-T!O?8)hlQ(XmUPtlmW+cY|KTR&m
zZS=#w)P`>JobHw|5lTE{3MOL0I=ckAXgr`cz!(OHusFa9u>u_Wz<(Llj_#M6uZV%Z
zq>iqE`48@l;qnL4Pq826#ha$HWI#cM6cp6P;byu)2uS@cr3BThX~G{&^FC%$n;Rt`
z(5}_M@Fp3r17FGXa+&$Eyy>*8WV+mM*!CDsO>b+xe|8ME021Yl-51TChN;4GJluW;
zLg>uk4_Sio%8V#G{3|;vdfto6P{YiW6_%k7rl|yqFA<D<xC9(rmM_g`mPsemiosfC
zJmlHE^%HRHZd8~;bH`wy18-@7M$}qmISXnj4Grc>YKpEy2Fj5`($3D(x?;Z!@N26?
zc@|B^O{0~4<t}h1M?u%+s;#`gghASoj3#K@b|m-aGEg5d9XFFGBUp@>c4>;UPU@_x
z;Q`8isNi`sPY#~H^tF+johJ%s2Xe&`<;VdfpHn}ddU3K4{JwSXIwqn*k0U!FxDm@a
zj(Sne`~ixixHxOq)cf=xjk=J@^^N>$vs@`2Smx@E?7=$XW?XSe`&rJZ%f@_kmOPrM
zEmyE>LiWptIz^a7tT}$0ckXSE5szIXQFd|6T2_{=TMgK$j4m=q0+$H+gbvDu7vl{2
zUxu|v8A6e}h{a-{FkNE1HN%JRa1wkkf~(0dlx}vBmq7q&LY=~`@`ACY%%eoOLqH`r
zSdGE@L;Nm=6L5%<5p(Z-r0Kc|8>_k#UX(#(qa|qI`MAS+uH=`sqO@ZU<eqpr4)78q
zs^-kJPv*9xX5OeiMD)iiFta3vz#_DHAuP%Z64P2sKvyxWp$yu@I=<-g8gdpg3qz-B
zw|W|o(Wq$g%zy#e1h}*P_eGZQmjhBv|4+#;T;Zb}79fUVF*Macs1&wdvP2Mm1OlQC
z(nlL?-{4^ST0XA|ufR<c;_zJW7V@Slg}WC6FE)Wsy9MQ9$rW(rM&*l6Wed+sW+@32
zC~+N~@|<o`4yTsSjyyddKv!R0FroLLVQ_cGQ*e*I!Jy(y%X!~v3MS^3yI}%mcEu?e
zmsMF(Ji~;8#hJF}oT)Rso%Uvy;L>f46Fk=eb}=ttB5Us|isLj=_4(^h4;SWk+-G{~
zf|AoL8gzISNQP>|CJ87zkogrQI{L!w0;Q(tW14p@)&&Hz_Iny#HI>#^(r=U->c)yt
zm8~tq1>PV-91!UVu=<zj<Y8kcm(J1qZp<~0@{m$UPL(p9y(v~8TNJV`5lC`HVV9e~
zlezM_(`J0PpkZq@Vxxh<i7>B^K7UENhdF{XX9F}un8Af0Fu;KkP$BDB&wQU(prjc(
zl!x(32a=-RDnRv?zj*6yWqfvC^?8Cd@x*|UqeLq~tG@3LqOb>19sR4(;4{e7P=XnK
zkE(1#?m8L5gKMYfRd+8BoQg%8N#oI4GxaRLesNpQN=FW)N?yv2QYJ3Ov8qy1@UkDN
zQ6Jv8Ee%*$I%X_D2a}8D(L{g^9B3z!++Kh0!69a&WE7Q1GH`HUT(z{J4AUjYPzv+H
zG&X8TVX3|N1Qx+CXIKJCtV_YOW(+c=X`Wo6TW!@PC8U1koV{3i-mKMp6;+&*71lgc
za`|m}EX@ZaiwjbThy}{AqR)ekT5-iid-JU2zM7a#4<T6SeNw<q3}rfRRn$1OFz36d
zfbrHMyh#+Mhq%EP-p8rkFfPi0!y&Sn(<CjD#hYEmk(o25ACsqx_erB<d}!G_h=jvD
zglohEb9n3;s!+2OoF3M7YAxvP%*WU(=fNC*-*w$2$RIdk#i~)KV^h>@A^*H+czfdc
zZlpfD4d&-SyYsNscC!jU)y7Csgf2ym>`UU_V_ajoowx7S+}{?^81o3!s@I3JlN#5F
z0y0teoq6&Np^d^f;qnTu(?qrDZO)B5M14};L5~y#0$pk+%rkbX+6Xdnd*)Y+QE74&
zIm@|x-#@8)v1}NDnq<m+D%VXKgYxRLXIDR+X4d=hD|}*lPH;k>ciC+V@Ij5qpP;^I
zfyBu1S$xTNS9#}JE{A{`PJ&AKi1(#h-14RN6~;if$r>K<M!tXB`x^?4W?@rxe!5A!
zfNGz2fyZ_r;M}>-<}$K_s8q<V*<Ph@=X8-ySo%*dz_}^syG&N_ZOS806E5gp5lb?a
zlF939LFFbwWa?#hi?oJIdZ)3Lo*UK8$wOsJOgx|MorO4<f;jN-iyJMDS){+o%yab<
z7nQMbLrrTGJ>0#0mM*%D2lS@_SVIr%)pLN<#{K^tste$g3{YEsQ?>&<k^YF&^@HH1
zAR&*$5C0GVqSQ&~69Uu<@9h_ueZ?A-8y80btOmy6oV*V=&~C_9!(}$0ee#)iJQNw1
z`ZeyIRGh&Wu}nsS?-uS`$D0%PWgech`|WMIXQgW%a2%3fbueAP{jm+{KL&CPW7%*7
z!qnT;udf#Qf(E1sqfoYVM-HIPqF25n)MkW<Q6yKM6jAIg&cci|EWmalR6(j>ysc#{
z-lNp1SCwXSL7sDNY@l_=fc}sb$>!Ff%|m6fKz_|QZK~-qD>Jc)Z>BB`^g--i29Uz+
zYa~OLKr6QRNOWV7Qa0Z%Cm`CHTP7&mn;rod!Da+*c%5*hI4Co}7)5<u_BoE24p~+_
z@f#Ir(izHCgIHrmIJ^>@;s*6?XVLkdL=vdhQ>;(A`FU5uNR!$VogXz&r6e|1F$JxJ
zX9O~*5>%}0E&Vcis?mt(<V_6)OACb%4t?pvstxjsL@nCYX)j{jNT9lyA;^!{0iIEW
zsNLinzz_}MF}-PSS>}42IL8KpJ@m68H2zj_V&soT0$Rv#O|X%OwLkR9U7=LahSJ`w
za@HTNgINNSX-sQ^*J&*E;+PhOHjyWdWQDq_*fRKSz|1`wyup}#aK!bPUJW(|@k3xk
z@uV<geoiwFURWwxF$pj=dxx8XLs>R8Fm<03s`n80(KNue_4u|Lojo^JvR?T0q#;uX
zOAQ-DjuDjyauBg<xVTQ1@Rxxt=JAl;_abXMkDXb8{<a1Q{YO}edre%;w^kY1QGMZg
zpDM>D%mSjXCm#?zwU+T&Pxn~A-olWb1};4d%Z^WDKXdR-tRPr;%_U8hUE^wqwV%y`
zN3x(7yMd0sQ;Tg4<6CVwQXR?MaWudsxOcY?*Z5^;&`rS6<q%6`+i`s47|z!&5$D`~
zjjDgsEg^Ba_x%gh?nsykC`rT)WRWj6X(AnnTE^bBkRvOQDLKR%;>PItLFddSfhHCU
zA{XY_Iaovo2<3PQj@DpC7Gm4ht(w!I>Zq&b7kSWVA5z+LYln!Bp`Z5cGz@tAN5H<#
z`O5^ezX}E5sAFydh>BrAXQA(4LMJBk%EZ!M>CeCY7#Qz^@{S!AAeSX;T#LYh1{5R#
z1wRXI+`DoRq>QM{llO1DX}~|)5VSbA+zxtd%#_Y|*>ox%)@m@pXs_a}LTlH9&@dg;
zIp%rF=TB{G4ul{k63FysU*6%29l6atJ{+w)z`X%F+LGb>%9_%x3x{?bgBvGFZB$W-
zhE|c(Rd!;JI`(CRMCt+yscob~Kr#J}HgIL*#an0Az(9P-lC4Nl7HH8iOH{eB8f=U?
zDRccy+j^vUDRaZM#DeWrBKiq>>+yxi(Y({SV#ZcPzvTDNH=?||1PMd*(Tm&P87dOb
za_?ZGCn&Ur;4zIWW2>@6CPHeMthP6w8n6_W4Oj~!VfK%KM;t2&7o4}cCj_%0=kju<
zn=kU$TaqQS><r2n<2Wv(T*Mv6Q0WdxW$h38b8Ph$e_)ED?$gzbqfi%S;)x6v^^MS9
za*e0ZntXFBF9^FSl)Xlg@4usBqb1nDxHfMoQ#a;PNqb*k;-6Sq!(gqij0t=TF|eQk
zA71NyuTCjf5xo6nCRWCLfFALa<Z7R7vRp~X(U5iTlm|(Xk<%Ra(a?MZ>-3`9>VR`s
z>5$5}$9qJn55hL&Db9{InMAw}L*pa6gM~er$8*7E>xP+PCEO@f7z^<|apl=L6A+#A
zvkI}$5=p_c7@OEhuOYc{7f{Bc_d1iI=8(eAmuiWyIBAJ-4hWN>1Z`^8n`~Vfg3-*T
z_}80c*-pGnzqC(wj7FG!_Mj}r*bi55Y=xe%#b(4CBo$BsqH1qnm0RyCqE*JA6FKyO
z0A(4p9=!BrmtqC`;!LUg5j9n?3G>Qh-9;ff)xO!0Vl&Q{*nZO`SAO-XRMj;-PJdNM
z-J)m3l%kbiyFwWcXOmdxmDNWotW4y?%7TGPe}cQt&M^jK!b*6eigJG{FzFRF9hzaS
z66!hu%hfdEa|!Pt1%=ZczXD{g+^s_Y>q%({@nFUZi#5v9318H-KIkx=AxUVu^(22+
z`hM|UaqrYo8(J9P%H|wZ?b>6}X5BT#X2UgyW}VfDWI^Us@^|&BJcF+Z(9}$!x==rL
zt20~ID<l*S)1o+XD?k_!#US7yqX_8`1+Ck-_tmUWdO~|nLOh1G(eJLL51A7y=&V_2
z=<!*y6vFP4DQgNNgp<R3>;fBn6n)2Z65;Q}V7WT{juIMp+cU{l7vB=@y?0gJtVBx2
zCkVIH1}3gz>Cy1Q#S-G6)gt@ExsKS;Qo)Z~AIU=M=37gPCAUbVOFr6)>MtU`E>`n5
zDE@L{X0e5K|8})V?MChZYIOh)E+ab|tz%8I@n!nB1BSB0J&PX^9jzkFk{0&Pfldkc
zwFV(~Z75Ms>0VFG(4+~EIx0zSSs7~I@TQ}Gg`{8+OX@?1)pLJlA#^cKmnp4`mGQpN
zmU$76X{zj#kqXOvjd*|T9kd1uC-J^acR{u2>R6RoSmY3%MNW=Vit6mEVTtq=>U_tZ
z8=Mx=x(oLCfv+Xj%hiD=!MkEUSSW`N373?HV4KFhKs4eKU)vp`&ZpYjWtBxJV=VJS
zE7>=Qb=!CcUW>eW@i>3$?b~O+y*2O*=APKPIlf8M*~)q}+yhpR`3&X4EzTBpk7+a`
z1%?E<p;9ddy@T9H3E)H`XFhsU>Ul1)e_c)V2A>CeNB8gukjmTL;<G6f;ymvS?9J6s
zSX%vak+f%C;Ox@)p-l6ARw^_n#-YVDvSsF&{h~OR8}{n8rbD>HFT(Co^1Mka@z!2F
zupZhTq$Xa2B)$x9q?@TrXOih9keocWjW6wpDCJ*I%!mM&Prg7NHLWo^mWY!5U=tg7
z-)!m;(So<pKHpY;sjf2S7ViFNoEqko3P0!pJR`rd%14onbA`}*G|X&soQ{r(W3@g$
zU)LXfYW;9Q8j-S2=NTi2<iu>Vk5m$A;#9POU7dlXIeqCt_Ei(7Xw0|=9Yo^+DP#M^
zaaFCExIG;GNaQemprMOvTB%2hDsx~}L8N1_26O>K!I9nlbJP=pv`%Fe>1B5C=<`c?
z>BNVkiPUK4nBo^ZU&OfMz#129Y?0c;Q%jVM7-F;DCNCNViEus8gPjIG_=+J_O_7ey
zNTuKrqrXWX-DzMRIZq&|Om*|5j|ImbOgCRYeD|^A5y-V{Tb;`6XfgOh&-}$&@cE6{
za2+J-<l@B48+sgQXY|BBjfaOz!!`{88(JysuMVTX()j(jsYwYbiv6G^iH(wa{gDqo
zU<H<d)x;S8UNX}^4mdNg6rRnOQaC4;kYp#20FkWPCa(NVS@u`XEZ*YX=Y_F1z&F`N
z5p@V3`~Zgl7b8QXG^ai;UJs9ZxHm7<6|bDvbw;`x-{rqdQ<UxOMMN#%S>y1XJHmE)
z4Nf4K?L=Vc(<kuS**JVM+C5;aOTkFVm<!p47DGw%Z9Z1(QO#><@Ph}e02XEEp0cO}
zv-kbxl!ODkF#W^=TYM%4+Dz2djsY-RUG|bGZ(o~m^hdvE7S%-_5_lOd#EmS1^1!W9
zyG^M#zqb|7&4QGsoi<Rx+*zb>rcZq(*=<T)LQJOI%&w8}I=`?YXCF`KM575auOWC-
zU6D`uLEKdlJ5}u}!K@f@VTLJ|BFfS%RgFyW^n;7<I%$8lf@lMSoVtg-We$4ay5!-U
zHJU@fXWmEfu0v0!&hl6+oE$=V)m3NjaG&z!BhcV#A5)=7ssJvWSSh`e!f^_?)2sl@
zxWZ-Lxf@G+0wN&GI?I)>2mOHa5;NILSUE^3>P#p(8?8h)AFd_^W+^Tz%T@H2_VppN
z@-a)-*w&um=U580!C<O2D`NG5x79b!*1+?5DeHxvf;%~~meg9=r=VKix^Rj%xqBdP
zUyk1$JL6jXrDYohM$_DQ4$vF}1f+jgYDoV=sqyzXQemOz5VW$iGqJM=82>!QNBB!d
zva%(9`oABB*M}cW(*2Fwz50D1lFiq_{P4wu?5HbQ!Iwdh<s`_Oq7C{DNk>N!<xI`g
zLua#bKPVmO2!Bv34lovs6t^&|r~z1{uhd*FtC{7tu~nJJ>HAiEedm6ZeA#-5b9C#z
za(j^&kIM_Qie1<p$TGjzC9bj6GxM?;X)b16O=G+3tFtnsWqbI`CBI~MXSPopT{QKI
zy{_)$Jz5xb*Vb^Bmzgk5SH~}#R{~$G`o3HWei0nr1X5Fm?6iSPaQ{ip4gE4UvQc~g
zC4RxXpf!F5HwBm%kn*Jn(_M_XCmru(@h<d+14T~~!rl#_U#?N_e_i)VAai36>I2<U
zaeIY*SC5_s-=#zMk{~WU=7a+8Wq7{6n+W+!LO{B2GKa6`FrsyAb(iKx=7$gx?78mw
zjS{dVibMz@=(Ta<B_fbyqHNV^O{R))>65bysb?;`B*lBXNgo%p)()4pPHSH=FD*`?
zEGIRgTZWpiOk*DmXezLZ5;YhKv09|lT52)7>Etw#VZ+v0ysO?aM`qgzuq=z0K`&S&
z?3gm`Wl>u$#ZohRTmHK0?Q|=#^5Dmjgrub`wZ^Ma>bLtiZ^Z?6NX&L;9r6PMB!}{N
z5W2=oW^<CnO_rJqczEC$KM0ZYjF<JWNYpq?LBRITjMK6d_9?1E2XB1Hdp{{(YdD{}
zn^D`d%=p28Bg-Y3jD)#q1{<3hwnKOa_WAa#Q=pt0wZ+cGt5;GVxdfW#re`249FnP*
zgLVW>D=P+JUoXx^XF8f@Rr}Nv=*$8+3yU$WErGO%k=!aD!PF!}vJDFtS*TZUQyVcE
zhQlnFQl~1=5SVC^Tl!_eG&!oOG3jDnhwiwkvC|ths-8u(?Y_^{n`<$LvXX~eZ?wQn
zGS(P7GgzMH8P9|>h={e{gA}ZpLfsjCylyp=QNobIsvQm5p-5d!g6*nKg`cYP$Ivu&
zWSCBrCiPe3ZaBY+PF4sdsA1V-N63Y7wwoLkx+R>u5!=v9GH5y`$h_QR=q#*YdrkN`
zxHabtjUWgX3XL89{T|blh&gdy-hK|MoP4i1n+KYyUv(0);jzAnxtuyHC0T8-EWD`@
z{Z3!uwPehyVpSUI0_}Flr#r7fhFAT_5X?)_idE-CGtRnv4qp$Zby@YO0ZtBxj4#QE
zXg4r0(&NWZia@gp)iMgW4KbUX8IeraqWm1ZxwrGxRao4Ey|=D=4g)e5GDmv7bl|YC
zMq+S2;Y<a9GzxJrEU87$s)?A}xPZ3M!1%rg1eYDcKlMn$#n4_&Zr|qXrPoG-gg(Xp
z#0=x3h3}=}2n~h+UofaF(kxY>pND(fI8u!=#rlQN|DKHey%BUQ6fIwsPu;qOkgao_
zMIl2n#je$X<n=9$-MH1!_}#rBqX}H-R_!R*W7?2`n`}q?u|Z?zD%Dj{SQ&*gs&@Pd
zEa*yioxYoThtshp#)|y0`yF5J3zRzu-n{DuerB-hdI*veW~>s*D@c!`RimqhFm3WH
z5)WYo3TL>sxDzbUHk9PHt|Jsc+}@|Gi=MsO$SSW8f}kEk+9-^>)j&PbraAdjsRGWr
zty|G&^(=a0c2vhvBOH6oM;xgVd^}gv8Pk-H>6-C3R-m-HJ&CC~2`q_+)72o=C*LyC
zb}rgiB%S8N%C6nj?u=zD;w@|{Z`epk<lafzv^|S$dl$6VqF|kijRETcO1D-p46YEB
z10+lt!wr?>CkU%sfTr~U4vXQYo3gN{u#dq~E~fzF0mYS8Tb5`#n7z1AjYn8E?1KWa
z&PMT9<RLkR4$_JFhAFuinV4p``8-4Dse`NOZKUH<VLuY<xUXTkWlk3?Zllxt(dBNA
zbVOCttjqOHF5Cy2`V0|f?k1LH5Rxk+@*VTeG^vGF@E0O1Gv0F=q20)OjanU{FPlE)
zIFhnnponPHtdHzFoVQk|Qbe^5L`Vu4i;%dymS0Y+Dj%dtQ)lFvYHSY^k3dV?p3%l;
z0vCjwl7z=%=(Cg_AnsbVmTA;A?iz{9ji^V5#l3`LI7_)8QMQdsT&E(9SJ$kt#3NG2
zq~Z^WNI^_6je%%WX4@a;>JmxO6iX~v<T35E=nOvK(+{|kvI0ew+Oj*)k+UG}ID8rF
z=*706a*(v;`jQG*OALJ7K!u4F1h|aYGkz>$Y6kysLLWXQuc<hlrnY{>jV2+bLNw=4
z(gWa;SBmVwo@SyymI8`Jx6IlDHDx1H_f?awm|%$f!MQvIN!^<}R}bq^f?jM|e{ck0
z+kxm{&7v0DwV+2Hb!~kAr9d}3hq_2*Iy6uVjpD(ziofd=lOa@eP@2Hyl|u=w68LH8
zkUCB1OeVodMqrK0;MO@(;#?f~SpN(A2mkPfS9D962cKP~E^D`D_A!)b^d=WE2JOe-
zhOix{(h3*PAGx!b4R^b$ygwwFgdex*m7<J3Zud4zWd*J-1Mw>9!g?VpgnaT+$Tjv$
zanUri>>mzKY@lFDk58O4`h1q!fDW1!>gR{*;m<CS5?b_vZ}D~3vk!35D$UO<uu<Zl
z>zLca1g{c0r*yr@ibR%?zh@4~nSeyD1|Nbh?pxys$`Vj`ol&1{2y@Ebj6}XulIm6F
z7;}d!+9&7C0e4I#=1%H{-pQ>I;Qva8BS1DBLDaLR7`Tj|%Ls4GAtRcVrdz{a2Z=^&
z^sG!cX4c+l-$D6pePtq*e`H8SkIkX3MwE>e)wadmfZXS7kQV3Ey~G?F+O@@*8PN=o
zckNi*ZUC!uc=0-1uSo>%JCH$6=siGczSTAN1nr@Q&MH%EGO5+gLn@w0chU6Xyf!;b
z?$|UU<HGYWJxf7ZgNe19_0G2q0;S}i0+R-_pj;Gv>+&YKB2FPw2tUie$P(xT`HTbb
zq;}1flpULu{G`S+$bPuxj3V93lJL%~0%A@Fw3JMylnBBy1DtJLV9Af&vKJ-gavgP>
zludv%19e@lIc;*C9p~c-7#WnZpfKL548tLOdzfD@7fr_b^K+sOb@L9eeXr4~zQcvB
zMX}NmxP*|QoOpWCUazp6b0Adg9w27}m_hm_VT`;mg5aRHY5SIvw8^N^l|I9PTsPg1
zK%%@kAT?+<2bNhM^kDK4EMlGT*#kgnYxH5DHBBGTrJV{Z8K@Db55hLsN6~S*bT6x3
zUJ>7Is1Rl}*aI0wusWN<tx*R!yIhCZfSB?i6|8ed?27AhzQRATmQwPtP<mJ>ZO>XY
zmU1b$!QX{Kz|OtK0a-Jo&ORY@#)43NgQr;^2;UOl(VYI=)vNF;J_jD*c9+l>qUJ-{
zPlH7B{`d3Yq8Oun)>Lq-tk~U}&P$M=O|`muRDiHd2KV?Pm%66Aiq{frr0I_gp<3Q6
zIa}vPGg~IaWnKwS56y3I3>K}vKOx1qi?0{$O(qy{9)ebBd^Ly{O_h?MvDWSPC_o`I
z?ah<|#eZ=ci=@J`dn~E+KEE=nn}hCC8qG^5&d)%>g6u|SYtKtOkd2@xHzJ`yRW~D{
zK~(o6YkXpGPMP`N;#7)6+G#{g;Vc@c?vK-sW!<ZG#c>TRhscTO<3cYY#>HWxM%RG2
zK_3-FlUnI<khjOe39NM3BhpHg^rmlOta$$6pV?^PGm;LlkVpNcg}lK3Q8fN$38rq1
zq=^0?O}nfSC#Oc92MSwbjHy<u#b*MorbgKVA2}@$8j`FZO)KTNahO+ads6B=C+d9C
zVdFdjj!lu_%Q?!vah1gsaTBDc?WTZ-jFa<V#FitaP6@}vwViT5_UQR|zjA*w*q07e
z4{ZfH9^{7yNJFr;_UynH=;EdV>K3RP1{4tI^*OhX==Gl7-B&*NcY>cK<oH75CxK#~
znMNKHbX}IbAbMGF=Nw6w?KWU@-26<+i#DSjeyJ|gT|P^N{7XO&{)JhR?)j$vl!7E!
znJ#)`M|%K9QKN!XO)Y&r5sfcQ8ZOTVdg}1PBt*K;(IE`@WOhP@;X4!@Y~)y!o^%L2
zvq9p{>bgC$Vr-RiHq6;MD1x;Ln$f2ws+iGsrfRjw!O2tEW_hM+A%;C$&5U0(c0|a0
z#}rB|BBav#>Fc`kDFTDCUx|avP%pm^*0;g`5U;;uYenoRgBwjEFNOj;lN2czqQkNH
zCBtwUxx%5BxhHBEfhBR;E`)_}3q^v|MRm6>#x37BGP<TDrW{6b$k7(suiDU-t6`4`
zrYQ<MHb$7VidfJ%ZF4p&Df`)Y3tKiOssE?gNlFB9%6@rEO2M<Q?0id<iG$W>>!pzk
zc_c=$56u2DqYK`7AT#WoA#q93x-mfO(0S)>T65wsUt<?i$u&lflZ3xI2-m?YEMwaT
zE^^0n@`9yUh;>HEXLD`&e2{5J0)lCZka~_<^GvbLi_n)h(~xC>5>tQrIGil?W4-k!
zfXakLBKJl?DwcYY1`C-`f}xQ`s&0QU&zWVuawAHERNO{$Dx?9s0r}MzVWQmgLT;}$
zVM<RPa2;c6ll{3~>{OH@!ZXEO`*3VF2x&}o24s%ZNG9?8AQodp8|Y4$nOIEWur>Iu
zN{ql;7Ks7MfFK*mAZNrtic`Xfj94JLb@GT{XQ<bq&R}D50z%w@N(f^cphdY2vPdU{
zTDmGO;aVBB2f<bVGc7u%64+>@HJ{7`eN~m2&XyCQdFn-}8BNN$W1ZckS^9Wqf4Z^|
zXV|h(XJ9Kv`{n)|oiEKwQZYS!Vj8>BNpS@E)DbKaZ*RlNtx6O6XJSYAiF5<_zM8N@
zB|kI`19noSZIo-<0JITO%sMxLk|63OAVPyJJ}2{4zGm0$T3gStQmmJJmEs%*FkGd@
zB$sqv(~O?1C&B4-Do6?nImBx*;5s!&q)76n{G$v)L^Qd*<i#<en><@(nnkN5?WR6E
zi9AP~gmYBQUM??dQZjD(_iu}XH)zB94K*<G-?%cns(Zv%oieRwYt`z<vb_~%6^FTV
zRVG1$3K7{cRVUXBb@NdYev8^<ss3t(@b0CA(<{4F3eSl<TTZEsCCVr^_xEep)Q^u`
zl1v}GJ+hu9LAq5>3<w$}*;juOw{jOUs-6=X^AYATS`C?PBwOQ<Vn$0c`9K1>>Z;b}
zjmP_j!lPR)D<}fnvg?4=1B3>UN}YHotA%p$l{3?;=gDsowC?nYrnxjoKs-XC{Liht
z9E@pn#4fm2!#zOeZVd`3ldp!T1)B{77t3)iY4;Z;72X@m?{TB8;@Ely6?Jn!;G{)v
zbGyNi^^ZA3AEygubYY#wncSi0P?kX{rUv$#9Gy-f28_ur6ZmlxtZ~ORS|j%H@{f$G
zQtutRu-*u^E-s2qAHZG<_*Bi&);YZcMuPwqx5l{>vc~B^c|baDV!L@w@M@n5yCNx1
zY}zhil~^fm<+YS2e_!?;`ql)*HK~of*+*i5{JcQvkBM8E1NcIFWig2><d<#o7mxTi
z>Bun>$Rk5R8+bP~tv<+k?=$;N!gRtKtiu{?qFj#Q&enNISAjqGVW75yqISnib}O4h
zwi?XT_nRIwsT&5q6y)F$TZkHuz$d`%z^O+%&ku*Z@q8iQ(tW~u*b4^14Z9`zT8HSc
zVv5z@wPK*um%<)CJ$e5DF7-=g%QZ~$&Sq{1P-cU~-6cX>mxE_wadLg_<UQOKUA8RW
zn8EZy@oT;#=0pVKaw)!aFK`g^e5~7@nz8#$3p#S<V$gl~2Z1h<=|?F}-0C5kfYj=_
zhJmGeO>L%PtS0lgW#<BgXjkL51zLwBJmiNNh`T@Twl3zaeV74iz_DLiD6{<59wj9y
zBrhiVgO(;%c1RkC0hvb_L<k-PkD+lgyfGt#3Xg#SGaS-%9eq6_CJ|^RlOz}TE{+Nb
z4Ul)mpqU9XTw-c7?RK{zzvT$8%<9=iMN%J3kt(%8#W4M&^|E=ot8)AS*1OC}H)OpI
z!A#dBJEfgZ2!bcWU*01v)(D{wU@M_B_K8zDb<$V0OaTI$CGs)GB#93t8;`%g(6Sf6
zIK$BPqtQ{s_9UAsEfawWH$3kSKREePNCj--FE4V&kAJ1&M+q+t2#YLnmbEsnA}V*9
z7F<F{r!XvkuU^_Si7|UbcreYUwNrsff$3aSV*|+nyDW{%zO_y^;GTWouU3fDcBD=L
z^xA$)_BqEe!?CBSKKbLrs>QbKP0Zpx7aRAc8)M=$>1|DdRhd@V+0FBGxXw2@Z`F<Q
zh0UI$&qnrA>jY#WS8nF&()eBLdxpW$H{AkVq*M<_k01f<**gG(o<eC$k?RudP>|Gy
z2?G{b%677+n@Vu(B@i=!G7jM{WgI~G0GI|SIp&B1Uf|#51>iR+VFi8~F=-Jx3mr!T
zOS&h`-9LYs=zo6M!Hm|*)`-@@%+TP;_vy)I;1>W?zXt$7qp{G}`2z^~83Y8xGpV1d
z{gnUkr)vLGO}+tHTUpRLTbPfiN?0wi!nfWk7l=p$tcnjB`O%8T2^&D9BJoXpKED#v
zplLy*h>V%TB6@5Q+!bzNwQUyO_if=y!SFc4H)4l_qOdeBX=&o#*nM~QVYUZzBV|c0
z;uZfojj%x8)$&KSE9Gi|;<FGt_k5M1mX)K4hrv_LQYEyj6}B>7uQ$?ey|JX+dD}*~
zcV5G43;uJ2q)CviZv?F(Hl#^VChFWETGIoK9JBG!AV*%x7QT5mP77WyT6_&fNHLdr
zuM1g-Y;Zye$uaZFLKQhUY}djI>usM{jv*GJ8NQO*-N)i*T+<O>Yd@U>$uOrE-`fDM
zmejd6FrjAI)@4G*&dLKr9A314-iE}m`efNG(3ZWo_GxthM-1b27ZxFG)Mqo;fasI}
zyvGYp7+f)VG5IY2b3*ZYsB(j%E2JXb0jTA}Hy&C+)V}A8ox1XnE=AN(&t+V8w-loN
zj3-T5!?0w^>ZbP&?j?#D2}4M6k1^6-ScLU9@{Nc9wYEfZDcrh(Fp?XfCLzm5>QPL6
zWE80AXJALEi(uhKVe{3molK{AzqYlzPT20Q7Og6Wj2xCTC<Y=Eu$16cF0qSl)lYL`
z##=KqHjz89F;F8t?UUyM0)4Ox+Q=9sFOiC$QtX_6PLMqs(FW@5^NF}jPfs|i8a~8(
z`_{2;Q&6;IDbeq9%ypC@awk-)Bp9}(b5@i=upKo*irnyyW}!88eSoh54x)c3<Dkku
zNa;*IJH@n;@l5_lmO-(Y3F4*5;Ws9&7bvTcu+P&fk3Sl+72#Ud?OnmG#Q>Wsd$!%{
zfv)JZiuD-qlL=?S69wLga2v9byAKkuvC@TIb%kAcy0rr@@!m*@k(0kBf5(-S`?z^4
zgK_F(Fm30;z2da6n48HIKR2MHuR>RBX5IKk-TQN?t0S+Cg$EAu)F7z5bDIT-0#*#v
z`_6kz!B8L8Ff!T1BG9-ca+jLMv>i^|7i2V<)6`zFXQ_z7ZI1#{7TVA9iXS{WppqD*
z(S#Q$y7R*h+au+w!V*Ioh#RFdwe>p{jI71ghgCy`AYm9}IkTb7gLI7%E$@@{oop=N
zwkhno+Y48K>zI)krUF5OIA`Vcg10iqiD{Xpq&<;D-`!5jC=g_}ST?PIT2n&uqS}70
zKVLgPI(35Aiv!$n*gi0_xgANAs(PG{vY9{1<o0pH4gqVN?6)#P&-j(SumPD~Y|`77
z?is%iz$_Q=eZ$MkY5%TWea)GB-h=oPy!7NkJ!h2kMBQ>xaY4VhvvMOWU$*D;`)1=6
zOk9vRU6XQ-R-K0gl@ALNpy$+DlB+I>&XCc^{ljoX?pPGIx6*z^aY$*-dDt1a$;oPP
zOTm^V>z@h(5No`dIxxXXl2q+`uVSy<j!S&fxO(^CUNfnCo7<*Y-m|<ad4A?B>ZUK@
zd^@9cgV5^BYL_{8bIq~C9Q~PCj9VxDnAkTZzDa1m0X&u}Pn`cVtet+zBmIc=(uL4c
zMMIq7D6mrRn6R9{=S`OB4K3pt`wg#cBu)Nz4yQm^*B=g9n&Um)89z-Dq9*bbkqUeU
z8|z+swEdKpQ?>k%a#j-7mM<%iK}K*Q9YwAydN?9>shKr_f28w(^(pzjW@5nf6`Ya#
zeWUUR_qU6MNp>~wKyY^Do7Ng%Iug5-BwB2x@4|BAkYDy_fR|(yusdzr_?(&AV|I3O
z8oYIPlMa@P9*ju%=#o%dmvP#oQYfc>b~z@!^ESs`ymjiK9D&kugnLg<Uf!!u4_O2b
zX$pxe$V0gP5(AgKkSoDb6~7qLNZY*p<!t2h3MNCy<H-E74(2j#kbHua#|yi%_q&;n
z5X-OpC}>m_l3<GtDUTk(*C8cG3=P!*4x;zbNj45s4HO#Qg+fg9ItE~bF@awh6GVb5
z+fJ%(Z#+#3nm)I3PJf2$(gRiti)3KBwlVBG5RrAh_#;0JT}wt-Ex>lW2J8EqrJpx5
zj{kmFu(k!HrL?s-F|d<&d_5vTBTg+QCHtyK!J7J&<mfBKV<~EhkqtSx0di1ADijz=
zWEiOuN!SueN#qnCLF6zPn30A-xzG@%vomwpbLy{>4U?g#642c8<`Pw3PeUiaidRj^
z$@BFBDO!`D#_H#hkj8uEPTAYZBR2eDmVR-&R%H#Sv?Jh0M&daTGVnidyZ}#(zY6@b
zgD2yn|7?DLKKAD>`P3h}ET5{(0AKJ1{2)Jl^RJTQO$PYw?>$qBUs_B=SYClvO5}TD
z`JeV#fOYa;<%xJ2@VkQ<U|arAO@Dp>5Ps^r2fqIK06;?c<wO6e=MxJiKxhH5JU#T2
zSn(fPg`et){*Cq76N2QwAp9v){5uLD`O#nH3B~6ZDEd|wKeXuQ`Vf2r`lCM0{|l0x
zj)nOz;mCi0yZs$FKwItYZGVaSB+mU=o|?-KkQ4u@+n+k^yVzjgzx<zDjsFerk5>Eq
z3h=LR55GdA_yMi`H_-kL9`P&KA72ePV1)l$tN*@?{uLbQ549Be9k@RX|Ng}MbKX8p
zBBg*aBR;^>=>UoRKUIA8EXO<K7nr&RI+k`%qV4x^Pp^g1JH+b=4h=9NpQ1i~D>>d6
zfWQ1(i=T!y;MUz<#{>{(gP7q@b>h#^15=Zb3;^g`z)|r>=xV^~^?T5a{|p`8$&myM
z7~NffAKq_O27Kmt^8sR8{vNcTv5C1pzrOx=ff@dptQxyrS{AUfMqoU9_H;1$R&u<{
z0q@|q$o?5Pz}T?88Zcbj0UH+WH&no9j<*_s>Q}(R<^~o3a|bCMvu^=7f9`x8{&i#;
zK<7Vs64U>HZ3<Yuehb@P&-mZad1^$vvH|FlfHCrP&i__&yuSkCiv9}yk0p#Bu;Q5L
zI@lZhq5-bWiU+X(iV{Ero-B&Kl^pL|qW_NK7wvdo+UlSPAh83GJY}c;RsiiF`)^19
zHYX0hYK(afm)z6aXaKxv?r$W3&m8Ycz=-<&{`!mO7cEk=>3Z%2m|hHk5%lBC5TpAI
zroRG~I02@$ps|6T*&mbR@9ZK!53<M7C|*41XV1a`L+aHJ&7uMH=KtEPzqXz~IsYCL
z-=^fhvetYY)*Ap!8y!Gra{a*CDg67aQbJFRKPaAlZr*0TI3+BABm~f(0OY?*j`umB
zwf}4L<oTr}{|rp@*L3}j9{oO%`jhVBTgmaZ2be?s9_61~=07hv-{)`qalk*9{~i2)
zOV0jt*L|M}kMCO}0G~PDyIQ})^XuG@KeK(GVu$|+HVEB+XZv&9{YI|6pXt7jp)B|V
z9ggY0)BP7&e10bUK4|NYJ87}=zZ3prpyr>UzmLep_d{EX-Toc=J2~%{F<^gY`#z@9
zQ<Sf7CC8g0@E2_Vr<h+q*Wvs48c)%izLgyBnc#n~!#7v;KSDQsCo=p~ET^9tzju^>
zirew6<akR({`ZXkJh8ubT>f#pyomYVIsU}~|L2B$?~DrAP5v%9-h=VKBKb#;=%2yA
zcT6Mv8~SO<P*3_5_&4v?pYgu;!1-~hD@pq$-v8p<_A}4-M$tbmK1f;r&hz(~;eYe)
z`I+u}+u0vq^p}F)rTZUt*FTedZ-ww=hWoALc+(gE2FZVAl>0OH_qR&|--rR9Io=Yr
z|2OV`o;ly&fBY!R9yR|C-#^@7{n;dd)By3%7b$<X>gh1u()yjQ<=eH&e-sZtE3N>N
z?_cHV;oblF@IPH{{Hitp>GL~4s<!`8n|}iQc3blOn|r!=`Cj?<lkoE20snOk^F97k
tPkgThds5+jD}bYK&wo|%C;a~?^kgJJ0pkDDL5Ag-ED}Jj?0x#z{{zrAm5TrX

literal 0
HcmV?d00001


From 80be52422a1f9766a483691f43904f4514981317 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 4 May 2017 15:24:37 +0100
Subject: [PATCH 57/80] Switch to static ID values for per-entity metadata

See ukf/ukf-meta#119.
---
 mdx/uk/mdq-multisign.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index 62ac0813..e9326e97 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -58,7 +58,11 @@
                 <ref bean="populateItemIds"/>
 
                 <!-- Set ID, cacheDuration and validUntil attributes. -->
-                <bean parent="mda.GenerateIdStage"/>
+                <bean parent="mda.GenerateIdStage">
+                    <constructor-arg>
+                        <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+                    </constructor-arg>
+                </bean>
                 <bean parent="mda.SetCacheDurationStage" p:cacheDuration="PT6H"/>
                 <bean parent="mda.SetValidUntilStage" p:validityDuration="P14D"/>
 

From f25b1c74f807639a47e40f235c6578d698f2b71d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 8 May 2017 11:27:01 +0100
Subject: [PATCH 58/80] Remove UKFederationMember from test and per-entity
 metadata

See ukf/ukf-meta#34.
---
 mdx/uk/beans.xml         | 7 +++++++
 mdx/uk/generate.xml      | 1 +
 mdx/uk/mdq-multisign.xml | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 8bfa1255..c70c921e 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -343,6 +343,13 @@
         p:XSLResource="classpath:uk/strip_extensions.xsl"/>
     
 
+    <!--
+        uk_strip_UKFederationMember
+    -->
+    <bean id="uk_strip_UKFederationMember" parent="mda.ElementStrippingStage"
+        p:elementNamespace-ref="ukfedlabel_namespace"
+        p:elementName="UKFederationMember"/>
+
     <!--
         ***********************************************
         ***                                         ***
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 528cf9a0..0ab0c733 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -557,6 +557,7 @@
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
                 
+                <ref bean="uk_strip_UKFederationMember"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
diff --git a/mdx/uk/mdq-multisign.xml b/mdx/uk/mdq-multisign.xml
index e9326e97..f97e91d3 100644
--- a/mdx/uk/mdq-multisign.xml
+++ b/mdx/uk/mdq-multisign.xml
@@ -51,6 +51,9 @@
                     </property>
                 </bean>
 
+                <!-- Remove UKFederationLabel elements. -->
+                <ref bean="uk_strip_UKFederationMember"/>
+
                 <!-- Break down into individual entities. -->
                 <ref bean="disassemble"/>
 

From 0fa807297c87b6d58add294cb5ed6ff23ab06ad1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 8 May 2017 12:06:06 +0100
Subject: [PATCH 59/80] Discard UKf entities at start of eduGAIN verify flows

See ukf/ukf-meta#118.
---
 mdx/int_edugain/verbs.xml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index 15d98b02..21f8be8a 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -31,6 +31,20 @@
         </property>
     </bean>
     
+    <!--
+        removeUKEntities
+
+        Filter out entities which declare themselves as registered
+        by the UK federation, as we don't need to verify those.
+    -->
+    <bean id="removeUKEntities" parent="mda.EntityRegistrationAuthorityFilterStage">
+        <property name="designatedRegistrationAuthorities">
+            <list>
+                <ref bean="uk_ukf_registrar"/>
+            </list>
+        </property>
+    </bean>
+
     <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -74,6 +88,7 @@
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
+                <ref bean="removeUKEntities"/>
                 <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
@@ -93,6 +108,7 @@
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
+                <ref bean="removeUKEntities"/>
                 <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
@@ -113,6 +129,7 @@
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
+                <ref bean="removeUKEntities"/>
                 
                 <!-- remove all entities which still have errors -->
                 <ref bean="standardImportActions"/>
@@ -145,6 +162,7 @@
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
+                <ref bean="removeUKEntities"/>
                 
                 <ref bean="standardImportActions"/>
                 <ref bean="warningAndErrorAnnouncer"/>

From ecddc5910785cedce5ca5a5aee8f38ecfa0a2ad8 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Mon, 22 May 2017 11:59:28 +0100
Subject: [PATCH 60/80] Fix address generation script with correct location for
 XSL

---
 utilities/addresses.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/addresses.pl b/utilities/addresses.pl
index 09f72f14..1c9772d5 100755
--- a/utilities/addresses.pl
+++ b/utilities/addresses.pl
@@ -24,7 +24,7 @@
 #
 # UK addresses
 #
-open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL extract_addresses.xsl|") || die "could not open input file";
+open(XML, xalanCall . " -IN ../mdx/uk/collected.xml -XSL ../build/extract_addresses.xsl|") || die "could not open input file";
 while (<XML>) {
 	if (/<EmailAddress>(mailto:)?(.*)<\/EmailAddress>/) {
 		$metadata{$2} = 1;

From ed6caf9c11657c60c4edb455988f589e451a0b3f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 22 May 2017 13:42:59 +0100
Subject: [PATCH 61/80] Add member ID to stats output

See ukf/ukf-meta#128.
---
 mdx/uk/statistics.xsl | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index b1e51d68..31e89d99 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -134,11 +134,12 @@
                 
                 <h2><a name="members">Member Statistics</a></h2>
                 <p>Number of members: <xsl:value-of select="$memberCount"/></p>
-                <p>The following table shows the canonical name of each member organisation and 
-                   the number of entities belonging to that member.
-                   The canonical name for a member is derived from the member's legal name. 
-                   Ownership  of an entity is established by the OrganizationName field of an entity exactly 
-                   matching the canonical name of the member organisation. 
+                <p>
+                    The following table shows the canonical name of each member organisation,
+                    the Jisc organization ID and the number of entities belonging to that member.
+                    The canonical name for a member is derived from the member's legal name.
+                    Ownership  of an entity is established by the OrganizationName field of an entity exactly
+                    matching the canonical name of the member organisation.
                 </p>
                 <p>
                    Many organisations have no entities in the federation. 
@@ -153,6 +154,7 @@
                 <table border="1" cellspacing="2" cellpadding="4">
                     <tr>
                         <th align="left">Member</th>
+                        <th>orgID</th>
                         <th>Entities</th>
                         <th>IdPs</th>
                         <th>SPs</th>
@@ -1119,6 +1121,18 @@
                     <xsl:text>)</xsl:text>
                 </xsl:if>
             </td>
+            <td>
+                <xsl:choose>
+                    <!-- remove a prefix 'ukforg' if present (currently always the case) -->
+                    <xsl:when test="starts-with(@ID, 'ukforg')">
+                        <xsl:value-of select="substring-after(@ID, 'ukforg')"/>
+                    </xsl:when>
+                    <!-- otherwise just use the whole of the ID -->
+                    <xsl:otherwise>
+                        <xsl:value-of select="@ID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+            </td>
             <!-- count total entities -->
             <td align="center">
                 <xsl:choose>

From 643c0866fd778e38b5eb48d342988bf6e1eb5e13 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 22 May 2017 17:45:15 +0100
Subject: [PATCH 62/80] Remove entity-level scopes from test aggregate

See ukf/ukf-meta#49.
---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 0ab0c733..f110ad04 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -559,6 +559,7 @@
                 
                 <ref bean="uk_strip_UKFederationMember"/>
                 <ref bean="uk_assemble"/>
+                <ref bean="stripEntityScopes"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="uk_normaliseTest"/>
                 

From 0c884da63919588ccc957e06352ff72cf8c795b8 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 23 May 2017 10:40:18 +0100
Subject: [PATCH 63/80] Set static ID on export preview aggregate

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index f110ad04..96f70d26 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -80,6 +80,17 @@
         </property>
     </bean>
 
+    <!--
+        setStaticID
+
+        Set the item's ID attribute to the static string "_".
+    -->
+    <bean id="setStaticID" parent="mda.GenerateIdStage">
+        <constructor-arg>
+            <bean parent="ukf.FixedStringIdentifierGenerationStrategy" c:_="_"/>
+        </constructor-arg>
+    </bean>
+
     
     <!--
         *****************************************
@@ -800,6 +811,7 @@
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
+                <ref bean="setStaticID"/>
 
                 <bean id="uk_normaliseExportPreview" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export_preview.xsl"/>

From a636e47efeb208b1728a2930436b0762c27ce526 Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Wed, 31 May 2017 19:19:20 +0200
Subject: [PATCH 64/80] Add monitis to list of requests to ignore when
 calculating stats

---
 utilities/stats-generate.sh | 104 ++++++++++++++++++------------------
 1 file changed, 52 insertions(+), 52 deletions(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index a021ce27..010e6da9 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -179,18 +179,18 @@ fi
 # Get the filesize of the latest uncompressed main aggregate.
 # Since this is just used for estimation, we'll just take the biggest
 # unique filesize for the relevant periods
-aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
+aggrfilesizebytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep -v "GZIP" | cut -f 10 -d " " | sort -r | uniq | head -1)
 
 #
 # Download counts
 #
 
 # Aggregate requests. Everything for .xml (HEAD/GET, 200 and 304)
-mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | wc -l)
+mdaggrcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | wc -l)
 mdaggrcountfriendly=$(echo $mdaggrcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate requests. Everything for ukfederation-metadata.xml (HEAD/GET, 200 and 304)
-mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | wc -l)
+mdaggrmaincount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | wc -l)
 mdaggrmaincountfriendly=$(echo $mdaggrmaincount | awk '{ printf ("%'"'"'d\n", $0) }')
 if [[ "$mdaggrmaincount" -ne "0" ]]; then
     mdaggrmainpc=$(echo "scale=4;($mdaggrmaincount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -200,42 +200,42 @@ fi
 
 # Other aggregate requests (don't calculate these if doing daily stats)
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-back.xml" | wc -l)
+    mdaggrbackcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-back.xml" | wc -l)
     mdaggrbackcountfriendly=$(echo $mdaggrbackcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrbackcount" -ne "0" ]]; then
         mdaggrbackpc=$(echo "scale=4;($mdaggrbackcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrbackpc="0.0"
     fi
-    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-cdsall.xml" | wc -l)
+    mdaggrcdsallcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-cdsall.xml" | wc -l)
     mdaggrcdsallcountfriendly=$(echo $mdaggrcdsallcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrcdsallcount" -ne "0" ]]; then
         mdaggrcdsallpc=$(echo "scale=4;($mdaggrcdsallcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrcdsallpc="0.0"
     fi
-    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export-preview.xml" | wc -l)
+    mdaggrexportpreviewcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export-preview.xml" | wc -l)
     mdaggrexportpreviewcountfriendly=$(echo $mdaggrexportpreviewcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportpreviewkcount" -ne "0" ]]; then
         mdaggrexportpreviewpc=$(echo "scale=4;($mdaggrexportpreviewcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpreviewpc="0.0"
     fi
-    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-export.xml" | wc -l)
+    mdaggrexportcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-export.xml" | wc -l)
     mdaggrexportcountfriendly=$(echo $mdaggrexportcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrexportcount" -ne "0" ]]; then
         mdaggrexportpc=$(echo "scale=4;($mdaggrexportcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrexportpc="0.0"
     fi
-    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-test.xml" | wc -l)
+    mdaggrtestcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-test.xml" | wc -l)
     mdaggrtestcountfriendly=$(echo $mdaggrtestcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrtestcount" -ne "0" ]]; then
         mdaggrtestpc=$(echo "scale=4;($mdaggrtestcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     else
         mdaggrtestpc="0.0"
     fi
-    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-wayf.xml" | wc -l)
+    mdaggrwayfcount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-wayf.xml" | wc -l)
     mdaggrwayfcountfriendly=$(echo $mdaggrwayfcount | awk '{ printf ("%'"'"'d\n", $0) }')
     if [[ "$mdaggrwayfcount" -ne "0" ]]; then
         mdaggrwayfpc=$(echo "scale=4;($mdaggrwayfcount/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -245,11 +245,11 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
+mdaggrcountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404| grep "\" 200" | grep "GET" | wc -l)
 mdaggrcountfullfriendly=$(echo $mdaggrcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Main Aggregate downloads (i.e. GETs with HTTP 200 responses only)
-mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
+mdaggrmaincountfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | wc -l)
 mdaggrmaincountfullfriendly=$(echo $mdaggrmaincountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GETs with HTTP 200 responses compared to total requests
@@ -260,11 +260,11 @@ else
 fi
 
 # Compressed downloads for all
-mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrcountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdaggrcountfullcomprfriendly=$(echo $mdaggrcountfullcompr | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Compressed downloads for main aggregate
-mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdaggrmaincountfullcompr=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
 if [[ "$mdaggrcountfull" -ne "0" ]]; then
@@ -274,18 +274,18 @@ else
 fi
 
 # Unique IP addresses requesting aggregates
-mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdaggruniqueip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdaggruniqueipfriendly=$(echo $mdaggruniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Unique IP addresses requesting aggregates, full D/Ls only
-mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdaggruniqueipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 
 #
 # Data shipped
 #
 
 # Total data shipped, all .xml files
-mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrtotalhr=$(bytestohr $mdaggrtotalbytes)
 else
@@ -293,7 +293,7 @@ else
 fi
 
 # Total data shipped, ukfederation-metadata.xml file
-mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
+mdaggrmaintotalbytes=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "ukfederation-metadata.xml" | grep "\" 200" | grep "GET" | cut -f 10 -d " " | awk '{sum+=$1} END {print sum}')
 if [[ "$mdaggrtotalbytes" -gt "0" ]]; then
     mdaggrmaintotalhr=$(bytestohr $mdaggrmaintotalbytes)
 else
@@ -323,32 +323,32 @@ fi
 # IPv4 vs IPv6 traffic (don't calculate these if doing daily stats)
 # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
 if [[ "$timeperiod" != "day" ]]; then
-    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+    mdaggrv4count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
     mdaggrv4pc=$(echo "scale=4;($mdaggrv4count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
     mdaggrv6count=$(( mdaggrcount - mdaggrv4count ))
     mdaggrv6pc=$(echo "scale=4;($mdaggrv6count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 
     # Per-server request count
-    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd1count=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd1pc=$(echo "scale=4;($mdaggrmd1count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd2count=$(grep $apachesearchterm $logslocation/md/md2/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd2pc=$(echo "scale=4;($mdaggrmd2count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmd3count=$(grep $apachesearchterm $logslocation/md/md3/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmd3pc=$(echo "scale=4;($mdaggrmd3count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdne01count=$(grep $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne01count=$(grep $apachesearchterm $logslocation/md/md-ne-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdne01pc=$(echo "scale=4;($mdaggrmdne01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdne02count=$(grep $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdne02count=$(grep $apachesearchterm $logslocation/md/md-ne-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdne02pc=$(echo "scale=4;($mdaggrmdne02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdwe01count=$(grep $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe01count=$(grep $apachesearchterm $logslocation/md/md-we-01/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdwe01pc=$(echo "scale=4;($mdaggrmdwe01count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    mdaggrmdwe02count=$(grep $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
+    mdaggrmdwe02count=$(grep $apachesearchterm $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 5 -d "/" | wc -l)
     mdaggrmdwe02pc=$(echo "scale=4;($mdaggrmdwe02count/$mdaggrcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 
 
 # Min queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperip="0"
 fi
@@ -362,14 +362,14 @@ fi
 
 # Max queries per IP
 if [[ $mdaggrcount -gt "0" ]]; then
-    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperip="0"
 fi
 
 # Min queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrminqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrinqueriesperipfull="0"
 fi
@@ -383,7 +383,7 @@ fi
 
 # Max queries per IP, full D/L only
 if [[ $mdaggrcountfull -gt "0" ]]; then
-    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdaggrmaxqueriesperipfull=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdaggrmaxqueriesperipfull="0"
 fi
@@ -393,7 +393,7 @@ if [[ "$timeperiod" != "day" ]]; then
 
     # Top 10 downloaders and how many downloads / total data shipped (full downloads only)
     if [[ "$timeperiod" != "day" ]]; then
-        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
+        mdaggrtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     fi
 
     #
@@ -415,7 +415,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/metadata.uou-access_log* $logslocation/md/md2/metadata.uou-access_log* $logslocation/md/md3/metadata.uou-access_log* $logslocation/md/md-ne-01/metadata.uou-access_log* $logslocation/md/md-ne-02/metadata.uou-access_log* $logslocation/md/md-we-01/metadata.uou-access_log* $logslocation/md/md-we-02/metadata.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep ".xml" | grep -v 404 | grep "\" 200" | grep "GET" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -443,11 +443,11 @@ fi
 # =====
 
 # MDQ requests
-mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
+mdqcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 404 | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | wc -l)
 mdqcountfriendly=$(echo $mdqcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ downloads (i.e. HTTP 200 responses only)
-mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
+mdqcountfull=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | wc -l)
 mdqcountfullfriendly=$(echo $mdqcountfull | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of HTTP 200 responses compared to total requests
@@ -458,7 +458,7 @@ else
 fi
 
 # Compressed downloads
-mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
+mdqfullcomprcount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep "GET" | grep "\"GZIP\"" | wc -l)
 mdqfullcomprcountfriendly=$(echo $mdqfullcomprcount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Percentage of GZIPPED HTTP 200 responses compared to total full downloads
@@ -474,7 +474,7 @@ fi
 if [[ "$timeperiod" != "day" ]]; then
     # Some v6 traffic has traditionally passed through v6v4proxy1/2, so to count v4 we're counting all accesses, minus those from the v4 proxy IP addresses, minus actual v6 addresses
     if [[ "$mdqcount" -ne "0" ]]; then
-        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
+        mdqv4count=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep -v ":" | wc -l)
         mdqv4pc=$(echo "scale=4;($mdqv4count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
         mdqv6count=$(( mdqcount - mdqv4count ))
         mdqv6pc=$(echo "scale=4;($mdqv6count/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -485,8 +485,8 @@ if [[ "$timeperiod" != "day" ]]; then
 fi
 
 # MDQ requests for entityId based names
-mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
-mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
+mdqcountentityidhttp=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/http" | wc -l)
+mdqcountentityidurn=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep "/entities/urn" | wc -l)
 mdqcountentityid=$((mdqcountentityidhttp+mdqcountentityidurn))
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountentityidpc=$(echo "scale=3;($mdqcountentityid/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
@@ -496,7 +496,7 @@ fi
 mdqcountentityidfriendly=$(echo $mdqcountentityid | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # MDQ requests for hash based names
-mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
+mdqcountsha1=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v "/entities " | grep -v "/entities/ " | grep -v 404 | grep sha1 | wc -l)
 if [[ "$mdqcount" -ne "0" ]]; then
     mdqcountsha1pc=$(echo "scale=3;($mdqcountsha1/$mdqcount)*100" | bc | awk '{printf "%.1f\n", $0}')
 else
@@ -506,14 +506,14 @@ mdqcountsha1friendly=$(echo $mdqcountsha1 | awk '{ printf ("%'"'"'d\n", $0) }')
 
 
 # MDQ requests for all entities
-mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities " | grep -v 404 | wc -l)
+mdqcountallentities=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities " | grep -v 404 | wc -l)
 
 # Unique IP addresses requesting MDQ
-mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
+mdquniqueip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l)
 mdquniqueipfriendly=$(echo $mdquniqueip | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Total data shipped
-mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+mdqtotalbytes=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
 if [[ "$mdqtotalbytes" -gt "0" ]]; then
     mdqtotalhr=$(bytestohr $mdqtotalbytes)
 else
@@ -522,7 +522,7 @@ fi
 
 # Min queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqminqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | tail -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqminqueriesperip="0"
 fi
@@ -536,14 +536,14 @@ fi
 
 # Max queries per IP
 if [[ $mdqcount -gt "0" ]]; then
-    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
+    mdqmaxqueriesperip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities" | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -1 | awk '{print $1}' | awk '{ printf ("%'"'"'d\n", $0) }')
 else
     mdqmaxqueriesperip="0"
 fi
 
 if [[ "$timeperiod" != "day" ]]; then
     # Top 10 downloaders and how many downloads / total data shipped
-    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
+    mdqtoptenipsbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep -v 193.63.72.83 | grep -v 194.83.7.211 | grep "/entities" | grep -v "/entities/ " | grep -v 404 | grep -v "/entities/ " | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq -c | sort -nr | head -10)
     
     #
     # Manipute results of the top 10
@@ -564,7 +564,7 @@ if [[ "$timeperiod" != "day" ]]; then
         countfriendly=$(echo $count | awk '{ printf ("%'"'"'d\n", $0) }')
     
         # Figure out total traffic shipped to this IP
-        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
+        totaldataforthisip=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep "/entities/" | grep -v "/entities/ " | grep -v 404 | grep "\" 200" | grep $ipaddr | cut -f 10 -d " " | grep -v - | awk '{sum+=$1} END {print sum}')
         if [[ "$totaldataforthisip" -gt "0" ]]; then
             totaldataforthisiphr=$(bytestohr $totaldataforthisip)
         else
@@ -587,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | sort | uniq -c | xargs -0 printf "%b" | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | sort | uniq -c | xargs -0 printf "%b" | sort -nr | head -10)
 fi
 
 # =====
@@ -686,23 +686,23 @@ fi
 botstringlist="(Googlebot|Bingbo|DuckDuckBot|Baiduspider|Yandexbot|Sogou|Exabot|AhrefsBot|seoscanners)"
 
 # How many requests were there for the main content files?
-wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+wwwaccesscount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
 wwwaccesscountfriendly=$(echo $wwwaccesscount | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # And from how many unique IdPs?
-wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
+wwwaccessipcount=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* $logslocation/www/web2/ssl_access_log* $logslocation/www/www-ne-01/ssl_access_log* $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | cut -f 1 -d " " | cut -f 2-9 -d ":" | sort | uniq | wc -l | awk '{ printf ("%'"'"'d\n", $0) }')
 
 # Don't count these when doing daily stats
 if [[ "$timeperiod" != "day" ]]; then
 
     # Per-server request count
-    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb1count=$(grep $apachesearchterm $logslocation/www/web1/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb1pc=$(echo "scale=4;($wwwaccessweb1count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessweb2count=$(grep $apachesearchterm $logslocation/www/web2/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessweb2pc=$(echo "scale=4;($wwwaccessweb2count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccessne01count=$(grep $apachesearchterm $logslocation/www/www-ne-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccessne01pc=$(echo "scale=4;($wwwaccessne01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
-    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer)" | grep 200 | grep "/content/" | wc -l)
+    wwwaccesswe01count=$(grep $apachesearchterm $logslocation/www/www-we-01/ssl_access_log* | grep -Eiv "$botstringlist" | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep 200 | grep "/content/" | wc -l)
     wwwaccesswe01pc=$(echo "scale=4;($wwwaccesswe01count/$wwwaccesscount)*100" | bc | awk '{printf "%.1f\n", $0}')
 fi
 

From f98fe67321f8d76a450201df965df7ed7d9b706a Mon Sep 17 00:00:00 2001
From: Rhys Smith <rhys.smith@jisc.ac.uk>
Date: Tue, 6 Jun 2017 18:27:04 +0100
Subject: [PATCH 65/80] Fix stats generation encoding issues for MDQ queries

---
 utilities/stats-generate.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 010e6da9..22d09928 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -587,7 +587,7 @@ if [[ "$timeperiod" != "day" ]]; then
     
     
     # Top 10 queries and how many downloads / total data shipped
-    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | sort | uniq -c | xargs -0 printf "%b" | sort -nr | head -10)
+    mdqtoptenqueriesbycount=$(grep $apachesearchterm $logslocation/md/md1/mdq.uou-access_log* $logslocation/md/md2/mdq.uou-access_log* $logslocation/md/md3/mdq.uou-access_log* $logslocation/md/md-ne-01/mdq.uou-access_log* $logslocation/md/md-ne-02/mdq.uou-access_log* $logslocation/md/md-we-01/mdq.uou-access_log* $logslocation/md/md-we-02/mdq.uou-access_log* | grep -Ev "(Sensu-HTTP-Check|dummy|check_http|Balancer|monitis)" | grep /entities/ | grep -v 404 | grep -v "/entities/ " | grep -v "/entities/ " | awk '{print $7}' | cut -f 3 -d "/" | sed "s@+@ @g;s@%@\\\\x@g" | printf "%b\n" $(</dev/stdin) | sort | uniq -c | sort -nr | head -10)
 fi
 
 # =====

From 71bfb59cac5b6fdef61a5728ef45946eb5fcdc54 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 14 Jun 2017 15:47:58 +0100
Subject: [PATCH 66/80] Add AD FS SSO binding to check_bindings

Make check_bindings consistent with check_adfs.
See ukf/ukf-meta#131.
---
 mdx/_rules/check_bindings.xsl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/_rules/check_bindings.xsl b/mdx/_rules/check_bindings.xsl
index 2525981a..cd05f0d4 100644
--- a/mdx/_rules/check_bindings.xsl
+++ b/mdx/_rules/check_bindings.xsl
@@ -136,6 +136,7 @@
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
 		">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">

From 1806ad9ff3c5f437499c7e89b8cf5a94eb4aae80 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 14 Jun 2017 16:39:04 +0100
Subject: [PATCH 67/80] Add HTTP-Artifact SSO binding to check_bindings

Bug fix: this binding is permitted by the spec, but rarely if ever used.
See ukf/ukf-meta#130.
---
 mdx/_rules/check_bindings.xsl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/_rules/check_bindings.xsl b/mdx/_rules/check_bindings.xsl
index cd05f0d4..7b2d0163 100644
--- a/mdx/_rules/check_bindings.xsl
+++ b/mdx/_rules/check_bindings.xsl
@@ -131,6 +131,7 @@
 	
 	<xsl:template match="md:SingleSignOnService
 		[@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
+		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']

From d62448c4d022959b3eba7ac6bda967a5c940adb5 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 14 Jun 2017 17:13:23 +0100
Subject: [PATCH 68/80] Trim whitespace from some more imported elements

See ukf/ukf-meta#129.
---
 mdx/common-beans.xml | 52 ++++++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index b91f9925..e782e283 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -512,17 +512,19 @@
     <!--
         QNames for SAML metadata elements.
     -->
-    <bean id="md-Company"                 parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
-    <bean id="md-EmailAddress"            parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
-    <bean id="md-GivenName"               parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
-    <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
-    <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
-    <bean id="md-OrganizationName"        parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
-    <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
-    <bean id="md-ServiceDescription"      parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
-    <bean id="md-ServiceName"             parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
-    <bean id="md-SurName"                 parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
-    <bean id="md-TelephoneNumber"         parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
+    <bean id="md-AdditionalMetadataLocation"  parent="QName" c:_0-ref="md_namespace" c:_1="AdditionalMetadataLocation"/>
+    <bean id="md-AttributeProfile"            parent="QName" c:_0-ref="md_namespace" c:_1="AttributeProfile"/>
+    <bean id="md-Company"                     parent="QName" c:_0-ref="md_namespace" c:_1="Company"/>
+    <bean id="md-EmailAddress"                parent="QName" c:_0-ref="md_namespace" c:_1="EmailAddress"/>
+    <bean id="md-GivenName"                   parent="QName" c:_0-ref="md_namespace" c:_1="GivenName"/>
+    <bean id="md-NameIDFormat"                parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
+    <bean id="md-OrganizationDisplayName"     parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
+    <bean id="md-OrganizationName"            parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationName"/>
+    <bean id="md-OrganizationURL"             parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
+    <bean id="md-ServiceDescription"          parent="QName" c:_0-ref="md_namespace" c:_1="ServiceDescription"/>
+    <bean id="md-ServiceName"                 parent="QName" c:_0-ref="md_namespace" c:_1="ServiceName"/>
+    <bean id="md-SurName"                     parent="QName" c:_0-ref="md_namespace" c:_1="SurName"/>
+    <bean id="md-TelephoneNumber"             parent="QName" c:_0-ref="md_namespace" c:_1="TelephoneNumber"/>
 
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
@@ -626,14 +628,15 @@
         ***********************************************
     -->
 
-    <bean id="mdui-Description"     parent="QName" c:_0-ref="mdui_namespace" c:_1="Description"/>
-    <bean id="mdui-DisplayName"     parent="QName" c:_0-ref="mdui_namespace" c:_1="DisplayName"/>
-    <bean id="mdui-DomainHint"      parent="QName" c:_0-ref="mdui_namespace" c:_1="DomainHint"/>
-    <bean id="mdui-GeolocationHint" parent="QName" c:_0-ref="mdui_namespace" c:_1="GeolocationHint"/>
-    <bean id="mdui-InformationURL"  parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
-    <bean id="mdui-IPHint"          parent="QName" c:_0-ref="mdui_namespace" c:_1="IPHint"/>
-    <bean id="mdui-Keywords"        parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
-    <bean id="mdui-Logo"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
+    <bean id="mdui-Description"         parent="QName" c:_0-ref="mdui_namespace" c:_1="Description"/>
+    <bean id="mdui-DisplayName"         parent="QName" c:_0-ref="mdui_namespace" c:_1="DisplayName"/>
+    <bean id="mdui-DomainHint"          parent="QName" c:_0-ref="mdui_namespace" c:_1="DomainHint"/>
+    <bean id="mdui-GeolocationHint"     parent="QName" c:_0-ref="mdui_namespace" c:_1="GeolocationHint"/>
+    <bean id="mdui-InformationURL"      parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
+    <bean id="mdui-IPHint"              parent="QName" c:_0-ref="mdui_namespace" c:_1="IPHint"/>
+    <bean id="mdui-Keywords"            parent="QName" c:_0-ref="mdui_namespace" c:_1="Keywords"/>
+    <bean id="mdui-Logo"                parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
+    <bean id="mdui-PrivacyStatementURL" parent="QName" c:_0-ref="mdui_namespace" c:_1="PrivacyStatementURL"/>
 
     <bean id="stripMDUIDiscoHints" parent="mda.ElementStrippingStage"
         p:elementName="DiscoHints"
@@ -936,12 +939,23 @@
     <bean id="trimImportElementWhitespace" parent="mda.ElementWhitespaceTrimmingStage">
         <property name="elementNames">
             <set>
+                <ref bean="md-AdditionalMetadataLocation"/>
+                <ref bean="md-AttributeProfile"/>
+                <ref bean="md-Company"/>
                 <ref bean="md-EmailAddress"/>
+                <ref bean="md-GivenName"/>
                 <ref bean="md-NameIDFormat"/>
                 <ref bean="md-OrganizationDisplayName"/>
+                <ref bean="md-OrganizationName"/>
                 <ref bean="md-OrganizationURL"/>
+                <ref bean="md-ServiceDescription"/>
+                <ref bean="md-ServiceName"/>
+                <ref bean="md-SurName"/>
+                <ref bean="md-TelephoneNumber"/>
+                <ref bean="mdui-GeolocationHint"/>
                 <ref bean="mdui-InformationURL"/>
                 <ref bean="mdui-Logo"/>
+                <ref bean="mdui-PrivacyStatementURL"/>
             </set>
         </property>
     </bean>

From c8fd968cc228a7413014aec3b574387fc471c55e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 14 Jun 2017 18:18:15 +0100
Subject: [PATCH 69/80] Switch to static ID value for export preview aggregate

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 96f70d26..7ccd193e 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -696,6 +696,7 @@
                 <ref bean="stripEntityScopes"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseExport"/>
+                <ref bean="setStaticID"/>
 
                 <bean id="uk_normaliseExport" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_export.xsl"/>

From e973511eef136ccb4c1b43f1715e164ee8f9ae8d Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 19 Jun 2017 11:50:40 +0100
Subject: [PATCH 70/80] Switch to static ID value for test aggregate

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 7ccd193e..b899bb5b 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -572,6 +572,7 @@
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="uk_finaliseTest"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseTest"/>
                 
                 <!-- test aggregate MUST pass publishability test -->

From 1a6656a11cf510ccfa2f0ce6aeaf9aae38ddf5d4 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 19 Jun 2017 14:31:12 +0100
Subject: [PATCH 71/80] Text files should end with a newline

See ukf/ukf-meta#134.
---
 attic/patch_entity.pl                                     | 2 +-
 build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq | 2 +-
 mdx/schema/saml-metadata-rpi-v1.0.xsd                     | 2 +-
 mdx/schema/sstc-metadata-attr.xsd                         | 2 +-
 mdx/schema/uk-fed-label.xsd                               | 2 +-
 mdx/schema/ws-authorization.xsd                           | 2 +-
 mdx/schema/ws-securitypolicy-1.2.xsd                      | 2 +-
 mdx/uk/sp_mdui_test.xsl                                   | 2 +-
 mdx/uk/statistics-charting.xsl                            | 2 +-
 mdx/uk/statistics.xsl                                     | 2 +-
 preprod.properties                                        | 2 +-
 utilities/stats-generate.sh                               | 2 +-
 utilities/stats-sync.sh                                   | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/attic/patch_entity.pl b/attic/patch_entity.pl
index a720c6ba..a47c4dfa 100755
--- a/attic/patch_entity.pl
+++ b/attic/patch_entity.pl
@@ -5,4 +5,4 @@
 		next;
 	}
 	print $_;
-}
\ No newline at end of file
+}
diff --git a/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq b/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
index e7617b9e..1d134de6 100644
--- a/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
+++ b/build/find_OpenAthens_entities_not_in_Eduserv_metadata.xq
@@ -24,4 +24,4 @@ return
 <Entity ID="{data($f/@ID)}">{data($f/@entityID)}
 </Entity>
 }
-</Entities>
\ No newline at end of file
+</Entities>
diff --git a/mdx/schema/saml-metadata-rpi-v1.0.xsd b/mdx/schema/saml-metadata-rpi-v1.0.xsd
index 135efa33..ebe5e9d1 100644
--- a/mdx/schema/saml-metadata-rpi-v1.0.xsd
+++ b/mdx/schema/saml-metadata-rpi-v1.0.xsd
@@ -76,4 +76,4 @@
         <attribute name="publicationId" type="string" />
     </complexType>
     
-</schema>
\ No newline at end of file
+</schema>
diff --git a/mdx/schema/sstc-metadata-attr.xsd b/mdx/schema/sstc-metadata-attr.xsd
index 5a445e21..432ef1a7 100644
--- a/mdx/schema/sstc-metadata-attr.xsd
+++ b/mdx/schema/sstc-metadata-attr.xsd
@@ -22,4 +22,4 @@
     </choice>
   </complexType>
 
-</schema>
\ No newline at end of file
+</schema>
diff --git a/mdx/schema/uk-fed-label.xsd b/mdx/schema/uk-fed-label.xsd
index 8c1656ae..854255e1 100644
--- a/mdx/schema/uk-fed-label.xsd
+++ b/mdx/schema/uk-fed-label.xsd
@@ -166,4 +166,4 @@
         </annotation>
     </element>
     
-</schema>
\ No newline at end of file
+</schema>
diff --git a/mdx/schema/ws-authorization.xsd b/mdx/schema/ws-authorization.xsd
index 5b8ae986..0fcdade9 100644
--- a/mdx/schema/ws-authorization.xsd
+++ b/mdx/schema/ws-authorization.xsd
@@ -142,4 +142,4 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:choice>
   </xs:complexType>
 
-</xs:schema>
\ No newline at end of file
+</xs:schema>
diff --git a/mdx/schema/ws-securitypolicy-1.2.xsd b/mdx/schema/ws-securitypolicy-1.2.xsd
index 0e562726..948e78a9 100644
--- a/mdx/schema/ws-securitypolicy-1.2.xsd
+++ b/mdx/schema/ws-securitypolicy-1.2.xsd
@@ -1202,4 +1202,4 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:annotation>
   </xs:element>
   
-</xs:schema>
\ No newline at end of file
+</xs:schema>
diff --git a/mdx/uk/sp_mdui_test.xsl b/mdx/uk/sp_mdui_test.xsl
index f23e6816..0ae7c2ca 100644
--- a/mdx/uk/sp_mdui_test.xsl
+++ b/mdx/uk/sp_mdui_test.xsl
@@ -135,4 +135,4 @@
         </html>
     </xsl:template>
     
-</xsl:stylesheet>
\ No newline at end of file
+</xsl:stylesheet>
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
index 12aab305..f85055bb 100644
--- a/mdx/uk/statistics-charting.xsl
+++ b/mdx/uk/statistics-charting.xsl
@@ -497,4 +497,4 @@
         </xsl:if>
     </xsl:template>
     
-</xsl:stylesheet>
\ No newline at end of file
+</xsl:stylesheet>
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index 31e89d99..d98a266b 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1772,4 +1772,4 @@
         </p>
     </xsl:template>
     
-</xsl:stylesheet>
\ No newline at end of file
+</xsl:stylesheet>
diff --git a/preprod.properties b/preprod.properties
index 26a0d200..ef97e089 100644
--- a/preprod.properties
+++ b/preprod.properties
@@ -45,4 +45,4 @@ md.dist.path.name=/
 # Preprod MDQ cache is a different file published at a different hostname
 #
 mdq.dist.name=mdq-test.ukfederation.org.uk
-mdq.cache=mdqcache-test.tar.gz
\ No newline at end of file
+mdq.cache=mdqcache-test.tar.gz
diff --git a/utilities/stats-generate.sh b/utilities/stats-generate.sh
index 22d09928..2debef68 100755
--- a/utilities/stats-generate.sh
+++ b/utilities/stats-generate.sh
@@ -813,4 +813,4 @@ fi
 
 
 echo -e "$msg"
-exit 0
\ No newline at end of file
+exit 0
diff --git a/utilities/stats-sync.sh b/utilities/stats-sync.sh
index 774f5ddd..f2fdba77 100755
--- a/utilities/stats-sync.sh
+++ b/utilities/stats-sync.sh
@@ -39,4 +39,4 @@ rsync -at stats@test-sp:/var/log/shibboleth/shibd* $logslocation/test-sp/
 rsync -at stats@test-sp:/var/log/shibboleth/transaction* $logslocation/test-sp/
 
 # Exit happily
-exit 0
\ No newline at end of file
+exit 0

From c099e6395897bd2493f7a3d47952ea0ce587b11a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 19 Jun 2017 14:37:28 +0100
Subject: [PATCH 72/80] Remove trailing white space from XML files

See ukf/ukf-meta#134.
---
 attic/extract_entityids.xsl                   |   6 +-
 attic/extract_member_dates.xsl                |   8 +-
 attic/extract_saml2sp.xsl                     |  10 +-
 attic/identity.xsl                            |  10 +-
 attic/members_domains.xsl                     |  20 +-
 build.xml                                     |  10 +-
 build/extract_addresses.xsl                   |  12 +-
 build/extract_cert_locs.xsl                   |   8 +-
 build/extract_embedded.xsl                    |   6 +-
 build/extract_locs.xsl                        |  12 +-
 build/extract_nk_cert_locs.xsl                |  12 +-
 build/extract_nk_nocert_locs.xsl              |   8 +-
 build/extract_nocert_locs.xsl                 |   4 +-
 charting/saml2.xsl                            |  14 +-
 charting/scopes.xsl                           |   4 +-
 mdx/_rules/check_adfs.xsl                     |  14 +-
 mdx/_rules/check_aggregate.xsl                |  10 +-
 mdx/_rules/check_algsupport.xsl               |  20 +-
 mdx/_rules/check_bindings.xsl                 |  18 +-
 mdx/_rules/check_entityid_prefix.xsl          |   4 +-
 mdx/_rules/check_filtered.xsl                 |   4 +-
 mdx/_rules/check_framework.xsl                |  16 +-
 mdx/_rules/check_future_0.xsl                 |   4 +-
 mdx/_rules/check_future_1.xsl                 |   4 +-
 mdx/_rules/check_future_2.xsl                 |   4 +-
 mdx/_rules/check_future_3.xsl                 |   6 +-
 mdx/_rules/check_future_4.xsl                 |   4 +-
 mdx/_rules/check_future_5.xsl                 |   4 +-
 mdx/_rules/check_future_6.xsl                 |   4 +-
 mdx/_rules/check_future_7.xsl                 |   4 +-
 mdx/_rules/check_future_8.xsl                 |   4 +-
 mdx/_rules/check_future_9.xsl                 |   4 +-
 mdx/_rules/check_hasreginfo.xsl               |   6 +-
 mdx/_rules/check_hoksso.xsl                   |  28 +-
 mdx/_rules/check_idp_tls.xsl                  |   6 +-
 mdx/_rules/check_idpdisc.xsl                  |  18 +-
 mdx/_rules/check_imported.xsl                 |  10 +-
 mdx/_rules/check_incmd.xsl                    |  24 +-
 mdx/_rules/check_init.xsl                     |  12 +-
 mdx/_rules/check_mdattr.xsl                   |  18 +-
 mdx/_rules/check_mdiop.xsl                    |   6 +-
 mdx/_rules/check_mdrpi.xsl                    |  52 ++--
 mdx/_rules/check_mdui.xsl                     |  78 ++---
 mdx/_rules/check_misc.xsl                     |  30 +-
 mdx/_rules/check_namespaces.xsl               |  46 +--
 mdx/_rules/check_rands_member.xsl             |  16 +-
 mdx/_rules/check_rands_support.xsl            |   8 +-
 mdx/_rules/check_regauth.xsl                  |  10 +-
 mdx/_rules/check_reqattr.xsl                  |  86 +++---
 mdx/_rules/check_saml1.xsl                    |  12 +-
 mdx/_rules/check_saml2.xsl                    |  22 +-
 mdx/_rules/check_saml2int.xsl                 |  32 +-
 mdx/_rules/check_saml2meta.xsl                |  22 +-
 mdx/_rules/check_shib_noregscope.xsl          |   2 +-
 mdx/_rules/check_shib_regscope.xsl            |   6 +-
 mdx/_rules/check_shibboleth.xsl               |  62 ++--
 mdx/_rules/check_sirtfi.xsl                   |   4 +-
 mdx/_rules/check_sp_tls.xsl                   |   6 +-
 mdx/_rules/check_uk_algorithms.xsl            |  24 +-
 mdx/_rules/check_uk_trust.xsl                 |  46 +--
 mdx/_rules/check_vhosts.xsl                   |  14 +-
 mdx/_rules/mdui_dn_en_match.xsl               |   8 +-
 mdx/_rules/mdui_dn_en_present.xsl             |   6 +-
 mdx/at_aconet/beans.xml                       |  34 +--
 mdx/at_aconet/verbs.xml                       |  18 +-
 mdx/clean-import.xsl                          |  28 +-
 mdx/common-beans.xml                          | 256 ++++++++--------
 mdx/default_regauth.xsl                       |  16 +-
 mdx/int_cobweb/beans.xml                      |  14 +-
 mdx/int_cobweb/verbs.xml                      |  14 +-
 mdx/int_edugain/beans.xml                     |  22 +-
 mdx/int_edugain/check_recovered.xsl           |   4 +-
 mdx/int_edugain/verbs.xml                     |  36 +--
 mdx/ns_norm.xsl                               |  68 ++---
 mdx/schema/MetadataExchange.xsd               |   8 +-
 mdx/schema/incommon-metadata.xsd              |   8 +-
 ...oasis-200401-wss-wssecurity-secext-1.0.xsd |   2 +-
 ...asis-200401-wss-wssecurity-utility-1.0.xsd |   8 +-
 mdx/schema/refeds-metadata.xsd                |   6 +-
 mdx/schema/saml-metadata-rpi-v1.0.xsd         |  26 +-
 mdx/schema/saml-schema-metadata-2.0.xsd       |  18 +-
 .../sstc-saml-metadata-algsupport-v1.0.xsd    |   2 +-
 mdx/schema/sstc-saml-metadata-ui-v1.0.xsd     |   6 +-
 mdx/schema/uk-fed-label.xsd                   |  26 +-
 mdx/schema/ws-addr.xsd                        |  30 +-
 mdx/schema/ws-authorization.xsd               |  38 +--
 mdx/schema/ws-federation.xsd                  |  78 ++---
 mdx/schema/ws-securitypolicy-1.2.xsd          |  42 +--
 mdx/schema/xenc-schema-11.xsd                 |  10 +-
 mdx/schema/xenc-schema.xsd                    |  14 +-
 mdx/schema/xml.xsd                            |   2 +-
 mdx/schema/xmldsig-core-schema.xsd            | 140 ++++-----
 mdx/schema/xmldsig11-schema.xsd               |  18 +-
 mdx/strip-aa-mdui.xsl                         |  12 +-
 mdx/strip-comments.xsl                        |  10 +-
 mdx/strip-mdui-logo-data.xsl                  |  12 +-
 mdx/test/beans.xml                            |   6 +-
 mdx/test/verbs.xml                            |  10 +-
 mdx/uk/beans.xml                              | 164 +++++-----
 mdx/uk/blacklist.xml                          |   4 +-
 mdx/uk/check_fixup_encmethod.xsl              |   8 +-
 mdx/uk/check_uk_keydesc_key.xsl               |   6 +-
 mdx/uk/check_uk_mdattr.xsl                    |  14 +-
 mdx/uk/check_uk_mdrps.xsl                     |  12 +-
 mdx/uk/check_uk_urlenc.xsl                    |   8 +-
 mdx/uk/check_ukreg.xsl                        |  12 +-
 mdx/uk/collect.xml                            |   2 +-
 mdx/uk/entity_scopes.xsl                      |   8 +-
 mdx/uk/final_tweak.xsl                        |  42 +--
 mdx/uk/fix_mailto.xsl                         |   8 +-
 mdx/uk/fragment.xsl                           |  18 +-
 mdx/uk/generate.xml                           | 216 ++++++-------
 mdx/uk/ns_norm_back.xsl                       |  50 +--
 mdx/uk/ns_norm_cds.xsl                        |  24 +-
 mdx/uk/ns_norm_export.xsl                     |  48 +--
 mdx/uk/ns_norm_export_preview.xsl             |  48 +--
 mdx/uk/ns_norm_fragment.xsl                   |  28 +-
 mdx/uk/ns_norm_test.xsl                       |  50 +--
 mdx/uk/ns_norm_uk.xsl                         |  50 +--
 mdx/uk/scopes_copy.xsl                        |  16 +-
 mdx/uk/sp_mdui_test.xsl                       |  28 +-
 mdx/uk/statistics-charting.xsl                |  96 +++---
 mdx/uk/statistics.xsl                         | 286 +++++++++---------
 mdx/uk/strip_extensions.xsl                   |  12 +-
 mdx/uk/strip_sirtfi_contacts.xsl              |   8 +-
 mdx/uk/verbs.xml                              |  82 ++---
 mdx/us_incommon/beans.xml                     |  38 +--
 mdx/us_incommon/verbs.xml                     |  14 +-
 mdx/validation-beans.xml                      | 138 ++++-----
 129 files changed, 1786 insertions(+), 1786 deletions(-)

diff --git a/attic/extract_entityids.xsl b/attic/extract_entityids.xsl
index 95de7af2..c8d79b18 100644
--- a/attic/extract_entityids.xsl
+++ b/attic/extract_entityids.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	extract_entityids.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of entity IDs.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -23,7 +23,7 @@
 		<xsl:value-of select="@entityID"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
diff --git a/attic/extract_member_dates.xsl b/attic/extract_member_dates.xsl
index b1e69ec8..ac25f80e 100644
--- a/attic/extract_member_dates.xsl
+++ b/attic/extract_member_dates.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	extract_member_dates.xsl
-	
+
 	XSL stylesheet that takes the UK federation members.xml file ane extracts
 	member names and joining dates in a format suitable for updating.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -16,7 +16,7 @@
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
-	
+
 	<xsl:template match="ukfm:Member">
 		<xsl:value-of select="ukfm:JoinDate"/>
 		<xsl:text>,"</xsl:text>
@@ -30,5 +30,5 @@
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/attic/extract_saml2sp.xsl b/attic/extract_saml2sp.xsl
index e3378aaf..6950a87e 100644
--- a/attic/extract_saml2sp.xsl
+++ b/attic/extract_saml2sp.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	extract_saml2sp.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
 	SAML 2.0 support information for each SP entity.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -18,7 +18,7 @@
 
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
-	
+
 	<xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
 		<xsl:value-of select="@ID"/>
 		<xsl:text> </xsl:text>
@@ -29,9 +29,9 @@
 		</xsl:choose>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/attic/identity.xsl b/attic/identity.xsl
index caac8f28..dc2ad8b1 100644
--- a/attic/identity.xsl
+++ b/attic/identity.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	identity.xsl
-	
+
 	Identity transform.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -14,17 +14,17 @@
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-		
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/attic/members_domains.xsl b/attic/members_domains.xsl
index f1104725..eedd6d9f 100644
--- a/attic/members_domains.xsl
+++ b/attic/members_domains.xsl
@@ -2,17 +2,17 @@
 <!--
 
 	members_domains.xsl
-	
+
 	Update members.xml to use Domain and PrimaryScope instead of
 	Scopes and isPrimary.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns:members="http://ukfederation.org.uk/2007/01/members"
 	xmlns:xalan="http://xml.apache.org/xalan"
-	
+
 	exclude-result-prefixes="members xalan"
 	xmlns="http://ukfederation.org.uk/2007/01/members"
 	>
@@ -20,11 +20,11 @@
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
 		indent="yes" xalan:indent-amount="4"
 	/>
-	
+
 	<!--
 		If a Scopes element has an isPrimary Scope, extract that
 		as the domain and primary scope for the member.
-		
+
 		The result may not be schema-valid if the Scopes element is not
 		the first one belonging to the member: duplicate Domains elements
 		need to be removed, and misplaced Domains elements may need
@@ -43,7 +43,7 @@
 			Delete the Scopes element entirely if:
 				* it contains only one Scope, and
 				* it contains no Entity elements
-				
+
 			In other words, retain it if:
 				* it contains more than one Scope, or
 				* it contains any Entity elements
@@ -55,24 +55,24 @@
 			</xsl:copy>
 		</xsl:if>
 	</xsl:template>
-	
+
 	<!--
 		Remove any remaining isPrimary attributes.
 	-->
 	<xsl:template match="@isPrimary">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/build.xml b/build.xml
index c277c79b..6ca3971a 100644
--- a/build.xml
+++ b/build.xml
@@ -522,7 +522,7 @@
         fs.tar.mdqcache">
         <echo>Stage 4 Success: MDQ cache created; all files comitted to data repository.</echo>
     </target>
-    
+
     <!--
         Stage 4.2 of md process: Copy files from keymaster, push.
 
@@ -549,7 +549,7 @@
         Runs on: orchestrator
             * Git: Create New Tag
             * Git: Push to origin
-            * SCP: Copy mdq cache to repo 
+            * SCP: Copy mdq cache to repo
             * Jenkins: Trigger publish task
     -->
     <target name="process.bagandtag" depends="
@@ -1187,7 +1187,7 @@
             <delete file="${temp.xml}" quiet="true" verbose="false"/>
         </sequential>
     </macrodef>
-    
+
     <!--
         Verify a metadata file held on the master distribution site, using the ukfederation-mdq.pem key
     -->
@@ -1706,7 +1706,7 @@
             </XMLSECTOOL>
         </sequential>
     </macrodef>
-    
+
     <macrodef name="XMLSECTOOL.VFY.MDQ.uk">
         <attribute name="i"/><!-- input file -->
         <sequential>
@@ -2322,7 +2322,7 @@
         <CHANNEL.do channel="uk" verb="statistics"/>
         <fixcrlf file="${output.dir}/${mdaggr.stats}" eol="lf" encoding="UTF-8"/>
     </target>
-    
+
     <!--
         This variant generates a much simpler file, intended for use when building the
         monthly chart pack.
diff --git a/build/extract_addresses.xsl b/build/extract_addresses.xsl
index 8a0415ba..1f8d67cd 100644
--- a/build/extract_addresses.xsl
+++ b/build/extract_addresses.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	extract_addresses.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of contact e-mail addresses.  Only administrative and
 	technical addresses are used; all others are dropped.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -25,15 +25,15 @@
 			<xsl:apply-templates select="md:EntityDescriptor/md:ContactPerson"/>
 		</Addresses>
 	</xsl:template>
-	
+
 	<xsl:template match="md:ContactPerson[@contactType='support']">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<xsl:template match="md:ContactPerson">
 		<xsl:apply-templates select="md:EmailAddress"/>
 	</xsl:template>
-	
+
 	<xsl:template match="md:EmailAddress">
 		<EmailAddress><xsl:value-of select="."/></EmailAddress>
 	</xsl:template>
@@ -41,5 +41,5 @@
 	<xsl:template match="text()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/build/extract_cert_locs.xsl b/build/extract_cert_locs.xsl
index 983f7194..b2b0eabf 100644
--- a/build/extract_cert_locs.xsl
+++ b/build/extract_cert_locs.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	extract_cert_locs.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of service locations that require certificates to be
 	presented to them.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -23,7 +23,7 @@
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<!--
 		ArtifactResolutionService endpoints on IdPs are assumed to be
 		authenticated by TLS; those on SPs are assumed to be authenticated
@@ -33,7 +33,7 @@
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
diff --git a/build/extract_embedded.xsl b/build/extract_embedded.xsl
index 9dc0d3bb..75927cec 100644
--- a/build/extract_embedded.xsl
+++ b/build/extract_embedded.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	extract_embedded.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	all embedded certificates on entities in the form of a series of
 	PEM certificate blocks.
-	
+
 	A descriptive comment is added to indicate the entity in question and
 	the KeyName used (if any) so that later processing can distinguish.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/build/extract_locs.xsl b/build/extract_locs.xsl
index b5411589..1de4ddb0 100644
--- a/build/extract_locs.xsl
+++ b/build/extract_locs.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	extract_locs.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of service locations that will have TLS certificates.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -23,22 +23,22 @@
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="//md:ArtifactResolutionService">
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="//md:SingleSignOnService">
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="//md:AssertionConsumerService">
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
diff --git a/build/extract_nk_cert_locs.xsl b/build/extract_nk_cert_locs.xsl
index b18d937d..8bd8cd03 100644
--- a/build/extract_nk_cert_locs.xsl
+++ b/build/extract_nk_cert_locs.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	extract_nk_cert_locs.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of service locations that require certificates to be
 	presented to them.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -22,20 +22,20 @@
 
 	<!--
 		Exclude entities which have embedded certificates.
-		
+
 		I.e., restrict output to entities which only have PKIX trust.
 	-->
 	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<xsl:template match="//md:AttributeService">
 		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
 		<xsl:text> </xsl:text>
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<!--
 		ArtifactResolutionService endpoints on IdPs are assumed to be
 		authenticated by TLS; those on SPs are assumed to be authenticated
@@ -47,7 +47,7 @@
 		<xsl:value-of select="@Location"/>
 		<xsl:text>&#x0a;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
diff --git a/build/extract_nk_nocert_locs.xsl b/build/extract_nk_nocert_locs.xsl
index bd038a08..8c502036 100644
--- a/build/extract_nk_nocert_locs.xsl
+++ b/build/extract_nk_nocert_locs.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	extract_nk_nocert_locs.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of service locations that do not require certificates to be
 	presented to them.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -22,13 +22,13 @@
 
 	<!--
         Exclude entities which have embedded certificates.
-        
+
         I.e., restrict output to entities which only have PKIX trust.
     -->
 	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<xsl:template match="//md:SingleSignOnService">
 		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
 		<xsl:text> </xsl:text>
diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl
index a67c1f1c..0ca45f9a 100644
--- a/build/extract_nocert_locs.xsl
+++ b/build/extract_nocert_locs.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	extract_nocert_locs.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of service locations that do not require certificates to be
 	presented to them.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/charting/saml2.xsl b/charting/saml2.xsl
index 17780729..7e916c3f 100644
--- a/charting/saml2.xsl
+++ b/charting/saml2.xsl
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	saml2.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	statistics about the level of SAML 2 protocol support within the
 	included entities.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -16,10 +16,10 @@
 	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	exclude-result-prefixes="md mdrpi">
-	
+
 	<!-- Output is plain text -->
 	<xsl:output method="text"/>
-	
+
 	<xsl:template match="md:EntitiesDescriptor">
 		<xsl:variable name="entities" select="//md:EntityDescriptor
 		[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
@@ -45,7 +45,7 @@
 			])"/>
 		<xsl:text>&#10;</xsl:text>
 	</xsl:template>
-	
+
 	<xsl:template match="text()">
 		<!-- do nothing -->
 	</xsl:template>
diff --git a/charting/scopes.xsl b/charting/scopes.xsl
index 6b05fd54..b53d2ccc 100644
--- a/charting/scopes.xsl
+++ b/charting/scopes.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	scopes.xsl
-	
+
 	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
 	a list of scopes used.  Regular expression scopes are ignored.
 	Duplicates are not removed, and the result is unsorted.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_adfs.xsl b/mdx/_rules/check_adfs.xsl
index c5336cc8..e4edee1f 100644
--- a/mdx/_rules/check_adfs.xsl
+++ b/mdx/_rules/check_adfs.xsl
@@ -2,12 +2,12 @@
 <!--
 
 	check_adfs.xsl
-	
+
 	Checking ruleset containing rules associated with the ADFS metadata profile,
 	as described here:
 
 		https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -33,7 +33,7 @@
 			<xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		An SP's SSO descriptor must contain an AssertionConsumerService element with
 		the appropriate binding.
@@ -45,7 +45,7 @@
 			<xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		If the ADFS binding appears on any service, the parent role's protocol support
 		enumeration must include the appropruate URI.
@@ -57,7 +57,7 @@
 			<xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AssertionConsumerService
 		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
 		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
@@ -65,7 +65,7 @@
 			<xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SingleLogoutService
 		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
 		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
@@ -73,5 +73,5 @@
 			<xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_aggregate.xsl b/mdx/_rules/check_aggregate.xsl
index e331c1c2..031c18aa 100644
--- a/mdx/_rules/check_aggregate.xsl
+++ b/mdx/_rules/check_aggregate.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_aggregate.xsl
-	
+
 	Checking ruleset containing aggregate-level checks.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,7 +26,7 @@
 		Checks across the whole of the document are defined here.
 	-->
 	<xsl:template match="/">
-		
+
 		<!-- check for duplicate entityID values -->
 		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
 		<xsl:variable name="dup.entityIDs"
@@ -39,7 +39,7 @@
 				</xsl:call-template>
 			</xsl:for-each>
 		</xsl:for-each>
-		
+
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_algsupport.xsl b/mdx/_rules/check_algsupport.xsl
index 2902221f..0c2481aa 100644
--- a/mdx/_rules/check_algsupport.xsl
+++ b/mdx/_rules/check_algsupport.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_algsupport.xsl
-	
+
 	Checking ruleset for the SAML V2.0 Metadata Profile for Algorithm Support.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -29,16 +29,16 @@
 			<xsl:with-param name="m">EncryptionMethod should not be present on 'signing' KeyDescriptor</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Check for duplicate SigningMethod or DigestMethod algorithms in any given list.
 	-->
 	<xsl:template match="md:Extensions[alg:*]">
-		
+
 		<!-- check individual alg:SigningMethod and alg:DigestMethod elements -->
-		<xsl:apply-templates/>  
+		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<!--
 		2.4 Check for misplaced SigningMethod or DigestMethod elements.
 	-->
@@ -51,14 +51,14 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Check for duplicate EncryptionMethod elements in any given list.
 	-->
 	<xsl:template match="md:KeyDescriptor[md:EncryptionMethod]">
-		
+
 		<!-- check individual md:EncryptionMethod elements -->
-		<xsl:apply-templates/>	
+		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_bindings.xsl b/mdx/_rules/check_bindings.xsl
index 7b2d0163..282c8658 100644
--- a/mdx/_rules/check_bindings.xsl
+++ b/mdx/_rules/check_bindings.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_bindings.xsl
-	
+
 	Checking ruleset that checks SAML 2.0 metadata Binding values.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -32,7 +32,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AssertionConsumerService
 		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
 		[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
@@ -52,7 +52,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AssertionIDRequestService
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
@@ -80,7 +80,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:ManageNameIDService
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
@@ -97,7 +97,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:NameIDMappingService
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
 		">
@@ -128,7 +128,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SingleSignOnService
 		[@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
@@ -148,7 +148,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Issue warnings for all Bindings on elements other than the ones
 		called out above, as they may well be accurate but need additional
@@ -174,5 +174,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_entityid_prefix.xsl b/mdx/_rules/check_entityid_prefix.xsl
index 6c8e4c71..db29c0a1 100644
--- a/mdx/_rules/check_entityid_prefix.xsl
+++ b/mdx/_rules/check_entityid_prefix.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_entityid_prefix.xsl
-	
+
 	Checking that entityID attributes start with one of a whitelist of prefixes.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_filtered.xsl b/mdx/_rules/check_filtered.xsl
index fdb40a1f..3b4b73e1 100644
--- a/mdx/_rules/check_filtered.xsl
+++ b/mdx/_rules/check_filtered.xsl
@@ -5,7 +5,7 @@
 
 	This checking ruleset verifies that certain constructs have been removed from the
 	metadata before it is published.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -24,7 +24,7 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<xsl:template match="ds:X509SerialNumber">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
diff --git a/mdx/_rules/check_framework.xsl b/mdx/_rules/check_framework.xsl
index 613c1b6a..d6557058 100644
--- a/mdx/_rules/check_framework.xsl
+++ b/mdx/_rules/check_framework.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_framework.xsl
-	
+
 	XSL stylesheet providing a framework for use by rule checking files.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -19,7 +19,7 @@
 		xsl:message element.
 	-->
 	<xsl:output method="text"/>
-	
+
 
 	<!--
 		Common template to call to report an error on some element within an entity.
@@ -81,8 +81,8 @@
 			<xsl:value-of select="$m"/>
 		</xsl:message>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Common template to call to report an informational message on some element within an entity.
 	-->
@@ -112,13 +112,13 @@
 			<xsl:value-of select="$m"/>
 		</xsl:message>
 	</xsl:template>
-	
-	
+
+
 	<!-- Recurse down through all elements by default. -->
 	<xsl:template match="*">
 		<xsl:apply-templates select="node()|@*"/>
 	</xsl:template>
-	
+
 
 	<!-- Discard text blocks, comments and attributes by default. -->
 	<xsl:template match="text()|comment()|@*">
diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index 7604ebd8..36dcb13e 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_0.xsl
-	
+
 	Checking ruleset containing rules that we don't currently implement,
 	but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index 5ef23c5d..020829f6 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_1.xsl
-	
+
 	Checking ruleset containing rules that we don't currently implement,
 	but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
index 0226d724..9e8119f0 100644
--- a/mdx/_rules/check_future_2.xsl
+++ b/mdx/_rules/check_future_2.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_2.xsl
-	
+
 	Checking ruleset containing rules that we don't currently implement,
 	but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_3.xsl b/mdx/_rules/check_future_3.xsl
index 4b83d777..cb307b84 100644
--- a/mdx/_rules/check_future_3.xsl
+++ b/mdx/_rules/check_future_3.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_3.xsl
-	
+
 	Checking ruleset containing rules that we don't currently implement,
 	but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -27,5 +27,5 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
index 11cfa927..4d3e9c74 100644
--- a/mdx/_rules/check_future_4.xsl
+++ b/mdx/_rules/check_future_4.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_4.xsl
-	
+
 	Checking ruleset containing rules that we don't currently implement,
 	but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_5.xsl b/mdx/_rules/check_future_5.xsl
index 326c22c2..42bff55a 100644
--- a/mdx/_rules/check_future_5.xsl
+++ b/mdx/_rules/check_future_5.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_5.xsl
-	
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-    	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_6.xsl b/mdx/_rules/check_future_6.xsl
index b312f48e..376914dc 100644
--- a/mdx/_rules/check_future_6.xsl
+++ b/mdx/_rules/check_future_6.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_6.xsl
-	
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_7.xsl b/mdx/_rules/check_future_7.xsl
index 65f06792..ea671d33 100644
--- a/mdx/_rules/check_future_7.xsl
+++ b/mdx/_rules/check_future_7.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_7.xsl
-	
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_8.xsl b/mdx/_rules/check_future_8.xsl
index 52030060..f80a9a9b 100644
--- a/mdx/_rules/check_future_8.xsl
+++ b/mdx/_rules/check_future_8.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_8.xsl
-	
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_future_9.xsl b/mdx/_rules/check_future_9.xsl
index edfbec8e..8d41c815 100644
--- a/mdx/_rules/check_future_9.xsl
+++ b/mdx/_rules/check_future_9.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_future_9.xsl
-	
+
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
diff --git a/mdx/_rules/check_hasreginfo.xsl b/mdx/_rules/check_hasreginfo.xsl
index f3319047..e312f5be 100644
--- a/mdx/_rules/check_hasreginfo.xsl
+++ b/mdx/_rules/check_hasreginfo.xsl
@@ -4,7 +4,7 @@
 	check_hasreginfo.xsl
 
 	Check that an entity has a RegistrationInfo element.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -17,11 +17,11 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<xsl:template match="md:EntityDescriptor[not(md:Extensions/mdrpi:RegistrationInfo)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">entity does not have an mdrpi:RegistrationInfo element</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hoksso.xsl b/mdx/_rules/check_hoksso.xsl
index ed17d412..28505a92 100644
--- a/mdx/_rules/check_hoksso.xsl
+++ b/mdx/_rules/check_hoksso.xsl
@@ -2,12 +2,12 @@
 <!--
 
 	check_hoksso.xsl
-	
+
 	Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
 	Profile Version 1.0, which can be found here:
 
         https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,12 +26,12 @@
 
 	<!--
 		Schema checks.
-		
+
 		The schema itself doesn't help very much as most contexts in which the hoksso
 		namespace is used are subject to "lax" checking.  These checks duplicate some
 		aspects of XML Schema checking as we'd like it to behave.
 	-->
-	
+
 	<xsl:template match="hoksso:*">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -40,7 +40,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -49,7 +49,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		hoksso:ProtocolBinding should only appear on md:SingleSignOnService
 		or on md:AssertionConsumerService.
@@ -63,7 +63,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
 		with the appropriate value.
@@ -79,12 +79,12 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
 		the valid values.
 	-->
-	
+
 	<xsl:template match="md:*
 		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
 		[not(@hoksso:ProtocolBinding)]">
@@ -96,7 +96,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SingleSignOnService
 		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
 		[@hoksso:ProtocolBinding]
@@ -114,7 +114,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AssertionConsumerService
 		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
 		[@hoksso:ProtocolBinding]
@@ -132,7 +132,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 2.0 HoK binding requires SAML 2.0 in protocolSupportEnumeration.
     -->
@@ -146,7 +146,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SPSSODescriptor
 		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
 		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
@@ -156,5 +156,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idp_tls.xsl b/mdx/_rules/check_idp_tls.xsl
index 688956a4..ef39c042 100644
--- a/mdx/_rules/check_idp_tls.xsl
+++ b/mdx/_rules/check_idp_tls.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_idp_tls.xsl
-	
+
 	Checking that all IdP endpoints are TLS-protected.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -42,5 +42,5 @@
 			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idpdisc.xsl b/mdx/_rules/check_idpdisc.xsl
index 14077c40..f7b18305 100644
--- a/mdx/_rules/check_idpdisc.xsl
+++ b/mdx/_rules/check_idpdisc.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_idpdisc.xsl
-	
+
 	Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -25,7 +25,7 @@
 		"index" attributes on DiscoveryResponse elements should all be different
 		for any given entity.
 	-->
-	
+
 	<xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
 		<xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
 		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
@@ -37,29 +37,29 @@
 		<!-- check individual DiscoveryResponse elements for correctness as well -->
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<!--
 		Checks on the DiscoveryResponse extension.
 	-->
-	
+
 	<xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
 		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_imported.xsl b/mdx/_rules/check_imported.xsl
index e632f40d..de5f97dc 100644
--- a/mdx/_rules/check_imported.xsl
+++ b/mdx/_rules/check_imported.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_imported.xsl
-	
-	Checking ruleset containing rules associated with imported metadata.	
-	
+
+	Checking ruleset containing rules associated with imported metadata.
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -36,7 +36,7 @@
 			<xsl:call-template name="error">
 				<xsl:with-param name="m">this IdP does not have any Scope elements</xsl:with-param>
 			</xsl:call-template>
-		</xsl:if>		
+		</xsl:if>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_incmd.xsl b/mdx/_rules/check_incmd.xsl
index 214860a3..727dd71f 100644
--- a/mdx/_rules/check_incmd.xsl
+++ b/mdx/_rules/check_incmd.xsl
@@ -2,12 +2,12 @@
 <!--
 
 	check_incmd.xsl
-	
+
 	Checking ruleset for the InCommon Federation metadata extensions,
 	the schema for which can be found here:
 
         https://spaces.internet2.edu/x/iIuVAQ
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -27,13 +27,13 @@
 	<!--
 		Checks for the contactType attribute.
 	-->
-	
+
 	<xsl:template match="@incmd:contactType[not(parent::md:ContactPerson)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">incmd:contactType should only appear on md:ContactPerson</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:ContactPerson[@incmd:contactType][@contactType != 'other']">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -43,13 +43,13 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Check for specific values.  This test is probably over-specific in the long term.
 	-->
@@ -63,19 +63,19 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="@incmd:contactType">
 		<!-- otherwise, fine -->
 	</xsl:template>
-	
+
 	<!--
 		Additional schema checks.
-		
+
 		The schema itself doesn't help very much as most contexts in which the incmd
 		namespace is used are subject to "lax" checking.  These checks duplicate some
 		aspects of XML Schema checking as we'd like it to behave.
 	-->
-	
+
 	<xsl:template match="incmd:*">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -84,7 +84,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="@incmd:*">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -93,5 +93,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_init.xsl b/mdx/_rules/check_init.xsl
index f33fd624..6000a50e 100644
--- a/mdx/_rules/check_init.xsl
+++ b/mdx/_rules/check_init.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_int.xsl
-	
+
 	Checking ruleset containing rules associated with the
 	Service Provider Request Initiation Protocol and Profile Version 1.0.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -24,19 +24,19 @@
 	<!--
 		Checks on the RequestInitiator extension.
 	-->
-	
+
 	<xsl:template match="init:RequestInitiator[not(@Binding)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">missing Binding attribute on RequestInitiator</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="init:RequestInitiator[@Binding]
 		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:request-init']">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">incorrect Binding value on RequestInitiator</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdattr.xsl b/mdx/_rules/check_mdattr.xsl
index f5782d52..4a845f6a 100644
--- a/mdx/_rules/check_mdattr.xsl
+++ b/mdx/_rules/check_mdattr.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	check_mdattr.xsl
-	
+
 	Checking ruleset containing rules associated with the SAML V2.0 Metadata
 	Extension for Entity Attributes Version 1.0, see:
 
 		https://wiki.oasis-open.org/security/SAML2MetadataAttr
-		
+
 	This ruleset reflects Committee Specification 01, 04-Aug-2009.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,12 +26,12 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<!--
 		Section 2.3
 
 		The specification only defines the meaning of EntityAttributes within the Extensions of either
-		EntitiesDescriptor or EntityDescriptor. 
+		EntitiesDescriptor or EntityDescriptor.
 	-->
 	<xsl:template match="mdattr:EntityAttributes[not(parent::md:Extensions)]">
 		<xsl:call-template name="error">
@@ -44,10 +44,10 @@
 			<xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.3 line 176.
-		
+
 		Assertions not permitted in the context of an EntitiesDescriptor.
 	-->
 	<xsl:template match="md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes/saml:Assertion">
@@ -58,7 +58,7 @@
 
 	<!--
 		Section 2.3 line 182.
-		
+
 		EntityAttributes MUST NOT appear more than once within a given <md:Extensions> element.
 	-->
 	<xsl:template match="md:Extensions/mdattr:EntityAttributes[position()>1]">
@@ -66,5 +66,5 @@
 			<xsl:with-param name="m">more than one EntityAttributes element in an Extensions element</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdiop.xsl b/mdx/_rules/check_mdiop.xsl
index ac3104fd..503e76d6 100644
--- a/mdx/_rules/check_mdiop.xsl
+++ b/mdx/_rules/check_mdiop.xsl
@@ -2,7 +2,7 @@
 <!--
 
 	check_mdiop.xsl
-	
+
 	Checking ruleset containing rules associated with the SAML V2.0 Metadata
 	Interoperability Profile, see:
 
@@ -33,7 +33,7 @@
 			<xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
 	-->
@@ -42,5 +42,5 @@
 			<xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdrpi.xsl b/mdx/_rules/check_mdrpi.xsl
index db9911b9..19253239 100644
--- a/mdx/_rules/check_mdrpi.xsl
+++ b/mdx/_rules/check_mdrpi.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	check_mdrpi.xsl
-	
+
 	Checking ruleset containing rules associated with the SAML V2.0 Metadata
 	Extensions for Registration and Publication Information Version 1.0, see:
 
 		http://wiki.oasis-open.org/security/SAML2MetadataDRI
-		
+
 	This ruleset reflects WD08, 12-Dec-2011.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,10 +26,10 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<!--
 		Section 2.1
-		
+
 		RegistrationInfo MUST appear within the Extensions of either
 		EntitiesDescriptor or EntityDescriptor.
 	-->
@@ -44,10 +44,10 @@
 			<xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1
-		
+
 		<mdrpi:RegistrationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
 	-->
 	<xsl:template match="md:Extensions/mdrpi:RegistrationInfo[position()>1]">
@@ -55,10 +55,10 @@
 			<xsl:with-param name="m">more than one RegistrationInfo element in one Extensions element</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1
-		
+
 		If RegistrationInfo appears on an EntitiesDescriptor, that precludes any appearance on nested
 		EntitiesDescriptor or EntityDescriptor elements.
 	-->
@@ -66,12 +66,12 @@
 		[md:EntityDescriptor//mdrpi:RegistrationInfo | md:EntitiesDescriptor//mdrpi:RegistrationInfo]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">RegistrationInfo may not appear on both EntitiesDescriptor and child elements</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1.1
-		
+
 		registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
 	-->
 	<xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
@@ -81,12 +81,12 @@
 				<xsl:text>registrationInstant does not end with 'Z': </xsl:text>
 				<xsl:value-of select="@registrationInstant"/>
 			</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1.1
-		
+
 		RegistrationPolicy elements are required to have unique xml:lang values within a given container.
 	-->
 	<xsl:template match="mdrpi:RegistrationInfo">
@@ -94,7 +94,7 @@
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdrpi:RegistrationPolicy"/>
 		</xsl:call-template>
-		
+
 		<!-- handle individual elements -->
 		<xsl:apply-templates select="*"/>
 	</xsl:template>
@@ -113,10 +113,10 @@
 			</xsl:call-template>
 		</xsl:if>
 	</xsl:template>
-	
+
 	<!--
         Section 2.2
-        
+
         PublicationInfo MUST appear within the Extensions of either
         EntitiesDescriptor or EntityDescriptor.
     -->
@@ -131,12 +131,12 @@
 			<xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.2
-		
+
 		PublicationInfo SHOULD NOT appear except on the document element.
-		
+
 		Interpreted as a MUST NOT for now.
 	-->
 	<xsl:template match="mdrpi:PublicationInfo[parent::md:Extensions/parent::md:*/parent::*]">
@@ -144,10 +144,10 @@
 			<xsl:with-param name="m">PublicationInfo must be within document element's Extensions</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Section 2.2
-        
+
         <mdrpi:PublicationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
     -->
 	<xsl:template match="md:Extensions/mdrpi:PublicationInfo[position()>1]">
@@ -155,10 +155,10 @@
 			<xsl:with-param name="m">more than one PublicationInfo element in one Extensions element</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Section 2.1, 2.2
-        
+
         Restrict the elements in this namespace which can appear directly within md:Extensions
         to the two defined container elements.  This will catch mis-spelled containers.
     -->
@@ -171,5 +171,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index a2a53f44..05fca711 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	check_mdui.xsl
-	
+
 	Checking ruleset containing rules associated with the SAML V2.0 Metadata
 	Extensions for Login and Discovery User Interface Version 1.0, see:
 
 		http://wiki.oasis-open.org/security/SAML2MetadataUI
-		
+
 	This ruleset reflects WD08, 17-Jul-2011.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -27,21 +27,21 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<!--
 		Section 2.1
-		
+
 		<mdui:UIInfo> MUST NOT appear more than once within a given <md:Extensions> element.
 	-->
 	<xsl:template match="md:Extensions/mdui:UIInfo[position()>1]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">more than one UIInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>		
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.1, 2.2
-		
+
 		Restrict the elements in this namespace which can appear directly within md:Extensions
 		to the two defined container elements.  This will catch mis-spelled containers.
 	-->
@@ -57,18 +57,18 @@
 
 	<!--
 		Section 2.1.1
-		
+
 		The <mdui:UIInfo> container element [...] MUST appear within the
 		<md:Extensions> element of a role element (one whose type is based on
 		md:RoleDescriptorType).
-		
+
 		[The rule here further restricts the location to within either IDPSSODescriptor or
 		SPSSODescriptor elements, which are the ones it actually makes sense to use today.]
 	-->
 	<xsl:template match="mdui:UIInfo[not(parent::md:Extensions)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">UIInfo appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
 	<xsl:template match="md:Extensions[mdui:UIInfo]
 		[not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
@@ -78,12 +78,12 @@
 				<xsl:value-of select="name(..)"/>
 				<xsl:text>)</xsl:text>
 			</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
 
 	<!--
 		Constraints across multiple elements within the container.
-		
+
 		DisplayName, Description, InformationURL and PrivacyStatementURL elements
 		are all required to have unique xml:lang values within their element type.
 	-->
@@ -92,27 +92,27 @@
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdui:DisplayName"/>
 		</xsl:call-template>
-		
+
 		<!-- unique xml:lang over Description elements -->
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdui:Description"/>
 		</xsl:call-template>
-		
+
 		<!-- unique xml:lang over Keywords elements -->
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdui:Keywords"/>
 		</xsl:call-template>
-		
+
 		<!-- unique xml:lang over InformationURL elements -->
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdui:InformationURL"/>
 		</xsl:call-template>
-		
+
 		<!-- unique xml:lang over PrivacyStatementURL elements -->
 		<xsl:call-template name="uniqueLang">
 			<xsl:with-param name="e" select="mdui:PrivacyStatementURL"/>
 		</xsl:call-template>
-		
+
 		<!-- handle individual elements -->
 		<xsl:apply-templates select="*"/>
 	</xsl:template>
@@ -130,8 +130,8 @@
 			</xsl:call-template>
 		</xsl:if>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Section 2.1.5 Element <mdui:Logo>
 	-->
@@ -151,15 +151,15 @@
                 <xsl:with-param name="m">mdui:Logo contains non-breaking space</xsl:with-param>
             </xsl:call-template>
         </xsl:if>
-		
+
 		<!--
 			Require that the URL starts with https://
-			
+
 			This is a SHOULD in the specification; we treat it as a MUST here.
-			
+
 			Exception: allow data: URIs as well.  The spec is currently
 			ambiguous about this, clarification ticket is here:
-			
+
 			https://tools.oasis-open.org/issues/browse/SECURITY-24
 		-->
 		<xsl:if test="not(starts-with(., 'https://'))">
@@ -169,10 +169,10 @@
 				</xsl:call-template>
 			</xsl:if>
 		</xsl:if>
-        
+
         <!--
             Check for <mdui:Logo> elements that aren't valid URLs.
-            
+
             Again, explicitly permit anything starting with 'data:', so that the
             only validity test we're performing on data: URLs is the "no newline" rule.
         -->
@@ -194,7 +194,7 @@
 
 	<!--
 		Section 2.1.6 Element <mdui:InformationURL>
-		
+
 		Require that the URL is valid.
 	-->
 	<xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
@@ -209,10 +209,10 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Section 2.1.7 Element <mdui:PrivacyStatementURL>
-        
+
         Require that the URL is valid.
     -->
 	<xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
@@ -227,17 +227,17 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.2
-		
+
 		The <mdui:DiscoHints> container element [...] MUST appear within the
 		<md:Extensions> element of an <md:IDPSSODescriptor> element.
 	-->
 	<xsl:template match="mdui:DiscoHints[not(parent::md:Extensions)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">DiscoHints appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
 	<xsl:template match="md:Extensions[mdui:DiscoHints][not(parent::md:IDPSSODescriptor)]">
 		<xsl:call-template name="error">
@@ -246,23 +246,23 @@
 				<xsl:value-of select="name(..)"/>
 				<xsl:text>)</xsl:text>
 			</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.2
-		
+
 		<mdui:DiscoHints> MUST NOT appear more than once within a given <md:Extensions> element.
 	-->
 	<xsl:template match="md:Extensions/mdui:DiscoHints[position()>1]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">more than one DiscoHints element in one Extensions element</xsl:with-param>
-		</xsl:call-template>        
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 2.2.4
-		
+
 		Coordinates are given in URI form using the geo URI scheme [RFC5870].
 	-->
 	<xsl:template match="mdui:GeolocationHint[not(starts-with(., 'geo:'))]">
@@ -270,5 +270,5 @@
 			<xsl:with-param name="m">GeolocationHint must be RFC5870 URI starting with 'geo:'</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
index ec334f47..d95af024 100644
--- a/mdx/_rules/check_misc.xsl
+++ b/mdx/_rules/check_misc.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_misc.xsl
-	
+
 	Checking ruleset containing generally applicable rules not falling into any
 	other category.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -21,7 +21,7 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<!--
 		Entity IDs should not contain space characters.
 	-->
@@ -40,11 +40,11 @@
 			<xsl:with-param name="m">OrganizationDisplayName contains line break</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		@Location attributes should not contain space characters.
-		
+
 		This may be a little strict, and might be better confined to md:* elements.
 		At present, however, this produces no false positives.
 	-->
@@ -53,11 +53,11 @@
 			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
         @ResponseLocation attributes should not contain space characters.
-        
+
         This may be a little strict, and might be better confined to md:* elements.
         At present, however, this produces no false positives.
     -->
@@ -70,7 +70,7 @@
 
 	<!--
 		@Binding attributes should not contain space characters.
-		
+
 		This may be a little strict, and might be better confined to md:* elements.
 		At present, however, this produces no false positives.
 	-->
@@ -79,11 +79,11 @@
 			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Binding contains space character</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Check for empty xml:lang elements, automatically generated by OIOSAML.
-		
+
 		This is not schema-valid so would be caught further down the line anyway,
 		but it's nice to have a clear error message earlier in the process.
 	-->
@@ -92,8 +92,8 @@
 			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		A Shibboleth scope shouldn't be just "ac.uk".
 	-->
diff --git a/mdx/_rules/check_namespaces.xsl b/mdx/_rules/check_namespaces.xsl
index 2bb9f7fa..c4c83a1e 100644
--- a/mdx/_rules/check_namespaces.xsl
+++ b/mdx/_rules/check_namespaces.xsl
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	check_namespaces.xsl
-	
+
 	Metadata checking ruleset that ensures that all namespaces used in a metadata file
 	are known to us, by flagging those which are not.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
@@ -23,76 +23,76 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
+
 	<!--
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<!--
 		Explicitly accept elements in namespaces which we know about.
 	-->
-	
+
 	<xsl:template match="alg:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="ds:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="hoksso:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="idpdisc:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="init:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="md:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="mdattr:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="mdrpi:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="mdui:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="saml:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="shibmd:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="ukfedlabel:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="xenc:*">
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<!--
 		Reject elements in all other namespaces.
 	-->
-	
+
 	<xsl:template match="*">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -103,5 +103,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_rands_member.xsl b/mdx/_rules/check_rands_member.xsl
index bee2e9d0..5ae4531f 100644
--- a/mdx/_rules/check_rands_member.xsl
+++ b/mdx/_rules/check_rands_member.xsl
@@ -2,12 +2,12 @@
 <!--
 
 	check_rands_member.xsl
-	
+
 	Checking ruleset containing rules associated with membership of the REFEDS
 	Research and Scholarship entity category, see:
 
 		https://refeds.org/category/research-and-scholarship/
-		
+
 	This ruleset reflects v1.3, 8-Sep-2016.
 
 	Author: Ian A. Young <ian@iay.org.uk>
@@ -42,7 +42,7 @@
 			<xsl:when test="not(md:SPSSODescriptor)">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S only applies to service provider entities</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 			<!--
 		        4.3.1
@@ -53,22 +53,22 @@
 				[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S requires SAML 2.0 POST support</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 			<!--
 				4.3.3
-				
+
 				The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
 			-->
 			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName)">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S requires mdui:DisplayName</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL)">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S requires mdui:InformationURL</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 			<!--
 				4.3.4
@@ -78,7 +78,7 @@
 			<xsl:when test="not(md:ContactPerson[@contactType='technical'])">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S requires one or more technical contacts</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 		</xsl:choose>
 	</xsl:template>
diff --git a/mdx/_rules/check_rands_support.xsl b/mdx/_rules/check_rands_support.xsl
index fe92e6d8..71c1ff6a 100644
--- a/mdx/_rules/check_rands_support.xsl
+++ b/mdx/_rules/check_rands_support.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	check_rands_support.xsl
-	
+
 	Checking ruleset containing rules associated with the REFEDS
 	Research and Scholarship entity support category, see:
 
 		https://refeds.org/category/research-and-scholarship/
-		
+
 	This ruleset reflects v1.3, 8-Sep-2016.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -41,7 +41,7 @@
 			<xsl:when test="not(md:IDPSSODescriptor)">
 				<xsl:call-template name="error">
 					<xsl:with-param name="m">REFEDS R+S support only applies to identity provider entities</xsl:with-param>
-				</xsl:call-template>        
+				</xsl:call-template>
 			</xsl:when>
 		</xsl:choose>
 	</xsl:template>
diff --git a/mdx/_rules/check_regauth.xsl b/mdx/_rules/check_regauth.xsl
index e98400ae..bf4328a0 100644
--- a/mdx/_rules/check_regauth.xsl
+++ b/mdx/_rules/check_regauth.xsl
@@ -4,7 +4,7 @@
 	check_regauth.xsl
 
 	Check that the registration authority on an entity is the expected one.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -17,14 +17,14 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<!--
         expectedAuthority
-        
+
         Set this parameter from the calling context.
     -->
 	<xsl:param name="expectedAuthority">(value not set)</xsl:param>
-	
+
 	<xsl:template match="mdrpi:RegistrationInfo">
 		<xsl:if test="@registrationAuthority != $expectedAuthority">
 			<xsl:call-template name="error">
@@ -38,5 +38,5 @@
 			</xsl:call-template>
 		</xsl:if>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_reqattr.xsl b/mdx/_rules/check_reqattr.xsl
index 6840a020..1952aa34 100644
--- a/mdx/_rules/check_reqattr.xsl
+++ b/mdx/_rules/check_reqattr.xsl
@@ -2,33 +2,33 @@
 <!--
 
 	check_reqattr.xsl
-	
+
 	Checking ruleset for RequestedAttribute elements in SAML 2.0 metadata.
 
 	The main check being performed here is that the Name and NameFormat attributes
 	of a RequestedAttribute element together designate a real SAML attribute, either
 	explicitly or implicitly covered by some specification.  Other combinations
 	of Name+NameFormat are presumptively erroneous.
-	
+
 	Attribute profiles we make use of here:
-	
+
 	* eduPerson 2008
-	
+
 	* MACE-Dir SAML Attribute Profiles, April 2008
-	
+
 	* SWITCHaai Attribute Specification, 2010-06-23
-	
+
 	* grEduPerson
 		from http://aai.grnet.gr/static/grEduPerson.schema
 		and http://aai.grnet.gr/static/policy/policy-en.pdf
-	
+
 	* SCHAC
 		Only very basic coverage, most attributes to come later.
 		http://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.4.1.pdf
 		http://www.terena.org/registry/terena.org/attribute-def/
 		http://www.terena.org/registry/terena.org/schac/
 		Assuming encoding rules equivalent to MACEAttr.
-    
+
 
 	Author: Ian A. Young <ian@iay.org.uk>
 
@@ -49,7 +49,7 @@
 		Lack of NameFormat is equivalent to an explicit NameFormat of
 		'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
 		see http://tools.oasis-open.org/issues/browse/SECURITY-11
-		
+
 		This is almost certainly not correct, as an implicit
 		NameFormat of 'unspecified' is not the same as saying that
 		any NameFormat will match.
@@ -85,8 +85,8 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		If NameFormat is "urn:mace:shibboleth:1.0:attributeNamespace:uri", then we are
 		dealing with a SAML 1.x attribute.
@@ -94,12 +94,12 @@
 	<xsl:template match="md:RequestedAttribute
 		[@NameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri']">
 		<xsl:choose>
-			
+
 			<!--
 				MACE-Dir Attribute Profile for SAML 1.x
-				
+
 				2.2.1: Legacy names that are explicitly permitted.
-				
+
 				Taken from MACE-Dir SAML Attribute Profiles, April 2008
 			-->
 			<xsl:when test="
@@ -154,29 +154,29 @@
 				">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				Legacy name for eduPersonAssurance (from eduPerson 2008)
 			-->
 			<xsl:when test="@Name='urn:mace:dir:attribute-def:eduPersonAssurance'">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				MACE-Dir Attribute Profile for SAML 1.x
-				
+
 				2.3.2.1.1: Recommended name and syntax for eduPersonTargetedID.
 			-->
 			<xsl:when test="@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10'">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				MACE-Dir Attribute Profile for SAML 1.x
-				
+
 				'urn:oid:' equivalents of legacy names should NOT appear.
 				If they do, they are probably intended to be a SAML 2.0 mapping.
-				
+
 				The list is in same order as the list of legacy names above, and
 				includes the OID for eduPersonAssurance at the end.
 			-->
@@ -245,10 +245,10 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
 				SWITCHaai SAML 1.x names are prefixed by 'urn:mace:switch.ch:attribute-def:'
-				
+
 				Arranged in order of appearance in the specification.
 			-->
 			<xsl:when test="
@@ -267,11 +267,11 @@
 				">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				SWITCHaai SAML 2.0 names are oid-based, and should not appear
 				with the SAML 1.x NameFormat.
-				
+
 				Arranged in order of appearance in the specification.
 			-->
 			<xsl:when test="
@@ -302,14 +302,14 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
 				grEduPerson SAML 1.x binding
 			-->
 			<xsl:when test="@Name='urn:mace:grnet.gr:grEduPerson:attribute-def:grEduPersonUndergraduateBranch'">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				grEduPerson SAML 2.0 names should not appear.
 			-->
@@ -327,7 +327,7 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
                 SCHAC SAML 1.x binding
             -->
@@ -337,7 +337,7 @@
 				">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
                 SCHAC SAML 2.0 names should not appear.
             -->
@@ -358,19 +358,19 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
 				MACE-Dir Attribute Profile for SAML 1.x
-				
+
 				Forward-looking "urn:oid:" names are permitted, which is to say
 				any "urn:oid" name which does not correspond to a legacy name.
-				
+
 				(Any erroneous OIDs have been eliminated above.)
 			-->
 			<xsl:when test="starts-with(@Name, 'urn:oid:')">
 				<!-- OK -->
 			</xsl:when>
-			
+
 			<!--
 				Otherwise unknown attribute names.
 			-->
@@ -388,10 +388,10 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:otherwise>
-			
+
 		</xsl:choose>
 	</xsl:template>
-	
+
 
 	<!--
 		If NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", then we are
@@ -418,7 +418,7 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
 				Common error: using the legacy SWITCHaai name with the SAML 2.0 NameFormat.
 			-->
@@ -436,7 +436,7 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
                 Common error: using the legacy grEduPerson name with the SAML 2.0 NameFormat.
             -->
@@ -454,7 +454,7 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
                 Common error: using the legacy SCHAC name with the SAML 2.0 NameFormat.
             -->
@@ -472,17 +472,17 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:when>
-			
+
 			<!--
 				MACE-Dir Attribute Profile for SAML 2.0
-				
+
 				Attributes are named per the X.500/LDAP attribute profile in [SAML2Prof].
 			-->
 			<xsl:when test="starts-with(@Name, 'urn:oid:')">
 				<!-- OK -->
 			</xsl:when>
-			
-			
+
+
 			<!--
 				Otherwise unknown attribute names.
 			-->
@@ -500,8 +500,8 @@
 					</xsl:with-param>
 				</xsl:call-template>
 			</xsl:otherwise>
-			
+
 		</xsl:choose>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml1.xsl b/mdx/_rules/check_saml1.xsl
index 92de66c5..e5bc1caa 100644
--- a/mdx/_rules/check_saml1.xsl
+++ b/mdx/_rules/check_saml1.xsl
@@ -4,7 +4,7 @@
 	check_saml1.xsl
 
 	Checking ruleset containing rules associated with the SAML 1.x specification.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -28,7 +28,7 @@
 			<xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-		
+
 	<!--
         An IdP with a SAML 1.1 AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
@@ -40,7 +40,7 @@
 			<xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
@@ -53,7 +53,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
@@ -66,7 +66,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
@@ -79,5 +79,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2.xsl b/mdx/_rules/check_saml2.xsl
index e35ed8a6..3c5a5e26 100644
--- a/mdx/_rules/check_saml2.xsl
+++ b/mdx/_rules/check_saml2.xsl
@@ -4,7 +4,7 @@
 	check_saml2.xsl
 
 	Checking ruleset containing rules associated with the SAML 2.0 specification.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -20,7 +20,7 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<!--
 		It does not make sense for an IdP to have more than one SingleSignOnService
 		with any of a list of SAML 2.0 front-channel bindings.
@@ -29,19 +29,19 @@
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
 		</xsl:call-template>
-	</xsl:template>	
-	
+	</xsl:template>
+
 	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
 		</xsl:call-template>
-	</xsl:template> 
+	</xsl:template>
 
 	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
 		</xsl:call-template>
-	</xsl:template> 
+	</xsl:template>
 
 	<!--
         A SAML 2.0 IdP with an AttributeAuthority needs an AttributeService with an appropriate Binding.
@@ -58,7 +58,7 @@
 
 	<!--
         Check for SAML 2.0 SPs which lack an encryption key.
-    -->	
+    -->
 	<xsl:template match="md:SPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
 		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
@@ -67,7 +67,7 @@
 			<xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
@@ -80,7 +80,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
@@ -93,7 +93,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
@@ -106,5 +106,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index 812fe87e..f8c930e0 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -2,11 +2,11 @@
 <!--
 
 	check_saml2int.xsl
-	
+
 	Checking ruleset for the Interoperable SAML 2.0 Web Browser SSO Deployment Profile.
-	
+
 	See: http://saml2int.org/
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -23,10 +23,10 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<!--
 		Section 6.
-		
+
 		Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
 	-->
 	<xsl:template match="md:SPSSODescriptor
@@ -38,10 +38,10 @@
 			<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 6.
-		
+
 		Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
 	-->
 	<xsl:template match="md:IDPSSODescriptor
@@ -60,14 +60,14 @@
 			<xsl:with-param name="m">SAML 2.0 AttributeAuthorityDescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Section 6.1.
-        
+
         "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
         communicated to the Identity Provider using the HTTP-REDIRECT binding
         [SAML2Bind]."
-        
+
         Therefore, metadata for this binding MUST be present.
     -->
 	<xsl:template match="md:IDPSSODescriptor
@@ -80,7 +80,7 @@
 
 	<!--
 		Section 7.
-		
+
 		Check for correct NameFormat on Attribute elements.
 	-->
 	<xsl:template match="saml:Attribute[not(@NameFormat)]">
@@ -102,10 +102,10 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 9.1
-		
+
 		Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
 	-->
 	<xsl:template match="md:SPSSODescriptor
@@ -115,10 +115,10 @@
 			<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Section 9.1
-		
+
 		Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
 		suitable for signing those responses.
 	-->
@@ -138,5 +138,5 @@
 			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index cd5f1139..45cbcaa0 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_saml2meta.xsl
-	
+
 	Checking ruleset encapsulating rules from the SAML 2.0 metadata specification that
 	are not completely encoded in the XML schema.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -22,11 +22,11 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<!--
 		Check for distinct index attributes on appropriate elements.
 	-->
-	
+
 	<xsl:template match="md:SPSSODescriptor">
 
         <xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
@@ -44,13 +44,13 @@
 				<xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
 			</xsl:call-template>
 		</xsl:if>
-		
+
 		<!--
 			Perform checks on child elements.
 		-->
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<xsl:template match="md:IDPSSODescriptor">
 		<xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
 		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
@@ -59,14 +59,14 @@
 				<xsl:with-param name="m">ArtifactResolutionService index values not all different</xsl:with-param>
 			</xsl:call-template>
 		</xsl:if>
-		
+
 		<!--
 			Perform checks on child elements.
 		-->
 		<xsl:apply-templates/>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Check for Location attributes that aren't valid URLs.
 	-->
@@ -108,6 +108,6 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_noregscope.xsl b/mdx/_rules/check_shib_noregscope.xsl
index 0f1e0b79..32470d4d 100644
--- a/mdx/_rules/check_shib_noregscope.xsl
+++ b/mdx/_rules/check_shib_noregscope.xsl
@@ -25,5 +25,5 @@
 			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_regscope.xsl b/mdx/_rules/check_shib_regscope.xsl
index b20fa7d3..bffd7332 100644
--- a/mdx/_rules/check_shib_regscope.xsl
+++ b/mdx/_rules/check_shib_regscope.xsl
@@ -4,7 +4,7 @@
 	check_shib_regscope.xsl
 
 	Check for the presence of Shibboleth Scope elements containing regular expressions.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -17,7 +17,7 @@
 		Common support functions.
 	-->
 	<xsl:import href="check_framework.xsl"/>
-	
+
 	<xsl:template match="shibmd:Scope[@regexp='true']">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -27,5 +27,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shibboleth.xsl b/mdx/_rules/check_shibboleth.xsl
index 79aa6799..591e32b3 100644
--- a/mdx/_rules/check_shibboleth.xsl
+++ b/mdx/_rules/check_shibboleth.xsl
@@ -4,11 +4,11 @@
 	check_shibboleth.xsl
 
 	Checking ruleset containing rules associated with:
-	
+
 	* the Shibboleth profile specifications
-	
+
 	* known problems with Shibboleth implementations
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,13 +26,13 @@
 	-->
 	<xsl:import href="check_framework.xsl"/>
 
-	
+
 	<!--
 		OrganizationURL elements should contain actual URLs, or some software
 		will reject the metadata.  This is known to be true for at least the Shibboleth
 		1.3 IdP and the accompanying metadatatool application, because they pass the
 		string to the java.net.URL class.
-		
+
 		We perform a very cursory test for this by insisting that they start with
 		either "http://" or "https://".
 	-->
@@ -42,16 +42,16 @@
 			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
 		authentication request binding, the role descriptor's protocolSupportEnumeration
 		must include both of the following:
-		
+
 			urn:oasis:names:tc:SAML:1.1:protocol
 			urn:mace:shibboleth:1.0
-		
+
 		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
 	-->
 	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
@@ -60,20 +60,20 @@
 			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
 		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		If an IDPSSODescriptor indicates support for Shibboleth by including
 		urn:mace:shibboleth:1.0 in its protocolSupportEnumeration, it must contain at
 		least one appropriate SingleSignOnService.
-		
+
 		This is theoretically too severe, as in principle additional profiles could be invented
 		in the future which exist in the same protocolSupportEnumeration "family".  However,
 		at present there are no such uses of the value, so we can be more restrictive.
@@ -84,8 +84,8 @@
 			<xsl:with-param name="m">Shibboleth 1.x support claimed but no appropriate SSO service binding</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		It does not make sense for an IdP to have more than one SingleSignOnService
 		with the Shibboleth authentication request binding, because this is a
@@ -96,11 +96,11 @@
 			<xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
-		
+
 		An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
 		SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
 		there will be no name identifier sent to the SP and no attribute query can be
@@ -118,13 +118,13 @@
 
 	<!--
 		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
-		
+
 			<md:KeyDescriptor use="signing">
 				<ds:KeyInfo>
 					<KeyName>blabla<KeyName>
 				</ds:KeyInfo>
 			</md:KeyDescriptor>
-		
+
 		The issue here is that the KeyName does not have the ds: namespace.
 	-->
 	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
@@ -132,15 +132,15 @@
 			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Check for IDP role descriptors containing (at any level of nesting)
 		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
-		
+
 		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
 		to reject the metadata.
-		
+
 		See https://bugs.internet2.edu/jira/browse/SIDPO-34
 	-->
 	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
@@ -151,7 +151,7 @@
 
 	<!--
 		Scope elements should not contain space characters.
-		
+
 		This isn't part of the specification, but is assumed by some software.
 	-->
 	<xsl:template match="shibmd:Scope[contains(., ' ')]">
@@ -159,11 +159,11 @@
 			<xsl:with-param name="m">Scope value contains space character</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 
 	<!--
 		Scope elements should not contain line breaks.
-		
+
 		This isn't part of the specification, but is assumed by some software,
 		including the Shibboleth 2.4.3 SP.
 	-->
@@ -172,8 +172,8 @@
 			<xsl:with-param name="m">Scope value contains line break</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		The Shibboleth 1.3f SP, probably along with other software, has
 		problems with comments inside certificate representations.
@@ -183,6 +183,6 @@
 			<xsl:with-param name="m">X509Certificate contains XML comment</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_sirtfi.xsl b/mdx/_rules/check_sirtfi.xsl
index 78240c01..0174c455 100644
--- a/mdx/_rules/check_sirtfi.xsl
+++ b/mdx/_rules/check_sirtfi.xsl
@@ -16,11 +16,11 @@
 	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 	xmlns:remd="http://refeds.org/metadata"
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	
+
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
+
 	<!--
 		Common support functions.
 	-->
diff --git a/mdx/_rules/check_sp_tls.xsl b/mdx/_rules/check_sp_tls.xsl
index 401740ad..fe78eccb 100644
--- a/mdx/_rules/check_sp_tls.xsl
+++ b/mdx/_rules/check_sp_tls.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_sp_tls.xsl
-	
+
 	Checking that all SP endpoints are TLS-protected.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -32,5 +32,5 @@
 			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_algorithms.xsl b/mdx/_rules/check_uk_algorithms.xsl
index 10db2ce2..197da8c8 100644
--- a/mdx/_rules/check_uk_algorithms.xsl
+++ b/mdx/_rules/check_uk_algorithms.xsl
@@ -2,7 +2,7 @@
 <!--
 
 	check_uk_algorithms.xsl
-	
+
 	Checking ruleset for cryptographic algorithms. This is named as a UK
 	ruleset because the division between acceptable and unacceptable algorithms
 	is sometimes a judgement call; however, it should be generally
@@ -11,7 +11,7 @@
 	The best reference for *all* URIs used as algorithm identifiers is the
 	XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
 	Algorithm lists here are in the same order as in that document.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 -->
 <xsl:stylesheet version="1.0"
@@ -33,7 +33,7 @@
         ***                               ***
         *************************************
     -->
-	
+
 	<!--
         Check for known BAD SigningMethod algorithms.
     -->
@@ -48,7 +48,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Check for known GOOD SigningMethod algorithms.
     -->
@@ -69,7 +69,7 @@
 		]">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<!--
         Misspelled or otherwise not known SigningMethod algorithms.
     -->
@@ -82,7 +82,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         ***********************************
         ***                             ***
@@ -105,7 +105,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Check for known GOOD DigestMethod algorithms.
     -->
@@ -119,7 +119,7 @@
 		]">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<!--
         Misspelled or otherwise not known DigestMethod algorithms.
     -->
@@ -143,7 +143,7 @@
 
 	<!--
         Check for known BAD EncryptionMethod algorithms.
-		
+
 		This list is of symmetric key encryption algorithms *and*
 		key transport algorithms.
     -->
@@ -158,10 +158,10 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Check for known GOOD EncryptionMethod algorithms.
-		
+
 		This list is of symmetric key encryption algorithms *and*
 		key transport algorithms.
 	-->
@@ -178,7 +178,7 @@
 		]">
 		<!-- do nothing -->
 	</xsl:template>
-	
+
 	<!--
 		Misspelled or otherwise not known EncryptionMethod algorithms.
 	-->
diff --git a/mdx/_rules/check_uk_trust.xsl b/mdx/_rules/check_uk_trust.xsl
index 6db92755..041da61b 100644
--- a/mdx/_rules/check_uk_trust.xsl
+++ b/mdx/_rules/check_uk_trust.xsl
@@ -1,57 +1,57 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
     check_uk_trust.xsl
-    
+
     Checking ruleset for the UK federation trust fabric, as documented in the
     Federation Technical Specifications.  Checks are labelled with a section
     number and FTS version, as the section number may change between editions.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
-    
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
+
 	<!--
         Common support functions.
     -->
 	<xsl:import href="check_framework.xsl"/>
-	
-	
+
+
 	<!--
 		FTS 1.5, section 3.10, first paragraph.
-		
+
 		Each <IDPSSODescriptor>, <SPSSODescriptor> and <AttributeAuthorityDescriptor>
 		role descriptor appearing in metadata published by the UK federation SHALL
 		contain at least one <KeyDescriptor> element.
 	-->
-	
+
 	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
+		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>    
+		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
         FTS 1.5 draft of 2014-01-02, section 3.10, second paragraph.
-        
+
 		In roles which indicate support through their protocolSupportEnumeration values for
 		SAML 2.0 or SAML 1.1 profiles, each <KeyDescriptor> MUST support the direct key
 		verification scheme as described in section 2.1.1.
@@ -71,7 +71,7 @@
 			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
 		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
@@ -79,7 +79,7 @@
 			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:IDPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
 		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
@@ -87,7 +87,7 @@
 			<xsl:with-param name="m">SAML 1.1 IdP has KeyDescriptor without embedded key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:AttributeAuthorityDescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
 		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
@@ -95,7 +95,7 @@
 			<xsl:with-param name="m">SAML 1.1 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<xsl:template match="md:SPSSODescriptor
 		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
 		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
@@ -106,7 +106,7 @@
 
 	<!--
 		FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
-		
+
 		<ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
 	-->
 	<xsl:template match="ds:KeyName">
@@ -114,5 +114,5 @@
 			<xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_vhosts.xsl b/mdx/_rules/check_vhosts.xsl
index 7b7a1999..a938a1dc 100644
--- a/mdx/_rules/check_vhosts.xsl
+++ b/mdx/_rules/check_vhosts.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_vhosts.xsl
-	
+
 	Checking ruleset that makes sure that an IdP's SSO endpoints and SOAP
 	endpoints are on distinct virtual host.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -30,22 +30,22 @@
 			Look for IdPs which have either attribute authority or artifact resolution locations
 			on the same host:port combination as any of the SSO locations.
 		-->
-		
+
 		<!-- XPath expression to evaluate to extract host:port strings from locations -->
 		<xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
-		
+
 		<!-- Collect all of the SSO locations -->
 		<xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
 		<!-- convert to set of unique host:port strings -->
 		<xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
-		
+
 		<!-- Collect all of the attribute authority and artifact resolution locations -->
 		<xsl:variable name="soapLocations"
 			select="descendant::md:AttributeService/@Location |
 			descendant::md:ArtifactResolutionService/@Location"/>
 		<!-- convert to set of unique host:port strings -->
 		<xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
-		
+
 		<!-- we expect these two sets to be disjoint -->
 		<xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
 		<xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
@@ -54,5 +54,5 @@
 			</xsl:call-template>
 		</xsl:if>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_match.xsl b/mdx/_rules/mdui_dn_en_match.xsl
index 8281fe9d..f4b993dc 100644
--- a/mdx/_rules/mdui_dn_en_match.xsl
+++ b/mdx/_rules/mdui_dn_en_match.xsl
@@ -2,12 +2,12 @@
 <!--
 
 	mdui_dn_en_match.xsl
-	
+
     If an IdP has both an OrganizationDisplayName in English, and an
     mdui:DisplayName in English, they must be identical.
-    
+
     UKFTS 1.4 section 3.3
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -37,5 +37,5 @@
 			</xsl:call-template>
 		</xsl:if>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_present.xsl b/mdx/_rules/mdui_dn_en_present.xsl
index 16e2ab15..42c32d2a 100644
--- a/mdx/_rules/mdui_dn_en_present.xsl
+++ b/mdx/_rules/mdui_dn_en_present.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	mdui_dn_en_present.xsl
-	
+
     If an entity has mdui:UIInfo, then that must include at least an
     mdui:DisplayName with an English name.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -27,5 +27,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml
index 5bebaeda..5ab7a9fc 100644
--- a/mdx/at_aconet/beans.xml
+++ b/mdx/at_aconet/beans.xml
@@ -11,7 +11,7 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
@@ -23,7 +23,7 @@
     <bean id="at_aconet_edugainAggregate_url" parent="String">
         <constructor-arg value="http://eduid.at/md/upstream-edugain.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
@@ -36,7 +36,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN export aggregate.
     -->
@@ -49,13 +49,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Signing certificate.
     -->
     <bean id="at_aconet_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:at_aconet/aconet-aai-metadata-signing.crt"/>
-    
+
     <!--
         Check signing signature.
     -->
@@ -65,10 +65,10 @@
     <bean id="at_aconet_checkEdugainSignature" parent="XMLSignatureValidationStageSHA256">
         <property name="verificationCertificate" ref="at_aconet_signingCertificate"/>
     </bean>
-    
+
     <!--
         at_aconet_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -79,10 +79,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         at_aconet_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -93,7 +93,7 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         Fetch the production entities as a collection.
     -->
@@ -101,7 +101,7 @@
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -110,12 +110,12 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="at_aconet_checkProductionSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN export entities as a collection.
     -->
@@ -123,7 +123,7 @@
         <property name="composedStages">
             <list>
                 <ref bean="at_aconet_edugainAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -132,15 +132,15 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="at_aconet_checkEdugainSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="check_hasreginfo"/>
                 <ref bean="at_aconet_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Select primary export aggregate.
     -->
diff --git a/mdx/at_aconet/verbs.xml b/mdx/at_aconet/verbs.xml
index 6919e231..54399699 100644
--- a/mdx/at_aconet/verbs.xml
+++ b/mdx/at_aconet/verbs.xml
@@ -11,17 +11,17 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:at_aconet/beans.xml"/>
-    
+
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -30,7 +30,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -50,7 +50,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -61,7 +61,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importEdugainRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -70,7 +70,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="verifyEdugain" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -86,7 +86,7 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     Remove a specific entity we know has a problem that it will take
                     a while to resolve.
@@ -104,7 +104,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importEdugain"/>
     <alias alias="importRaw" name="importEdugainRaw"/>
 </beans>
diff --git a/mdx/clean-import.xsl b/mdx/clean-import.xsl
index 029642f8..20936824 100644
--- a/mdx/clean-import.xsl
+++ b/mdx/clean-import.xsl
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	clean-import.xsl
-	
+
 	Clean up imported metadata from a metadata exchange channel.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
@@ -23,25 +23,25 @@
 	<xsl:template match="md:EntityDescriptor/@ID"/>
 	<xsl:template match="md:EntityDescriptor/@cacheDuration"/>
 	<xsl:template match="md:EntityDescriptor/@validUntil"/>
-	
+
 	<!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
 	<xsl:template match="md:RoleDescriptor"/>
-	
+
 	<!-- strip xml:base entirely -->
 	<xsl:template match="@xml:base"/>
-	
+
 	<!-- remove KeyDescriptor elements which lack embedded key material -->
 	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Certificate)]"/>
-	
+
 	<!-- Remove KeyName elements; they refer to an inaccessable trust fabric -->
 	<xsl:template match="ds:KeyName"/>
-	
+
 	<!-- Remove <ds:X509SubjectName> elements; long ones cause problems. -->
 	<xsl:template match="ds:X509SubjectName"/>
-	
+
 	<!-- Remove any embedded signatures -->
 	<xsl:template match="ds:Signature"/>
-	
+
 	<!-- Remove xsi:type from any entity attribute values. -->
 	<xsl:template match="saml:AttributeValue/@xsi:type"/>
 
@@ -55,7 +55,7 @@
 			<xsl:text>&#10;</xsl:text>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<!--
 		Discard various ds:X509 elements.  Several of these are known to
 		cause problems with software systems, and they don't affect trust
@@ -63,17 +63,17 @@
 	-->
 	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
 	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index e782e283..bf13de14 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -36,14 +36,14 @@
         ***                             ***
         ***********************************
     -->
-    
+
     <!--
         Java class parent shorthand beans.
     -->
     <bean id="File" abstract="true" class="java.io.File"/>
     <bean id="String" abstract="true" class="java.lang.String"/>
     <bean id="QName" abstract="true" class="javax.xml.namespace.QName"/>
-    
+
     <!--
         Spring resource class parent shorthand beans.
     -->
@@ -51,7 +51,7 @@
         class="org.springframework.core.io.ClassPathResource"/>
     <bean id="FileSystemResource" abstract="true"
         class="org.springframework.core.io.FileSystemResource"/>
-    
+
     <!--
         Shibboleth-defined Resource class parent bean.
     -->
@@ -60,21 +60,21 @@
 
     <!--
         component_parent
-        
+
         Parent for anything based on the Shibboleth component system.
         These all require initialization before use.
     -->
     <bean id="component_parent" abstract="true"
         init-method="initialize" destroy-method="destroy"/>
-    
+
     <!--
         XMLSignatureValidationStage
-        
+
         Parent for XML Signature validation stages.
-        
+
         Applies global algorithm blacklists. For values, see:
             http://www.w3.org/TR/xmlsec-algorithms/
-            
+
         Establishes a default of *not* permitting empty references
         in signatures, per the SAML specification. This will be
         overridden in specific beans where a signature is known to
@@ -93,10 +93,10 @@
         </property>
         <property name="permittingEmptyReferences" value="false"/>
     </bean>
-    
+
     <!--
         XMLSignatureValidationStageSHA256
-        
+
         Parent for XML signature validation stages where we know
         the signature will not be made with MD5 or SHA-1.
     -->
@@ -125,13 +125,13 @@
     <!-- PKCS11PrivateKeyFactoryBean is in MDA in V0.9.2. -->
     <bean id="PKCS11PrivateKeyFactoryBean" abstract="true"
         class="net.shibboleth.metadata.util.PKCS11PrivateKeyFactoryBean"/>
-    
+
     <bean id="PrivateKeyFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.PrivateKeyFactoryBean"/>
-    
+
     <bean id="PublicKeyFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.PublicKeyFactoryBean"/>
-    
+
     <bean id="X509CertificateChainFactoryBean" abstract="true"
         class="net.shibboleth.ext.spring.factory.X509CertificateChainFactoryBean"/>
 
@@ -140,7 +140,7 @@
 
     <!-- *** Default Shibboleth component bean id property from Spring bean id *** -->
     <bean class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor" lazy-init="false"/>
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -148,10 +148,10 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         Namespace URI beans.
-        
+
         One String bean for each of the common namespaces, named by its prefix.
     -->
     <bean id="alg_namespace"        parent="String" c:_="urn:oasis:names:tc:SAML:metadata:algsupport"/>
@@ -176,10 +176,10 @@
     <bean id="xs_namespace"         parent="String" c:_="http://www.w3.org/2001/XMLSchema"/>
     <bean id="xsi_namespace"        parent="String" c:_="http://www.w3.org/2001/XMLSchema-instance"/>
     <bean id="xsl_namespace"        parent="String" c:_="http://www.w3.org/1999/XSL/Transform"/>
-    
+
     <!--
         commonNamespaces
-        
+
         A NamespaceContext that assigns the usual prefix for each of the commonly used XML namespaces.
         This is used in the evaluation of XPath expressions.
     -->
@@ -210,18 +210,18 @@
             </util:map>
         </constructor-arg>
     </bean>
-    
+
     <!--
         stripAlgNamespace
-        
+
         Remove the algorithm support namespace.
     -->
     <bean id="stripAlgNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="alg_namespace"/>
-    
+
     <!--
         stripIdpdiscNamespace
-        
+
         Remove the IdP discovery namespace.
     -->
     <bean id="stripIdpdiscNamespace" parent="mda.NamespaceStrippingStage"
@@ -229,45 +229,45 @@
 
     <!--
         stripInitNamespace
-        
+
         Remove the session initiation namespace.
     -->
     <bean id="stripInitNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="init_namespace"/>
-    
+
     <!--
         stripMdattrNamespace
-        
+
         Remove the namespace used by the entity attributes extension.
     -->
     <bean id="stripMdattrNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdattr_namespace"/>
-    
+
     <!--
         stripMdrpiNamespace
-        
+
         Remove the namespace used by the registration and publication metdata extension.
     -->
     <bean id="stripMdrpiNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="mdrpi_namespace"/>
-    
+
     <!--
         stripUkfedlabelNamespace
-        
+
         Remove the UK federation label namespace.
     -->
     <bean id="stripUkfedlabelNamespace" parent="mda.NamespaceStrippingStage"
         p:namespace-ref="ukfedlabel_namespace"/>
-    
+
     <!--
         normaliseNamespaces
-        
+
         A pipeline stage that can be used before serialisation to normalise the namespaces
         used in an XML document.
     -->
     <bean id="normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:ns_norm.xsl"/>
-    
+
     <!--
         ***************************************************
         ***                                             ***
@@ -275,12 +275,12 @@
         ***                                             ***
         ***************************************************
     -->
-    
+
     <!--
         Import beans that perform individual validation checks.
     -->
     <import resource="classpath:validation-beans.xml"/>
-    
+
     <!--
         Federation registrationAuthority URIs.
     -->
@@ -332,11 +332,11 @@
     <bean id="us_incommon_registrar"     parent="String" c:_="https://incommon.org"/>
     <bean id="za_safire_registrar"       parent="String" c:_="https://safire.ac.za"/>
 
-    
-    
+
+
     <!--
         identificationStrategy
-        
+
         Standard item identifier strategy.
     -->
     <bean id="identificationStrategy" class="uk.org.ukfederation.mda.UKItemIdentificationStrategy">
@@ -349,9 +349,9 @@
             <map>
                 <!--
                     eduGAIN participant registration authority display names as country codes.
-                
+
                     The ordering here is as on the eduGAIN status page:
-                    
+
                     http://www.edugain.org/technical/status.php
                 -->
                 <entry key-ref="am_afire_registrar"           value="AM"/>
@@ -396,22 +396,22 @@
                 <entry key-ref="us_incommon_registrar"        value="US"/>
                 <entry key-ref="ua_peano_registrar"           value="UA"/>
                 <entry key-ref="uk_ukf_registrar"             value="UK"/>
-                
+
                 <!-- eduGAIN voting-only members -->
                 <entry key-ref="ar_mate_registrar"            value="AR"/>
                 <entry key-ref="by_febas_registrar"           value="BY"/>
                 <entry key-ref="it_gridp_registrar"           value="IT-GRIDP"/>
-                
+
                 <!-- eduGAIN candidates -->
                 <entry key-ref="dz_arnaai_registrar"          value="DZ"/>
                 <entry key-ref="ug_rif_registrar"             value="UG"/>
             </map>
         </property>
     </bean>
-    
+
     <!--
         errorAnnouncer
-        
+
         A pipeline stage that logs any errors present,
         but takes no action on them.
     -->
@@ -426,7 +426,7 @@
 
     <!--
         warningAndErrorAnnouncer
-        
+
         A pipeline stage that logs any errors and warnings present,
         but takes no action on them.
     -->
@@ -439,10 +439,10 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorRemover
-        
+
         This pipeline stage removes any items marked with an error status.
     -->
     <bean id="errorRemover" parent="mda.ItemMetadataFilterStage">
@@ -453,10 +453,10 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorTerminator
-        
+
         This pipeline stage causes CLI termination if any item is marked with an error status.
     -->
     <bean id="errorTerminator" parent="mda.ItemMetadataTerminationStage">
@@ -467,10 +467,10 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorAnnouncingFilter
-        
+
         Announce any errors or warnings encountered, then remove
         any items that had errors.  Items with just warnings are retained.
     -->
@@ -482,12 +482,12 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         errorTerminatingFilter
-        
+
         Announces any errors encountered, and then terminates if any are present.
-        
+
         Warnings are not announced, and do not cause termination.
     -->
     <bean id="errorTerminatingFilter" parent="mda.CompositeStage">
@@ -498,9 +498,9 @@
             </list>
         </property>
     </bean>
-    
-    
-    
+
+
+
     <!--
         *************************************
         ***                               ***
@@ -508,7 +508,7 @@
         ***                               ***
         *************************************
     -->
-    
+
     <!--
         QNames for SAML metadata elements.
     -->
@@ -530,12 +530,12 @@
         Basic EntitiesDescriptor disassembler pipeline stage.
     -->
     <bean id="disassemble" parent="mda.EntitiesDescriptorDisassemblerStage"/>
-    
+
     <!--
         Basic EntitiesDescriptor assembler pipeline stage.
     -->
     <bean id="assemble" parent="mda.EntitiesDescriptorAssemblerStage"/>
-    
+
     <!--
         Populate ItemId values from entities.
     -->
@@ -547,53 +547,53 @@
     <bean id="stripEmptyExtensions" parent="mda.EmptyContainerStrippingStage"
         p:elementName="Extensions"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <!--
         Beans to strip out selected SAML metadata elements.
     -->
-    
+
     <bean id="stripArtifactResolutionService" parent="mda.ElementStrippingStage"
         p:elementName="ArtifactResolutionService"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripAssertionConsumerService" parent="mda.ElementStrippingStage"
         p:elementName="AssertionConsumerService"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripAttributeAuthorityDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="AttributeAuthorityDescriptor"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripAttributeConsumingService" parent="mda.ElementStrippingStage"
         p:elementName="AttributeConsumingService"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripContactPerson" parent="mda.ElementStrippingStage"
         p:elementName="ContactPerson"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripKeyDescriptor" parent="mda.ElementStrippingStage"
         p:elementName="KeyDescriptor"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripManageNameIDService" parent="mda.ElementStrippingStage"
         p:elementName="ManageNameIDService"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripNameIDFormat" parent="mda.ElementStrippingStage"
         p:elementName="NameIDFormat"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripSingleLogoutService" parent="mda.ElementStrippingStage"
         p:elementName="SingleLogoutService"
         p:elementNamespace-ref="md_namespace"/>
-    
+
     <bean id="stripSingleSignOnService" parent="mda.ElementStrippingStage"
         p:elementName="SingleSignOnService"
         p:elementNamespace-ref="md_namespace"/>
-    
-    
-    
+
+
+
     <!--
         *************************************************
         ***                                           ***
@@ -601,23 +601,23 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         Populate RegistrationAuthority values from entities.
     -->
     <bean id="populateRegistrationAuthorities" parent="mda.RegistrationAuthorityPopulationStage"/>
-    
+
     <!--
         default_regauth_parent
-        
+
         Parent (template) for per-channel beans.
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
     <bean id="default_regauth_parent" abstract="true" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:default_regauth.xsl"/>
-    
+
 
 
     <!--
@@ -641,18 +641,18 @@
     <bean id="stripMDUIDiscoHints" parent="mda.ElementStrippingStage"
         p:elementName="DiscoHints"
         p:elementNamespace-ref="mdui_namespace"/>
-    
+
     <!--
         stripAAMDUI
-        
+
         Remove all MDUI metadata from attribute authority roles.
     -->
     <bean id="stripAAMDUI" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-aa-mdui.xsl"/>
-    
+
     <!--
         stripMDUILogoData
-        
+
         Remove all mdui:Logo elements containing data: URLs.
     -->
     <bean id="stripMDUILogoData" parent="mda.XSLTransformationStage"
@@ -660,22 +660,22 @@
 
     <!--
         stripMDUILogoHttp
-        
+
         Remove any mdui:Logo elements containing http:// URLs.
     -->
     <bean id="stripMDUILogoHttp" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-mdui-logo-http.xsl"/>
-    
+
     <!--
         stripEmptyMDUIUIInfo
-        
+
         Remove any empty mdui:UIInfo container elements.
     -->
     <bean id="stripEmptyMDUIUIInfo" parent="mda.EmptyContainerStrippingStage">
         <property name="elementNamespace" ref="mdui_namespace"/>
         <property name="elementName" value="UIInfo"/>
     </bean>
-    
+
     <!--
         *****************************************************
         ***                                               ***
@@ -683,13 +683,13 @@
         ***                                               ***
         *****************************************************
     -->
-    
+
     <bean id="shibmd-Scope" parent="QName" c:_0-ref="shibmd_namespace" c:_1="Scope"/>
 
     <bean id="stripShibScope" parent="mda.ElementStrippingStage"
         p:elementName="Scope"
         p:elementNamespace-ref="shibmd_namespace"/>
-    
+
 
 
     <!--
@@ -699,18 +699,18 @@
         ***                     ***
         ***************************
     -->
-    
+
     <!--
         stripKeyNames
-        
+
         Remove all ds:KeyName elements.
     -->
     <bean id="stripKeyNames" parent="mda.ElementStrippingStage"
         p:elementName="KeyName"
         p:elementNamespace-ref="ds_namespace"/>
-    
-    
-    
+
+
+
     <!--
         *************************************
         ***                               ***
@@ -718,20 +718,20 @@
         ***                               ***
         *************************************
     -->
-    
+
     <!--
         httpClientBuilder
-        
+
         Factory for the httpClient bean below.
-        
+
         Sets the option to ignore validation of a server's TLS credentials.
-        
+
         Sets socket and connection timeouts explicitly (to 100s) to
         override the tight defaults in java-support, see:
-        
+
             https://github.com/ukf/ukf-meta/issues/1
             https://issues.shibboleth.net/jira/browse/JSPT-48
-            
+
         These options can be removed once the underlying issue has been resolved.
     -->
     <bean id="httpClientBuilder"
@@ -743,26 +743,26 @@
 
     <!--
         httpClient
-        
+
         Common, basic, HTTP client for use with HTTP resources.
     -->
     <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>
-    
+
     <!--
         parserPool
-        
+
         A pre-configured parser pool for use by source stages.
     -->
     <bean id="parserPool" parent="component_parent"
         class="net.shibboleth.utilities.java.support.xml.BasicParserPool"
         p:ignoreComments="false"
         p:ignoreElementContentWhitespace="false"/>
-    
+
     <!--
         schemaResources
-        
+
         A list of all schema documents that we make common use of in SAML metadata.
-        
+
         The schemas are organised such that each schema appears before any of the schemas importing it,
         so that the parser is not required to explicitly resolve any imports.
     -->
@@ -871,10 +871,10 @@
             <constructor-arg value="schema/xmldsig11-schema.xsd"/>
         </bean>
     </util:list>
-    
+
     <!--
         checkSchemas
-        
+
         A pipeline stage that checks against all the common schemas, as above.
     -->
     <bean id="checkSchemas" parent="mda.XMLSchemaValidationStage">
@@ -883,31 +883,31 @@
 
     <!--
         stripComments
-        
+
         A pipeline stage that removes all XML comments from items.
     -->
-    
+
     <bean id="stripComments" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:strip-comments.xsl"/>
-    
+
     <!--
         everythingSelector
-        
+
         An item selection strategy that selects all items.
     -->
     <bean id="everythingSelector" class="com.google.common.base.Predicates"
         factory-method="alwaysTrue"/>
-    
+
     <!--
         Standard serializer.
     -->
     <bean id="serializer" parent="mda.DOMElementSerializer"/>
-    
+
     <!--
         Merge strategy that removes duplicates.
     -->
     <bean id="deduplicateMergeStrategy" parent="mda.DeduplicatingItemIdMergeStrategy"/>
-    
+
 
 
     <!--
@@ -920,17 +920,17 @@
 
     <!--
         cleanImport
-        
+
         A pipeline stage that can be used in an import pipeline to clean up the metadata
         presented, for example by removing redundant attributes or elements which only have
         meaning when added by the UK federation registrar.
     -->
     <bean id="cleanImport" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:clean-import.xsl"/>
-    
+
     <!--
         trimImportElementWhitespace
-        
+
         Trim whitespace from the specified elements in imported
         entities.  These would be errors in UK-registered metadata,
         but repairing the metadata on the fly is often easier than
@@ -959,14 +959,14 @@
             </set>
         </property>
     </bean>
-    
+
     <!--
         standardImportActions
-        
+
         Standard actions performed on any metadata import channel.  Assumes that the
         collection has been acquired, had its signature validated, and disassembled into
         individual entities.
-        
+
         The result is a collection of entities, some of which may be labelled with
         errors.  No announcement or removal of those entities is performed here;
         that is left to the caller.
@@ -1023,32 +1023,32 @@
                                 p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
                             <bean parent="mda.X509RSAExponentValidator"/>
-                            
+
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
                         </list>
                     </property>
                 </bean>
-                
+
             </list>
         </property>
     </bean>
-    
+
     <!--
         standardImportTail
-        
+
         Standard actions performed at the end of any metadata import flow.  As imports
         are currently ending up in files, build an EntitiesDescriptor and normalise the
         namespaces in the document ready for serialisation.
@@ -1063,5 +1063,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/default_regauth.xsl b/mdx/default_regauth.xsl
index a0c352ab..bec46fc8 100644
--- a/mdx/default_regauth.xsl
+++ b/mdx/default_regauth.xsl
@@ -4,7 +4,7 @@
 	default_regauth.xsl
 
 	Apply a default registrationAuthority to entities which don't have one already.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -15,11 +15,11 @@
 
 	<!--
         defaultAuthority
-        
+
         Set this parameter from the calling context.
     -->
 	<xsl:param name="defaultAuthority">(value not set)</xsl:param>
-	
+
 	<!--
 		EntityDescriptor with no Extensions doesn't have a RegistrationInfo,
 		by definition.
@@ -37,7 +37,7 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		EntityDescriptor with Extensions but without RegistrationInfo needs to have one
 		injected into the existing Extensions.
@@ -48,7 +48,7 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		Default RegistrationInfo element, with associated white space.
 	-->
@@ -61,17 +61,17 @@
 			</xsl:attribute>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-		
+
 </xsl:stylesheet>
diff --git a/mdx/int_cobweb/beans.xml b/mdx/int_cobweb/beans.xml
index 21fb37f9..a937917c 100644
--- a/mdx/int_cobweb/beans.xml
+++ b/mdx/int_cobweb/beans.xml
@@ -11,14 +11,14 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
     <bean id="int_cobweb_productionAggregate_url" parent="String">
         <constructor-arg value="https://cobweb.edina.ac.uk/metadata/cobweb-metadata.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
@@ -31,13 +31,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Signing certificate.
     -->
     <bean id="int_cobweb_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:int_cobweb/cobweb.pem"/>
-    
+
     <!--
         Check signing signature.
     -->
@@ -52,7 +52,7 @@
         <property name="composedStages">
             <list>
                 <ref bean="int_cobweb_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -60,12 +60,12 @@
                 -->
                 <ref bean="check_validUntil"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-        
+
     <!--
         Select primary export aggregate.
     -->
diff --git a/mdx/int_cobweb/verbs.xml b/mdx/int_cobweb/verbs.xml
index 49cd2a9a..0a626f57 100644
--- a/mdx/int_cobweb/verbs.xml
+++ b/mdx/int_cobweb/verbs.xml
@@ -11,17 +11,17 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:int_cobweb/beans.xml"/>
-    
+
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -30,7 +30,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -41,7 +41,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="verifyProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -51,7 +51,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importProductionRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -60,7 +60,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importProduction"/>
     <alias alias="importRaw" name="importProductionRaw"/>
 </beans>
diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index 23154d3b..95222469 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -11,13 +11,13 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import additional channel-local beans.
     -->
     <import resource="file:${edugain.dir}/entity-blacklist.xml"/>
     <import resource="file:${edugain.dir}/verify-blacklist.xml"/>
-    
+
     <!--
         Location of various resources.
     -->
@@ -42,7 +42,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         Fetch the eduGAIN test aggregate.
     -->
@@ -55,13 +55,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         eduGAIN signing certificate.
     -->
     <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:int_edugain/mds-2014.cer"/>
-    
+
     <!--
         Check a signature against the eduGAIN signing certificate.
     -->
@@ -92,9 +92,9 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="int_edugain_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="int_edugain_removeBlacklistedEntities"/>
 
                 <!--
@@ -105,7 +105,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fetch the test entities as a collection.
     -->
@@ -122,11 +122,11 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="int_edugain_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
 
                 <ref bean="int_edugain_removeBlacklistedEntities"/>
-                
+
                 <!--
                     All eduGAIN entities should have mdrpi:RegistrationInfo elements, but
                     we can't check the actual values.
@@ -135,5 +135,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/int_edugain/check_recovered.xsl b/mdx/int_edugain/check_recovered.xsl
index d75b4e1b..4175fa21 100644
--- a/mdx/int_edugain/check_recovered.xsl
+++ b/mdx/int_edugain/check_recovered.xsl
@@ -2,7 +2,7 @@
 <!--
 
 	check_recovered.xsl
-	
+
 	Checking ruleset which labels every entity as having recovered from a previous
 	error condition.
 -->
@@ -22,5 +22,5 @@
 			<xsl:with-param name="m">entity has recovered from a previous error condition</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/int_edugain/verbs.xml b/mdx/int_edugain/verbs.xml
index 21f8be8a..e4fa53e4 100644
--- a/mdx/int_edugain/verbs.xml
+++ b/mdx/int_edugain/verbs.xml
@@ -11,17 +11,17 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:int_edugain/beans.xml"/>
-    
+
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -30,7 +30,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         removeUKEntities
 
@@ -64,7 +64,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importTest" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -75,10 +75,10 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         verify
-        
+
         Verifies that entities being imported from eduGAIN match our checks.
         Intended to be run from Jenkins once a week. Errors on the verification
         blacklist are ignored, so that we only need to deal with each entity
@@ -101,7 +101,7 @@
 
     <!--
         verify.new
-        
+
         Live verify, but adding "new" checks that we don't impose on the live import.
     -->
     <bean id="verify.new" parent="mda.SimplePipeline">
@@ -112,7 +112,7 @@
                 <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="false"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
-                
+
                 <ref bean="standardImportActions"/>
                 <ref bean="errorTerminatingFilter"/>
             </list>
@@ -121,7 +121,7 @@
 
     <!--
         verify.recovered
-        
+
         Looks for eduGAIN entities which *were* in an error state, as shown by
         their inclusion in our verification blacklist, but have now recovered.
     -->
@@ -130,16 +130,16 @@
             <list>
                 <ref bean="int_edugain_productionEntities"/>
                 <ref bean="removeUKEntities"/>
-                
+
                 <!-- remove all entities which still have errors -->
                 <ref bean="standardImportActions"/>
                 <ref bean="errorRemover"/>
-                
+
                 <!-- remove all entities *other* than the ones in the blacklist -->
                 <bean id="removeAllButBlacklistedEntities" parent="mda.EntityFilterStage"
                     p:whitelistingEntities="true"
                     p:designatedEntities-ref="int_edugain_verify_blacklist"/>
-                
+
                 <!-- flag up any remaining entities -->
                 <bean id="check_recovered" parent="mda.XSLValidationStage"
                     p:XSLResource="classpath:int_edugain/check_recovered.xsl"/>
@@ -148,13 +148,13 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         verify.all
-        
+
         Same as verify, but not making use of the validation
         blacklist. Can be used to check up on blacklisted entities.
-        
+
         Output also includes any warnings attached to entities, although
         these do not result in an error termination.
     -->
@@ -163,14 +163,14 @@
             <list>
                 <ref bean="int_edugain_productionEntities"/>
                 <ref bean="removeUKEntities"/>
-                
+
                 <ref bean="standardImportActions"/>
                 <ref bean="warningAndErrorAnnouncer"/>
                 <ref bean="errorTerminator"/>
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importProduction"/>
     <alias alias="importRaw" name="importProductionRaw"/>
 </beans>
diff --git a/mdx/ns_norm.xsl b/mdx/ns_norm.xsl
index 78ab442c..bef1f20b 100644
--- a/mdx/ns_norm.xsl
+++ b/mdx/ns_norm.xsl
@@ -2,20 +2,20 @@
 <!--
 
 	ns_norm.xsl
-	
+
 	XSL stylesheet that takes a SAML 2 metadata file and normalises
 	the namespaces used.  In general, this means assigning a standard
 	prefix to each known namespace and ensuring that those namespaces
 	are declared on the document element.
-	
+
 	The exception is the SAML 2.0 metadata namespace, which is established
 	as the default namespace for the document and therefore does not
 	require a prefix.
-	
+
 	The stylesheet operates by matching every element node in the document
 	and rebuilding it from scratch.  This has the side-effect of discarding
 	any unwanted namespace definitions from intermediate nodes.
-	
+
 	The result is a document with a large number of namespaces declared
 	with associated prefixes on the document element, and with few
 	(hopefully no) namespace prefix declarations elsewhere.  For any
@@ -29,7 +29,7 @@
 	after normalisation, some *de*normalisation will be required or at
 	least desirable prior to publication.  The responsibility for this
 	lies further down the processing pipeline.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -46,7 +46,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -65,16 +65,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -83,7 +83,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -92,8 +92,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		*********************************************
 		***                                       ***
@@ -101,15 +101,15 @@
 		***                                       ***
 		*********************************************
 	-->
-	
-	
+
+
 	<xsl:template match="md:*">
 		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		*************************************************************
 		***                                                       ***
@@ -117,7 +117,7 @@
 		***                                                       ***
 		*************************************************************
 	-->
-	
+
 
 	<xsl:template match="alg:*">
 		<xsl:element name="alg:{local-name()}">
@@ -130,43 +130,43 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="idpdisc:*">
 		<xsl:element name="idpdisc:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="init:*">
 		<xsl:element name="init:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="mdattr:*">
 		<xsl:element name="mdattr:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="mdrpi:*">
 		<xsl:element name="mdrpi:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="mdui:*">
 		<xsl:element name="mdui:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="saml:*">
 		<xsl:element name="saml:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<xsl:template match="shibmd:*">
 		<xsl:element name="shibmd:{local-name()}">
 			<xsl:apply-templates select="node()|@*"/>
@@ -184,8 +184,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
-		
+
+
 	<!--
 		*********************************************
 		***                                       ***
@@ -193,20 +193,20 @@
 		***                                       ***
 		*********************************************
 	-->
-	
-	
+
+
 	<!--
 		Copy text blocks, comments and attributes unchanged.
 	-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Copy all other elements from the input to the output, along with their
 		attributes and contents.
-		
+
 		Note that this will also copy across their namespaces and namespace prefix
 		declarations, which can result in denormalised output.  If that turns out
 		to be a problem in practice, this should be changed to reconstruct the
@@ -218,5 +218,5 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/schema/MetadataExchange.xsd b/mdx/schema/MetadataExchange.xsd
index 53094fb7..6dec545c 100644
--- a/mdx/schema/MetadataExchange.xsd
+++ b/mdx/schema/MetadataExchange.xsd
@@ -2,7 +2,7 @@
 <!--
 (c) 2004-2006 BEA Systems Inc., Computer Associates International, Inc.,
 International Business Machines Corporation, Microsoft Corporation,
-Inc., SAP AG, Sun Microsystems, and webMethods. All rights reserved. 
+Inc., SAP AG, Sun Microsystems, and webMethods. All rights reserved.
 
 Permission to copy and display the WS-MetadataExchange Specification
 (the "Specification"), in any medium without fee or royalty is hereby
@@ -90,8 +90,8 @@ No other rights are granted by implication, estoppel or otherwise.
       <xs:anyAttribute namespace='##other' processContents='lax' />
     </xs:complexType>
   </xs:element>
-  
-  <!-- 
+
+  <!--
        Ideally, the type of the MetadataReference would have been
        the union of wsa04:EndpointReferenceType and
        wsa10:EndpointReferenceType but unfortunately xs:union only
@@ -102,7 +102,7 @@ No other rights are granted by implication, estoppel or otherwise.
   <xs:element name='MetadataReference'>
     <xs:complexType>
       <xs:sequence>
-        <xs:any minOccurs='1' maxOccurs='unbounded' 
+        <xs:any minOccurs='1' maxOccurs='unbounded'
                 processContents='lax' namespace='##other' />
       </xs:sequence>
     </xs:complexType>
diff --git a/mdx/schema/incommon-metadata.xsd b/mdx/schema/incommon-metadata.xsd
index f33a8398..b1b046ed 100644
--- a/mdx/schema/incommon-metadata.xsd
+++ b/mdx/schema/incommon-metadata.xsd
@@ -7,13 +7,13 @@
   attributeFormDefault="unqualified"
   blockDefault="substitution"
   version="2.0">
-  
+
   <xs:annotation>
     <xs:documentation>
       Document title: Schema for InCommon Federation metadata extensions
       Document identifier: Metadata Extension Schema
       Location: https://spaces.internet2.edu/x/iIuVAQ
-      Revision history: 
+      Revision history:
       V1.2 (3 May 2013):
       Make schema itself schema-valid.
       V1.1 (2 May 2013):
@@ -22,7 +22,7 @@
       Initial version. Added contactType attribute.
     </xs:documentation>
   </xs:annotation>
-  
+
   <xs:attribute name="contactType" type="xs:anyURI"/>
-  
+
 </xs:schema>
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
index 6829a00f..536d869f 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2004. All Rights Reserved.
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
index f8d74e9c..36c61862 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
+<!--
 OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
 OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2004. All Rights Reserved.
@@ -7,11 +7,11 @@ This document and translations of it may be copied and furnished to others, and
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
-<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
+<xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 
 
 
-xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
+xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 elementFormDefault="qualified" attributeFormDefault="unqualified" version="0.1">
 	<!-- // Fault Codes /////////////////////////////////////////// -->
 	<xsd:simpleType name="tTimestampFault">
@@ -45,7 +45,7 @@ Convenience attribute group used to simplify this schema.
 	<xsd:complexType name="AttributedDateTime">
 		<xsd:annotation>
 			<xsd:documentation>
-This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes. 
+This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes.
       </xsd:documentation>
 		</xsd:annotation>
 		<xsd:simpleContent>
diff --git a/mdx/schema/refeds-metadata.xsd b/mdx/schema/refeds-metadata.xsd
index 1dadc094..3cab63b2 100644
--- a/mdx/schema/refeds-metadata.xsd
+++ b/mdx/schema/refeds-metadata.xsd
@@ -7,14 +7,14 @@
   attributeFormDefault="unqualified"
   blockDefault="substitution"
   version="2.0">
-  
+
   <xs:annotation>
     <xs:documentation>
       Unofficial schema for REFEDS metadata;
       specifically the contactType extension required for SIRTFI.
     </xs:documentation>
   </xs:annotation>
-  
+
   <xs:attribute name="contactType" type="xs:anyURI"/>
-  
+
 </xs:schema>
diff --git a/mdx/schema/saml-metadata-rpi-v1.0.xsd b/mdx/schema/saml-metadata-rpi-v1.0.xsd
index ebe5e9d1..d5025fe2 100644
--- a/mdx/schema/saml-metadata-rpi-v1.0.xsd
+++ b/mdx/schema/saml-metadata-rpi-v1.0.xsd
@@ -12,10 +12,10 @@
     xmlns="http://www.w3.org/2001/XMLSchema"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-    elementFormDefault="unqualified" 
-    attributeFormDefault="unqualified" 
-    blockDefault="substitution" 
-    version="1.0"> 
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    blockDefault="substitution"
+    version="1.0">
 
     <annotation>
         <documentation>
@@ -24,17 +24,17 @@
             Location: http://docs.oasis-open.org/security/saml/Post2.0/
             Revision history:
               21 March 2011
-                Correct minOccurs on elements that were meant to be optional              
+                Correct minOccurs on elements that were meant to be optional
               17 December 2010
                 Change of document title and namespace
               24 November 2010
                 Initial Submission
         </documentation>
     </annotation>
-    
+
     <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
     <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-    
+
     <element name="RegistrationInfo" type="mdrpi:RegistrationInfoType" />
     <complexType name="RegistrationInfoType">
         <sequence>
@@ -45,9 +45,9 @@
         <attribute name="registrationInstant" type="dateTime" />
         <anyAttribute namespace="##other" processContents="lax" />
     </complexType>
-    
+
     <element name="RegistrationPolicy" type="md:localizedURIType" />
-    
+
     <element name="PublicationInfo" type="mdrpi:PublicationInfoType" />
     <complexType name="PublicationInfoType">
         <sequence>
@@ -59,21 +59,21 @@
         <attribute name="publicationId" type="string" />
         <anyAttribute namespace="##other" processContents="lax" />
     </complexType>
-    
+
     <element name="UsagePolicy" type="md:localizedURIType" />
-    
+
     <element name="PublicationPath" type="mdrpi:PublicationPathType" />
     <complexType name="PublicationPathType">
         <sequence>
             <element ref="mdrpi:Publication" minOccurs="0" maxOccurs="unbounded" />
         </sequence>
     </complexType>
-    
+
     <element name="Publication" type="mdrpi:PublicationType" />
     <complexType name="PublicationType">
         <attribute name="publisher" type="string" use="required" />
         <attribute name="creationInstant" type="dateTime" />
         <attribute name="publicationId" type="string" />
     </complexType>
-    
+
 </schema>
diff --git a/mdx/schema/saml-schema-metadata-2.0.xsd b/mdx/schema/saml-schema-metadata-2.0.xsd
index b656d4f4..f052721c 100644
--- a/mdx/schema/saml-schema-metadata-2.0.xsd
+++ b/mdx/schema/saml-schema-metadata-2.0.xsd
@@ -47,14 +47,14 @@
             </extension>
         </simpleContent>
     </complexType>
-    
+
     <element name="Extensions" type="md:ExtensionsType"/>
     <complexType final="#all" name="ExtensionsType">
         <sequence>
             <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
         </sequence>
     </complexType>
-    
+
     <complexType name="EndpointType">
         <sequence>
             <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
@@ -64,7 +64,7 @@
         <attribute name="ResponseLocation" type="anyURI" use="optional"/>
         <anyAttribute namespace="##other" processContents="lax"/>
     </complexType>
-    
+
     <complexType name="IndexedEndpointType">
         <complexContent>
             <extension base="md:EndpointType">
@@ -73,7 +73,7 @@
             </extension>
         </complexContent>
     </complexType>
-    
+
     <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
     <complexType name="EntitiesDescriptorType">
         <sequence>
@@ -116,7 +116,7 @@
         <attribute name="ID" type="ID" use="optional"/>
         <anyAttribute namespace="##other" processContents="lax"/>
     </complexType>
-    
+
     <element name="Organization" type="md:OrganizationType"/>
     <complexType name="OrganizationType">
         <sequence>
@@ -202,7 +202,7 @@
         </restriction>
     </simpleType>
     <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
-    
+
     <complexType name="SSODescriptorType" abstract="true">
         <complexContent>
             <extension base="md:RoleDescriptorType">
@@ -239,7 +239,7 @@
     <element name="NameIDMappingService" type="md:EndpointType"/>
     <element name="AssertionIDRequestService" type="md:EndpointType"/>
     <element name="AttributeProfile" type="anyURI"/>
-    
+
     <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
     <complexType name="SPSSODescriptorType">
         <complexContent>
@@ -274,7 +274,7 @@
             </extension>
         </complexContent>
     </complexType>
-  
+
     <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
     <complexType name="AuthnAuthorityDescriptorType">
         <complexContent>
@@ -318,7 +318,7 @@
         </complexContent>
     </complexType>
     <element name="AttributeService" type="md:EndpointType"/>
-   
+
     <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
     <complexType name="AffiliationDescriptorType">
         <sequence>
diff --git a/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd b/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
index c4e0f58b..8e30f4af 100644
--- a/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
+++ b/mdx/schema/sstc-saml-metadata-algsupport-v1.0.xsd
@@ -10,7 +10,7 @@
 
 -->
 
-<schema 
+<schema
   targetNamespace="urn:oasis:names:tc:SAML:metadata:algsupport"
   xmlns="http://www.w3.org/2001/XMLSchema"
   xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
diff --git a/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd b/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
index 66a4a8ba..7b6e5325 100644
--- a/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
+++ b/mdx/schema/sstc-saml-metadata-ui-v1.0.xsd
@@ -8,7 +8,7 @@
   Source: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/cs01/xsd/
 -->
 
-<schema 
+<schema
   targetNamespace="urn:oasis:names:tc:SAML:metadata:ui"
   xmlns="http://www.w3.org/2001/XMLSchema"
   xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -62,7 +62,7 @@
       </extension>
     </simpleContent>
   </complexType>
-  
+
   <simpleType name="listOfStrings">
     <list itemType="string"/>
   </simpleType>
@@ -89,7 +89,7 @@
   </complexType>
 
   <element name="IPHint" type="string"/>
-  <element name="DomainHint" type="string"/>	
+  <element name="DomainHint" type="string"/>
   <element name="GeolocationHint" type="anyURI"/>
 
 </schema>
diff --git a/mdx/schema/uk-fed-label.xsd b/mdx/schema/uk-fed-label.xsd
index 854255e1..fdf261d3 100644
--- a/mdx/schema/uk-fed-label.xsd
+++ b/mdx/schema/uk-fed-label.xsd
@@ -4,17 +4,17 @@
     targetNamespace="http://ukfederation.org.uk/2006/11/label"
     version="2016-09-15"
     elementFormDefault="qualified">
-    
+
     <annotation>
         <documentation>
             This schema describes the UK federation label namespace.
-            
+
             For additional information, see the Federation Technical Specification.
-            
+
             This version of the schema follows FTS edition 1.1 of 1-June-2007.
         </documentation>
     </annotation>
-    
+
     <complexType name="basicLabel">
         <annotation>
             <documentation>
@@ -28,7 +28,7 @@
             neither text nor nested elements.
         -->
     </complexType>
-    
+
     <complexType name="datedLabel">
         <annotation>
             <documentation>
@@ -84,7 +84,7 @@
             </complexContent>
         </complexType>
     </element>
-    
+
     <element name="AccountableUsers" type="ukfedlabel:basicLabel">
         <annotation>
             <documentation>
@@ -95,7 +95,7 @@
             </documentation>
         </annotation>
     </element>
-    
+
     <element name="Software">
         <annotation>
             <documentation>
@@ -104,7 +104,7 @@
                 version of software used.  This information is added to
                 an entity only if it has been received from the deployer
                 of the entity on the indicated date.
-                
+
                 This information is used in entity fragment files only,
                 and is not included in the metadata published by the
                 UK federation.  Its principal use is in classifying
@@ -124,7 +124,7 @@
                             </documentation>
                         </annotation>
                     </attribute>
-                    
+
                     <attribute name="version" use="optional" type="token">
                         <annotation>
                             <documentation>
@@ -135,7 +135,7 @@
                             </documentation>
                         </annotation>
                     </attribute>
-                    
+
                     <attribute name="fullVersion" use="optional" type="token">
                         <annotation>
                             <documentation>
@@ -147,7 +147,7 @@
             </complexContent>
         </complexType>
     </element>
-    
+
     <element name="ExportOptIn" type="ukfedlabel:datedLabel">
         <annotation>
             <documentation>
@@ -156,7 +156,7 @@
             </documentation>
         </annotation>
     </element>
-    
+
     <element name="ExportOptOut" type="ukfedlabel:datedLabel">
         <annotation>
             <documentation>
@@ -165,5 +165,5 @@
             </documentation>
         </annotation>
     </element>
-    
+
 </schema>
diff --git a/mdx/schema/ws-addr.xsd b/mdx/schema/ws-addr.xsd
index 47362edb..2926d27d 100644
--- a/mdx/schema/ws-addr.xsd
+++ b/mdx/schema/ws-addr.xsd
@@ -16,7 +16,7 @@
    $Id: ws-addr.xsd,v 1.2 2008/07/23 13:38:16 plehegar Exp $
 -->
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.w3.org/2005/08/addressing" targetNamespace="http://www.w3.org/2005/08/addressing" blockDefault="#all" elementFormDefault="qualified" finalDefault="" attributeFormDefault="unqualified">
-	
+
 	<!-- Constructs from the WS-Addressing Core -->
 
 	<xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
@@ -29,7 +29,7 @@
 		</xs:sequence>
 		<xs:anyAttribute namespace="##other" processContents="lax"/>
 	</xs:complexType>
-	
+
 	<xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
 	<xs:complexType name="ReferenceParametersType" mixed="false">
 		<xs:sequence>
@@ -37,7 +37,7 @@
 		</xs:sequence>
 		<xs:anyAttribute namespace="##other" processContents="lax"/>
 	</xs:complexType>
-	
+
 	<xs:element name="Metadata" type="tns:MetadataType"/>
 	<xs:complexType name="MetadataType" mixed="false">
 		<xs:sequence>
@@ -45,7 +45,7 @@
 		</xs:sequence>
 		<xs:anyAttribute namespace="##other" processContents="lax"/>
 	</xs:complexType>
-	
+
 	<xs:element name="MessageID" type="tns:AttributedURIType"/>
 	<xs:element name="RelatesTo" type="tns:RelatesToType"/>
 	<xs:complexType name="RelatesToType" mixed="false">
@@ -56,17 +56,17 @@
 			</xs:extension>
 		</xs:simpleContent>
 	</xs:complexType>
-	
+
 	<xs:simpleType name="RelationshipTypeOpenEnum">
 		<xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
 	</xs:simpleType>
-	
+
 	<xs:simpleType name="RelationshipType">
 		<xs:restriction base="xs:anyURI">
 			<xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
 		</xs:restriction>
 	</xs:simpleType>
-	
+
 	<xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
 	<xs:element name="From" type="tns:EndpointReferenceType"/>
 	<xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
@@ -80,15 +80,15 @@
 			</xs:extension>
 		</xs:simpleContent>
 	</xs:complexType>
-	
+
 	<!-- Constructs from the WS-Addressing SOAP binding -->
 
 	<xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
-	
+
 	<xs:simpleType name="FaultCodesOpenEnumType">
 		<xs:union memberTypes="tns:FaultCodesType xs:QName"/>
 	</xs:simpleType>
-	
+
 	<xs:simpleType name="FaultCodesType">
 		<xs:restriction base="xs:QName">
 			<xs:enumeration value="tns:InvalidAddressingHeader"/>
@@ -104,7 +104,7 @@
 			<xs:enumeration value="tns:EndpointUnavailable"/>
 		</xs:restriction>
 	</xs:simpleType>
-	
+
 	<xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
 	<xs:complexType name="AttributedUnsignedLongType" mixed="false">
 		<xs:simpleContent>
@@ -113,7 +113,7 @@
 			</xs:extension>
 		</xs:simpleContent>
 	</xs:complexType>
-	
+
 	<xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
 	<xs:complexType name="AttributedQNameType" mixed="false">
 		<xs:simpleContent>
@@ -122,9 +122,9 @@
 			</xs:extension>
 		</xs:simpleContent>
 	</xs:complexType>
-	
+
 	<xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
-	
+
 	<xs:element name="ProblemAction" type="tns:ProblemActionType"/>
 	<xs:complexType name="ProblemActionType" mixed="false">
 		<xs:sequence>
@@ -133,5 +133,5 @@
 		</xs:sequence>
 		<xs:anyAttribute namespace="##other" processContents="lax"/>
 	</xs:complexType>
-	
+
 </xs:schema>
diff --git a/mdx/schema/ws-authorization.xsd b/mdx/schema/ws-authorization.xsd
index 0fcdade9..f9648dd9 100644
--- a/mdx/schema/ws-authorization.xsd
+++ b/mdx/schema/ws-authorization.xsd
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   -->
 
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
-       xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'    
+       xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
 		   xmlns:tns='http://docs.oasis-open.org/wsfed/authorization/200706'
 		   targetNamespace='http://docs.oasis-open.org/wsfed/authorization/200706'
 		   elementFormDefault='qualified' >
   <xs:import namespace='http://www.w3.org/2001/04/xmlenc#'
              schemaLocation='xenc-schema.xsd'/>
-  
+
   <!-- Section 9.2 -->
   <xs:element name='AdditionalContext' type='tns:AdditionalContextType' />
   <xs:complexType name='AdditionalContextType' >
@@ -46,7 +46,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:choice>
     <xs:attribute name='Name' type='xs:anyURI' use='required' />
 	<xs:attribute name='Scope' type='xs:anyURI' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 9.3 -->
@@ -66,7 +66,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:sequence>
 	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
 	<xs:attribute name='Optional' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name="DisplayNameType">
@@ -127,7 +127,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element name='ValueLowerBound' type='tns:ConstrainedSingleValueType' minOccurs='1' maxOccurs='1'/>
     </xs:sequence>
   </xs:complexType>
-  
+
   <xs:complexType name='ConstrainedSingleValueType'>
     <xs:choice minOccurs='0'>
       <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
diff --git a/mdx/schema/ws-federation.xsd b/mdx/schema/ws-federation.xsd
index f87059db..e6a2a322 100644
--- a/mdx/schema/ws-federation.xsd
+++ b/mdx/schema/ws-federation.xsd
@@ -1,23 +1,23 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   -->
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
@@ -179,8 +179,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:complexType name='IssuerNameType' >
 	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
 	<xs:anyAttribute namespace='##other' processContents='lax' />
-  </xs:complexType>  
-  
+  </xs:complexType>
+
   <!-- Section 3.1.4 -->
   <xs:element name='PsuedonymServiceEndpoints' type='tns:EndpointType' />
   <xs:complexType name='EndpointType' >
@@ -188,7 +188,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element ref='wsa:EndpointReference' minOccurs='1' maxOccurs='unbounded'/>
     </xs:sequence>
   </xs:complexType>
-  
+
   <!-- Section 3.1.5 -->
   <xs:element name='AttributeServiceEndpoints' type='tns:EndpointType' />
 
@@ -226,7 +226,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	</xs:sequence>
 	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.10 -->
   <!-- Defined above -->
   <!-- <xs:element name='ClaimTypesRequested' ype='tns:ClaimTypesRequestedType' /> -->
@@ -236,7 +236,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     </xs:sequence>
     <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.11 -->
   <!-- Defined above -->
   <!--<xs:element name='ClaimDialectsOffered' type='tns:ClaimDialectsOfferedType' />-->
@@ -254,18 +254,18 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     <xs:attribute name='Uri' type='xs:anyURI' />
     <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
-  
+
   <!-- Section 3.1.12 -->
   <!-- Defined above -->
   <!-- <xs:element name='AutomaticPseudonyms' type='xs:boolean' /> -->
 
   <!-- Section 3.1.13 -->
   <xs:element name='PassiveRequestorEnpoints' type='tns:EndpointType'/>
-  
+
   <!-- Section 3.1.14 -->
   <!-- Defined above -->
   <!--<xs:element name='TargetScopes' type='tns:EndpointType'/>-->
-  
+
   <!-- Section 3.2.4 -->
   <xs:element name='FederationMetadataHandler' type='tns:FederationMetadataHandlerType' />
   <xs:complexType name='FederationMetadataHandlerType' >
@@ -288,7 +288,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	<xs:sequence>
 	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='unbounded' />
 	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 4.2 -->
@@ -302,7 +302,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	  <xs:element ref='tns:RelativeTo' minOccurs='0' maxOccurs='1' />
 	  <xs:any namespace='##other' minOccurs='0' maxOccurs='unbounded' />
 	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='PseudonymBasis' type='tns:PseudonymBasisType' />
@@ -328,19 +328,19 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	<xs:sequence>
 	  <!--
 		  *** Accurate content model is nondeterministic ***
-		  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' /> 
+		  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
 		  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
 		  <xs:element ref='wsu:Expires' minOccurs='0' maxOccurs='1' />
 		  <xs:element ref='tns:SecurityToken' minOccurs='0' maxOccurs='unbounded' />
 		  <xs:element ref='tns:ProofToken' minOccurs='0' maxOccurs='unbounded' />
-		  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
+		  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
 	  -->
 
-	  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' /> 
+	  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
 	  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
+	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
 	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='SecurityToken' type='tns:SecurityTokenType' />
@@ -363,11 +363,11 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:element name='RequestPseudonym' type='tns:RequestPseudonymType' />
   <xs:complexType name='RequestPseudonymType' >
 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  
+	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
 	</xs:sequence>
 	<xs:attribute name='SingleUse' type='xs:boolean' use='optional' />
 	<xs:attribute name='Lookup' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />  
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 8.1 -->
@@ -378,15 +378,15 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	  <xs:element name='ReferenceDigest' type='tns:ReferenceDigestType' minOccurs='0' maxOccurs='1' />
 	  <xs:element name='ReferenceType' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
 	  <xs:element name='SerialNo' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  	  
+	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
 	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />  
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='ReferenceDigestType' >
 	<xs:simpleContent>
 	  <xs:extension base='xs:base64Binary' >
-		<xs:anyAttribute namespace='##other' processContents='lax' />  
+		<xs:anyAttribute namespace='##other' processContents='lax' />
 	  </xs:extension>
 	</xs:simpleContent>
   </xs:complexType>
@@ -397,7 +397,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
-  
+
   <!-- Section 8.2 -->
   <xs:element name='FederationID' type='tns:AttributeExtensibleURI' />
 
@@ -417,9 +417,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	  <xs:element name='PPID' type='tns:AttributeExtensibleString' minOccurs='0' />
 	  <xs:element name='DisplayName' type='tns:AttributeExtensibleString' minOccurs='0' />
 	  <xs:element name='EMail' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />	  	  
+	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
 	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />	
+	<xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='AttributeExtensibleString' >
@@ -436,7 +436,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	<xs:simpleContent>
 	  <xs:extension base='xs:unsignedInt' >
 		<xs:attribute name='AllowCache' type='xs:boolean' use='optional' />
-		<xs:anyAttribute namespace='##other' processContents='lax' />		
+		<xs:anyAttribute namespace='##other' processContents='lax' />
 	  </xs:extension>
 	</xs:simpleContent>
   </xs:complexType>
@@ -459,7 +459,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:element name='RequireSignedTokens' type='tns:AssertionType' />
   <xs:element name='RequireBearerTokens' type='tns:AssertionType' />
   <xs:element name='RequireSharedCookies' type='tns:AssertionType' />
-  
+
 
   <!-- Section 14.3 -->
   <xs:element name='RequiresGenericClaimDialect' type='tns:AssertionType' />
diff --git a/mdx/schema/ws-securitypolicy-1.2.xsd b/mdx/schema/ws-securitypolicy-1.2.xsd
index 948e78a9..9346a4b3 100644
--- a/mdx/schema/ws-securitypolicy-1.2.xsd
+++ b/mdx/schema/ws-securitypolicy-1.2.xsd
@@ -1,23 +1,23 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- 
-OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the 
-implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; 
-neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS 
-specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made 
-available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users 
+<!--
+OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the
+implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available;
+neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS
+specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made
+available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users
 of this specification, can be obtained from the OASIS Executive Director.
-OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may 
+OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may
 cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
 Copyright © OASIS Open 2002-2007. All Rights Reserved.
-This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist 
-in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the 
-above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified 
-in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, 
-in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate 
+This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist
+in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the
+above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified
+in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications,
+in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate
 it into languages other than English.
 The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
-This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, 
-INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
 <xs:schema
@@ -28,7 +28,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 	elementFormDefault="qualified"
 	blockDefault="#all" >
 
-  <xs:import namespace="http://www.w3.org/2005/08/addressing" 
+  <xs:import namespace="http://www.w3.org/2005/08/addressing"
 		schemaLocation="ws-addr.xsd" />
 
   <!--
@@ -253,7 +253,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- RequireDerivedKeys defined above. -->
   <!-- RequireImpliedDerivedKeys defined above. -->
   <!-- RequireExplicitDerivedKeys defined above. -->
-  
+
   <xs:element name="RequireKeyIdentifierReference" type="tns:QNameAssertionType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -574,7 +574,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
+
   <xs:element name="KeyValueToken" type="tns:KeyValueTokenType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -600,7 +600,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
+
   <!--
 	7. Security Binding Assertions
 	-->
@@ -1040,7 +1040,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- SignedElements defined above. -->
   <!-- EncryptedParts defined above. -->
   <!-- EncryptedElements defined above. -->
-  
+
   <xs:element name="EndorsingEncryptedSupportingTokens" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1066,7 +1066,7 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- SignedElements defined above. -->
   <!-- EncryptedParts defined above. -->
   <!-- EncryptedElements defined above. -->
-  
+
   <!--
 	9. WSS: SOAP Message Security Options
 	-->
@@ -1201,5 +1201,5 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:documentation>
     </xs:annotation>
   </xs:element>
-  
+
 </xs:schema>
diff --git a/mdx/schema/xenc-schema-11.xsd b/mdx/schema/xenc-schema-11.xsd
index 1abb6437..1a8ceb2a 100644
--- a/mdx/schema/xenc-schema-11.xsd
+++ b/mdx/schema/xenc-schema-11.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
diff --git a/mdx/schema/xenc-schema.xsd b/mdx/schema/xenc-schema.xsd
index cdfc8333..82f7be4b 100644
--- a/mdx/schema/xenc-schema.xsd
+++ b/mdx/schema/xenc-schema.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
@@ -35,7 +35,7 @@
     <attribute name='MimeType' type='string' use='optional'/>
     <attribute name='Encoding' type='anyURI' use='optional'/>
   </complexType>
-  
+
   <complexType name='EncryptionMethodType' mixed='true'>
     <sequence>
       <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
@@ -166,6 +166,6 @@
   </complexType>
 
   <!-- End Children of ds:KeyValue -->
-  
+
 </schema>
 
diff --git a/mdx/schema/xml.xsd b/mdx/schema/xml.xsd
index 38bba34d..f10e6abb 100644
--- a/mdx/schema/xml.xsd
+++ b/mdx/schema/xml.xsd
@@ -27,7 +27,7 @@
         &lt;type . . .>
          . . .
          &lt;attributeGroup ref="xml:specialAttrs"/>
- 
+
          will define a type which will schema-validate an instance
          element with any of those attributes</xs:documentation>
  </xs:annotation>
diff --git a/mdx/schema/xmldsig-core-schema.xsd b/mdx/schema/xmldsig-core-schema.xsd
index 07aad278..ebcd6a42 100644
--- a/mdx/schema/xmldsig-core-schema.xsd
+++ b/mdx/schema/xmldsig-core-schema.xsd
@@ -19,7 +19,7 @@
 <schema xmlns="http://www.w3.org/2001/XMLSchema"
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
         targetNamespace="http://www.w3.org/2000/09/xmldsig#"
-        version="0.1" elementFormDefault="qualified"> 
+        version="0.1" elementFormDefault="qualified">
 
 <!-- Basic Types Defined for Signatures -->
 
@@ -32,16 +32,16 @@
 
 <element name="Signature" type="ds:SignatureType"/>
 <complexType name="SignatureType">
-  <sequence> 
-    <element ref="ds:SignedInfo"/> 
-    <element ref="ds:SignatureValue"/> 
-    <element ref="ds:KeyInfo" minOccurs="0"/> 
-    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> 
-  </sequence>  
+  <sequence>
+    <element ref="ds:SignedInfo"/>
+    <element ref="ds:SignatureValue"/>
+    <element ref="ds:KeyInfo" minOccurs="0"/>
+    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+  </sequence>
   <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-  <element name="SignatureValue" type="ds:SignatureValueType"/> 
+  <element name="SignatureValue" type="ds:SignatureValueType"/>
   <complexType name="SignatureValueType">
     <simpleContent>
       <extension base="base64Binary">
@@ -54,21 +54,21 @@
 
 <element name="SignedInfo" type="ds:SignedInfoType"/>
 <complexType name="SignedInfoType">
-  <sequence> 
-    <element ref="ds:CanonicalizationMethod"/> 
-    <element ref="ds:SignatureMethod"/> 
-    <element ref="ds:Reference" maxOccurs="unbounded"/> 
-  </sequence>  
-  <attribute name="Id" type="ID" use="optional"/> 
+  <sequence>
+    <element ref="ds:CanonicalizationMethod"/>
+    <element ref="ds:SignatureMethod"/>
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> 
+  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
   <complexType name="CanonicalizationMethodType" mixed="true">
     <sequence>
       <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
       <!-- (0,unbounded) elements from (1,1) namespace -->
     </sequence>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
   <element name="SignatureMethod" type="ds:SignatureMethodType"/>
@@ -78,48 +78,48 @@
       <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
       <!-- (0,unbounded) elements from (1,1) external namespace -->
     </sequence>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
 <!-- Start Reference -->
 
 <element name="Reference" type="ds:ReferenceType"/>
 <complexType name="ReferenceType">
-  <sequence> 
-    <element ref="ds:Transforms" minOccurs="0"/> 
-    <element ref="ds:DigestMethod"/> 
-    <element ref="ds:DigestValue"/> 
+  <sequence>
+    <element ref="ds:Transforms" minOccurs="0"/>
+    <element ref="ds:DigestMethod"/>
+    <element ref="ds:DigestValue"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
-  <attribute name="URI" type="anyURI" use="optional"/> 
-  <attribute name="Type" type="anyURI" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
+  <attribute name="URI" type="anyURI" use="optional"/>
+  <attribute name="Type" type="anyURI" use="optional"/>
 </complexType>
 
   <element name="Transforms" type="ds:TransformsType"/>
   <complexType name="TransformsType">
     <sequence>
-      <element ref="ds:Transform" maxOccurs="unbounded"/>  
+      <element ref="ds:Transform" maxOccurs="unbounded"/>
     </sequence>
   </complexType>
 
   <element name="Transform" type="ds:TransformType"/>
   <complexType name="TransformType" mixed="true">
-    <choice minOccurs="0" maxOccurs="unbounded"> 
+    <choice minOccurs="0" maxOccurs="unbounded">
       <any namespace="##other" processContents="lax"/>
       <!-- (1,1) elements from (0,unbounded) namespaces -->
-      <element name="XPath" type="string"/> 
+      <element name="XPath" type="string"/>
     </choice>
-    <attribute name="Algorithm" type="anyURI" use="required"/> 
+    <attribute name="Algorithm" type="anyURI" use="required"/>
   </complexType>
 
 <!-- End Reference -->
 
 <element name="DigestMethod" type="ds:DigestMethodType"/>
-<complexType name="DigestMethodType" mixed="true"> 
+<complexType name="DigestMethodType" mixed="true">
   <sequence>
     <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-  </sequence>    
-  <attribute name="Algorithm" type="anyURI" use="required"/> 
+  </sequence>
+  <attribute name="Algorithm" type="anyURI" use="required"/>
 </complexType>
 
 <element name="DigestValue" type="ds:DigestValueType"/>
@@ -131,26 +131,26 @@
 
 <!-- Start KeyInfo -->
 
-<element name="KeyInfo" type="ds:KeyInfoType"/> 
+<element name="KeyInfo" type="ds:KeyInfoType"/>
 <complexType name="KeyInfoType" mixed="true">
-  <choice maxOccurs="unbounded">     
-    <element ref="ds:KeyName"/> 
-    <element ref="ds:KeyValue"/> 
-    <element ref="ds:RetrievalMethod"/> 
-    <element ref="ds:X509Data"/> 
-    <element ref="ds:PGPData"/> 
+  <choice maxOccurs="unbounded">
+    <element ref="ds:KeyName"/>
+    <element ref="ds:KeyValue"/>
+    <element ref="ds:RetrievalMethod"/>
+    <element ref="ds:X509Data"/>
+    <element ref="ds:PGPData"/>
     <element ref="ds:SPKIData"/>
     <element ref="ds:MgmtData"/>
     <any processContents="lax" namespace="##other"/>
     <!-- (1,1) elements from (0,unbounded) namespaces -->
   </choice>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
   <element name="KeyName" type="string"/>
   <element name="MgmtData" type="string"/>
 
-  <element name="KeyValue" type="ds:KeyValueType"/> 
+  <element name="KeyValue" type="ds:KeyValueType"/>
   <complexType name="KeyValueType" mixed="true">
    <choice>
      <element ref="ds:DSAKeyValue"/>
@@ -159,18 +159,18 @@
    </choice>
   </complexType>
 
-  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> 
+  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
   <complexType name="RetrievalMethodType">
     <sequence>
-      <element ref="ds:Transforms" minOccurs="0"/> 
-    </sequence>  
+      <element ref="ds:Transforms" minOccurs="0"/>
+    </sequence>
     <attribute name="URI" type="anyURI"/>
     <attribute name="Type" type="anyURI" use="optional"/>
   </complexType>
 
 <!-- Start X509Data -->
 
-<element name="X509Data" type="ds:X509DataType"/> 
+<element name="X509Data" type="ds:X509DataType"/>
 <complexType name="X509DataType">
   <sequence maxOccurs="unbounded">
     <choice>
@@ -184,10 +184,10 @@
   </sequence>
 </complexType>
 
-<complexType name="X509IssuerSerialType"> 
-  <sequence> 
-    <element name="X509IssuerName" type="string"/> 
-    <element name="X509SerialNumber" type="integer"/> 
+<complexType name="X509IssuerSerialType">
+  <sequence>
+    <element name="X509IssuerName" type="string"/>
+    <element name="X509SerialNumber" type="integer"/>
   </sequence>
 </complexType>
 
@@ -195,17 +195,17 @@
 
 <!-- Begin PGPData -->
 
-<element name="PGPData" type="ds:PGPDataType"/> 
-<complexType name="PGPDataType"> 
+<element name="PGPData" type="ds:PGPDataType"/>
+<complexType name="PGPDataType">
   <choice>
     <sequence>
-      <element name="PGPKeyID" type="base64Binary"/> 
-      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> 
+      <element name="PGPKeyID" type="base64Binary"/>
+      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
        maxOccurs="unbounded"/>
     </sequence>
     <sequence>
-      <element name="PGPKeyPacket" type="base64Binary"/> 
+      <element name="PGPKeyPacket" type="base64Binary"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
        maxOccurs="unbounded"/>
     </sequence>
@@ -216,13 +216,13 @@
 
 <!-- Begin SPKIData -->
 
-<element name="SPKIData" type="ds:SPKIDataType"/> 
+<element name="SPKIData" type="ds:SPKIDataType"/>
 <complexType name="SPKIDataType">
   <sequence maxOccurs="unbounded">
     <element name="SPKISexp" type="base64Binary"/>
     <any namespace="##other" processContents="lax" minOccurs="0"/>
   </sequence>
-</complexType> 
+</complexType>
 
 <!-- End SPKIData -->
 
@@ -230,40 +230,40 @@
 
 <!-- Start Object (Manifest, SignatureProperty) -->
 
-<element name="Object" type="ds:ObjectType"/> 
+<element name="Object" type="ds:ObjectType"/>
 <complexType name="ObjectType" mixed="true">
   <sequence minOccurs="0" maxOccurs="unbounded">
     <any namespace="##any" processContents="lax"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
   <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
-  <attribute name="Encoding" type="anyURI" use="optional"/> 
+  <attribute name="Encoding" type="anyURI" use="optional"/>
 </complexType>
 
-<element name="Manifest" type="ds:ManifestType"/> 
+<element name="Manifest" type="ds:ManifestType"/>
 <complexType name="ManifestType">
   <sequence>
-    <element ref="ds:Reference" maxOccurs="unbounded"/> 
+    <element ref="ds:Reference" maxOccurs="unbounded"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-<element name="SignatureProperties" type="ds:SignaturePropertiesType"/> 
+<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
 <complexType name="SignaturePropertiesType">
   <sequence>
-    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> 
+    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
   </sequence>
-  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="Id" type="ID" use="optional"/>
 </complexType>
 
-   <element name="SignatureProperty" type="ds:SignaturePropertyType"/> 
+   <element name="SignatureProperty" type="ds:SignaturePropertyType"/>
    <complexType name="SignaturePropertyType" mixed="true">
      <choice maxOccurs="unbounded">
        <any namespace="##other" processContents="lax"/>
        <!-- (1,1) elements from (1,unbounded) namespaces -->
      </choice>
-     <attribute name="Target" type="anyURI" use="required"/> 
-     <attribute name="Id" type="ID" use="optional"/> 
+     <attribute name="Target" type="anyURI" use="required"/>
+     <attribute name="Id" type="ID" use="optional"/>
    </complexType>
 
 <!-- End Object (Manifest, SignatureProperty) -->
@@ -296,10 +296,10 @@
 <element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
 <complexType name="RSAKeyValueType">
   <sequence>
-    <element name="Modulus" type="ds:CryptoBinary"/> 
-    <element name="Exponent" type="ds:CryptoBinary"/> 
+    <element name="Modulus" type="ds:CryptoBinary"/>
+    <element name="Exponent" type="ds:CryptoBinary"/>
   </sequence>
-</complexType> 
+</complexType>
 
 <!-- End KeyValue Element-types -->
 
diff --git a/mdx/schema/xmldsig11-schema.xsd b/mdx/schema/xmldsig11-schema.xsd
index f03643a3..4de60789 100644
--- a/mdx/schema/xmldsig11-schema.xsd
+++ b/mdx/schema/xmldsig11-schema.xsd
@@ -2,14 +2,14 @@
 
 <!--
 #
-# Copyright ©[2011] World Wide Web Consortium 
-# (Massachusetts Institute of Technology,  
-#  European Research Consortium for Informatics and Mathematics, 
-#  Keio University). All Rights Reserved.  
+# Copyright ©[2011] World Wide Web Consortium
+# (Massachusetts Institute of Technology,
+#  European Research Consortium for Informatics and Mathematics,
+#  Keio University). All Rights Reserved.
 # This work is distributed under the W3C® Software License [1] in the
 # hope that it will be useful, but WITHOUT ANY WARRANTY; without even
 # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. 
+# PURPOSE.
 # [1] http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
 #
 -->
@@ -37,7 +37,7 @@
   <complexType name="NamedCurveType">
     <attribute name="URI" type="anyURI" use="required"/>
   </complexType>
-  
+
   <simpleType name="ECPointType">
     <restriction base="ds:CryptoBinary"/>
   </simpleType>
@@ -53,7 +53,7 @@
                type="dsig11:ECValidationDataType" minOccurs="0"/>
     </sequence>
   </complexType>
-  
+
   <complexType name="FieldIDType">
     <choice>
       <element ref="dsig11:Prime"/>
@@ -91,7 +91,7 @@
       <element name="M" type="positiveInteger"/>
     </sequence>
   </complexType>
-  
+
   <element name="TnB" type="dsig11:TnBFieldParamsType"/>
   <complexType name="TnBFieldParamsType">
     <complexContent>
@@ -125,7 +125,7 @@
     </simpleContent>
   </complexType>
 
-  <element name="KeyInfoReference" type="dsig11:KeyInfoReferenceType"/> 
+  <element name="KeyInfoReference" type="dsig11:KeyInfoReferenceType"/>
   <complexType name="KeyInfoReferenceType">
     <attribute name="URI" type="anyURI" use="required"/>
     <attribute name="Id" type="ID" use="optional"/>
diff --git a/mdx/strip-aa-mdui.xsl b/mdx/strip-aa-mdui.xsl
index dd323f4b..755cefb7 100644
--- a/mdx/strip-aa-mdui.xsl
+++ b/mdx/strip-aa-mdui.xsl
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	strip-aa-mdui.xsl
-	
+
 	Remove all MDUI metadata from attribute authority roles.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -16,17 +16,17 @@
 		Remove all MDUI metadata from attribute authority roles.
 	-->
 	<xsl:template match="md:AttributeAuthorityDescriptor/md:Extensions/mdui:*"/>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/strip-comments.xsl b/mdx/strip-comments.xsl
index d42afa7e..b1545093 100644
--- a/mdx/strip-comments.xsl
+++ b/mdx/strip-comments.xsl
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	strip-comments.xsl
-	
+
 	Remove all comment nodes from a document.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -17,12 +17,12 @@
 	<xsl:template match="text()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/strip-mdui-logo-data.xsl b/mdx/strip-mdui-logo-data.xsl
index da379da0..7036cbe1 100644
--- a/mdx/strip-mdui-logo-data.xsl
+++ b/mdx/strip-mdui-logo-data.xsl
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	
+
 	strip-mdui-logo-data.xsl
-	
+
 	Remove all mdui:Logo elements containing data: URLs.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -16,17 +16,17 @@
 	    Remove all mdui:Logo elements containing data: URLs.
 	-->
 	<xsl:template match="mdui:Logo[starts-with(., 'data:')]"/>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/test/beans.xml b/mdx/test/beans.xml
index 3d6d2700..e3a8f5a0 100644
--- a/mdx/test/beans.xml
+++ b/mdx/test/beans.xml
@@ -11,14 +11,14 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Fetch the aggregate aggregate.
     -->
     <bean id="test_aggregate" parent="mda.DOMResourceSourceStage"
         p:parserPool-ref="parserPool"
         p:DOMResource="classpath:test/input.xml"/>
-    
+
     <!--
         Fetch and process the entities as a collection.
     -->
@@ -30,5 +30,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/test/verbs.xml b/mdx/test/verbs.xml
index 8a6d93e7..3214ed55 100644
--- a/mdx/test/verbs.xml
+++ b/mdx/test/verbs.xml
@@ -11,17 +11,17 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:test/beans.xml"/>
-    
+
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -30,7 +30,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="import" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -50,5 +50,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index c70c921e..22b88e63 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -21,18 +21,18 @@
     <bean id="uk_exportAggregate_url" parent="String">
         <constructor-arg value="http://metadata.ukfederation.org.uk/ukfederation-export.xml"/>
     </bean>
-    
-    
+
+
     <!--
         uk_federation_uri
-        
+
         URI for the UK federation.  Used in several contexts:
-        
+
         * as the Name attribute for the main EntitiesDescriptor in UK federation metadata
           (not always the document element)
-          
+
         * in mdrpi:PublicationInfo, as the unique identifier for the UK federation publisher
-        
+
         It is the same as the URI used to indicate the UK federation as a registrar, so is made
         an alias of that bean.
     -->
@@ -47,12 +47,12 @@
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
-                <constructor-arg name="url" ref="uk_exportAggregate_url"/>        
+                <constructor-arg name="url" ref="uk_exportAggregate_url"/>
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         Fetch the production aggregate.
     -->
@@ -61,30 +61,30 @@
         <property name="DOMResource">
             <bean parent="HTTPResource">
                 <constructor-arg name="client" ref="httpClient"/>
-                <constructor-arg name="url" ref="uk_productionAggregate_url"/>        
+                <constructor-arg name="url" ref="uk_productionAggregate_url"/>
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         Metadata signing certificate.
     -->
     <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean"
         p:resource="classpath:uk/ukfederation-2014.pem"/>
-    
-    
+
+
     <!--
         Check the signature on a document.
     -->
     <bean id="uk_checkSignature" parent="XMLSignatureValidationStage">
         <property name="verificationCertificate" ref="uk_signingCertificate"/>
     </bean>
-    
-    
+
+
     <!--
         uk_check_validUntil
-        
+
         Check that an aggregate has a validUntil instant specified, and that it has not
         yet expired.  Sets a bound of 30 days on the validity interval; 14 days is the
         expected value.
@@ -99,13 +99,13 @@
         -->
         <property name="maxValidityInterval" value="#{ 1000L * 60 * 60 * 24 * 30 }"/>
     </bean>
-    
-    
+
+
     <!--
         uk_fetchFragmentFiles
-        
+
         Collects all the UK metadata "fragment files" from the /entities directory.
-        
+
         Each fragment file contains a single EntityDescriptor.  The name of each
         eligible file matches a particular regular expression.
     -->
@@ -122,11 +122,11 @@
             </bean>
         </property>
     </bean>
-    
-    
+
+
     <!--
         uk_membersDocument
-        
+
         This bean contains the contents of the members.xml file as a DOM Document.
     -->
     <bean id="uk_membersDocument" parent="DOMDocumentFactoryBean">
@@ -135,11 +135,11 @@
         </property>
         <property name="parserPool" ref="parserPool"/>
     </bean>
-    
-    
+
+
     <!--
         uk_membersSchemaDocument
-        
+
         This bean loads the schema for the members.xml file as a DOM Document.
     -->
     <bean id="uk_membersSchemaDocument" parent="DOMDocumentFactoryBean">
@@ -148,43 +148,43 @@
         </property>
         <property name="parserPool" ref="parserPool"/>
     </bean>
-    
+
 
     <!--
         uk_members
-        
+
         This bean implements an API for access to the contents of the members.xml document.
     -->
     <bean id="uk_members" class="uk.org.ukfederation.members.Members"
         c:_0-ref="uk_membersDocument"
         c:_1-ref="uk_membersSchemaDocument"/>
-    
-    
+
+
     <!--
         uk_fix_mailto
-        
+
         Adds "mailto:" to md:EmailAddress elements which don't already have it.
     -->
     <bean id="uk_fix_mailto" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fix_mailto.xsl"/>
-    
-    
+
+
     <!--
         check_ukreg
-        
+
         Checks specific to the UK registrar function.
     -->
     <bean id="check_ukreg" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_ukreg.xsl"/>
-    
+
     <!--
         check_owner
-        
+
         Checks that entities are owned by UK federation members.
     -->
     <bean id="check_owner" parent="ukf.EntityOwnerCheckingStage"
         p:members-ref="uk_members"/>
-    
+
     <!--
         check_uk_keydesc_key
     -->
@@ -197,34 +197,34 @@
     -->
     <bean id="check_uk_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdattr.xsl"/>
-    
-    
+
+
     <!--
         check_uk_mdrps
     -->
     <bean id="check_uk_mdrps" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_mdrps.xsl"/>
-    
-    
+
+
     <!--
         check_uk_urlenc
     -->
     <bean id="check_uk_urlenc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:uk/check_uk_urlenc.xsl"/>
-    
+
 
     <!--
         uk_processFragment
-        
+
         This stage performs any standard cleanup required for UK federation fragment files.
     -->
     <bean id="uk_processFragment" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/fragment.xsl"/>
-    
-    
+
+
     <!--
         uk_stripAdminContacts
-        
+
         Remove any md:ContactPerson elements with contactType of "administrative".
     -->
     <bean id="uk_stripAdminContacts" parent="mda.ContactPersonFilterStage">
@@ -235,17 +235,17 @@
         </property>
         <property name="whitelistingTypes" value="false"/>
     </bean>
-    
-    
+
+
     <!--
         Populate UKId values from entities.
     -->
     <bean id="uk_populateIds" parent="ukf.EntityDescriptorUKIdPopulationStage"/>
-    
+
 
     <!--
         UK federation named EntitiesDescriptor assembler pipeline stage.
-        
+
         Name attribute is set to the federation URI.  UK ordering is applied.
     -->
     <bean id="uk_assemble" parent="mda.EntitiesDescriptorAssemblerStage">
@@ -254,7 +254,7 @@
             <bean parent="ukf.UKEntityOrderingStrategy"/>
         </property>
     </bean>
-    
+
 
 
     <!--
@@ -283,7 +283,7 @@
                 <ref bean="uk_populateIds"/>
                 <ref bean="uk_default_regauth"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
+
                 <ref bean="checkSchemas"/>
                 <ref bean="CHECK_std"/>
                 <bean id="check_ukfedlabel" parent="mda.XSLValidationStage"
@@ -297,7 +297,7 @@
                 <ref bean="mdui_dn_en_present"/>
                 <ref bean="mdui_dn_en_match"/>
                 <ref bean="check_dup_display"/>
-                
+
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
@@ -308,18 +308,18 @@
                             <bean parent="mda.X509RSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
                             <bean parent="ukf.X509ConsistentNameValidator"/>
-                            
+
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
@@ -332,16 +332,16 @@
             </list>
         </property>
     </bean>
-    
-    
+
+
     <!--
         uk_stripExtensions
-        
+
         Strip those UK federation extensions which we never publish.
     -->
     <bean id="uk_stripExtensions" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/strip_extensions.xsl"/>
-    
+
 
     <!--
         uk_strip_UKFederationMember
@@ -357,17 +357,17 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         uk_normaliseNamespaces
-        
+
         A pipeline stage that can be used before serialisation to normalise the namespaces
         used in an XML document.  This one is UK-specific, as it makes specific choices
         in order to limit the number of prefixes used.
     -->
     <bean id="uk_normaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_uk.xsl"/>
-    
+
     <!--
         *************************************************
         ***                                           ***
@@ -375,10 +375,10 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         uk_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -389,10 +389,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         uk_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -403,7 +403,7 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         *********************************************
         ***                                       ***
@@ -411,10 +411,10 @@
         ***                                       ***
         *********************************************
     -->
-    
+
     <!--
         uk_serializeStatistics
-        
+
         Serialise the (assumed HTML) DomDocumentItem into the UK federation statistics
         output file in the production XML directory.
     -->
@@ -426,10 +426,10 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         uk_generateStatistics
-        
+
         Input is an aggregate of all registered entities, output is the HTML statistics.
     -->
     <bean id="uk_generateStatistics" parent="mda.XSLTransformationStage"
@@ -440,10 +440,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         uk_statisticsPipeline
-        
+
         Pipeline to generate the registrar statistics for the UK federation's
         registered entities.  Input is assumed to be a collection of the entities in question;
         resulting HTML output is written into the appropriate file in the production
@@ -458,7 +458,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         #################################################
         ###                                           ###
@@ -466,7 +466,7 @@
         ###                                           ###
         #################################################
     -->
-    
+
     <!--
         Fetch the export entities as a collection.
     -->
@@ -474,7 +474,7 @@
         <property name="composedStages">
             <list>
                 <ref bean="uk_exportAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -483,13 +483,13 @@
                 <ref bean="uk_check_validUntil"/>
                 <ref bean="uk_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <ref bean="uk_default_regauth"/>
                 <ref bean="uk_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
 </beans>
diff --git a/mdx/uk/blacklist.xml b/mdx/uk/blacklist.xml
index d3cca924..10658de7 100644
--- a/mdx/uk/blacklist.xml
+++ b/mdx/uk/blacklist.xml
@@ -24,7 +24,7 @@
         silently discards entities containing errors anyway.
     -->
     <util:set id="importEntityBlacklist">
-        
+
     </util:set>
-    
+
 </beans>
diff --git a/mdx/uk/check_fixup_encmethod.xsl b/mdx/uk/check_fixup_encmethod.xsl
index 0e5825cf..59841507 100644
--- a/mdx/uk/check_fixup_encmethod.xsl
+++ b/mdx/uk/check_fixup_encmethod.xsl
@@ -19,11 +19,11 @@
 	-->
 	<xsl:import href="../_rules/check_framework.xsl"/>
 
-	
+
 	<!--
 		Use of EncryptionMethod within KeyDescriptor causes metadata loading problems
 		for OpenSAML-C 2.0.
-		
+
 		See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0
 	-->
 	<xsl:template match="md:KeyDescriptor/md:EncryptionMethod">
@@ -31,6 +31,6 @@
 			<xsl:with-param name="m">KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_keydesc_key.xsl b/mdx/uk/check_uk_keydesc_key.xsl
index 1214b41c..bd9c2db3 100644
--- a/mdx/uk/check_uk_keydesc_key.xsl
+++ b/mdx/uk/check_uk_keydesc_key.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_uk_keydesc_key.xsl
-	
+
     UKf-specific check that all KeyDescriptor elements contain an embedded key.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -29,5 +29,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index b5709e1a..e5016f1b 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_uk_mdattr.xsl
-	
+
     UKf-specific check for appropriate entity attributes in fragment files.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -12,11 +12,11 @@
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	
+
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-	
+
 	<!--
 		Common support functions.
 	-->
@@ -31,7 +31,7 @@
 			<xsl:with-param name="m">Assertion not permitted within EntityAttributes</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		All entity attributes should have the standard SAML 2.0 URI name format.
 	-->
@@ -72,7 +72,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
 		Validate entity category values.
 	-->
@@ -89,7 +89,7 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 	<!--
         Validate entity category support values.
     -->
diff --git a/mdx/uk/check_uk_mdrps.xsl b/mdx/uk/check_uk_mdrps.xsl
index d7b83d45..50b72cca 100644
--- a/mdx/uk/check_uk_mdrps.xsl
+++ b/mdx/uk/check_uk_mdrps.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	check_uk_mdrps.xsl
-	
+
     UKf-specific check for appropriate RegistrationPolicy values.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -35,8 +35,8 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Restrict registrationAuthority values for UK federation entities, if present,
 		to previously used MDRPS document URLs.
@@ -52,6 +52,6 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_urlenc.xsl b/mdx/uk/check_uk_urlenc.xsl
index d9806fc9..caf20da5 100644
--- a/mdx/uk/check_uk_urlenc.xsl
+++ b/mdx/uk/check_uk_urlenc.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_uk_urlenc.xsl
-	
+
     UKf-specific check for endpoint locations that include a '%' character,
     which is symptomatic of their being URL-encoded instead of entity-encoded.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -27,6 +27,6 @@
 			<xsl:with-param name="m">URL-encoded Location attribute; should be entity-encoded</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/check_ukreg.xsl b/mdx/uk/check_ukreg.xsl
index 28434419..e1897d02 100644
--- a/mdx/uk/check_ukreg.xsl
+++ b/mdx/uk/check_ukreg.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	check_ukreg.xsl
-	
+
 	Checking ruleset containing rules that only apply to metadata registered
 	by the UK federation's registrar function.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -24,7 +24,7 @@
 	-->
 	<xsl:import href="../_rules/check_framework.xsl"/>
 
-	
+
 	<!--
 		Check for badly formatted e-mail addresses.
 	-->
@@ -33,8 +33,8 @@
 			<xsl:with-param name="m">badly formatted e-mail address: '<xsl:value-of select='.'/>'</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		Check for https:// locations that use an explicit but redundant port specifier.
 	-->
@@ -49,5 +49,5 @@
 			</xsl:with-param>
 		</xsl:call-template>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/collect.xml b/mdx/uk/collect.xml
index 9b1d2c45..fd7392f5 100644
--- a/mdx/uk/collect.xml
+++ b/mdx/uk/collect.xml
@@ -16,7 +16,7 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
diff --git a/mdx/uk/entity_scopes.xsl b/mdx/uk/entity_scopes.xsl
index 66c3548f..71c2a941 100644
--- a/mdx/uk/entity_scopes.xsl
+++ b/mdx/uk/entity_scopes.xsl
@@ -10,7 +10,7 @@
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	
+
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -22,17 +22,17 @@
 	<xsl:template match="md:EntityDescriptor/md:Extensions/shibmd:Scope">
 		<!-- remove entirely -->
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index f27f7e9a..cb8a50b2 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -4,7 +4,7 @@
 	final_tweak.xsl
 
 	Final tweaks required for UK federation aggregates.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -13,7 +13,7 @@
 	xmlns:date="http://exslt.org/dates-and-times"
 	xmlns:mdxDates="xalan://uk.ac.sdss.xalan.md.Dates"
 	extension-element-prefixes="date mdxDates"
-	
+
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -24,37 +24,37 @@
 
 	<!--
 		extraText
-		
+
 		This parameter, if present, provides additional text to be put in the
 		document comment.
 	-->
 	<xsl:param name="extraText"/>
-	
+
 	<!--
         publisher
-        
+
         This parameter, if present, prompts the generation of a PublicationInfo
         element on the EntitiesDescriptor.
     -->
 	<xsl:param name="publisher"/>
-	
+
 	<!--
 		validityDays
-		
+
 		This parameter determines the number of days between the aggregation instant and the
 		end of validity of the signed metadata.
 	-->
 	<xsl:param name="validityDays" select="14"/>
-	
+
 	<xsl:variable name="now" select="date:date-time()"/>
 	<xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
-	
+
 	<!--
 		documentID
-		
+
 		This value is generated from a normalised version of the aggregation instant,
 		transformed so that it can be used as an XML ID value.
-		
+
 		Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
 		that the signature explicitly references an identifier attribute in the element
 		being signed, in this case the document element.
@@ -70,7 +70,7 @@
 		<xsl:call-template name="document.comment"/>
 		<xsl:apply-templates/>
 	</xsl:template>
-	
+
 	<!--
 		Document element.
 	-->
@@ -84,7 +84,7 @@
 			</xsl:attribute>
 			<xsl:apply-templates select="@*"/>
 			<xsl:call-template name="document.comment"/>
-			
+
 			<!--
                 Add an Extensions element if there isn't one, but we need one
                 so that we can put a PublicationInfo inside it.
@@ -99,7 +99,7 @@
 				</xsl:element>
 				<xsl:text>&#10;</xsl:text>
 			</xsl:if>
-			
+
 			<xsl:apply-templates select="node()"/>
 		</EntitiesDescriptor>
 	</xsl:template>
@@ -134,10 +134,10 @@
 			<xsl:text>&#10;</xsl:text>
 		</xsl:comment>
 	</xsl:template>
-	
+
 	<!--
         Document element's Extensions.
-        
+
         Insert a PublicationInfo at the top, if required.
     -->
 	<xsl:template match="/md:EntitiesDescriptor/md:Extensions">
@@ -148,10 +148,10 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
         PublicationInfo generation.
-        
+
         Assumption: called at the start of the document element's Extensions, at 4-space
         indentation, so the element itself requires 8-space indentation.
     -->
@@ -167,17 +167,17 @@
 			</xsl:attribute>
 		</xsl:element>
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/fix_mailto.xsl b/mdx/uk/fix_mailto.xsl
index b25f1793..dab37629 100644
--- a/mdx/uk/fix_mailto.xsl
+++ b/mdx/uk/fix_mailto.xsl
@@ -4,7 +4,7 @@
 	fix_mailto.xsl
 
 	Add "mailto:" scheme to e-mail addresses if not already present.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -24,17 +24,17 @@
 			<xsl:value-of select="."/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/fragment.xsl b/mdx/uk/fragment.xsl
index f0a7ef0b..39d59e3e 100644
--- a/mdx/uk/fragment.xsl
+++ b/mdx/uk/fragment.xsl
@@ -2,16 +2,16 @@
 <!--
 
 	fragment.xsl
-	
+
 	XSL stylesheet to perform any required clean-up on a UK federation fragment file
 	before it is passed along to other processes.
-	
+
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
+
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -34,16 +34,16 @@
 	-->
 	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
 	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
-	
+
 
 	<!--
 		Retain only certain comments.
 	-->
-	
+
 	<xsl:template match="md:EntityDescriptor/comment()">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--
 		All other comments are stripped by the default templates.
 	-->
@@ -56,18 +56,18 @@
         ***                                       ***
         *********************************************
     -->
-    
+
 
 	<!--By default, copy text blocks and attributes unchanged.-->
 	<xsl:template match="text()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index b899bb5b..9622c0aa 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -16,13 +16,13 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:uk/beans.xml"/>
     <import resource="classpath:uk/blacklist.xml"/>
-    
+
     <!--
         Import beans from other channels.
     -->
@@ -36,19 +36,19 @@
         ***                       ***
         *****************************
     -->
-    
+
     <!--
         stripEntityScopes
-    
+
         Remove entity-level Scope elements, leaving only the ones associated
-        with role descriptors.    
+        with role descriptors.
     -->
     <bean id="stripEntityScopes" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/entity_scopes.xsl"/>
-    
+
     <!--
         finalise_parent
-        
+
         Template for a stage used in each output pipeline which performs
         final tweaks on the document.
     -->
@@ -60,10 +60,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         checkPublishable
-        
+
         Check an aggregate metadata document for publishability.  This is applied during
         all UK publication flows prior to any signature step.  It is not applied to
         export flows, for which we desire the closest possible correspondence to
@@ -91,7 +91,7 @@
         </constructor-arg>
     </bean>
 
-    
+
     <!--
         *****************************************
         ***                                   ***
@@ -166,7 +166,7 @@
 
     <!--
         removeUKEntities
-        
+
         Filter out entities which declare themselves as registered
         by the UK federation.  We don't want those coming back in
         from another registrar or metadata exchange as they may be
@@ -184,7 +184,7 @@
 
     <!--
         removeBlacklistedEntities
-        
+
         Filter out entities which are included in our global import blacklist.
     -->
     <bean id="removeBlacklistedEntities" parent="mda.EntityFilterStage"
@@ -193,7 +193,7 @@
 
     <!--
         importCommonTail
-        
+
         Common actions to be performed on each import pipeline.
     -->
     <bean id="importCommonTail" parent="mda.CompositeStage">
@@ -202,13 +202,13 @@
                 <ref bean="removeUKEntities"/>
                 <ref bean="removeBlacklistedEntities"/>
                 <ref bean="standardImportActions"/>
-                
+
                 <!--
                     Silently remove entities which are marked as
                     having errors.
                 -->
                 <ref bean="errorRemover"/>
-                
+
                 <ref bean="uk_fix_mailto"/>
             </list>
         </property>
@@ -233,7 +233,7 @@
         <property name="stages">
             <list>
                 <ref bean="int_edugain_productionEntities"/>
-                
+
                 <!--
                     Entity Attribute policy for entities from eduGAIN participants.
                 -->
@@ -243,8 +243,8 @@
             </list>
         </property>
     </bean>
-    
-    
+
+
     <!--
         ***************************************************
         ***                                             ***
@@ -252,7 +252,7 @@
         ***                                             ***
         ***************************************************
     -->
-    
+
     <bean id="uk_finaliseProduction" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -278,20 +278,20 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="uk_assemble"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
-                
+
                 <!-- production aggregate MUST pass publishability test -->
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedProductionAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -299,10 +299,10 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
     	Select all entities which are not both:
-    	
+
     	   * identity providers, and
     	   * members of the "hide from discovery" entity category.
     -->
@@ -315,7 +315,7 @@
             ])]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
+
     <bean id="serializeUnsignedWayfAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -324,7 +324,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="uk_wayfPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -338,7 +338,7 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="uk_assemble"/>
 
                 <!--
@@ -347,7 +347,7 @@
                 <ref bean="stripMDUILogoData"/>
                 <ref bean="stripEmptyMDUIUIInfo"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="uk_finaliseProduction"/>
                 <ref bean="uk_normaliseNamespaces"/>
@@ -360,7 +360,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -368,10 +368,10 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
         CDSStripUnwanted
-        
+
         The CDS needs only a very restricted subset of
         normal metadata in order to do its job.  This stage
         removes everything it does not need.
@@ -380,13 +380,13 @@
         <property name="composedStages">
             <list>
                 <ref bean="stripComments"/>
-                
+
                 <ref bean="stripAlgNamespace"/>
                 <ref bean="stripInitNamespace"/>
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="stripMdrpiNamespace"/>
                 <ref bean="stripUkfedlabelNamespace"/>
-                
+
                 <ref bean="stripArtifactResolutionService"/>
                 <ref bean="stripAttributeAuthorityDescriptor"/>
                 <ref bean="stripAttributeConsumingService"/>
@@ -395,15 +395,15 @@
                 <ref bean="stripManageNameIDService"/>
                 <ref bean="stripNameIDFormat"/>
                 <ref bean="stripSingleLogoutService"/>
-                
+
                 <ref bean="stripShibScope"/>
-                
+
                 <!-- remove any now-empty Extensions elements -->
                 <ref bean="stripEmptyExtensions"/>
             </list>
         </property>
     </bean>
-    
+
     <bean id="CDSFinalise" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -413,7 +413,7 @@
             </map>
         </property>
     </bean>
-    
+
     <bean id="CDSNormaliseNamespaces" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_cds.xsl"/>
 
@@ -424,7 +424,7 @@
         ***                                     ***
         *******************************************
     -->
-    
+
     <!--
         Entities in the CDSALL aggregate are restricted to those entities registered by the
         UK federation plus all identity providers from whatever source.
@@ -434,7 +434,7 @@
             md:Extensions/mdrpi:RegistrationInfo/@registrationAuthority = 'http://ukfederation.org.uk']"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
+
     <bean id="serializeCDSAllAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -443,7 +443,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="CDSAllPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -452,13 +452,13 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- make an aggregate first so that we're only traversing one item -->
                 <ref bean="uk_assemble"/>
-                
+
                 <!-- remove many things that the CDS doesn't look at -->
                 <ref bean="CDSStripUnwanted"/>
-                
+
                 <!--
                     Remove embedded images used in mdui:Logo elements.
                 -->
@@ -468,16 +468,16 @@
 
                 <ref bean="CDSFinalise"/>
                 <ref bean="CDSNormaliseNamespaces"/>
-                
+
                 <!-- schema validity check MUST pass -->
                 <ref bean="checkSchemas"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeCDSAllAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -485,7 +485,7 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <bean id="uk_finaliseFallback" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -494,10 +494,10 @@
             </map>
         </property>
     </bean>
-    
+
     <bean id="uk_normaliseFallback" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_back.xsl"/>
-    
+
     <bean id="serializeUnsignedFallbackAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -506,7 +506,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="uk_fallbackPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -515,21 +515,21 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
                 <ref bean="uk_normaliseFallback"/>
-                
+
                 <!-- fallback aggregate MUST pass publishability test -->
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedFallbackAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -537,7 +537,7 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <bean id="uk_finaliseTest" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -546,10 +546,10 @@
             </map>
         </property>
     </bean>
-    
+
     <bean id="uk_normaliseTest" parent="mda.XSLTransformationStage"
         p:XSLResource="classpath:uk/ns_norm_test.xsl"/>
-    
+
     <bean id="serializeUnsignedTestAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -558,7 +558,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="uk_testPipeline" parent="mda.CompositeStage">
         <property name="composedStages">
             <list>
@@ -567,18 +567,18 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="uk_strip_UKFederationMember"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
                 <ref bean="uk_finaliseTest"/>
                 <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseTest"/>
-                
+
                 <!-- test aggregate MUST pass publishability test -->
                 <ref bean="checkPublishable"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedTestAggregate"/>
             </list>
         </property>
@@ -591,7 +591,7 @@
         ***                                     ***
         *******************************************
     -->
-    
+
     <bean id="uk_finaliseExport" parent="finalise_parent">
         <property name="transformParameters">
             <map>
@@ -600,12 +600,12 @@
             </map>
         </property>
     </bean>
-    
+
     <bean id="uk_exportSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
+
     <bean id="serializeUnsignedExportAggregate" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -614,13 +614,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="uk_exportPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Additional rules excluding entities from the aggregate.
-                    
+
                     The basic rule (expressed in uk_exportPreviewSelector) is that
                     entities are excluded if they do not have the ExportOptOut label.
                     Additional rules below are applied to entities which do not
@@ -628,7 +628,7 @@
                     can always be overridden by an explicit ExportOptIn.
                 -->
                 <bean id="exclusion" parent="mda.SplitMergeStage">
-                    
+
                     <!-- select entities with ExportOptIn label -->
                     <property name="selectionStrategy">
                         <bean parent="mda.XPathItemSelectionStrategy">
@@ -645,22 +645,22 @@
                         <bean id="nonSelectedItemPipeline" parent="mda.SimplePipeline">
                             <property name="stages">
                                 <list>
-                                    
+
                                     <!-- Identity providers lacking support for SAML 2.0 -->
                                     <bean id="SAML1onlyIdPs" parent="mda.XPathFilteringStage"
                                         p:namespaceContext-ref="commonNamespaces"
                                         p:XPathExpression="md:IDPSSODescriptor
                                         [not(contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol'))]">
                                     </bean>
-                                    
+
                                     <!-- Aggregated schools sector identity providers -->
                                     <!--
                                         Preferred implementation:
-                                        
+
                                         <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
                                             p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
-                                        
+
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
@@ -675,7 +675,7 @@
                                             </set>
                                         </property>
                                     </bean>
-                                    
+
                                     <!-- Identity providers with regular expression scopes -->
                                     <bean id="regexScopes" parent="mda.XPathFilteringStage"
                                         p:namespaceContext-ref="commonNamespaces"
@@ -691,7 +691,7 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="stripUkfedlabelNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
@@ -704,7 +704,7 @@
 
                 <!--
                     Schema validity and other checks MUST pass.
-                    
+
                     These are a subset of the publishability tests applied to
                     aggregates published to federation members.
                 -->
@@ -712,12 +712,12 @@
                 <ref bean="check_aggregate"/>
                 <ref bean="check_namespaces"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="serializeUnsignedExportAggregate"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************************************
         ***                                                     ***
@@ -725,18 +725,18 @@
         ***                                                     ***
         ***********************************************************
     -->
-    
+
     <bean id="uk_exportPreviewSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
         <constructor-arg ref="commonNamespaces"/>
     </bean>
-    
+
     <bean id="uk_exportPreviewPipeline" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <!--
                     Additional rules excluding entities from the aggregate.
-                    
+
                     The basic rule (expressed in uk_exportPreviewSelector) is that
                     entities are excluded if they do not have the ExportOptOut label.
                     Additional rules below are applied to entities which do not
@@ -772,11 +772,11 @@
                                     <!-- Aggregated schools sector identity providers -->
                                     <!--
                                         Preferred implementation:
-                                        
+
                                         <bean id="syntheticScopes" parent="mda.XPathFilteringStage"
                                             p:namespaceContext-ref="commonNamespaces"
                                             p:XPathExpression="shibmd:Scope[ends-with(., '.eng.ukfederation.org.uk']"/>
-                                        
+
                                         Unfortunately, the "ends-with" function is an XPath 2 feature, so we settle for
                                         using "contains" instead; in our case it is equivalent.
                                     -->
@@ -807,7 +807,7 @@
                 -->
                 <ref bean="check_dup_display"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="stripUkfedlabelNamespace"/>
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEntityScopes"/>
@@ -820,7 +820,7 @@
 
                 <!--
                     Schema validity and other checks MUST pass.
-                    
+
                     These are a subset of the publishability tests applied to
                     aggregates published to federation members.
                 -->
@@ -828,7 +828,7 @@
                 <ref bean="check_aggregate"/>
                 <ref bean="check_namespaces"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <bean id="serializeUnsignedExportPreviewAggregate" parent="mda.SerializationStage">
                     <property name="serializer" ref="serializer"/>
                     <property name="outputFile">
@@ -837,7 +837,7 @@
                         </bean>
                     </property>
                 </bean>
-                
+
             </list>
         </property>
     </bean>
@@ -850,7 +850,7 @@
         ***                               ***
         *************************************
     -->
-    
+
     <bean id="generate" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -858,20 +858,20 @@
                     Acquire metadata for all UK-registered entities.
                 -->
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     *******************************************************
                     ***                                                 ***
                     ***   R A W   R E G I S T R A R   E N T I T I E S   ***
                     ***                                                 ***
                     *******************************************************
-                    
+
                     At this point, the collection contains only entities
                     registered by the UK federation registrar.  The minimum
                     changes possible have been performed, so that the statistics
                     report can be as comprehensive as possible.
                 -->
-                
+
                 <!--
                     Fork a new output pipeline for the registrar statistics.
                 -->
@@ -886,31 +886,31 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!--
                     Remove constructs which we no longer publish to any
                     external registry clients.
                 -->
                 <ref bean="uk_stripAdminContacts"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <!--
                     ***********************************************
                     ***                                         ***
                     ***   R E G I S T R A R   E N T I T I E S   ***
                     ***                                         ***
                     ***********************************************
-                    
+
                     At this point, the collection contains only
                     entities registered by the UK federation registrar.
                 -->
-                
+
                 <!--
                     Fork a new output pipeline for the export and export preview aggregates.
-                    
+
                     These aggregates only include UK-registered entities,
                     so the fork needs to occur before any others are introduced.
-                    
+
                     The export aggregates are also intended to reflect the registered
                     metadata as closely as possible, so the fork must happen before
                     too many UK-specific transformations are performed.
@@ -930,10 +930,10 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!--
                     Strip out those ukfedlabel extensions that we don't publish.
-                    
+
                     This is performed independently on the export pipeline because
                     selection for that pipeline is based on these same extensions.
                     A better solution would be to extract the ExportOptIn label into
@@ -941,17 +941,17 @@
                 -->
                 <ref bean="uk_stripExtensions"/>
                 <ref bean="stripEmptyExtensions"/>
-                
+
                 <!--
                     ***************************************************
                     ***                                             ***
                     ***   P R O D U C T I O N   M D X   M E R G E   ***
                     ***                                             ***
                     ***************************************************
-                    
+
                     Merge in entities from production metadata exchange sources.
                 -->
-                
+
                 <bean id="mergeProductionMDXEntities" parent="mda.PipelineMergeStage"
                     p:collectionMergeStrategy-ref="deduplicateMergeStrategy">
                     <property name="mergedPipelines">
@@ -961,14 +961,14 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     *************************************************
                     ***                                           ***
                     ***   P R O D U C T I O N   E N T I T I E S   ***
                     ***                                           ***
                     *************************************************
-                    
+
                     At this point, the collection contains entities
                     registered by the UK federation registrar plus
                     entities received through production-status MDX
@@ -1004,7 +1004,7 @@
                     ***   P R E - P R O D U C T I O N   M D X   M E R G E   ***
                     ***                                                     ***
                     ***********************************************************
-                    
+
                     Merge in entities from pre-production metadata exchange sources.
                 -->
 
@@ -1017,20 +1017,20 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <!--
                     *********************************************************
                     ***                                                   ***
                     ***   P R E - P R O D U C T I O N   E N T I T I E S   ***
                     ***                                                   ***
                     *********************************************************
-                    
+
                     At this point, the collection contains entities
                     registered by the UK federation registrar plus
                     entities received through both production-status
                     and pre-production-status MDX relationships.
                 -->
-                
+
                 <!--
                     Fork into new pipelines for additional aggregates.
                 -->
@@ -1045,7 +1045,7 @@
                     </property>
                     <property name="waitingForPipelines" value="true"/>
                 </bean>
-                
+
                 <!-- pipeline continues to generate test aggregate -->
                 <ref bean="uk_testPipeline"/>
 
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index e59ac8ce..cf1bee2b 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -2,25 +2,25 @@
 <!--
 
 	ns_norm_back.xsl
-	
+
 	Normalise the namespaces in the UK federation fallback aggregate.
-	
+
 	The main constraint on the output of this transform is that it should minimise the size
 	of the output file while not having "too many" namespace prefix definitions in scope
 	at any point in the document.  "Too many" is more than about ten, as a result of a bug
 	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
 	metadata.
-	
+
 	The strategy is to define the most commonly-used prefixes in the document element.
-	
+
 	Prefixes which are less often used, but which may be used by container elements
 	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
 	on the document element.
-	
+
 	Prefixes which are less often used and are only used for non-containers can be
 	normalised to non-prefix use (i.e., to redefine the default namespace) if required
 	to cut the numbers down.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -38,7 +38,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	exclude-result-prefixes="alg md xenc"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -49,13 +49,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -64,16 +64,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -82,7 +82,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -91,8 +91,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		*************************************
 		***                               ***
@@ -100,11 +100,11 @@
 		***                               ***
 		*************************************
 	-->
-	
-	
+
+
 	<!--
 		alg:*
-		
+
 		Normalise namespace to not use a prefix.
 	-->
 	<xsl:template match="alg:*">
@@ -112,7 +112,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 
 	<!--
         ***************************************
@@ -125,14 +125,14 @@
 
 	<!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="xenc:*">
 		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
-	</xsl:template>	
-	
-	
+	</xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_cds.xsl b/mdx/uk/ns_norm_cds.xsl
index 3eac4726..15113ea3 100644
--- a/mdx/uk/ns_norm_cds.xsl
+++ b/mdx/uk/ns_norm_cds.xsl
@@ -2,9 +2,9 @@
 <!--
 
 	ns_norm_cds.xsl
-	
+
 	Normalise the namespaces in a metadata file for publication to the UKf CDS.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -20,7 +20,7 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
+
 	exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel xsi"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -31,13 +31,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -46,16 +46,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -64,7 +64,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -73,5 +73,5 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index 4ee1d693..a64aef3b 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -2,19 +2,19 @@
 <!--
 
 	ns_norm_export.xsl
-	
+
 	Normalise the namespaces in the export aggregate.
-	
+
 	The strategy is to define the most commonly-used prefixes in the document element.
-	
+
 	Prefixes which are less often used, but which may be used by container elements
 	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
 	on the document element.
-	
+
 	Prefixes which are less often used and are only used for non-containers can be
 	normalised to non-prefix use (i.e., to redefine the default namespace) if required
 	to cut the numbers down.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -32,7 +32,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	exclude-result-prefixes="alg md ukfedlabel xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -43,13 +43,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -58,16 +58,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -76,7 +76,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -85,8 +85,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
         *************************************
         ***                               ***
@@ -94,11 +94,11 @@
         ***                               ***
         *************************************
     -->
-	
-	
+
+
 	<!--
         alg:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="alg:*">
@@ -106,7 +106,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 
 	<!--
         ***************************************
@@ -119,14 +119,14 @@
 
 	<!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="xenc:*">
 		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
-	</xsl:template>	
-	
-	
+	</xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
index 6bbe0cb8..5bd6277d 100644
--- a/mdx/uk/ns_norm_export_preview.xsl
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -2,19 +2,19 @@
 <!--
 
 	ns_norm_export_preview.xsl
-	
+
 	Normalise the namespaces in the export preview aggregate.
-	
+
 	The strategy is to define the most commonly-used prefixes in the document element.
-	
+
 	Prefixes which are less often used, but which may be used by container elements
 	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
 	on the document element.
-	
+
 	Prefixes which are less often used and are only used for non-containers can be
 	normalised to non-prefix use (i.e., to redefine the default namespace) if required
 	to cut the numbers down.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -32,7 +32,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	exclude-result-prefixes="alg md ukfedlabel xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -43,13 +43,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -58,16 +58,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -76,7 +76,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -85,8 +85,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
         *************************************
         ***                               ***
@@ -94,11 +94,11 @@
         ***                               ***
         *************************************
     -->
-	
-	
+
+
 	<!--
         alg:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="alg:*">
@@ -106,7 +106,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 
 	<!--
         ***************************************
@@ -119,14 +119,14 @@
 
 	<!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="xenc:*">
 		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
-	</xsl:template>	
-	
-	
+	</xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_fragment.xsl b/mdx/uk/ns_norm_fragment.xsl
index e7cab1d4..8739efa1 100644
--- a/mdx/uk/ns_norm_fragment.xsl
+++ b/mdx/uk/ns_norm_fragment.xsl
@@ -2,14 +2,14 @@
 <!--
 
 	ns_norm_fragment.xsl
-	
+
 	Normalise the namespaces in a fragment file.
-	
+
 	The only difference between this and full normalisation is the selection of prefixes which are
 	included on the document element by default.  We can therefore import the standard templates
 	and just override the ones for the document element as long as an appropriate exclude-result-prefixes
 	is in effect.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -26,7 +26,7 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
+
 	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -37,13 +37,13 @@
         Import templates for basic normalisation.
     -->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -52,16 +52,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -70,7 +70,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -79,6 +79,6 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index 71fdaee4..2a8865c8 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -2,25 +2,25 @@
 <!--
 
 	ns_norm_test.xsl
-	
+
 	Normalise the namespaces in the UK federation's test aggregate.
-	
+
 	The main constraint on the output of this transform is that it should minimise the size
 	of the output file while not having "too many" namespace prefix definitions in scope
 	at any point in the document.  "Too many" is more than about ten, as a result of a bug
 	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
 	metadata.
-	
+
 	The strategy is to define the most commonly-used prefixes in the document element.
-	
+
 	Prefixes which are less often used, but which may be used by container elements
 	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
 	on the document element.
-	
+
 	Prefixes which are less often used and are only used for non-containers can be
 	normalised to non-prefix use (i.e., to redefine the default namespace) if required
 	to cut the numbers down.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -38,7 +38,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	exclude-result-prefixes="alg md xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -49,13 +49,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -64,16 +64,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -82,7 +82,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -91,8 +91,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		*************************************
 		***                               ***
@@ -100,11 +100,11 @@
 		***                               ***
 		*************************************
 	-->
-	
-	
+
+
 	<!--
 		alg:*
-		
+
 		Normalise namespace to not use a prefix.
 	-->
 	<xsl:template match="alg:*">
@@ -112,7 +112,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 
 	<!--
         ***************************************
@@ -125,14 +125,14 @@
 
 	<!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="xenc:*">
 		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
-	</xsl:template>	
-	
-	
+	</xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index 8e5bf095..8b8bd5ce 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -2,25 +2,25 @@
 <!--
 
 	ns_norm_uk.xsl
-	
+
 	Normalise the namespaces in a metadata file for publication to UK federation members.
-	
+
 	The main constraint on the output of this transform is that it should minimise the size
 	of the output file while not having "too many" namespace prefix definitions in scope
 	at any point in the document.  "Too many" is more than about ten, as a result of a bug
 	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
 	metadata.
-	
+
 	The strategy is to define the most commonly-used prefixes in the document element.
-	
+
 	Prefixes which are less often used, but which may be used by container elements
 	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
 	on the document element.
-	
+
 	Prefixes which are less often used and are only used for non-containers can be
 	normalised to non-prefix use (i.e., to redefine the default namespace) if required
 	to cut the numbers down.
-	
+
 	Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -38,7 +38,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-	
+
 	exclude-result-prefixes="alg md xenc"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -49,13 +49,13 @@
 		Import templates for basic normalisation.
 	-->
 	<xsl:import href="../ns_norm.xsl"/>
-	
+
 
 	<!--
 		Force UTF-8 encoding for the output.
 	-->
 	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-	
+
 
 	<!--
 		*******************************************
@@ -64,16 +64,16 @@
 		***                                     ***
 		*******************************************
 	-->
-	
-	
+
+
 	<!--
 		We need to handle the document element specially in order to arrange
 		for all appropriate namespace prefix definitions to appear on it.
-		
+
 		There are only two possible document elements in SAML metadata.
 	-->
-	
-	
+
+
 	<!--
 		Document element is <EntityDescriptor>.
 	-->
@@ -82,7 +82,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntityDescriptor>
 	</xsl:template>
-	
+
 	<!--
 		Document element is <EntitiesDescriptor>.
 	-->
@@ -91,8 +91,8 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</EntitiesDescriptor>
 	</xsl:template>
-	
-	
+
+
 	<!--
 		*************************************
 		***                               ***
@@ -100,11 +100,11 @@
 		***                               ***
 		*************************************
 	-->
-	
-	
+
+
 	<!--
 		alg:*
-		
+
 		Normalise namespace to not use a prefix.
 	-->
 	<xsl:template match="alg:*">
@@ -112,7 +112,7 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
-	
+
 
 	<!--
         ***************************************
@@ -125,14 +125,14 @@
 
 	<!--
         xenc:*
-        
+
         Normalise namespace to not use a prefix.
     -->
 	<xsl:template match="xenc:*">
 		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
-	</xsl:template>	
-	
-	
+	</xsl:template>
+
+
 </xsl:stylesheet>
diff --git a/mdx/uk/scopes_copy.xsl b/mdx/uk/scopes_copy.xsl
index 658a1a18..c9a0de6c 100644
--- a/mdx/uk/scopes_copy.xsl
+++ b/mdx/uk/scopes_copy.xsl
@@ -2,10 +2,10 @@
 <!--
 
 	scopes_copy.xsl
-	
+
 	Make all three potential scope lists equivalent (on the entity, on
 	the IDPSSODescriptor and on the AttributeAuthority).
-	
+
 -->
 <xsl:stylesheet version="1.0"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -38,7 +38,7 @@
 			<xsl:apply-templates select="node()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		If an IdP's SSO or AA roles already includes an Extensions element, this may
 		already contain extensions other than scopes.  We need to make sure that
@@ -56,7 +56,7 @@
 					<xsl:copy-of select="."/>
 					<xsl:text>&#10;        </xsl:text>
 				</xsl:for-each>
-			</xsl:if>			
+			</xsl:if>
 		</xsl:copy>
 	</xsl:template>
 
@@ -67,18 +67,18 @@
         ***                                       ***
         *********************************************
     -->
-    
-    
+
+
 	<!--By default, copy text blocks, comments and attributes unchanged.-->
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/sp_mdui_test.xsl b/mdx/uk/sp_mdui_test.xsl
index 0ae7c2ca..4c67f43f 100644
--- a/mdx/uk/sp_mdui_test.xsl
+++ b/mdx/uk/sp_mdui_test.xsl
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    
+
     sp_mdui_test.xsl
-    
+
     XSL stylesheet taking a UK Federation metadata aggregate and resulting in an HTML document
     giving discovery links for each mdui-supporting SP entity.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -25,19 +25,19 @@
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
-    
+
     <xsl:template match="md:EntitiesDescriptor">
-        
+
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor/md:Extensions/mdui:UIInfo]"/>
-        
+
         <html>
             <head>
                 <title>UK Federation SP discovery UI test</title>
             </head>
             <body>
                 <h1>UK Federation SP discovery UI test</h1>
-                
+
                 <ul>
                     <xsl:for-each select="$sps">
                         <xsl:variable name="acs"
@@ -46,9 +46,9 @@
                             <xsl:value-of select="@ID"/>
                             <xsl:text>: </xsl:text>
                             <xsl:value-of select="@entityID"/>
-                            
+
                             <ul>
-                                
+
                                 <li>
                                     <xsl:choose>
                                         <xsl:when test="descendant::mdui:DisplayName">
@@ -86,7 +86,7 @@
 
                                 <xsl:variable name="parms" select="concat('?shire=',
                                     $acs, '&amp;providerId=', @entityID, '&amp;target=cookie')"/>
-                                
+
                                 <li>
                                     <xsl:variable name="prod" select="concat(
                                         'https://wayf.ukfederation.org.uk/WAYF',
@@ -99,7 +99,7 @@
                                         Production DS (as WAYF)
                                     </xsl:element>
                                 </li>
-                                
+
                                 <li>
                                     <xsl:variable name="rod" select="concat(
                                         'https://dlib-adidp.ucs.ed.ac.uk/discovery/ukfull.wayf',
@@ -125,14 +125,14 @@
                                         Test DS (ukfed4, as WAYF)
                                     </xsl:element>
                                 </li>
-                                
+
                             </ul>
                         </li>
                     </xsl:for-each>
                 </ul>
-                
+
             </body>
         </html>
     </xsl:template>
-    
+
 </xsl:stylesheet>
diff --git a/mdx/uk/statistics-charting.xsl b/mdx/uk/statistics-charting.xsl
index f85055bb..c8cf91fe 100644
--- a/mdx/uk/statistics-charting.xsl
+++ b/mdx/uk/statistics-charting.xsl
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    
+
     statistics.xsl
-    
+
     XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
     giving statistics.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -30,16 +30,16 @@
     version="1.0">
 
     <xsl:output method="xml" omit-xml-declaration="yes" indent="no"/>
-    
+
     <!--
         memberDocument
-        
+
         The members.xml file, as a DOM document, is passed as a parameter.
     -->
     <xsl:param name="memberDocument"/>
-    
+
     <xsl:template match="md:EntitiesDescriptor">
-        
+
         <!--
             Break down the "members" document.
         -->
@@ -47,33 +47,33 @@
         <xsl:variable name="members" select="$memberDocument//members:Member"/>
         <xsl:variable name="memberCount" select="count($members)"/>
         <xsl:variable name="memberNames" select="$members/members:Name"/>
-        
+
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="entityCount" select="count($entities)"/>
 
         <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
         <xsl:variable name="idps.saml1"
             select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="idpCount" select="count($idps)"/>
         <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
-        
+
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
         <xsl:variable name="sps.saml1"
             select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="spCount" select="count($sps)"/>
         <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
-        
+
         <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
         <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
-        
+
         <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
         <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
-        
+
         <xsl:variable name="federationMemberEntityCount"
             select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
-        
+
         <xsl:variable name="memberEntities"
             select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
         <xsl:variable name="memberEntityCount"
@@ -92,7 +92,7 @@
         <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
-        
+
         <pre>
 
             <!--
@@ -111,7 +111,7 @@
             <xsl:text>Entities: </xsl:text>
             <xsl:value-of select="$entityCount"/>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:text>   IdPs: </xsl:text>
             <xsl:value-of select="$idpCount"/>
             <xsl:text>&#10;</xsl:text>
@@ -119,18 +119,18 @@
             <xsl:text>   SPs: </xsl:text>
             <xsl:value-of select="$spCount"/>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:text>Entities per member: </xsl:text>
             <xsl:value-of select="format-number($entityCount div $memberCount, '0.000000')"/>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:variable name="charting.entities.algsupport" select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
             <xsl:variable name="charting.entities.algsupport.count" select="count($charting.entities.algsupport)"/>
             <xsl:text>Algorithm support: </xsl:text>
             <xsl:value-of select="format-number($charting.entities.algsupport.count div $entityCount, '0.00%')"/>
             <xsl:text> of all entities</xsl:text>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:variable name="charting.entities.algsupport.gcm"
                 select="$charting.entities.algsupport[
                 descendant::md:EncryptionMethod/@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm' or
@@ -141,14 +141,14 @@
             <xsl:value-of select="format-number($charting.entities.algsupport.gcm.count div $entityCount, '0.00%')"/>
             <xsl:text> of all entities</xsl:text>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:variable name="charting.sps.algsupport" select="$sps[descendant::alg:* or descendant::md:EncryptionMethod]"/>
             <xsl:variable name="charting.sps.algsupport.count" select="count($charting.sps.algsupport)"/>
             <xsl:text>Algorithm support:</xsl:text>
             <xsl:value-of select="format-number($charting.sps.algsupport.count div $spCount, '0.00%')"/>
             <xsl:text> of SP entities</xsl:text>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:variable name="charting.idp3" select="$idps[
                 md:Extensions/ukfedlabel:Software[@name='Shibboleth'][@version = '3']
                 ]"/>
@@ -167,7 +167,7 @@
             <xsl:text>SPs without SAML 2.0 support: </xsl:text>
             <xsl:value-of select="$nosaml2.sps.count"/>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:for-each select="$nosaml2.sps">
                 <xsl:sort select="descendant::md:OrganizationName"/>
                 <xsl:text>   </xsl:text>
@@ -202,14 +202,14 @@
             <xsl:text>IdPs without SAML 2.0 support: </xsl:text>
             <xsl:value-of select="$nosaml2.idps.count"/>
             <xsl:text>&#10;</xsl:text>
-            
+
             <xsl:call-template name="entity.breakdown.by.software">
                 <xsl:with-param name="entities" select="$nosaml2.idps"/>
             </xsl:call-template>
 
         </pre>
     </xsl:template>
-    
+
 
     <!--
         Break down a set of entities by the software used.
@@ -226,7 +226,7 @@
             ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
             ***                                                               ***
             *********************************************************************
-            
+
             The classification algorithms used here are chained together so that
             each classification step works only on those entities not already
             classified.  This means that entities won't be counted twice, but
@@ -234,10 +234,10 @@
             shouldn't be changed without careful thought.  In general, more
             specific algorithms should appear before more general ones.
         -->
-        
+
         <!--
             Classify miscellaneous entities.
-            
+
             Here we pull off a list of entities labelled with explicit
             Software labels that aren't for the software we address
             in more detail below.  The result is, as it were, a list of
@@ -259,7 +259,7 @@
             ]"/>
         <xsl:variable name="entities.misc.out"
             select="set:difference($entities.misc.in, $entities.misc)"/>
-        
+
         <!--
             Classify EZproxy SPs
         -->
@@ -277,7 +277,7 @@
             select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
         <xsl:variable name="entities.simplesamlphp.out"
             select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
-        
+
         <!--
             Classify Atypon SAML SP entities.
         -->
@@ -286,7 +286,7 @@
             select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
         <xsl:variable name="entities.atyponsamlsp.out"
             select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
-        
+
         <!--
             Classify OpenAthens entities.
         -->
@@ -295,7 +295,7 @@
             select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
         <xsl:variable name="entities.openathens.out"
             select="set:difference($entities.openathens.in, $entities.openathens)"/>
-        
+
         <!--
             Classify Shibboleth 3 IdPs entities.
         -->
@@ -306,7 +306,7 @@
             ]"/>
         <xsl:variable name="entities.shib.3.out"
             select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
-        
+
         <!--
             Classify Shibboleth 2.0 IdPs and SPs.
         -->
@@ -328,7 +328,7 @@
             select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
         <xsl:variable name="entities.gateways.out"
             select="set:difference($entities.gateways.in, $entities.gateways)"/>
-        
+
         <!--
             Classify OpenAthens virtual IdPs.
         -->
@@ -342,7 +342,7 @@
                 ]"/>
         <xsl:variable name="entities.openathens.virtual.out"
             select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
-        
+
         <!--
             Classify Guanxi entities.
         -->
@@ -351,7 +351,7 @@
             select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
         <xsl:variable name="entities.guanxi.out"
             select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
-        
+
         <!--
             Classify AthensIM entities.
         -->
@@ -360,14 +360,14 @@
             select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
         <xsl:variable name="entities.athensim.out"
             select="set:difference($entities.athensim.in, $entities.athensim)"/>
-        
+
         <!--
             Remaining entities are unknown.
         -->
         <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
         <xsl:variable name="unknownSoftwareEntities"
             select="$entities.unclassified | $entities.misc"/>
-        
+
         <!--
             ***************************************************************
             ***                                                         ***
@@ -375,13 +375,13 @@
             ***                                                         ***
             ***************************************************************
         -->
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.shib.3"/>
             <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.shib.2"/>
             <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
@@ -401,13 +401,13 @@
             <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.ezproxy"/>
             <xsl:with-param name="name">EZproxy</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
             <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
@@ -425,31 +425,31 @@
             <xsl:with-param name="name">AthensIM</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.guanxi"/>
             <xsl:with-param name="name">Guanxi</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.gateways"/>
             <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
             <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$entities.openathens"/>
             <xsl:with-param name="name">OpenAthens</xsl:with-param>
             <xsl:with-param name="total" select="$entityCount"/>
         </xsl:call-template>
-        
+
         <xsl:call-template name="entity.breakdown.by.software.line">
             <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
             <xsl:with-param name="name">Unknown or other</xsl:with-param>
@@ -496,5 +496,5 @@
             </xsl:if>
         </xsl:if>
     </xsl:template>
-    
+
 </xsl:stylesheet>
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index d98a266b..e2698021 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    
+
     statistics.xsl
-    
+
     XSL stylesheet taking a UK Federation metadata file and resulting in an HTML document
     giving statistics.
-    
+
     Author: Ian A. Young <ian@iay.org.uk>
 
 -->
@@ -30,16 +30,16 @@
     version="1.0">
 
     <xsl:output method="html" omit-xml-declaration="yes"/>
-    
+
     <!--
         memberDocument
-        
+
         The members.xml file, as a DOM document, is passed as a parameter.
     -->
     <xsl:param name="memberDocument"/>
-    
+
     <xsl:template match="md:EntitiesDescriptor">
-        
+
         <xsl:variable name="now" select="date:date-time()"/>
 
         <!--
@@ -49,33 +49,33 @@
         <xsl:variable name="members" select="$memberDocument//members:Member"/>
         <xsl:variable name="memberCount" select="count($members)"/>
         <xsl:variable name="memberNames" select="$members/members:Name"/>
-        
+
         <xsl:variable name="entities" select="//md:EntityDescriptor"/>
         <xsl:variable name="entityCount" select="count($entities)"/>
 
         <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
         <xsl:variable name="idps.saml1"
             select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="idpCount" select="count($idps)"/>
         <xsl:variable name="idps.saml1.count" select="count($idps.saml1)"/>
-        
+
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
         <xsl:variable name="sps.saml1"
             select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
-        
+
         <xsl:variable name="spCount" select="count($sps)"/>
         <xsl:variable name="sps.saml1.count" select="count($sps.saml1)"/>
-        
+
         <xsl:variable name="entities.saml1" select="set:distinct($idps.saml1 | $sps.saml1)"/>
         <xsl:variable name="entities.saml1.count" select="count($entities.saml1)"/>
-        
+
         <xsl:variable name="dualEntities" select="$entities[md:IDPSSODescriptor][md:SPSSODescriptor]"/>
         <xsl:variable name="dualEntityCount" select="count($dualEntities)"/>
-        
+
         <xsl:variable name="federationMemberEntityCount"
             select="count($entities[md:Extensions/ukfedlabel:UKFederationMember])"/>
-        
+
         <xsl:variable name="memberEntities"
             select="dyn:closure($members/members:Name, '$entities[md:Organization/md:OrganizationName = current()]')"/>
         <xsl:variable name="memberEntityCount"
@@ -94,7 +94,7 @@
         <xsl:variable name="sps.artifact.saml1.count" select="count($sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1" select="set:distinct($idps.artifact.saml1 | $sps.artifact.saml1)"/>
         <xsl:variable name="entities.artifact.saml1.count" select="count($entities.artifact.saml1)"/>
-        
+
         <html>
             <head>
                 <title>UK Federation metadata statistics</title>
@@ -112,9 +112,9 @@
                     The document is regenerated each time the UK Federation metadata is built;
                     this version was created at <xsl:value-of select="$now"/>.
                 </p>
-                <p>This document is produced as a working document of the UK federation core team. 
+                <p>This document is produced as a working document of the UK federation core team.
                    Some of the statistics may be approximations, and the report may be used to track
-                   details of current team interest. 
+                   details of current team interest.
                    For this reason it may be liable to misinterpetation, and should not be considered
                    complete or authoritative.
                 </p>
@@ -129,9 +129,9 @@
                     <li><p><a href="#exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></p></li>
                     <li><p><a href="#nosaml2">Entities Without SAML 2.0 Support</a></p></li>
                 </ul>
-                
 
-                
+
+
                 <h2><a name="members">Member Statistics</a></h2>
                 <p>Number of members: <xsl:value-of select="$memberCount"/></p>
                 <p>
@@ -142,8 +142,8 @@
                     matching the canonical name of the member organisation.
                 </p>
                 <p>
-                   Many organisations have no entities in the federation. 
-                   This may be because they have not yet registered any; perhaps because they have only recently joined. 
+                   Many organisations have no entities in the federation.
+                   This may be because they have not yet registered any; perhaps because they have only recently joined.
                    Alternatively, they may have outsourced their identity provision.
                    Outsourcing of IdP provision is indicated by an asterisk in the OSrc column in the table.
                    This indicates a member who "pushes" scopes
@@ -239,11 +239,11 @@
                             <xsl:value-of select="$membersWithJustIdPsCount"/>,
                             <xsl:value-of select="$membersWithJustSPsCount"/>,
                             <xsl:value-of select="$membersWithBothCount"/>,
-                            <xsl:value-of select="$membersWithNoneCount"/>.                            
+                            <xsl:value-of select="$membersWithNoneCount"/>.
                         </p>
                     </li>
                 </ul>
-                
+
                 <!--
                     *********************************
                     ***                           ***
@@ -251,7 +251,7 @@
                     ***                           ***
                     *********************************
                 -->
-                
+
                 <!--
                     Members who are deduced as outsourcing as a result of their use
                     of the mechanism for describing scopes "pushed" to a specific entity.
@@ -259,27 +259,27 @@
                 <xsl:variable name="members.osrc.scopes.push"
                     select="$members[members:Scopes/members:Entity]"/>
                 <xsl:variable name="members.osrc.scopes.push.count" select="count($members.osrc.scopes.push)"/>
-                
+
                 <!--
                     Members who are deduced as outsourcing.
                 -->
                 <xsl:variable name="members.osrc" select="$members.osrc.scopes.push"/>
                 <xsl:variable name="members.osrc.count" select="count($members.osrc)"/>
-                
+
                 <!--
                     Members whose only representation in the federation is through outsourcing.
                 -->
                 <xsl:variable name="members.osrc.only"
                     select="set:difference($members.osrc, $membersWithEither)"/>
                 <xsl:variable name="members.osrc.only.count" select="count($members.osrc.only)"/>
-                
+
                 <!--
                     Members with no representation, even through outsourcing.
                 -->
                 <xsl:variable name="members.osrc.none"
                     select="set:difference($membersWithNone, $members.osrc)"/>
                 <xsl:variable name="members.osrc.none.count" select="count($members.osrc.none)"/>
-                
+
                 <p>Outsourcing worksheet:</p>
                 <ul>
                     <li>
@@ -316,22 +316,22 @@
                     ***                                       ***
                     *********************************************
                 -->
-                
+
 
                 <h2><a name="entities">Entity Statistics</a></h2>
                 <p>
-                    This section provides a useful bottom-up summary of the federation, 
-                    by categorisation of entities, both total numbers and percentages. 
-                    There are three subsections, presenting statistics applying to all entities, 
-                    to Identity Providers and to Service Providers. 
-                    In each subsection there is a 'breakdown by software used'. 
-                    This lists the entities using each type of software recorded if 
-                    there are fewer than 10 such entities in the category; 
-                    otherwise only the overall numbers and percentages are given. 
+                    This section provides a useful bottom-up summary of the federation,
+                    by categorisation of entities, both total numbers and percentages.
+                    There are three subsections, presenting statistics applying to all entities,
+                    to Identity Providers and to Service Providers.
+                    In each subsection there is a 'breakdown by software used'.
+                    This lists the entities using each type of software recorded if
+                    there are fewer than 10 such entities in the category;
+                    otherwise only the overall numbers and percentages are given.
                     (The software used is requested by the UK federation as part of the entity registration procedure,
                     and this information is recorded in the Software element of our records but not included
                     in published metadata.  Heuristics are used to guess the software in use
-                    if there is no Software element in the metadata.) 
+                    if there is no Software element in the metadata.)
                 </p>
                 <p>Total entities: <xsl:value-of select="$entityCount"/>.  This breaks down into:</p>
                 <ul>
@@ -345,7 +345,7 @@
                         <p>(including dual nature: <xsl:value-of select="$dualEntityCount"/>)</p>
                     </li>
                 </ul>
-                
+
                 <p>Of the <xsl:value-of select="$entityCount"/> entities:</p>
                 <ul>
                     <li>
@@ -386,7 +386,7 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:variable name="urnEntities" select="$entities[starts-with(@entityID, 'urn:')]"/>
                     <xsl:variable name="urnEntityCount" select="count($urnEntities)"/>
                     <xsl:if test="$urnEntityCount != 0">
@@ -406,7 +406,7 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:variable name="httpsEntities" select="$entities[starts-with(@entityID, 'https://')]"/>
                     <xsl:variable name="httpsEntityCount" select="count($httpsEntities)"/>
                     <xsl:if test="$httpsEntityCount != 0">
@@ -426,11 +426,11 @@
                             </p>
                         </li>
                     </xsl:if>
-                    
+
                     <xsl:call-template name="ofthese.entity.extras">
                         <xsl:with-param name="entities" select="$entities"/>
                     </xsl:call-template>
-                    
+
                 </ul>
 
                 <xsl:call-template name="entity.breakdown.by.software">
@@ -450,8 +450,8 @@
                     ***                                         ***
                     ***********************************************
                 -->
-                
-                
+
+
                 <h3>Identity Providers</h3>
                 <p>There are <xsl:value-of select="$idpCount"/> identity providers,
                 including <xsl:value-of select="$dualEntityCount"/>
@@ -484,12 +484,12 @@
                         <p>
                             Support SAML 1.1 artifact resolution: <xsl:value-of select="$idps.artifact.saml1.count"/>
                             (<xsl:value-of select="format-number($idps.artifact.saml1.count div $idpCount, '0.0%')"/>
-                            of all IdPs, 
+                            of all IdPs,
                             <xsl:value-of select="format-number($idps.artifact.saml1.count div $idps.saml1.count, '0.0%')"/>
                             of SAML 1.1 IdPs).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="idp.noaa" select="$idps[not(md:AttributeAuthorityDescriptor)]"/>
                     <xsl:variable name="idp.noaa.count" select="count($idp.noaa)"/>
                     <xsl:if test="$idp.noaa.count != 0">
@@ -506,7 +506,7 @@
                     </xsl:call-template>
 
                 </ul>
-                
+
                 <p>SSO protocol support:</p>
                 <ul>
                     <xsl:variable name="idp.sso.shibboleth"
@@ -545,7 +545,7 @@
                             </li>
                         </ul>
                     </li>
-                    
+
                     <xsl:variable name="idp.sso.saml.1.1"
                         select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
@@ -556,7 +556,7 @@
                             (<xsl:value-of select="format-number($idp.sso.saml.1.1.count div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 1.1 SSO:
@@ -565,7 +565,7 @@
                             (<xsl:value-of select="format-number($not.saml.1.1 div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="idp.sso.saml.2.0"
                         select="$idps[contains(md:IDPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:2.0:protocol')]"/>
@@ -575,7 +575,7 @@
                             SAML 2.0 SSO: <xsl:value-of select="$idp.sso.saml.2.0.count"/>
                             (<xsl:value-of select="format-number($idp.sso.saml.2.0.count div $idpCount, '0.0%')"/>)
                         </p>
-                        
+
                         <ul>
                             <xsl:variable name="idp.sso.saml.2.0.soap"
                                 select="$idp.sso.saml.2.0[descendant::md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP']]"/>
@@ -585,7 +585,7 @@
                                 (<xsl:value-of select="format-number($idp.sso.saml.2.0.soap.count div $idp.sso.saml.2.0.count, '0.0%')"/> of SAML 2.0 IdPs,
                                 <xsl:value-of select="format-number($idp.sso.saml.2.0.soap.count div $idpCount, '0.0%')"/> of all IdPs)
                             </li>
-                            
+
                             <xsl:variable name="idp.sso.saml.2.0.artifact"
                                 select="$idp.sso.saml.2.0[descendant::md:ArtifactResolutionService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP']]"/>
                             <xsl:variable name="idp.sso.saml.2.0.artifact.count" select="count($idp.sso.saml.2.0.artifact)"/>
@@ -597,7 +597,7 @@
 
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 2.0 SSO:
@@ -606,7 +606,7 @@
                             (<xsl:value-of select="format-number($not.saml.2 div $idpCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                 </ul>
 
                 <xsl:call-template name="entity.breakdown.by.software">
@@ -616,8 +616,8 @@
                 <xsl:call-template name="keydescriptor.breakdown">
                     <xsl:with-param name="entities" select="$idps"/>
                 </xsl:call-template>
-                
-                
+
+
 
                 <!--
                     *********************************************
@@ -626,8 +626,8 @@
                     ***                                       ***
                     *********************************************
                 -->
-                
-                
+
+
                 <h3>Service Providers</h3>
                 <p>There are <xsl:value-of select="$spCount"/> service providers,
                     including <xsl:value-of select="$dualEntityCount"/>
@@ -642,7 +642,7 @@
                             (<xsl:value-of select="format-number($sp.slo.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.nim" select="$sps[md:SPSSODescriptor/md:ManageNameIDService]"/>
                     <xsl:variable name="sp.nim.count" select="count($sp.nim)"/>
                     <li>
@@ -651,7 +651,7 @@
                             (<xsl:value-of select="format-number($sp.nim.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.idpdisc"
                         select="$sps[md:SPSSODescriptor/md:Extensions/idpdisc:DiscoveryResponse/@Binding=
                         'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']"/>
@@ -662,7 +662,7 @@
                             (<xsl:value-of select="format-number($sp.idpdisc.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.init" select="$sps[md:SPSSODescriptor/md:Extensions/init:RequestInitiator]"/>
                     <xsl:variable name="sp.init.count" select="count($sp.init)"/>
                     <li>
@@ -671,7 +671,7 @@
                             (<xsl:value-of select="format-number($sp.init.count div $spCount, '0.0%')"/>).
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.rqa" select="$sps[descendant::md:RequestedAttribute]"/>
                     <xsl:variable name="sp.rqa.count" select="count($sp.rqa)"/>
                     <xsl:if test="$sp.rqa.count != 0">
@@ -686,9 +686,9 @@
                     <xsl:call-template name="ofthese.entity.extras">
                         <xsl:with-param name="entities" select="$sps"/>
                     </xsl:call-template>
-                    
+
                 </ul>
-                
+
                 <p>SSO protocol support:</p>
                 <ul>
                     <xsl:variable name="sp.sso.saml.1.0"
@@ -710,7 +710,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.1.0.acs.saml.1.0.post.count div $sp.sso.saml.1.0.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.1.0.acs.saml.1.0.artifact"
                                 select="$sp.sso.saml.1.0[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
                             <xsl:variable name="sp.saml.1.0.acs.saml.1.0.artifact.count" select="count($sp.saml.1.0.acs.saml.1.0.artifact)"/>
@@ -722,7 +722,7 @@
                             </li>
                         </ul>
                     </li>
-                    
+
                     <xsl:variable name="sp.sso.saml.1.1"
                         select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:1.1:protocol')]"/>
@@ -742,7 +742,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.1.1.acs.saml.1.0.post.count div $sp.sso.saml.1.1.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.1.1.acs.saml.1.0.artifact"
                                 select="$sp.sso.saml.1.1[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']"/>
                             <xsl:variable name="sp.saml.1.1.acs.saml.1.0.artifact.count" select="count($sp.saml.1.1.acs.saml.1.0.artifact)"/>
@@ -755,7 +755,7 @@
 
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 1.1 SSO:
@@ -764,7 +764,7 @@
                             (<xsl:value-of select="format-number($not.saml.1.1 div $spCount, '0.0%')"/>)
                         </p>
                     </li>
-                    
+
                     <xsl:variable name="sp.sso.saml.2.0"
                         select="$sps[contains(md:SPSSODescriptor/@protocolSupportEnumeration,
                         'urn:oasis:names:tc:SAML:2.0:protocol')]"/>
@@ -784,7 +784,7 @@
                                     (<xsl:value-of select="format-number($sp.saml.2.0.acs.saml.2.0.post.count div $sp.sso.saml.2.0.count, '0.0%')"/>)
                                 </p>
                             </li>
-                            
+
                             <xsl:variable name="sp.saml.2.0.acs.saml.2.0.post.ss"
                                 select="$sp.sso.saml.2.0[md:SPSSODescriptor/md:AssertionConsumerService/@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']"/>
                             <xsl:variable name="sp.saml.2.0.acs.saml.2.0.post.ss.count" select="count($sp.saml.2.0.acs.saml.2.0.post.ss)"/>
@@ -813,11 +813,11 @@
                                     PAOS: <xsl:value-of select="$sp.saml.2.0.acs.saml.2.0.paos.count"/>
                                     (<xsl:value-of select="format-number($sp.saml.2.0.acs.saml.2.0.paos.count div $sp.sso.saml.2.0.count, '0.0%')"/>)
                                 </p>
-                            </li>                            
-                            
+                            </li>
+
                         </ul>
                     </li>
-                    
+
                     <li>
                         <p>
                             Not supporting SAML 2.0 SSO:
@@ -828,7 +828,7 @@
                     </li>
 
                 </ul>
-                
+
                 <xsl:call-template name="entity.breakdown.by.software">
                     <xsl:with-param name="entities" select="$sps"/>
                 </xsl:call-template>
@@ -836,9 +836,9 @@
                 <xsl:call-template name="keydescriptor.breakdown">
                     <xsl:with-param name="entities" select="$sps"/>
                 </xsl:call-template>
-                
-                
-                
+
+
+
                 <!--
                     *********************************************
                     ***                                       ***
@@ -848,9 +848,9 @@
                 -->
                 <h2><a name="byOwner">Entities by Owner</a></h2>
                 <p>
-                    This section is intended to be largely self-explanatory. 
-                    Any items in [...] brackets give additional information about the entity: 
-                    its type, the software used, etc. 
+                    This section is intended to be largely self-explanatory.
+                    Any items in [...] brackets give additional information about the entity:
+                    its type, the software used, etc.
                  </p>
                 <ul>
                     <xsl:apply-templates select="$memberNames" mode="enumerate">
@@ -858,8 +858,8 @@
                     </xsl:apply-templates>
                 </ul>
 
-                
-                
+
+
                 <!--
                     ***********************************************
                     ***                                         ***
@@ -868,7 +868,7 @@
                     ***********************************************
                 -->
                 <h2><a name="accountableIdPs">Identity Provider Accountability</a></h2>
-                
+
                 <p>
                     The following entities are visible in the main federation discovery service
                     but do not assert user accountability:
@@ -918,8 +918,8 @@
                             <xsl:value-of select="members:Name"/>
                         </li>
                     </xsl:for-each>
-                </ul>                
-                
+                </ul>
+
 
 
                 <!--
@@ -929,7 +929,7 @@
                     ***                                 ***
                     ***************************************
                 -->
-                
+
                 <h2><a name="exportOptOut">Export Aggregate: Entities Opted Out</a></h2>
                 <xsl:variable name="entities.export.opt.out" select="$entities[descendant::ukfedlabel:ExportOptOut]"/>
                 <xsl:variable name="entities.export.opt.out.count" select="count($entities.export.opt.out)"/>
@@ -949,7 +949,7 @@
                                             <xsl:text>[RqA] </xsl:text>
                                         </xsl:when>
                                         <xsl:otherwise>
-                                            <xsl:text>[!RqA] </xsl:text> 
+                                            <xsl:text>[!RqA] </xsl:text>
                                         </xsl:otherwise>
                                     </xsl:choose>
                                 </xsl:if>
@@ -969,13 +969,13 @@
                                         <li>
                                             No SAML 2.0 support
                                         </li>
-                                    </ul>                                    
+                                    </ul>
                                 </xsl:if>
                             </li>
                         </xsl:for-each>
                     </ul>
                 </xsl:if>
-                
+
                 <!--
                     *************************************
                     ***                               ***
@@ -983,7 +983,7 @@
                     ***                               ***
                     *************************************
                 -->
-                
+
                 <h2><a name="exportOptIn">Export Aggregate: Entities Explicitly Opted In</a></h2>
                 <xsl:variable name="entities.export" select="$entities[descendant::ukfedlabel:ExportOptIn]"/>
                 <xsl:variable name="entities.export.count" select="count($entities.export)"/>
@@ -1003,7 +1003,7 @@
                                             <xsl:text>[RqA] </xsl:text>
                                         </xsl:when>
                                         <xsl:otherwise>
-                                            <xsl:text>[!RqA] </xsl:text> 
+                                            <xsl:text>[!RqA] </xsl:text>
                                         </xsl:otherwise>
                                     </xsl:choose>
                                 </xsl:if>
@@ -1023,7 +1023,7 @@
                                         <li>
                                             No SAML 2.0 support
                                         </li>
-                                    </ul>                                    
+                                    </ul>
                                 </xsl:if>
                             </li>
                         </xsl:for-each>
@@ -1094,11 +1094,11 @@
                 <xsl:call-template name="entity.breakdown.by.software">
                     <xsl:with-param name="entities" select="$nosaml2.idps"/>
                 </xsl:call-template>
-                
+
             </body>
         </html>
     </xsl:template>
-    
+
     <!--
         *****************************************
         ***                                   ***
@@ -1106,7 +1106,7 @@
         ***                                   ***
         *****************************************
     -->
-    
+
     <xsl:template match="members:Member" mode="count">
         <xsl:param name="entities"/>
         <xsl:variable name="myName" select="string(members:Name)"/>
@@ -1168,16 +1168,16 @@
                     </xsl:otherwise>
                 </xsl:choose>
             </td>
-            
+
             <!-- Outsourcing in general -->
             <td align="center">
                 <xsl:choose>
-                
+
                 	<!-- Special case: Eduserv does NOT outsource -->
                     <xsl:when test="members:Name = 'Eduserv'">
                         &#160;
                     </xsl:when>
-                    
+
                     <!--
                     	Anyone pushing scopes to an entity is assumed to
                     	be outsourcing.  Strictly speaking, this should be
@@ -1187,7 +1187,7 @@
                     <xsl:when test="members:Scopes/members:Entity">
                         *
                     </xsl:when>
-                    
+
                     <!-- if none of the above, not outsourcing -->
                     <xsl:otherwise>
                         &#160;
@@ -1196,7 +1196,7 @@
             </td>
         </tr>
     </xsl:template>
-    
+
     <xsl:template match="members:Name" mode="enumerate">
         <xsl:param name="entities"/>
         <xsl:variable name="myName" select="."/>
@@ -1253,7 +1253,7 @@
         ***   " O F   T H E S E "   E X T R A S   ***
         ***                                       ***
         *********************************************
-        
+
         Extra list entries for the "of these" breakdowns
         in the entity sections.
     -->
@@ -1272,7 +1272,7 @@
                 </p>
             </li>
         </xsl:if>
-        
+
         <xsl:variable name="e.algsupport"
             select="$entities[descendant::alg:* or descendant::md:EncryptionMethod]"/>
         <xsl:variable name="e.algsupport.count" select="count($e.algsupport)"/>
@@ -1283,7 +1283,7 @@
                     (<xsl:value-of select="format-number($e.algsupport.count div $entityCount, '0.0%')"/>)
                     provide algorithm support metadata:
                 </p>
-                
+
                 <ul>
                     <xsl:variable name="e.alg.dig" select="$entities[descendant::alg:SigningMethod]"/>
                     <xsl:variable name="e.alg.dig.count" select="count($e.alg.dig)"/>
@@ -1302,7 +1302,7 @@
                             <xsl:value-of select="$e.sha1.count"/>
                             (<xsl:value-of select="format-number($e.sha1.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha224" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha224']"/>
                         <xsl:variable name="e.sha224.count" select="count($e.sha224)"/>
@@ -1311,7 +1311,7 @@
                             <xsl:value-of select="$e.sha224.count"/>
                             (<xsl:value-of select="format-number($e.sha224.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha256" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmlenc#sha256']"/>
                         <xsl:variable name="e.sha256.count" select="count($e.sha256)"/>
@@ -1320,7 +1320,7 @@
                             <xsl:value-of select="$e.sha256.count"/>
                             (<xsl:value-of select="format-number($e.sha256.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha384" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']"/>
                         <xsl:variable name="e.sha384.count" select="count($e.sha384)"/>
@@ -1329,7 +1329,7 @@
                             <xsl:value-of select="$e.sha384.count"/>
                             (<xsl:value-of select="format-number($e.sha384.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha512" select="$entities[
                             descendant::alg:DigestMethod/@Algorithm='http://www.w3.org/2001/04/xmlenc#sha512']"/>
                         <xsl:variable name="e.sha512.count" select="count($e.sha512)"/>
@@ -1350,9 +1350,9 @@
                             <xsl:value-of select="$e.sha3.any.count"/>
                             (<xsl:value-of select="format-number($e.sha3.any.count div $e.alg.dig.count, '0.0%')"/>)
                         </li>
-                        
+
                     </ul>
-                    
+
                     <xsl:variable name="e.alg.sig" select="$entities[descendant::alg:SigningMethod]"/>
                     <xsl:variable name="e.alg.sig.count" select="count($e.alg.sig)"/>
                     <li>
@@ -1370,7 +1370,7 @@
                             <xsl:value-of select="$e.sha1.count"/>
                             (<xsl:value-of select="format-number($e.sha1.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha224" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha224']"/>
                         <xsl:variable name="e.sha224.count" select="count($e.sha224)"/>
@@ -1379,7 +1379,7 @@
                             <xsl:value-of select="$e.sha224.count"/>
                             (<xsl:value-of select="format-number($e.sha224.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.sha256" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']"/>
                         <xsl:variable name="e.sha256.count" select="count($e.sha256)"/>
@@ -1406,7 +1406,7 @@
                             <xsl:value-of select="$e.sha512.count"/>
                             (<xsl:value-of select="format-number($e.sha512.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.ec.any" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
@@ -1419,7 +1419,7 @@
                             <xsl:value-of select="$e.ec.any.count"/>
                             (<xsl:value-of select="format-number($e.ec.any.count div $e.alg.sig.count, '0.0%')"/>)
                         </li>
-                        
+
                         <xsl:variable name="e.dsa.any" select="$entities[
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
                             descendant::alg:SigningMethod/@Algorithm='http://www.w3.org/2009/xmldsig11#dsa-sha256']"/>
@@ -1436,9 +1436,9 @@
                             <xsl:variable name="e.dsa.new.count" select="count($e.dsa.new)"/>
                             [<xsl:value-of select="$e.dsa.old.count"/>, <xsl:value-of select="$e.dsa.new.count"/>]
                         </li>
-                        
+
                     </ul>
-                    
+
                     <xsl:variable name="e.alg.enc" select="$entities[descendant::md:EncryptionMethod]"/>
                     <xsl:variable name="e.alg.enc.count" select="count($e.alg.enc)"/>
                     <li>
@@ -1459,9 +1459,9 @@
                             (<xsl:value-of select="format-number($e.gcm.count div $e.alg.enc.count, '0.0%')"/>)
                         </li>
                     </ul>
-                    
+
                 </ul>
-    
+
             </li>
         </xsl:if>
 
@@ -1484,7 +1484,7 @@
                 ***   C L A S S I F Y   E N T I T I E S   B Y   S O F T W A R E   ***
                 ***                                                               ***
                 *********************************************************************
-                
+
                 The classification algorithms used here are chained together so that
                 each classification step works only on those entities not already
                 classified.  This means that entities won't be counted twice, but
@@ -1492,10 +1492,10 @@
                 shouldn't be changed without careful thought.  In general, more
                 specific algorithms should appear before more general ones.
             -->
-            
+
             <!--
                 Classify miscellaneous entities.
-                
+
                 Here we pull off a list of entities labelled with explicit
                 Software labels that aren't for the software we address
                 in more detail below.  The result is, as it were, a list of
@@ -1517,7 +1517,7 @@
                 ]"/>
             <xsl:variable name="entities.misc.out"
                 select="set:difference($entities.misc.in, $entities.misc)"/>
-            
+
             <!--
                 Classify EZproxy SPs
             -->
@@ -1535,7 +1535,7 @@
                 select="$entities.simplesamlphp.in[md:Extensions/ukfedlabel:Software/@name='simpleSAMLphp']"/>
             <xsl:variable name="entities.simplesamlphp.out"
                 select="set:difference($entities.simplesamlphp.in, $entities.simplesamlphp)"/>
-            
+
             <!--
                 Classify Atypon SAML SP entities.
             -->
@@ -1544,7 +1544,7 @@
                 select="$entities.atyponsamlsp.in[md:Extensions/ukfedlabel:Software/@name='Atypon SAML SP 1.1/2.0']"/>
             <xsl:variable name="entities.atyponsamlsp.out"
                 select="set:difference($entities.atyponsamlsp.in, $entities.atyponsamlsp)"/>
-            
+
             <!--
                 Classify OpenAthens entities.
             -->
@@ -1553,7 +1553,7 @@
                 select="$entities.openathens.in[md:Extensions/ukfedlabel:Software/@name='OpenAthens']"/>
             <xsl:variable name="entities.openathens.out"
                 select="set:difference($entities.openathens.in, $entities.openathens)"/>
-            
+
             <!--
                 Classify Shibboleth 3 IdPs entities.
             -->
@@ -1564,7 +1564,7 @@
                 ]"/>
             <xsl:variable name="entities.shib.3.out"
                 select="set:difference($entities.shib.3.in, $entities.shib.3)"/>
-            
+
             <!--
                 Classify Shibboleth 2.0 IdPs and SPs.
             -->
@@ -1586,7 +1586,7 @@
                 select="$entities.gateways.in[md:Extensions/ukfedlabel:Software/@name='Eduserv Gateway']"/>
             <xsl:variable name="entities.gateways.out"
                 select="set:difference($entities.gateways.in, $entities.gateways)"/>
-            
+
             <!--
                 Classify OpenAthens virtual IdPs.
             -->
@@ -1600,7 +1600,7 @@
                     ]"/>
             <xsl:variable name="entities.openathens.virtual.out"
                 select="set:difference($entities.openathens.virtual.in, $entities.openathens.virtual)"/>
-            
+
             <!--
                 Classify Guanxi entities.
             -->
@@ -1609,7 +1609,7 @@
                 select="$entities.guanxi.in[md:Extensions/ukfedlabel:Software/@name='Guanxi']"/>
             <xsl:variable name="entities.guanxi.out"
                 select="set:difference($entities.guanxi.in, $entities.guanxi)"/>
-            
+
             <!--
                 Classify AthensIM entities.
             -->
@@ -1618,14 +1618,14 @@
                 select="$entities.athensim.in[md:Extensions/ukfedlabel:Software/@name='AthensIM']"/>
             <xsl:variable name="entities.athensim.out"
                 select="set:difference($entities.athensim.in, $entities.athensim)"/>
-            
+
             <!--
                 Remaining entities are unknown.
             -->
             <xsl:variable name="entities.unclassified" select="$entities.athensim.out"/>
             <xsl:variable name="unknownSoftwareEntities"
                 select="$entities.unclassified | $entities.misc"/>
-            
+
             <!--
                 ***************************************************************
                 ***                                                         ***
@@ -1633,13 +1633,13 @@
                 ***                                                         ***
                 ***************************************************************
             -->
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib.3"/>
                 <xsl:with-param name="name">Shibboleth 3.x</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.shib.2"/>
                 <xsl:with-param name="name">Shibboleth 2.x</xsl:with-param>
@@ -1659,13 +1659,13 @@
                 <xsl:with-param name="name">Other than Shibboleth</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.ezproxy"/>
                 <xsl:with-param name="name">EZproxy</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.simplesamlphp"/>
                 <xsl:with-param name="name">simpleSAMLphp</xsl:with-param>
@@ -1683,31 +1683,31 @@
                 <xsl:with-param name="name">AthensIM</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.guanxi"/>
                 <xsl:with-param name="name">Guanxi</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.gateways"/>
                 <xsl:with-param name="name">Athens/Shibboleth gateway</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.openathens.virtual"/>
                 <xsl:with-param name="name">OpenAthens Virtual IdP</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$entities.openathens"/>
                 <xsl:with-param name="name">OpenAthens</xsl:with-param>
                 <xsl:with-param name="total" select="$entityCount"/>
             </xsl:call-template>
-            
+
             <xsl:call-template name="entity.breakdown.by.software.line">
                 <xsl:with-param name="entities" select="$unknownSoftwareEntities"/>
                 <xsl:with-param name="name">Unknown or other</xsl:with-param>
@@ -1754,7 +1754,7 @@
             </li>
         </xsl:if>
     </xsl:template>
-    
+
     <!--
         *********************************************************
         ***                                                   ***
@@ -1771,5 +1771,5 @@
             (<xsl:value-of select="format-number($kd.count div count($entities), '0.0')"/> per entity).
         </p>
     </xsl:template>
-    
+
 </xsl:stylesheet>
diff --git a/mdx/uk/strip_extensions.xsl b/mdx/uk/strip_extensions.xsl
index 335a0236..f8899e5a 100644
--- a/mdx/uk/strip_extensions.xsl
+++ b/mdx/uk/strip_extensions.xsl
@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 	strip_extensions.xsl
-	
+
 	Strip out any ukfedlabel namespace extensions that we don't intend to publish.
 	This may require removing now-empty md:Extensions elements.
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	
+
 	xmlns:exsl="http://exslt.org/common"
 	extension-element-prefixes="exsl"
-	
+
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -33,7 +33,7 @@
 			<xsl:apply-templates select="text()|comment()"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 	<!--
 		Strip all other ukfedlabel namespace elements entirely.
 	-->
@@ -44,12 +44,12 @@
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/strip_sirtfi_contacts.xsl b/mdx/uk/strip_sirtfi_contacts.xsl
index 9975d051..daa51068 100644
--- a/mdx/uk/strip_sirtfi_contacts.xsl
+++ b/mdx/uk/strip_sirtfi_contacts.xsl
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 	strip_sirtfi_contacts.xsl
-	
+
 	Strip out any UK federation-registered ContactPerson elements associated with SIRTFI.
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 	xmlns:remd="http://refeds.org/metadata"
-	
+
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
@@ -23,12 +23,12 @@
 	<xsl:template match="text()|comment()|@*">
 		<xsl:copy/>
 	</xsl:template>
-	
+
 	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
 	<xsl:template match="*">
 		<xsl:copy>
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:copy>
 	</xsl:template>
-	
+
 </xsl:stylesheet>
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 18d5b51c..cfed773c 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -16,12 +16,12 @@
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-    
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:uk/beans.xml"/>
-    
+
     <!--
         ***************************************
         ***                                 ***
@@ -29,10 +29,10 @@
         ***                                 ***
         ***************************************
     -->
-    
+
     <!--
         statistics
-        
+
         Stand-alone statistics generation.
     -->
     <bean id="statistics" parent="mda.SimplePipeline">
@@ -48,7 +48,7 @@
 
     <!--
         statistics.charting
-        
+
         Stand-along statistics generation for charting.
     -->
     <bean id="statistics.charting" parent="mda.SimplePipeline">
@@ -78,7 +78,7 @@
 
     <!--
         sp_mdui_test
-        
+
         Generates a page of links to discovery services, for each SP that
         has mdui:uiinfo metadata.
     -->
@@ -108,7 +108,7 @@
         ***                 ***
         ***********************
     -->
-    
+
     <bean id="verify" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -118,7 +118,7 @@
                     any of them fail.
                 -->
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     Now build an aggregate so that we can perform
                     checks across the whole aggregate, such as
@@ -131,7 +131,7 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         *********************************
         ***                           ***
@@ -139,12 +139,12 @@
         ***                           ***
         *********************************
     -->
-    
+
     <bean id="checkPorts" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
                 <ref bean="uk_registeredEntities"/>
-                
+
                 <!--
                     The next four stages ensure that any errors are reported
                     in entity ID order, even on systems where the native order
@@ -157,13 +157,13 @@
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
+
                 <ref bean="check_vhosts"/>
                 <ref bean="errorAnnouncingFilter"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         ***********************************
         ***                             ***
@@ -171,7 +171,7 @@
         ***                             ***
         ***********************************
     -->
-    
+
     <bean id="checkFuture" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -189,7 +189,7 @@
                 <ref bean="populateItemIds"/>
                 <ref bean="uk_populateIds"/>
                 <ref bean="populateRegistrationAuthorities"/>
-                
+
                 <!--
                     Additional X.509 certificate checks, over and above those
                     performed in uk_registeredEntities.
@@ -201,13 +201,13 @@
                         </list>
                     </property>
                 </bean>
-                
+
                 <ref bean="check_future"/>
                 <ref bean="errorAnnouncingFilter"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         *****************************************
         ***                                   ***
@@ -215,10 +215,10 @@
         ***                                   ***
         *****************************************
     -->
-    
+
     <!--
         fetchImportMetadata
-        
+
         Fetches the contents of the file used to hold metadata to be imported
         into a UK federation fragment file.
     -->
@@ -230,10 +230,10 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         serializeImportedMetadata
-        
+
         Serialise the fragment file just imported.
     -->
     <bean id="serializeImportedMetadata" parent="mda.SerializationStage">
@@ -247,9 +247,9 @@
 
     <!--
         import
-        
+
         Pipeline to import a metadata fragment file.
-        
+
         For now, just the head of that pipeline.
     -->
     <bean id="import.metadata" parent="mda.SimplePipeline">
@@ -258,28 +258,28 @@
                 <!-- fetch the input file -->
                 <ref bean="fetchImportMetadata"/>
                 <ref bean="populateItemIds"/>
-                
+
                 <!-- perform schema validation and stop immediately if this fails -->
                 <ref bean="checkSchemas"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- fix mailto: in contacts -->
                 <ref bean="uk_fix_mailto"/>
-                
+
                 <!-- transform into a fragment using our local conventions -->
                 <bean id="importTransform" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/import.xsl"/>
-                
+
                 <!-- normalise namespaces in a specific way -->
                 <bean id="normalizeFragment" parent="mda.XSLTransformationStage"
                     p:XSLResource="classpath:uk/ns_norm_fragment.xsl"/>
-                
+
                 <!-- check the transformed input -->
                 <ref bean="checkSchemas"/>
-                
+
                 <!--
                     Standard checks (i.e., CHECK_std), with some exclusions.
-                    
+
                     check_saml2meta is excluded so that the "FILL IN" boilerplate on
                     OrganizationURL is not flagged.
                 -->
@@ -305,7 +305,7 @@
                 <ref bean="check_shibboleth"/>
                 <ref bean="check_sp_tls"/>
                 <ref bean="check_uk_trust"/>
-                
+
                 <bean id="checkCertificates" parent="mda.X509ValidationStage">
                     <property name="validators">
                         <list>
@@ -319,29 +319,29 @@
 
                             <!--
                                 Debian weak key blacklists.
-                                
+
                                 Don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            
+
                             <!--
                                 Compromised key blacklists.
-                                
+
                                 Again, don't need to check for keys below our minimum key size.
                             -->
                             <ref bean="compromised.2048"/>
                         </list>
                     </property>
                 </bean>
-                
+
                 <ref bean="check_uk_mdrps"/>
                 <ref bean="check_uk_urlenc"/>
                 <ref bean="check_future"/>
                 <ref bean="check_imported"/>
                 <ref bean="check_vhosts"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <!-- write output file -->
                 <ref bean="serializeImportedMetadata"/>
             </list>
@@ -355,7 +355,7 @@
         ###                                           ###
         #################################################
     -->
-    
+
     <bean id="serializeImported" parent="mda.SerializationStage">
         <property name="serializer" ref="serializer"/>
         <property name="outputFile">
@@ -364,7 +364,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -375,7 +375,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -384,7 +384,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importExported"/>
-    <alias alias="importRaw" name="importExportedRaw"/>    
+    <alias alias="importRaw" name="importExportedRaw"/>
 </beans>
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 581e97ac..2c132199 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -11,7 +11,7 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Location of various resources.
     -->
@@ -27,7 +27,7 @@
     <bean id="us_incommon_legacyAggregate_url" parent="String">
         <constructor-arg value="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"/>
     </bean>
-    
+
     <!--
         Fetch the production aggregate.
     -->
@@ -40,13 +40,13 @@
             </bean>
         </property>
     </bean>
-    
+
     <!--
         InCommon signing certificate.
     -->
     <bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
     	p:resource="classpath:us_incommon/inc-md-cert.pem"/>
-    
+
     <!--
         Check InCommon signing signature.
     -->
@@ -56,7 +56,7 @@
 
     <!--
         us_incommon_check_regauth
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
@@ -67,10 +67,10 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         us_incommon_default_regauth
-        
+
         Provide a default registrationAuthority appropriate to
         this channel.
     -->
@@ -81,7 +81,7 @@
             </map>
         </property>
     </bean>
-    
+
     <!--
         Fetch the production entities as a collection.
     -->
@@ -98,12 +98,12 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="us_incommon_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Synthesise an export collection by filtering the production entities.
     -->
@@ -111,7 +111,7 @@
         <property name="composedStages">
             <list>
                 <ref bean="us_incommon_productionAggregate"/>
-                
+
                 <!--
                     Check for fatal errors at the aggregate level:
                         missing or expired validUntil attribute
@@ -120,9 +120,9 @@
                 <ref bean="check_validUntil"/>
                 <ref bean="us_incommon_checkSignature"/>
                 <ref bean="errorTerminatingFilter"/>
-                
+
                 <ref bean="disassemble"/>
-                
+
                 <!--
                     ***********************************
                     ***                             ***
@@ -130,7 +130,7 @@
                     ***                             ***
                     ***********************************
                 -->
-                    
+
                 <!--
                     Filter out all entities not involved in the pilot.
                 -->
@@ -143,7 +143,7 @@
                         </set>
                     </property>
                 </bean>
-                
+
                 <!--
                     Remove all contact information.
                 -->
@@ -153,9 +153,9 @@
                         <set>
                             <!-- no whitelisted types implies remove everything -->
                         </set>
-                    </property>                    
+                    </property>
                 </bean>
-                
+
                 <!--
                     ******************************
                     ***                        ***
@@ -163,14 +163,14 @@
                     ***                        ***
                     ******************************
                 -->
-                
+
                 <!-- default and check registrar -->
                 <ref bean="us_incommon_default_regauth"/>
                 <ref bean="us_incommon_check_regauth"/>
             </list>
         </property>
     </bean>
-    
+
     <!--
         Fake an export aggregate by aggregating the exported entities.
     -->
diff --git a/mdx/us_incommon/verbs.xml b/mdx/us_incommon/verbs.xml
index bd9340a8..aff47f46 100644
--- a/mdx/us_incommon/verbs.xml
+++ b/mdx/us_incommon/verbs.xml
@@ -11,17 +11,17 @@
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-    
+
     <!--
         Import commonly used beans.
     -->
     <import resource="classpath:common-beans.xml"/>
-        
+
     <!--
         Import channel-specific beans.
     -->
     <import resource="classpath:us_incommon/beans.xml"/>
-    
+
     <!--
         Serialise into this channel's "imported" aggregate file.
     -->
@@ -33,7 +33,7 @@
             </bean>
         </property>
     </bean>
-    
+
     <bean id="importProduction" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -53,7 +53,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importExported" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -64,7 +64,7 @@
             </list>
         </property>
     </bean>
-    
+
     <bean id="importExportedRaw" parent="mda.SimplePipeline">
         <property name="stages">
             <list>
@@ -73,7 +73,7 @@
             </list>
         </property>
     </bean>
-    
+
     <alias alias="import"    name="importExported"/>
     <alias alias="importRaw" name="importExportedRaw"/>
 </beans>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index cd4f5786..f7ed527f 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -20,12 +20,12 @@
         ***********************************
     -->
 
-    <!--        
+    <!--
         The tests in this section are not applied to the UK federation metadata at the moment,
         but will be in the future.  Usually, the delay is due to the presence of the specific
         case in the current metadata, and the test will be moved into production once that
         has been cleaned up.  In some cases, this can be a lengthy process.
-        
+
         The main check_future test is broken down into a number of sub-tests rather than
         just writing it as one long XSLT ruleset so that overlapping failures can all be
         seen at the same time.  This isn't so important in production, where any failure
@@ -33,70 +33,70 @@
         it's less productive to clear up one problem only to have another one emerge from
         hiding.
     -->
-    
+
     <!--
         check_future_0
     -->
     <bean id="check_future_0" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_0.xsl"/>
-    
+
     <!--
         check_future_1
     -->
     <bean id="check_future_1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_1.xsl"/>
-    
+
     <!--
         check_future_2
     -->
     <bean id="check_future_2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_2.xsl"/>
-    
+
     <!--
         check_future_3
     -->
     <bean id="check_future_3" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_3.xsl"/>
-    
+
     <!--
         check_future_4
     -->
     <bean id="check_future_4" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_4.xsl"/>
-    
+
     <!--
         check_future_5
     -->
     <bean id="check_future_5" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_5.xsl"/>
-    
+
     <!--
         check_future_6
     -->
     <bean id="check_future_6" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_6.xsl"/>
-    
+
     <!--
         check_future_7
     -->
     <bean id="check_future_7" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_7.xsl"/>
-    
+
     <!--
         check_future_8
     -->
     <bean id="check_future_8" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_8.xsl"/>
-    
+
     <!--
         check_future_9
     -->
     <bean id="check_future_9" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_future_9.xsl"/>
-    
+
     <!--
         check_future
-        
+
         Combines all check_future_N stages.
     -->
     <bean id="check_future" parent="mda.CompositeStage">
@@ -115,7 +115,7 @@
             </list>
         </property>
     </bean>
-    
+
 
     <!--
         ***********************************************************
@@ -146,7 +146,7 @@
     <bean id="check_mdattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdattr.xsl"/>
 
-    
+
     <!--
         *************************************************
         ***                                           ***
@@ -154,18 +154,18 @@
         ***                                           ***
         *************************************************
     -->
-    
+
     <!--
         check_mdrpi_xslt
-        
+
         Miscellaneous MDRPI tests, in XSLT.
     -->
     <bean id="check_mdrpi_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdrpi.xsl"/>
-    
+
     <!--
         check_mdrpi
-        
+
         Composite check for the MDRPI specification.
     -->
     <bean id="check_mdrpi" parent="mda.CompositeStage">
@@ -175,27 +175,27 @@
             </list>
         </property>
     </bean>
-    
+
     <!--
         check_regauth_parent
-        
+
         Parent (template) for per-channel beans.
-        
+
         Any registrationAuthority already present on an entity in this
         channel must match the known registration authority value.
     -->
     <bean id="check_regauth_parent" abstract="true" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_regauth.xsl"/>
-    
+
     <!--
         check_hasreginfo
-        
+
         Check that each entity has an mdrpi:RegistrationInfo element.
     -->
     <bean id="check_hasreginfo" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hasreginfo.xsl"/>
 
-    
+
     <!--
         ***********************************************
         ***                                         ***
@@ -203,51 +203,51 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         check_mdui_iphint
-        
+
         Checks for the mdui:IPHint element.
     -->
     <bean id="check_mdui_iphint" parent="ukf.IPHintValidationStage"
         p:checkingNetworks="true"/>
-    
+
     <!--
         check_mdui_xslt
-        
+
         Miscellaneous MDUI tests, in XSLT.
     -->
     <bean id="check_mdui_xslt" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_mdui.xsl"/>
-    
+
     <!--
         mdui_dn_en_match
-        
+
         If an IdP has both an OrganizationDisplayName in English, and an
         mdui:DisplayName in English, they must be identical.
-        
+
         UKFTS 1.4 section 3.3
     -->
     <bean id="mdui_dn_en_match" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_match.xsl"/>
-    
+
     <!--
         mdui_dn_en_present
-        
+
         If an entity has mdui:UIInfo, then that must include at least an
         mdui:DisplayName with an English name.
     -->
     <bean id="mdui_dn_en_present" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/mdui_dn_en_present.xsl"/>
-    
+
     <!--
         check_mdui
-        
+
         Composite check for the MDUI specification.
-        
+
         Omitted the following, which are only applied to
         UK-registered metadata:
-        
+
             mdui_dn_en_present
             mdui_dn_en_match
     -->
@@ -275,7 +275,7 @@
     <bean id="check_incmd" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_incmd.xsl"/>
 
-    
+
     <!--
         ***********************************************************
         ***                                                     ***
@@ -310,7 +310,7 @@
 
     <!--
         check_shib_regscope
-        
+
         Check for regular expressions in Shibboleth Scope elements.  Applied very selectively,
         because we do permit this in certain circumstances.
     -->
@@ -319,7 +319,7 @@
 
     <!--
         check_shib_noregscope
-        
+
         Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
         problems with signature generation and validation because the schema includes
         a default value.
@@ -356,13 +356,13 @@
         ***                                                             ***
         *******************************************************************
     -->
-    
+
     <!--
         check_uk_algorithms
     -->
     <bean id="check_uk_algorithms" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_uk_algorithms.xsl"/>
-    
+
     <!--
         check_uk_trust
     -->
@@ -377,7 +377,7 @@
         ***                                                 ***
         *******************************************************
     -->
-    
+
     <!--
         These checks are for consistency across a collection of entities
         rather than on each entity independently.
@@ -385,19 +385,19 @@
 
     <!--
         check_aggregate
-        
+
         Checks for duplicate entityID values across a set of entities.
-        
+
         It is assumed that the entities are wrapped in a single EntitiesDescriptor.
     -->
     <bean id="check_aggregate" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_aggregate.xsl"/>
-    
+
     <!--
         check_dup_display
-        
+
         Checks for duplicate identity provider display names across a set of entities.
-        
+
         It is assumed that the entities are independently represented as EntityDescriptor
         items in the item collection.
     -->
@@ -412,7 +412,7 @@
         ***                                         ***
         ***********************************************
     -->
-    
+
     <!--
         Debian weak key blacklists.
     -->
@@ -459,43 +459,43 @@
     -->
     <bean id="check_adfs" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_adfs.xsl"/>
-    
+
     <!--
         check_bindings
     -->
     <bean id="check_bindings" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_bindings.xsl"/>
-    
+
     <!--
         check_filtered
     -->
     <bean id="check_filtered" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_filtered.xsl"/>
-    
+
     <!--
         check_hoksso
     -->
     <bean id="check_hoksso" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_hoksso.xsl"/>
-        
+
     <!--
         check_idpdisc
     -->
     <bean id="check_idpdisc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_idpdisc.xsl"/>
-    
+
     <!--
         check_imported
     -->
     <bean id="check_imported" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_imported.xsl"/>
-    
+
     <!--
         check_init
     -->
     <bean id="check_init" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_init.xsl"/>
-    
+
     <!--
         check_mdiop
     -->
@@ -504,7 +504,7 @@
 
     <!--
         check_cr
-        
+
         Check for the presence of CR characters in text content or attribute values.
         This protects against SSPCPP-684 in the Shibboleth SP.
     -->
@@ -533,19 +533,19 @@
     -->
     <bean id="check_misc" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_misc.xsl"/>
-    
+
     <!--
         check_namespaces
     -->
     <bean id="check_namespaces" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_namespaces.xsl"/>
-    
+
     <!--
         check_reqattr
     -->
     <bean id="check_reqattr" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_reqattr.xsl"/>
-    
+
     <!--
         check_saml2int
     -->
@@ -557,19 +557,19 @@
     -->
     <bean id="check_saml1" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml1.xsl"/>
-    
+
     <!--
         check_saml2
     -->
     <bean id="check_saml2" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2.xsl"/>
-    
+
     <!--
         check_saml2meta
     -->
     <bean id="check_saml2meta" parent="mda.XSLValidationStage"
         p:XSLResource="classpath:_rules/check_saml2meta.xsl"/>
-    
+
     <!--
         check_saml_strings
     -->
@@ -599,7 +599,7 @@
 
     <!--
         check_validUntil
-        
+
         Check that an aggregate has a validUntil instant specified, and that it has not
         yet expired.  Does not put an upper bound on validUntil intervals.
     -->
@@ -614,7 +614,7 @@
         -->
         <property name="maxValidityInterval" value="0"/>
     </bean>
-    
+
     <!--
         check_vhosts
     -->
@@ -629,7 +629,7 @@
         ***                                       ***
         *********************************************
     -->
-    
+
     <!--
         CHECK_std
     -->
@@ -667,5 +667,5 @@
             </list>
         </property>
     </bean>
-    
+
 </beans>

From 5a74884b38b17530d5557292a9c846afff6e1ce4 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 19 Jun 2017 14:45:25 +0100
Subject: [PATCH 73/80] Convert tabs to spaces in XML files so that 4-space
 convention is not implicit

See ukf/ukf-meta#134.
---
 attic/extract_entityids.xsl                   |  36 +-
 attic/extract_member_dates.xsl                |  48 +-
 attic/extract_saml2sp.xsl                     |  54 +-
 attic/identity.xsl                            |  38 +-
 attic/members_domains.xsl                     | 120 +--
 build/extract_addresses.xsl                   |  70 +-
 build/extract_cert_locs.xsl                   |  62 +-
 build/extract_embedded.xsl                    | 104 +-
 build/extract_locs.xsl                        |  72 +-
 build/extract_nk_cert_locs.xsl                |  90 +-
 build/extract_nk_nocert_locs.xsl              |  82 +-
 build/extract_nocert_locs.xsl                 |  64 +-
 charting/just_ours.xsl                        |  66 +-
 charting/saml2.xsl                            |  86 +-
 charting/scopes.xsl                           |  74 +-
 charting/statistics_mdui.xsl                  |   2 +-
 mdx/_rules/check_adfs.xsl                     | 120 +--
 mdx/_rules/check_aggregate.xsl                |  70 +-
 mdx/_rules/check_algsupport.xsl               |  94 +-
 mdx/_rules/check_bindings.xsl                 | 316 +++---
 mdx/_rules/check_entityid_prefix.xsl          |  46 +-
 mdx/_rules/check_filtered.xsl                 |  48 +-
 mdx/_rules/check_framework.xsl                | 236 ++---
 mdx/_rules/check_future_0.xsl                 |  36 +-
 mdx/_rules/check_future_1.xsl                 |  36 +-
 mdx/_rules/check_future_2.xsl                 |  36 +-
 mdx/_rules/check_future_3.xsl                 |  40 +-
 mdx/_rules/check_future_4.xsl                 |  36 +-
 mdx/_rules/check_future_5.xsl                 |  26 +-
 mdx/_rules/check_future_6.xsl                 |  26 +-
 mdx/_rules/check_future_7.xsl                 |  26 +-
 mdx/_rules/check_future_8.xsl                 |  26 +-
 mdx/_rules/check_future_9.xsl                 |  26 +-
 mdx/_rules/check_hasreginfo.xsl               |  32 +-
 mdx/_rules/check_hoksso.xsl                   | 290 +++---
 mdx/_rules/check_idp_tls.xsl                  |  56 +-
 mdx/_rules/check_idpdisc.xsl                  |  94 +-
 mdx/_rules/check_imported.xsl                 |  60 +-
 mdx/_rules/check_incmd.xsl                    | 170 ++--
 mdx/_rules/check_init.xsl                     |  62 +-
 mdx/_rules/check_mdattr.xsl                   | 100 +-
 mdx/_rules/check_mdiop.xsl                    |  70 +-
 mdx/_rules/check_mdrpi.xsl                    | 296 +++---
 mdx/_rules/check_mdui.xsl                     | 436 ++++----
 mdx/_rules/check_misc.xsl                     | 182 ++--
 mdx/_rules/check_namespaces.xsl               | 194 ++--
 mdx/_rules/check_rands_member.xsl             | 136 +--
 mdx/_rules/check_rands_support.xsl            |  66 +-
 mdx/_rules/check_regauth.xsl                  |  58 +-
 mdx/_rules/check_reqattr.xsl                  | 962 +++++++++---------
 mdx/_rules/check_saml1.xsl                    | 118 +--
 mdx/_rules/check_saml2.xsl                    | 176 ++--
 mdx/_rules/check_saml2int.xsl                 | 246 ++---
 mdx/_rules/check_saml2meta.xsl                | 174 ++--
 mdx/_rules/check_shib_noregscope.xsl          |  30 +-
 mdx/_rules/check_shib_regscope.xsl            |  40 +-
 mdx/_rules/check_shibboleth.xsl               | 350 +++----
 mdx/_rules/check_sirtfi.xsl                   | 112 +-
 mdx/_rules/check_sp_tls.xsl                   |  36 +-
 mdx/_rules/check_uk_algorithms.xsl            | 302 +++---
 mdx/_rules/check_uk_trust.xsl                 | 180 ++--
 mdx/_rules/check_vhosts.xsl                   |  96 +-
 mdx/_rules/mdui_dn_en_match.xsl               |  54 +-
 mdx/_rules/mdui_dn_en_present.xsl             |  34 +-
 mdx/clean-import.xsl                          | 140 +--
 mdx/default_regauth.xsl                       | 116 +--
 mdx/identity.xsl                              |  38 +-
 mdx/int_edugain/check_recovered.xsl           |  32 +-
 mdx/ns_norm.xsl                               | 428 ++++----
 mdx/schema/MetadataExchange.xsd               |   4 +-
 ...oasis-200401-wss-wssecurity-secext-1.0.xsd | 368 +++----
 ...asis-200401-wss-wssecurity-utility-1.0.xsd | 146 +--
 mdx/schema/saml-schema-assertion-2.0.xsd      |   2 +-
 mdx/schema/shibboleth-metadata-1.0.xsd        |  70 +-
 .../sstc-saml-holder-of-key-browser-sso.xsd   |   8 +-
 mdx/schema/ws-addr.xsd                        | 232 ++---
 mdx/schema/ws-authorization.xsd               |  22 +-
 mdx/schema/ws-federation.xsd                  | 280 ++---
 mdx/schema/ws-securitypolicy-1.2.xsd          |  64 +-
 mdx/schema/xenc-schema-11.xsd                 | 116 +--
 mdx/strip-aa-mdui.xsl                         |  40 +-
 mdx/strip-comments.xsl                        |  32 +-
 mdx/strip-mdui-logo-data.xsl                  |  40 +-
 mdx/strip-mdui-logo-http.xsl                  |  78 +-
 mdx/uk/check_fixup_encmethod.xsl              |  54 +-
 mdx/uk/check_uk_keydesc_key.xsl               |  44 +-
 mdx/uk/check_uk_mdattr.xsl                    | 204 ++--
 mdx/uk/check_uk_mdrps.xsl                     |  90 +-
 mdx/uk/check_uk_urlenc.xsl                    |  38 +-
 mdx/uk/check_ukreg.xsl                        |  86 +-
 mdx/uk/entity_scopes.xsl                      |  58 +-
 mdx/uk/final_tweak.xsl                        | 288 +++---
 mdx/uk/fix_mailto.xsl                         |  62 +-
 mdx/uk/fragment.xsl                           |  82 +-
 mdx/uk/generate.xml                           |   6 +-
 mdx/uk/ns_norm_back.xsl                       | 222 ++--
 mdx/uk/ns_norm_cds.xsl                        | 134 +--
 mdx/uk/ns_norm_export.xsl                     | 184 ++--
 mdx/uk/ns_norm_export_preview.xsl             | 184 ++--
 mdx/uk/ns_norm_fragment.xsl                   | 122 +--
 mdx/uk/ns_norm_test.xsl                       | 222 ++--
 mdx/uk/ns_norm_uk.xsl                         | 222 ++--
 mdx/uk/scopes_copy.xsl                        | 102 +-
 mdx/uk/statistics.xsl                         |  10 +-
 mdx/uk/strip_extensions.xsl                   |  96 +-
 mdx/uk/strip_sirtfi_contacts.xsl              |  46 +-
 mdx/us_incommon/beans.xml                     |   2 +-
 utilities/2016-09-16/gen-id-to-name.xsl       |  24 +-
 utilities/2016-09-16/gen-ukid-to-name.xsl     |  24 +-
 utilities/2016-10-06/gen-id-to-name.xsl       |  24 +-
 .../2017-02-27/listHideFromWAYFandEA.xsl      |   4 +-
 111 files changed, 6207 insertions(+), 6207 deletions(-)

diff --git a/attic/extract_entityids.xsl b/attic/extract_entityids.xsl
index c8d79b18..0723dd87 100644
--- a/attic/extract_entityids.xsl
+++ b/attic/extract_entityids.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_entityids.xsl
+    extract_entityids.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of entity IDs.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of entity IDs.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
 
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
 
-	<xsl:template match="//md:EntityDescriptor">
-		<xsl:value-of select="@entityID"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
+    <xsl:template match="//md:EntityDescriptor">
+        <xsl:value-of select="@entityID"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/attic/extract_member_dates.xsl b/attic/extract_member_dates.xsl
index ac25f80e..0a793447 100644
--- a/attic/extract_member_dates.xsl
+++ b/attic/extract_member_dates.xsl
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_member_dates.xsl
+    extract_member_dates.xsl
 
-	XSL stylesheet that takes the UK federation members.xml file ane extracts
-	member names and joining dates in a format suitable for updating.
+    XSL stylesheet that takes the UK federation members.xml file ane extracts
+    member names and joining dates in a format suitable for updating.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfm="http://ukfederation.org.uk/2007/01/members">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="ukfm:Member">
-		<xsl:value-of select="ukfm:JoinDate"/>
-		<xsl:text>,"</xsl:text>
-		<xsl:value-of select="md:OrganizationName"/>
-		<xsl:text>"&#x0a;</xsl:text>
-	</xsl:template>
-
-	<!--
-		Junk any extraneous text nodes.
-	-->
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfm="http://ukfederation.org.uk/2007/01/members">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="ukfm:Member">
+        <xsl:value-of select="ukfm:JoinDate"/>
+        <xsl:text>,"</xsl:text>
+        <xsl:value-of select="md:OrganizationName"/>
+        <xsl:text>"&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        Junk any extraneous text nodes.
+    -->
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/attic/extract_saml2sp.xsl b/attic/extract_saml2sp.xsl
index 6950a87e..aa59a0db 100644
--- a/attic/extract_saml2sp.xsl
+++ b/attic/extract_saml2sp.xsl
@@ -1,37 +1,37 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_saml2sp.xsl
+    extract_saml2sp.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
-	SAML 2.0 support information for each SP entity.
+    XSL stylesheet that takes a SAML 2.0 metadata aggregate and extracts
+    SAML 2.0 support information for each SP entity.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
-		<xsl:value-of select="@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:choose>
-			<xsl:when test="contains(md:SPSSODescriptor/@protocolSupportEnumeration,
-				'urn:oasis:names:tc:SAML:2.0:protocol')">yes</xsl:when>
-			<xsl:otherwise>no</xsl:otherwise>
-		</xsl:choose>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:EntityDescriptor[md:SPSSODescriptor]">
+        <xsl:value-of select="@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:choose>
+            <xsl:when test="contains(md:SPSSODescriptor/@protocolSupportEnumeration,
+                'urn:oasis:names:tc:SAML:2.0:protocol')">yes</xsl:when>
+            <xsl:otherwise>no</xsl:otherwise>
+        </xsl:choose>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/attic/identity.xsl b/attic/identity.xsl
index dc2ad8b1..23f2a177 100644
--- a/attic/identity.xsl
+++ b/attic/identity.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	identity.xsl
+    identity.xsl
 
-	Identity transform.
+    Identity transform.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/attic/members_domains.xsl b/attic/members_domains.xsl
index eedd6d9f..6764589b 100644
--- a/attic/members_domains.xsl
+++ b/attic/members_domains.xsl
@@ -1,78 +1,78 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	members_domains.xsl
+    members_domains.xsl
 
-	Update members.xml to use Domain and PrimaryScope instead of
-	Scopes and isPrimary.
+    Update members.xml to use Domain and PrimaryScope instead of
+    Scopes and isPrimary.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xalan="http://xml.apache.org/xalan"
+    xmlns:members="http://ukfederation.org.uk/2007/01/members"
+    xmlns:xalan="http://xml.apache.org/xalan"
 
-	exclude-result-prefixes="members xalan"
-	xmlns="http://ukfederation.org.uk/2007/01/members"
-	>
+    exclude-result-prefixes="members xalan"
+    xmlns="http://ukfederation.org.uk/2007/01/members"
+    >
 
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
-		indent="yes" xalan:indent-amount="4"
-	/>
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"
+        indent="yes" xalan:indent-amount="4"
+    />
 
-	<!--
-		If a Scopes element has an isPrimary Scope, extract that
-		as the domain and primary scope for the member.
+    <!--
+        If a Scopes element has an isPrimary Scope, extract that
+        as the domain and primary scope for the member.
 
-		The result may not be schema-valid if the Scopes element is not
-		the first one belonging to the member: duplicate Domains elements
-		need to be removed, and misplaced Domains elements may need
-		to be moved around manually.
-	-->
-	<xsl:template match="members:Scopes[members:Scope/@isPrimary='true']">
-		<xsl:variable name="prdom" select="members:Scope[@isPrimary='true']"/>
-		<xsl:element name="Domains">
-			<xsl:text>&#10;            </xsl:text>
-			<xsl:element name="Domain"><xsl:value-of select="$prdom"/></xsl:element>
-			<xsl:text>&#10;        </xsl:text>
-		</xsl:element>
-		<xsl:text>&#10;        </xsl:text>
-		<xsl:element name="PrimaryScope"><xsl:value-of select="$prdom"/></xsl:element>
-		<!--
-			Delete the Scopes element entirely if:
-				* it contains only one Scope, and
-				* it contains no Entity elements
+        The result may not be schema-valid if the Scopes element is not
+        the first one belonging to the member: duplicate Domains elements
+        need to be removed, and misplaced Domains elements may need
+        to be moved around manually.
+    -->
+    <xsl:template match="members:Scopes[members:Scope/@isPrimary='true']">
+        <xsl:variable name="prdom" select="members:Scope[@isPrimary='true']"/>
+        <xsl:element name="Domains">
+            <xsl:text>&#10;            </xsl:text>
+            <xsl:element name="Domain"><xsl:value-of select="$prdom"/></xsl:element>
+            <xsl:text>&#10;        </xsl:text>
+        </xsl:element>
+        <xsl:text>&#10;        </xsl:text>
+        <xsl:element name="PrimaryScope"><xsl:value-of select="$prdom"/></xsl:element>
+        <!--
+            Delete the Scopes element entirely if:
+                * it contains only one Scope, and
+                * it contains no Entity elements
 
-			In other words, retain it if:
-				* it contains more than one Scope, or
-				* it contains any Entity elements
-		-->
-		<xsl:if test="count(members:Scope)>1 or count(members:Entity)!=0">
-			<xsl:text>&#10;        </xsl:text>
-			<xsl:copy>
-				<xsl:apply-templates/>
-			</xsl:copy>
-		</xsl:if>
-	</xsl:template>
+            In other words, retain it if:
+                * it contains more than one Scope, or
+                * it contains any Entity elements
+        -->
+        <xsl:if test="count(members:Scope)>1 or count(members:Entity)!=0">
+            <xsl:text>&#10;        </xsl:text>
+            <xsl:copy>
+                <xsl:apply-templates/>
+            </xsl:copy>
+        </xsl:if>
+    </xsl:template>
 
-	<!--
-		Remove any remaining isPrimary attributes.
-	-->
-	<xsl:template match="@isPrimary">
-		<!-- do nothing -->
-	</xsl:template>
+    <!--
+        Remove any remaining isPrimary attributes.
+    -->
+    <xsl:template match="@isPrimary">
+        <!-- do nothing -->
+    </xsl:template>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/build/extract_addresses.xsl b/build/extract_addresses.xsl
index 1f8d67cd..76dbd4c5 100644
--- a/build/extract_addresses.xsl
+++ b/build/extract_addresses.xsl
@@ -1,45 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_addresses.xsl
+    extract_addresses.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of contact e-mail addresses.  Only administrative and
-	technical addresses are used; all others are dropped.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of contact e-mail addresses.  Only administrative and
+    technical addresses are used; all others are dropped.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="/md:EntitiesDescriptor">
-		<Addresses>
-			<xsl:apply-templates select="md:EntityDescriptor/md:ContactPerson"/>
-		</Addresses>
-	</xsl:template>
-
-	<xsl:template match="md:ContactPerson[@contactType='support']">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<xsl:template match="md:ContactPerson">
-		<xsl:apply-templates select="md:EmailAddress"/>
-	</xsl:template>
-
-	<xsl:template match="md:EmailAddress">
-		<EmailAddress><xsl:value-of select="."/></EmailAddress>
-	</xsl:template>
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="/md:EntitiesDescriptor">
+        <Addresses>
+            <xsl:apply-templates select="md:EntityDescriptor/md:ContactPerson"/>
+        </Addresses>
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson[@contactType='support']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson">
+        <xsl:apply-templates select="md:EmailAddress"/>
+    </xsl:template>
+
+    <xsl:template match="md:EmailAddress">
+        <EmailAddress><xsl:value-of select="."/></EmailAddress>
+    </xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/build/extract_cert_locs.xsl b/build/extract_cert_locs.xsl
index b2b0eabf..46a293e6 100644
--- a/build/extract_cert_locs.xsl
+++ b/build/extract_cert_locs.xsl
@@ -1,40 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_cert_locs.xsl
+    extract_cert_locs.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that require certificates to be
-	presented to them.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that require certificates to be
+    presented to them.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<!--
-		ArtifactResolutionService endpoints on IdPs are assumed to be
-		authenticated by TLS; those on SPs are assumed to be authenticated
-		using other mechanisms.
-	-->
-	<xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        ArtifactResolutionService endpoints on IdPs are assumed to be
+        authenticated by TLS; those on SPs are assumed to be authenticated
+        using other mechanisms.
+    -->
+    <xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_embedded.xsl b/build/extract_embedded.xsl
index 75927cec..751a6a91 100644
--- a/build/extract_embedded.xsl
+++ b/build/extract_embedded.xsl
@@ -1,62 +1,62 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_embedded.xsl
+    extract_embedded.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	all embedded certificates on entities in the form of a series of
-	PEM certificate blocks.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    all embedded certificates on entities in the form of a series of
+    PEM certificate blocks.
 
-	A descriptive comment is added to indicate the entity in question and
-	the KeyName used (if any) so that later processing can distinguish.
+    A descriptive comment is added to indicate the entity in question and
+    the KeyName used (if any) so that later processing can distinguish.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:variable name="entity" select="."/>
-		<xsl:for-each select="descendant::md:KeyDescriptor">
-			<xsl:variable name="keydesc" select="."/>
-			<xsl:variable name="keyinfo" select="$keydesc/ds:KeyInfo"/>
-			<xsl:variable name="keyname" select="$keyinfo/ds:KeyName"/>
-			<xsl:variable name="cert" select="$keyinfo/ds:X509Data/ds:X509Certificate"/>
-			<xsl:if test="$cert">
-				<xsl:text>Entity: </xsl:text>
-				<xsl:if test="$entity/@ID">
-					<xsl:text>[</xsl:text>
-					<xsl:value-of select='$entity/@ID'/>
-					<xsl:text>]</xsl:text>
-				</xsl:if>
-				<xsl:value-of select="$entity/@entityID"/>
-				<xsl:text> KeyName: </xsl:text>
-				<xsl:choose>
-					<xsl:when test="$keyname">
-						<xsl:value-of select="$keyname"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:text>(none)</xsl:text>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>&#x0a;</xsl:text>
-				<xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
-				<xsl:value-of select="mdxTextUtils:wrapBase64($cert)"/>
-				<xsl:text>&#x0a;</xsl:text>
-				<xsl:text>-----END CERTIFICATE-----&#x0a;</xsl:text>
-			</xsl:if>
-		</xsl:for-each>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:variable name="entity" select="."/>
+        <xsl:for-each select="descendant::md:KeyDescriptor">
+            <xsl:variable name="keydesc" select="."/>
+            <xsl:variable name="keyinfo" select="$keydesc/ds:KeyInfo"/>
+            <xsl:variable name="keyname" select="$keyinfo/ds:KeyName"/>
+            <xsl:variable name="cert" select="$keyinfo/ds:X509Data/ds:X509Certificate"/>
+            <xsl:if test="$cert">
+                <xsl:text>Entity: </xsl:text>
+                <xsl:if test="$entity/@ID">
+                    <xsl:text>[</xsl:text>
+                    <xsl:value-of select='$entity/@ID'/>
+                    <xsl:text>]</xsl:text>
+                </xsl:if>
+                <xsl:value-of select="$entity/@entityID"/>
+                <xsl:text> KeyName: </xsl:text>
+                <xsl:choose>
+                    <xsl:when test="$keyname">
+                        <xsl:value-of select="$keyname"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:text>(none)</xsl:text>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>&#x0a;</xsl:text>
+                <xsl:text>-----BEGIN CERTIFICATE-----&#x0a;</xsl:text>
+                <xsl:value-of select="mdxTextUtils:wrapBase64($cert)"/>
+                <xsl:text>&#x0a;</xsl:text>
+                <xsl:text>-----END CERTIFICATE-----&#x0a;</xsl:text>
+            </xsl:if>
+        </xsl:for-each>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_locs.xsl b/build/extract_locs.xsl
index 1de4ddb0..468b75e2 100644
--- a/build/extract_locs.xsl
+++ b/build/extract_locs.xsl
@@ -1,45 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_locs.xsl
+    extract_locs.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that will have TLS certificates.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that will have TLS certificates.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nk_cert_locs.xsl b/build/extract_nk_cert_locs.xsl
index 8bd8cd03..08b25ce2 100644
--- a/build/extract_nk_cert_locs.xsl
+++ b/build/extract_nk_cert_locs.xsl
@@ -1,54 +1,54 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nk_cert_locs.xsl
+    extract_nk_cert_locs.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that require certificates to be
-	presented to them.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that require certificates to be
+    presented to them.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<!--
-		Exclude entities which have embedded certificates.
-
-		I.e., restrict output to entities which only have PKIX trust.
-	-->
-	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<xsl:template match="//md:AttributeService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<!--
-		ArtifactResolutionService endpoints on IdPs are assumed to be
-		authenticated by TLS; those on SPs are assumed to be authenticated
-		using other mechanisms.
-	-->
-	<xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <!--
+        Exclude entities which have embedded certificates.
+
+        I.e., restrict output to entities which only have PKIX trust.
+    -->
+    <xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//md:AttributeService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <!--
+        ArtifactResolutionService endpoints on IdPs are assumed to be
+        authenticated by TLS; those on SPs are assumed to be authenticated
+        using other mechanisms.
+    -->
+    <xsl:template match="//md:IDPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nk_nocert_locs.xsl b/build/extract_nk_nocert_locs.xsl
index 8c502036..1a9afcc5 100644
--- a/build/extract_nk_nocert_locs.xsl
+++ b/build/extract_nk_nocert_locs.xsl
@@ -1,56 +1,56 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nk_nocert_locs.xsl
+    extract_nk_nocert_locs.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that do not require certificates to be
-	presented to them.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that do not require certificates to be
+    presented to them.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
 
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
 
-	<!--
+    <!--
         Exclude entities which have embedded certificates.
 
         I.e., restrict output to entities which only have PKIX trust.
     -->
-	<xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor[descendant::ds:X509Data]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="ancestor::md:EntityDescriptor/@ID"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl
index 0ca45f9a..054d09bf 100644
--- a/build/extract_nocert_locs.xsl
+++ b/build/extract_nocert_locs.xsl
@@ -1,41 +1,41 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	extract_nocert_locs.xsl
+    extract_nocert_locs.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of service locations that do not require certificates to be
-	presented to them.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of service locations that do not require certificates to be
+    presented to them.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md ds">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="//md:SingleSignOnService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:AssertionConsumerService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
-		<xsl:value-of select="@Location"/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md ds">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="//md:SingleSignOnService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:AssertionConsumerService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="//md:SPSSODescriptor/md:ArtifactResolutionService">
+        <xsl:value-of select="@Location"/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/charting/just_ours.xsl b/charting/just_ours.xsl
index 5c7323c0..3324d60f 100644
--- a/charting/just_ours.xsl
+++ b/charting/just_ours.xsl
@@ -1,44 +1,44 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	just_ours.xsl
+    just_ours.xsl
 
-	Remove SAML entities registered other than by the UK federation.
+    Remove SAML entities registered other than by the UK federation.
 
-	Leave in entities without registrationAuthority so that this still does
-	the right thing with older aggregates which don't have MDRPI metadata.
+    Leave in entities without registrationAuthority so that this still does
+    the right thing with older aggregates which don't have MDRPI metadata.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-	<!--
-		Discard entities not registered by the UK federation.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[not(descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk')]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--
+        Discard entities not registered by the UK federation.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [not(descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk')]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/charting/saml2.xsl b/charting/saml2.xsl
index 7e916c3f..04dd4455 100644
--- a/charting/saml2.xsl
+++ b/charting/saml2.xsl
@@ -1,52 +1,52 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	saml2.xsl
+    saml2.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	statistics about the level of SAML 2 protocol support within the
-	included entities.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    statistics about the level of SAML 2 protocol support within the
+    included entities.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="md mdrpi">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<xsl:template match="md:EntitiesDescriptor">
-		<xsl:variable name="entities" select="//md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
-		<xsl:value-of select="count($entities)"/><xsl:text> </xsl:text>
-		<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-		<xsl:value-of select="count($idps)"/><xsl:text> </xsl:text>
-		<xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
-		<xsl:value-of select="count($sps)"/><xsl:text> </xsl:text>
-
-		<xsl:variable name="entities.saml2"
-			select="$entities[
-			md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] |
-			md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			]"/>
-		<xsl:value-of select="count($entities.saml2)"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="count($entities[
-			md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			])"/>
-		<xsl:text> </xsl:text>
-		<xsl:value-of select="count($entities[
-			md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-			])"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="md mdrpi">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <xsl:template match="md:EntitiesDescriptor">
+        <xsl:variable name="entities" select="//md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
+        <xsl:value-of select="count($entities)"/><xsl:text> </xsl:text>
+        <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+        <xsl:value-of select="count($idps)"/><xsl:text> </xsl:text>
+        <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
+        <xsl:value-of select="count($sps)"/><xsl:text> </xsl:text>
+
+        <xsl:variable name="entities.saml2"
+            select="$entities[
+            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] |
+            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ]"/>
+        <xsl:value-of select="count($entities.saml2)"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="count($entities[
+            md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ])"/>
+        <xsl:text> </xsl:text>
+        <xsl:value-of select="count($entities[
+            md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+            ])"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/charting/scopes.xsl b/charting/scopes.xsl
index b53d2ccc..76e808c2 100644
--- a/charting/scopes.xsl
+++ b/charting/scopes.xsl
@@ -1,46 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	scopes.xsl
+    scopes.xsl
 
-	XSL stylesheet that takes a SAML 2.0 metadata file and extracts
-	a list of scopes used.  Regular expression scopes are ignored.
-	Duplicates are not removed, and the result is unsorted.
+    XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+    a list of scopes used.  Regular expression scopes are ignored.
+    Duplicates are not removed, and the result is unsorted.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-	<!-- Output is plain text -->
-	<xsl:output method="text"/>
-
-	<!--
-		Discard entities registered by other federations.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority!='http://ukfederation.org.uk']">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--
-		Discard regular expression scopes.
-	-->
-	<xsl:template match="//shibmd:Scope[@regex = 'true']">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<xsl:template match="//shibmd:Scope">
-		<xsl:value-of select="."/>
-		<xsl:text>&#x0a;</xsl:text>
-	</xsl:template>
-
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Output is plain text -->
+    <xsl:output method="text"/>
+
+    <!--
+        Discard entities registered by other federations.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority!='http://ukfederation.org.uk']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
+        Discard regular expression scopes.
+    -->
+    <xsl:template match="//shibmd:Scope[@regex = 'true']">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <xsl:template match="//shibmd:Scope">
+        <xsl:value-of select="."/>
+        <xsl:text>&#x0a;</xsl:text>
+    </xsl:template>
+
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/charting/statistics_mdui.xsl b/charting/statistics_mdui.xsl
index 1faf2ae3..15c37bf5 100644
--- a/charting/statistics_mdui.xsl
+++ b/charting/statistics_mdui.xsl
@@ -27,7 +27,7 @@
     <xsl:template match="/md:EntitiesDescriptor">
 
         <xsl:variable name="entities" select="//md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
+        [descendant::mdrpi:RegistrationInfo/@registrationAuthority='http://ukfederation.org.uk']"/>
         <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
         <xsl:variable name="sps" select="$entities[md:SPSSODescriptor]"/>
 
diff --git a/mdx/_rules/check_adfs.xsl b/mdx/_rules/check_adfs.xsl
index e4edee1f..0381d285 100644
--- a/mdx/_rules/check_adfs.xsl
+++ b/mdx/_rules/check_adfs.xsl
@@ -1,77 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_adfs.xsl
+    check_adfs.xsl
 
-	Checking ruleset containing rules associated with the ADFS metadata profile,
-	as described here:
+    Checking ruleset containing rules associated with the ADFS metadata profile,
+    as described here:
 
-		https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
+        https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		An IdP's SSO descriptor must contain a SingleSignOn element with
-		the appropriate binding.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
-		[not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        An IdP's SSO descriptor must contain a SingleSignOn element with
+        the appropriate binding.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+        [not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		An SP's SSO descriptor must contain an AssertionConsumerService element with
-		the appropriate binding.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
-		[not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        An SP's SSO descriptor must contain an AssertionConsumerService element with
+        the appropriate binding.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+        [not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		If the ADFS binding appears on any service, the parent role's protocol support
-		enumeration must include the appropruate URI.
-	-->
-	<xsl:template match="md:SingleSignOnService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        If the ADFS binding appears on any service, the parent role's protocol support
+        enumeration must include the appropruate URI.
+    -->
+    <xsl:template match="md:SingleSignOnService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:SingleLogoutService
-		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SingleLogoutService
+        [@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_aggregate.xsl b/mdx/_rules/check_aggregate.xsl
index 031c18aa..44337a70 100644
--- a/mdx/_rules/check_aggregate.xsl
+++ b/mdx/_rules/check_aggregate.xsl
@@ -1,45 +1,45 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_aggregate.xsl
+    check_aggregate.xsl
 
-	Checking ruleset containing aggregate-level checks.
+    Checking ruleset containing aggregate-level checks.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<xsl:variable name="entities" select="//md:EntityDescriptor"/>
-	<xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
-
-	<!--
-		Checks across the whole of the document are defined here.
-	-->
-	<xsl:template match="/">
-
-		<!-- check for duplicate entityID values -->
-		<xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
-		<xsl:variable name="dup.entityIDs"
-			select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
-		<xsl:for-each select="$dup.entityIDs">
-			<xsl:variable name="dup.entityID" select="."/>
-			<xsl:for-each select="$entities[@entityID = $dup.entityID]">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
-				</xsl:call-template>
-			</xsl:for-each>
-		</xsl:for-each>
-
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:variable name="entities" select="//md:EntityDescriptor"/>
+    <xsl:variable name="idps" select="$entities[md:IDPSSODescriptor]"/>
+
+    <!--
+        Checks across the whole of the document are defined here.
+    -->
+    <xsl:template match="/">
+
+        <!-- check for duplicate entityID values -->
+        <xsl:variable name="distinct.entityIDs" select="set:distinct($entities/@entityID)"/>
+        <xsl:variable name="dup.entityIDs"
+            select="set:distinct(set:difference($entities/@entityID, $distinct.entityIDs))"/>
+        <xsl:for-each select="$dup.entityIDs">
+            <xsl:variable name="dup.entityID" select="."/>
+            <xsl:for-each select="$entities[@entityID = $dup.entityID]">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">duplicate entityID: <xsl:value-of select='$dup.entityID'/></xsl:with-param>
+                </xsl:call-template>
+            </xsl:for-each>
+        </xsl:for-each>
+
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_algsupport.xsl b/mdx/_rules/check_algsupport.xsl
index 0c2481aa..b9a0962d 100644
--- a/mdx/_rules/check_algsupport.xsl
+++ b/mdx/_rules/check_algsupport.xsl
@@ -1,64 +1,64 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_algsupport.xsl
+    check_algsupport.xsl
 
-	Checking ruleset for the SAML V2.0 Metadata Profile for Algorithm Support.
+    Checking ruleset for the SAML V2.0 Metadata Profile for Algorithm Support.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		2.3 md:EncryptionMethod should appear only in md:KeyDescriptor elements
-		whose @use is omitted or set to "encryption", i.e., not "signing".
-	-->
-	<xsl:template match="md:EncryptionMethod[../@use='signing']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EncryptionMethod should not be present on 'signing' KeyDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        2.3 md:EncryptionMethod should appear only in md:KeyDescriptor elements
+        whose @use is omitted or set to "encryption", i.e., not "signing".
+    -->
+    <xsl:template match="md:EncryptionMethod[../@use='signing']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EncryptionMethod should not be present on 'signing' KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Check for duplicate SigningMethod or DigestMethod algorithms in any given list.
-	-->
-	<xsl:template match="md:Extensions[alg:*]">
+    <!--
+        Check for duplicate SigningMethod or DigestMethod algorithms in any given list.
+    -->
+    <xsl:template match="md:Extensions[alg:*]">
 
-		<!-- check individual alg:SigningMethod and alg:DigestMethod elements -->
-		<xsl:apply-templates/>
-	</xsl:template>
+        <!-- check individual alg:SigningMethod and alg:DigestMethod elements -->
+        <xsl:apply-templates/>
+    </xsl:template>
 
-	<!--
-		2.4 Check for misplaced SigningMethod or DigestMethod elements.
-	-->
-	<xsl:template match="alg:*[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>alg:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-				<xsl:text> must only appear within an Extensions element</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        2.4 Check for misplaced SigningMethod or DigestMethod elements.
+    -->
+    <xsl:template match="alg:*[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>alg:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+                <xsl:text> must only appear within an Extensions element</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Check for duplicate EncryptionMethod elements in any given list.
-	-->
-	<xsl:template match="md:KeyDescriptor[md:EncryptionMethod]">
+    <!--
+        Check for duplicate EncryptionMethod elements in any given list.
+    -->
+    <xsl:template match="md:KeyDescriptor[md:EncryptionMethod]">
 
-		<!-- check individual md:EncryptionMethod elements -->
-		<xsl:apply-templates/>
-	</xsl:template>
+        <!-- check individual md:EncryptionMethod elements -->
+        <xsl:apply-templates/>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_bindings.xsl b/mdx/_rules/check_bindings.xsl
index 282c8658..b371869d 100644
--- a/mdx/_rules/check_bindings.xsl
+++ b/mdx/_rules/check_bindings.xsl
@@ -1,178 +1,178 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_bindings.xsl
+    check_bindings.xsl
 
-	Checking ruleset that checks SAML 2.0 metadata Binding values.
+    Checking ruleset that checks SAML 2.0 metadata Binding values.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="md:ArtifactResolutionService
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:ArtifactResolutionService
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01']
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AssertionIDRequestService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AssertionIDRequestService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:URI']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AttributeService
-		[@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeService
+        [@Binding != 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:ManageNameIDService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:ManageNameIDService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:NameIDMappingService
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:NameIDMappingService
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:SingleLogoutService
-		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SingleLogoutService
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:SingleSignOnService
-		[@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
-		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SingleSignOnService
+        [@Binding != 'urn:mace:shibboleth:1.0:profiles:AuthnRequest']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+        [@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@Binding != 'http://schemas.xmlsoap.org/ws/2003/07/secext']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Issue warnings for all Bindings on elements other than the ones
-		called out above, as they may well be accurate but need additional
-		checks researched.
-	-->
-	<xsl:template match="md:*
-		[@Binding]
-		[local-name() != 'ArtifactResolutionService']
-		[local-name() != 'AssertionConsumerService']
-		[local-name() != 'AssertionIDRequestService']
-		[local-name() != 'AttributeService']
-		[local-name() != 'ManageNameIDService']
-		[local-name() != 'NameIDMappingService']
-		[local-name() != 'SingleLogoutService']
-		[local-name() != 'SingleSignOnService']
-		">
-		<xsl:call-template name="warning">
-			<xsl:with-param name="m">
-				<xsl:text>unknown binding '</xsl:text>
-				<xsl:value-of select="@Binding"/>
-				<xsl:text>' on </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Issue warnings for all Bindings on elements other than the ones
+        called out above, as they may well be accurate but need additional
+        checks researched.
+    -->
+    <xsl:template match="md:*
+        [@Binding]
+        [local-name() != 'ArtifactResolutionService']
+        [local-name() != 'AssertionConsumerService']
+        [local-name() != 'AssertionIDRequestService']
+        [local-name() != 'AttributeService']
+        [local-name() != 'ManageNameIDService']
+        [local-name() != 'NameIDMappingService']
+        [local-name() != 'SingleLogoutService']
+        [local-name() != 'SingleSignOnService']
+        ">
+        <xsl:call-template name="warning">
+            <xsl:with-param name="m">
+                <xsl:text>unknown binding '</xsl:text>
+                <xsl:value-of select="@Binding"/>
+                <xsl:text>' on </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_entityid_prefix.xsl b/mdx/_rules/check_entityid_prefix.xsl
index db29c0a1..bf53c54a 100644
--- a/mdx/_rules/check_entityid_prefix.xsl
+++ b/mdx/_rules/check_entityid_prefix.xsl
@@ -1,33 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_entityid_prefix.xsl
+    check_entityid_prefix.xsl
 
-	Checking that entityID attributes start with one of a whitelist of prefixes.
+    Checking that entityID attributes start with one of a whitelist of prefixes.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Entity IDs should start with one of "http://", "https://" or "urn:mace:".
-	-->
-	<xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
-		[not(starts-with(@entityID, 'http://'))]
-		[not(starts-with(@entityID, 'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Entity IDs should start with one of "http://", "https://" or "urn:mace:".
+    -->
+    <xsl:template match="md:EntityDescriptor[not(starts-with(@entityID, 'urn:mace:'))]
+        [not(starts-with(@entityID, 'http://'))]
+        [not(starts-with(@entityID, 'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity ID <xsl:value-of select="@entityID"/> does not start with acceptable prefix</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_filtered.xsl b/mdx/_rules/check_filtered.xsl
index 3b4b73e1..83c057dd 100644
--- a/mdx/_rules/check_filtered.xsl
+++ b/mdx/_rules/check_filtered.xsl
@@ -1,35 +1,35 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_filtered.xsl
+    check_filtered.xsl
 
-	This checking ruleset verifies that certain constructs have been removed from the
-	metadata before it is published.
+    This checking ruleset verifies that certain constructs have been removed from the
+    metadata before it is published.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<xsl:template match="ds:X509SerialNumber">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <xsl:template match="ds:X509SerialNumber">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ds:X509SerialNumber should have been filtered out</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_framework.xsl b/mdx/_rules/check_framework.xsl
index d6557058..f4e8d017 100644
--- a/mdx/_rules/check_framework.xsl
+++ b/mdx/_rules/check_framework.xsl
@@ -1,128 +1,128 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_framework.xsl
+    check_framework.xsl
 
-	XSL stylesheet providing a framework for use by rule checking files.
+    XSL stylesheet providing a framework for use by rule checking files.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-
-	<!--
-		The stylesheet output will be a text file, which will probably be thrown
-		away in any case.  The real output from the check is sent using the
-		xsl:message element.
-	-->
-	<xsl:output method="text"/>
-
-
-	<!--
-		Common template to call to report an error on some element within an entity.
-	-->
-	<xsl:template name="error">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[ERROR] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!--
-		Common template to call to report a warning on some element within an entity.
-	-->
-	<xsl:template name="warning">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[WARN] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!--
-		Common template to call to report an informational message on some element within an entity.
-	-->
-	<xsl:template name="info">
-		<xsl:param name="m"/>
-		<xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
-		<xsl:message terminate='no'>
-			<xsl:text>[INFO] </xsl:text>
-			<!--
-				If we're processing an aggregate, we need to indicate which
-				individual entity we're dealing with.
-			-->
-			<xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
-				<!--
-					Use an ID if available, otherwise the entityID.
-				-->
-				<xsl:choose>
-					<xsl:when test="$entity/@ID">
-						<xsl:value-of select="$entity/@ID"/>
-					</xsl:when>
-					<xsl:otherwise>
-						<xsl:value-of select="$entity/@entityID"/>
-					</xsl:otherwise>
-				</xsl:choose>
-				<xsl:text>: </xsl:text>
-			</xsl:if>
-			<xsl:value-of select="$m"/>
-		</xsl:message>
-	</xsl:template>
-
-
-	<!-- Recurse down through all elements by default. -->
-	<xsl:template match="*">
-		<xsl:apply-templates select="node()|@*"/>
-	</xsl:template>
-
-
-	<!-- Discard text blocks, comments and attributes by default. -->
-	<xsl:template match="text()|comment()|@*">
-		<!-- do nothing -->
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+        The stylesheet output will be a text file, which will probably be thrown
+        away in any case.  The real output from the check is sent using the
+        xsl:message element.
+    -->
+    <xsl:output method="text"/>
+
+
+    <!--
+        Common template to call to report an error on some element within an entity.
+    -->
+    <xsl:template name="error">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[ERROR] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!--
+        Common template to call to report a warning on some element within an entity.
+    -->
+    <xsl:template name="warning">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[WARN] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!--
+        Common template to call to report an informational message on some element within an entity.
+    -->
+    <xsl:template name="info">
+        <xsl:param name="m"/>
+        <xsl:variable name="entity" select="ancestor-or-self::md:EntityDescriptor"/>
+        <xsl:message terminate='no'>
+            <xsl:text>[INFO] </xsl:text>
+            <!--
+                If we're processing an aggregate, we need to indicate which
+                individual entity we're dealing with.
+            -->
+            <xsl:if test="ancestor-or-self::md:EntitiesDescriptor">
+                <!--
+                    Use an ID if available, otherwise the entityID.
+                -->
+                <xsl:choose>
+                    <xsl:when test="$entity/@ID">
+                        <xsl:value-of select="$entity/@ID"/>
+                    </xsl:when>
+                    <xsl:otherwise>
+                        <xsl:value-of select="$entity/@entityID"/>
+                    </xsl:otherwise>
+                </xsl:choose>
+                <xsl:text>: </xsl:text>
+            </xsl:if>
+            <xsl:value-of select="$m"/>
+        </xsl:message>
+    </xsl:template>
+
+
+    <!-- Recurse down through all elements by default. -->
+    <xsl:template match="*">
+        <xsl:apply-templates select="node()|@*"/>
+    </xsl:template>
+
+
+    <!-- Discard text blocks, comments and attributes by default. -->
+    <xsl:template match="text()|comment()|@*">
+        <!-- do nothing -->
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_0.xsl b/mdx/_rules/check_future_0.xsl
index 36dcb13e..809f9ee0 100644
--- a/mdx/_rules/check_future_0.xsl
+++ b/mdx/_rules/check_future_0.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_0.xsl
+    check_future_0.xsl
 
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_1.xsl b/mdx/_rules/check_future_1.xsl
index 020829f6..ed05b114 100644
--- a/mdx/_rules/check_future_1.xsl
+++ b/mdx/_rules/check_future_1.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_1.xsl
+    check_future_1.xsl
 
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_2.xsl b/mdx/_rules/check_future_2.xsl
index 9e8119f0..ee51f733 100644
--- a/mdx/_rules/check_future_2.xsl
+++ b/mdx/_rules/check_future_2.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_2.xsl
+    check_future_2.xsl
 
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_3.xsl b/mdx/_rules/check_future_3.xsl
index cb307b84..a0b99011 100644
--- a/mdx/_rules/check_future_3.xsl
+++ b/mdx/_rules/check_future_3.xsl
@@ -1,31 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_3.xsl
+    check_future_3.xsl
 
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_4.xsl b/mdx/_rules/check_future_4.xsl
index 4d3e9c74..8a7084f8 100644
--- a/mdx/_rules/check_future_4.xsl
+++ b/mdx/_rules/check_future_4.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_4.xsl
+    check_future_4.xsl
 
-	Checking ruleset containing rules that we don't currently implement,
-	but which we may implement in the future.
+    Checking ruleset containing rules that we don't currently implement,
+    but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_5.xsl b/mdx/_rules/check_future_5.xsl
index 42bff55a..8ebfc25d 100644
--- a/mdx/_rules/check_future_5.xsl
+++ b/mdx/_rules/check_future_5.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_5.xsl
+    check_future_5.xsl
 
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_6.xsl b/mdx/_rules/check_future_6.xsl
index 376914dc..14726df4 100644
--- a/mdx/_rules/check_future_6.xsl
+++ b/mdx/_rules/check_future_6.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_6.xsl
+    check_future_6.xsl
 
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_7.xsl b/mdx/_rules/check_future_7.xsl
index ea671d33..5dbd9a92 100644
--- a/mdx/_rules/check_future_7.xsl
+++ b/mdx/_rules/check_future_7.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_7.xsl
+    check_future_7.xsl
 
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_8.xsl b/mdx/_rules/check_future_8.xsl
index f80a9a9b..c763514f 100644
--- a/mdx/_rules/check_future_8.xsl
+++ b/mdx/_rules/check_future_8.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_8.xsl
+    check_future_8.xsl
 
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_future_9.xsl b/mdx/_rules/check_future_9.xsl
index 8d41c815..54911d3d 100644
--- a/mdx/_rules/check_future_9.xsl
+++ b/mdx/_rules/check_future_9.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_future_9.xsl
+    check_future_9.xsl
 
     Checking ruleset containing rules that we don't currently implement,
     but which we may implement in the future.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hasreginfo.xsl b/mdx/_rules/check_hasreginfo.xsl
index e312f5be..e2cb6801 100644
--- a/mdx/_rules/check_hasreginfo.xsl
+++ b/mdx/_rules/check_hasreginfo.xsl
@@ -1,27 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_hasreginfo.xsl
+    check_hasreginfo.xsl
 
-	Check that an entity has a RegistrationInfo element.
+    Check that an entity has a RegistrationInfo element.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="md:EntityDescriptor[not(md:Extensions/mdrpi:RegistrationInfo)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity does not have an mdrpi:RegistrationInfo element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor[not(md:Extensions/mdrpi:RegistrationInfo)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity does not have an mdrpi:RegistrationInfo element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_hoksso.xsl b/mdx/_rules/check_hoksso.xsl
index 28505a92..d3e50bc1 100644
--- a/mdx/_rules/check_hoksso.xsl
+++ b/mdx/_rules/check_hoksso.xsl
@@ -1,160 +1,160 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_hoksso.xsl
+    check_hoksso.xsl
 
-	Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
-	Profile Version 1.0, which can be found here:
+    Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
+    Profile Version 1.0, which can be found here:
 
         https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Schema checks.
-
-		The schema itself doesn't help very much as most contexts in which the hoksso
-		namespace is used are subject to "lax" checking.  These checks duplicate some
-		aspects of XML Schema checking as we'd like it to behave.
-	-->
-
-	<xsl:template match="hoksso:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element hoksso:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown attribute hoksso:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		hoksso:ProtocolBinding should only appear on md:SingleSignOnService
-		or on md:AssertionConsumerService.
-	-->
-	<xsl:template match="@hoksso:ProtocolBinding
-		[not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
-				<xsl:value-of select="name(parent::*)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
-		with the appropriate value.
-	-->
-	<xsl:template match="@hoksso:ProtocolBinding
-		[parent::*/@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>hoksso:ProtocolBinding requires @Binding of </xsl:text>
-				<xsl:text>urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser</xsl:text>
-				<xsl:text>, saw </xsl:text>
-				<xsl:value-of select="parent::*/@Binding"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
-		the valid values.
-	-->
-
-	<xsl:template match="md:*
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[not(@hoksso:ProtocolBinding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO @Binding on </xsl:text>
-				<xsl:value-of select="name()"/>
-				<xsl:text> also requires hoksso:ProtocolBinding</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SingleSignOnService
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[@hoksso:ProtocolBinding]
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
-				<xsl:if test="@hoksso:ProtocolBinding">
-					<xsl:text>, saw </xsl:text>
-					<xsl:value-of select="@hoksso:ProtocolBinding"/>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:AssertionConsumerService
-		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
-		[@hoksso:ProtocolBinding]
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
-				<xsl:if test="@hoksso:ProtocolBinding">
-					<xsl:text>, saw </xsl:text>
-					<xsl:value-of select="@hoksso:ProtocolBinding"/>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Schema checks.
+
+        The schema itself doesn't help very much as most contexts in which the hoksso
+        namespace is used are subject to "lax" checking.  These checks duplicate some
+        aspects of XML Schema checking as we'd like it to behave.
+    -->
+
+    <xsl:template match="hoksso:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown element hoksso:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown attribute hoksso:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        hoksso:ProtocolBinding should only appear on md:SingleSignOnService
+        or on md:AssertionConsumerService.
+    -->
+    <xsl:template match="@hoksso:ProtocolBinding
+        [not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
+                <xsl:value-of select="name(parent::*)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
+        with the appropriate value.
+    -->
+    <xsl:template match="@hoksso:ProtocolBinding
+        [parent::*/@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>hoksso:ProtocolBinding requires @Binding of </xsl:text>
+                <xsl:text>urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser</xsl:text>
+                <xsl:text>, saw </xsl:text>
+                <xsl:value-of select="parent::*/@Binding"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
+        the valid values.
+    -->
+
+    <xsl:template match="md:*
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [not(@hoksso:ProtocolBinding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO @Binding on </xsl:text>
+                <xsl:value-of select="name()"/>
+                <xsl:text> also requires hoksso:ProtocolBinding</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@hoksso:ProtocolBinding]
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+                <xsl:if test="@hoksso:ProtocolBinding">
+                    <xsl:text>, saw </xsl:text>
+                    <xsl:value-of select="@hoksso:ProtocolBinding"/>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AssertionConsumerService
+        [@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+        [@hoksso:ProtocolBinding]
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+        [@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+                <xsl:if test="@hoksso:ProtocolBinding">
+                    <xsl:text>, saw </xsl:text>
+                    <xsl:value-of select="@hoksso:ProtocolBinding"/>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 HoK binding requires SAML 2.0 in protocolSupportEnumeration.
     -->
 
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idp_tls.xsl b/mdx/_rules/check_idp_tls.xsl
index ef39c042..b06074b4 100644
--- a/mdx/_rules/check_idp_tls.xsl
+++ b/mdx/_rules/check_idp_tls.xsl
@@ -1,46 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_idp_tls.xsl
+    check_idp_tls.xsl
 
-	Checking that all IdP endpoints are TLS-protected.
+    Checking that all IdP endpoints are TLS-protected.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Check for IdP endpoints that don't start with https://
-	-->
+    <!--
+        Check for IdP endpoints that don't start with https://
+    -->
     <xsl:template match="md:IDPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
-	<xsl:template match="md:IDPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_idpdisc.xsl b/mdx/_rules/check_idpdisc.xsl
index f7b18305..0b4766a7 100644
--- a/mdx/_rules/check_idpdisc.xsl
+++ b/mdx/_rules/check_idpdisc.xsl
@@ -1,65 +1,65 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_idpdisc.xsl
+    check_idpdisc.xsl
 
-	Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
+    Checking ruleset containing rules associated with the SAML IdP Discovery Protocol.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:set="http://exslt.org/sets"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:set="http://exslt.org/sets"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		"index" attributes on DiscoveryResponse elements should all be different
-		for any given entity.
-	-->
+    <!--
+        "index" attributes on DiscoveryResponse elements should all be different
+        for any given entity.
+    -->
 
-	<xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
-		<xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">DiscoveryResponse index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-		<!-- check individual DiscoveryResponse elements for correctness as well -->
-		<xsl:apply-templates/>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor[descendant::idpdisc:DiscoveryResponse]">
+        <xsl:variable name="indices" select="descendant::idpdisc:DiscoveryResponse/@index"/>
+        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+        <xsl:if test="count($indices) != count($distinct.indices)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">DiscoveryResponse index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+        <!-- check individual DiscoveryResponse elements for correctness as well -->
+        <xsl:apply-templates/>
+    </xsl:template>
 
-	<!--
-		Checks on the DiscoveryResponse extension.
-	-->
+    <!--
+        Checks on the DiscoveryResponse extension.
+    -->
 
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="idpdisc:DiscoveryResponse[not(@index)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing index attribute on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="idpdisc:DiscoveryResponse[not(@Binding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing Binding attribute on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="idpdisc:DiscoveryResponse[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="idpdisc:DiscoveryResponse[@Binding]
+        [@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incorrect Binding value on DiscoveryResponse</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_imported.xsl b/mdx/_rules/check_imported.xsl
index de5f97dc..b3064734 100644
--- a/mdx/_rules/check_imported.xsl
+++ b/mdx/_rules/check_imported.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_imported.xsl
+    check_imported.xsl
 
-	Checking ruleset containing rules associated with imported metadata.
+    Checking ruleset containing rules associated with imported metadata.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:dyn="http://exslt.org/dynamic"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Checks for IdPs.
-	-->
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<!--
-			IdPs registered with the UK federation are expected to have at least one scope.
-		-->
-		<xsl:if test="not(descendant::shibmd:Scope)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">this IdP does not have any Scope elements</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
+    <!--
+        Checks for IdPs.
+    -->
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <!--
+            IdPs registered with the UK federation are expected to have at least one scope.
+        -->
+        <xsl:if test="not(descendant::shibmd:Scope)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">this IdP does not have any Scope elements</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_incmd.xsl b/mdx/_rules/check_incmd.xsl
index 727dd71f..2af81047 100644
--- a/mdx/_rules/check_incmd.xsl
+++ b/mdx/_rules/check_incmd.xsl
@@ -1,97 +1,97 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_incmd.xsl
+    check_incmd.xsl
 
-	Checking ruleset for the InCommon Federation metadata extensions,
-	the schema for which can be found here:
+    Checking ruleset for the InCommon Federation metadata extensions,
+    the schema for which can be found here:
 
         https://spaces.internet2.edu/x/iIuVAQ
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:incmd="http://id.incommon.org/metadata"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Checks for the contactType attribute.
-	-->
-
-	<xsl:template match="@incmd:contactType[not(parent::md:ContactPerson)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incmd:contactType should only appear on md:ContactPerson</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:ContactPerson[@incmd:contactType][@contactType != 'other']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>incmd:contactType requires contactType='other', found '</xsl:text>
-				<xsl:value-of select="@contactType"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Check for specific values.  This test is probably over-specific in the long term.
-	-->
-	<xsl:template match="@incmd:contactType
-		[not(. = 'http://id.incommon.org/metadata/contactType/security')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown value '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' for incmd:contactType</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="@incmd:contactType">
-		<!-- otherwise, fine -->
-	</xsl:template>
-
-	<!--
-		Additional schema checks.
-
-		The schema itself doesn't help very much as most contexts in which the incmd
-		namespace is used are subject to "lax" checking.  These checks duplicate some
-		aspects of XML Schema checking as we'd like it to behave.
-	-->
-
-	<xsl:template match="incmd:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown element incmd:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="@incmd:*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown attribute incmd:</xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:incmd="http://id.incommon.org/metadata"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Checks for the contactType attribute.
+    -->
+
+    <xsl:template match="@incmd:contactType[not(parent::md:ContactPerson)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incmd:contactType should only appear on md:ContactPerson</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:ContactPerson[@incmd:contactType][@contactType != 'other']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>incmd:contactType requires contactType='other', found '</xsl:text>
+                <xsl:value-of select="@contactType"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:contactType[not(starts-with(.,'http://'))][not(starts-with(.,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incmd:contactType must be an absolute URI</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for specific values.  This test is probably over-specific in the long term.
+    -->
+    <xsl:template match="@incmd:contactType
+        [not(. = 'http://id.incommon.org/metadata/contactType/security')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown value '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' for incmd:contactType</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:contactType">
+        <!-- otherwise, fine -->
+    </xsl:template>
+
+    <!--
+        Additional schema checks.
+
+        The schema itself doesn't help very much as most contexts in which the incmd
+        namespace is used are subject to "lax" checking.  These checks duplicate some
+        aspects of XML Schema checking as we'd like it to behave.
+    -->
+
+    <xsl:template match="incmd:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown element incmd:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="@incmd:*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown attribute incmd:</xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_init.xsl b/mdx/_rules/check_init.xsl
index 6000a50e..c7349ddd 100644
--- a/mdx/_rules/check_init.xsl
+++ b/mdx/_rules/check_init.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_int.xsl
+    check_int.xsl
 
-	Checking ruleset containing rules associated with the
-	Service Provider Request Initiation Protocol and Profile Version 1.0.
+    Checking ruleset containing rules associated with the
+    Service Provider Request Initiation Protocol and Profile Version 1.0.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Checks on the RequestInitiator extension.
-	-->
-
-	<xsl:template match="init:RequestInitiator[not(@Binding)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">missing Binding attribute on RequestInitiator</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="init:RequestInitiator[@Binding]
-		[@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:request-init']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">incorrect Binding value on RequestInitiator</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Checks on the RequestInitiator extension.
+    -->
+
+    <xsl:template match="init:RequestInitiator[not(@Binding)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">missing Binding attribute on RequestInitiator</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="init:RequestInitiator[@Binding]
+        [@Binding!='urn:oasis:names:tc:SAML:profiles:SSO:request-init']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">incorrect Binding value on RequestInitiator</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdattr.xsl b/mdx/_rules/check_mdattr.xsl
index 4a845f6a..3b0e6ad3 100644
--- a/mdx/_rules/check_mdattr.xsl
+++ b/mdx/_rules/check_mdattr.xsl
@@ -1,70 +1,70 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdattr.xsl
+    check_mdattr.xsl
 
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extension for Entity Attributes Version 1.0, see:
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extension for Entity Attributes Version 1.0, see:
 
-		https://wiki.oasis-open.org/security/SAML2MetadataAttr
+        https://wiki.oasis-open.org/security/SAML2MetadataAttr
 
-	This ruleset reflects Committee Specification 01, 04-Aug-2009.
+    This ruleset reflects Committee Specification 01, 04-Aug-2009.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Section 2.3
+    <!--
+        Section 2.3
 
-		The specification only defines the meaning of EntityAttributes within the Extensions of either
-		EntitiesDescriptor or EntityDescriptor.
-	-->
-	<xsl:template match="mdattr:EntityAttributes[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EntityAttributes must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdattr:EntityAttributes]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+        The specification only defines the meaning of EntityAttributes within the Extensions of either
+        EntitiesDescriptor or EntityDescriptor.
+    -->
+    <xsl:template match="mdattr:EntityAttributes[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EntityAttributes must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdattr:EntityAttributes]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">EntityAttributes must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Section 2.3 line 176.
+    <!--
+        Section 2.3 line 176.
 
-		Assertions not permitted in the context of an EntitiesDescriptor.
-	-->
-	<xsl:template match="md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes/saml:Assertion">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Assertion may not appear in the EntityAttributes for an EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+        Assertions not permitted in the context of an EntitiesDescriptor.
+    -->
+    <xsl:template match="md:EntitiesDescriptor/md:Extensions/mdattr:EntityAttributes/saml:Assertion">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Assertion may not appear in the EntityAttributes for an EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Section 2.3 line 182.
+    <!--
+        Section 2.3 line 182.
 
-		EntityAttributes MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdattr:EntityAttributes[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one EntityAttributes element in an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+        EntityAttributes MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdattr:EntityAttributes[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one EntityAttributes element in an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdiop.xsl b/mdx/_rules/check_mdiop.xsl
index 503e76d6..ee0ec366 100644
--- a/mdx/_rules/check_mdiop.xsl
+++ b/mdx/_rules/check_mdiop.xsl
@@ -1,46 +1,46 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdiop.xsl
+    check_mdiop.xsl
 
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Interoperability Profile, see:
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Interoperability Profile, see:
 
-		http://wiki.oasis-open.org/security/SAML2MetadataIOP
+        http://wiki.oasis-open.org/security/SAML2MetadataIOP
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Section 2.5.1: at least one representation must appear.
-	-->
-	<xsl:template match="md:KeyDescriptor
-		[not(ds:KeyInfo/ds:KeyValue)]
-		[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
-	-->
-	<xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.5.1: at least one representation must appear.
+    -->
+    <xsl:template match="md:KeyDescriptor
+        [not(ds:KeyInfo/ds:KeyValue)]
+        [not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
+    -->
+    <xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdrpi.xsl b/mdx/_rules/check_mdrpi.xsl
index 19253239..0530f57a 100644
--- a/mdx/_rules/check_mdrpi.xsl
+++ b/mdx/_rules/check_mdrpi.xsl
@@ -1,175 +1,175 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdrpi.xsl
+    check_mdrpi.xsl
 
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extensions for Registration and Publication Information Version 1.0, see:
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extensions for Registration and Publication Information Version 1.0, see:
 
-		http://wiki.oasis-open.org/security/SAML2MetadataDRI
+        http://wiki.oasis-open.org/security/SAML2MetadataDRI
 
-	This ruleset reflects WD08, 12-Dec-2011.
+    This ruleset reflects WD08, 12-Dec-2011.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Section 2.1
-
-		RegistrationInfo MUST appear within the Extensions of either
-		EntitiesDescriptor or EntityDescriptor.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdrpi:RegistrationInfo]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1
-
-		<mdrpi:RegistrationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdrpi:RegistrationInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one RegistrationInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1
-
-		If RegistrationInfo appears on an EntitiesDescriptor, that precludes any appearance on nested
-		EntitiesDescriptor or EntityDescriptor elements.
-	-->
-	<xsl:template match="md:EntitiesDescriptor[md:Extensions/mdrpi:RegistrationInfo]
-		[md:EntityDescriptor//mdrpi:RegistrationInfo | md:EntitiesDescriptor//mdrpi:RegistrationInfo]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">RegistrationInfo may not appear on both EntitiesDescriptor and child elements</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1.1
-
-		registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
-		[substring(@registrationInstant, string-length(@registrationInstant)) != 'Z']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>registrationInstant does not end with 'Z': </xsl:text>
-				<xsl:value-of select="@registrationInstant"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1.1
-
-		RegistrationPolicy elements are required to have unique xml:lang values within a given container.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo">
-		<!-- unique xml:lang over RegistrationPolicy elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdrpi:RegistrationPolicy"/>
-		</xsl:call-template>
-
-		<!-- handle individual elements -->
-		<xsl:apply-templates select="*"/>
-	</xsl:template>
-
-	<xsl:template name="uniqueLang">
-		<xsl:param name="e"/>
-		<xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
-		<xsl:variable name="u" select="set:distinct($l)"/>
-		<xsl:if test="count($l) != count($u)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>non-unique lang values on </xsl:text>
-					<xsl:value-of select="name($e)"/>
-					<xsl:text> elements</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.1
+
+        RegistrationInfo MUST appear within the Extensions of either
+        EntitiesDescriptor or EntityDescriptor.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdrpi:RegistrationInfo]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1
+
+        <mdrpi:RegistrationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdrpi:RegistrationInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one RegistrationInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1
+
+        If RegistrationInfo appears on an EntitiesDescriptor, that precludes any appearance on nested
+        EntitiesDescriptor or EntityDescriptor elements.
+    -->
+    <xsl:template match="md:EntitiesDescriptor[md:Extensions/mdrpi:RegistrationInfo]
+        [md:EntityDescriptor//mdrpi:RegistrationInfo | md:EntitiesDescriptor//mdrpi:RegistrationInfo]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">RegistrationInfo may not appear on both EntitiesDescriptor and child elements</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        registrationInstant values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[@registrationInstant]
+        [substring(@registrationInstant, string-length(@registrationInstant)) != 'Z']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>registrationInstant does not end with 'Z': </xsl:text>
+                <xsl:value-of select="@registrationInstant"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        RegistrationPolicy elements are required to have unique xml:lang values within a given container.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo">
+        <!-- unique xml:lang over RegistrationPolicy elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdrpi:RegistrationPolicy"/>
+        </xsl:call-template>
+
+        <!-- handle individual elements -->
+        <xsl:apply-templates select="*"/>
+    </xsl:template>
+
+    <xsl:template name="uniqueLang">
+        <xsl:param name="e"/>
+        <xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
+        <xsl:variable name="u" select="set:distinct($l)"/>
+        <xsl:if test="count($l) != count($u)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>non-unique lang values on </xsl:text>
+                    <xsl:value-of select="name($e)"/>
+                    <xsl:text> elements</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
+    <!--
         Section 2.2
 
         PublicationInfo MUST appear within the Extensions of either
         EntitiesDescriptor or EntityDescriptor.
     -->
-	<xsl:template match="md:PublicationInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must only appear within an Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdrpi:PublicationInfo]
-		[not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.2
-
-		PublicationInfo SHOULD NOT appear except on the document element.
-
-		Interpreted as a MUST NOT for now.
-	-->
-	<xsl:template match="mdrpi:PublicationInfo[parent::md:Extensions/parent::md:*/parent::*]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">PublicationInfo must be within document element's Extensions</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="md:PublicationInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must only appear within an Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdrpi:PublicationInfo]
+        [not(parent::md:EntityDescriptor)][not(parent::md:EntitiesDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must only appear within Extensions of EntityDescriptor or EntitiesDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
+        PublicationInfo SHOULD NOT appear except on the document element.
+
+        Interpreted as a MUST NOT for now.
+    -->
+    <xsl:template match="mdrpi:PublicationInfo[parent::md:Extensions/parent::md:*/parent::*]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">PublicationInfo must be within document element's Extensions</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 2.2
 
         <mdrpi:PublicationInfo> MUST NOT appear more than once within a given <md:Extensions> element.
     -->
-	<xsl:template match="md:Extensions/mdrpi:PublicationInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one PublicationInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:Extensions/mdrpi:PublicationInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one PublicationInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         Section 2.1, 2.2
 
         Restrict the elements in this namespace which can appear directly within md:Extensions
         to the two defined container elements.  This will catch mis-spelled containers.
     -->
-	<xsl:template match="md:Extensions/mdrpi:*
-		[not(local-name()='RegistrationInfo')][not(local-name()='PublicationInfo')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>misspelled or misplaced mdrpi element within md:Extensions: </xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:Extensions/mdrpi:*
+        [not(local-name()='RegistrationInfo')][not(local-name()='PublicationInfo')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>misspelled or misplaced mdrpi element within md:Extensions: </xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl
index 05fca711..547a524e 100644
--- a/mdx/_rules/check_mdui.xsl
+++ b/mdx/_rules/check_mdui.xsl
@@ -1,141 +1,141 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_mdui.xsl
+    check_mdui.xsl
 
-	Checking ruleset containing rules associated with the SAML V2.0 Metadata
-	Extensions for Login and Discovery User Interface Version 1.0, see:
+    Checking ruleset containing rules associated with the SAML V2.0 Metadata
+    Extensions for Login and Discovery User Interface Version 1.0, see:
 
-		http://wiki.oasis-open.org/security/SAML2MetadataUI
+        http://wiki.oasis-open.org/security/SAML2MetadataUI
 
-	This ruleset reflects WD08, 17-Jul-2011.
+    This ruleset reflects WD08, 17-Jul-2011.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Section 2.1
-
-		<mdui:UIInfo> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdui:UIInfo[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one UIInfo element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1, 2.2
-
-		Restrict the elements in this namespace which can appear directly within md:Extensions
-		to the two defined container elements.  This will catch mis-spelled containers.
-	-->
-	<xsl:template match="md:Extensions/mdui:*
-		[not(local-name()='UIInfo')][not(local-name()='DiscoHints')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>misspelled or misplaced mdui element within md:Extensions: </xsl:text>
-				<xsl:value-of select="local-name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.1.1
-
-		The <mdui:UIInfo> container element [...] MUST appear within the
-		<md:Extensions> element of a role element (one whose type is based on
-		md:RoleDescriptorType).
-
-		[The rule here further restricts the location to within either IDPSSODescriptor or
-		SPSSODescriptor elements, which are the ones it actually makes sense to use today.]
-	-->
-	<xsl:template match="mdui:UIInfo[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">UIInfo appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdui:UIInfo]
-		[not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>UIInfo appearing outside SSO descriptor element (</xsl:text>
-				<xsl:value-of select="name(..)"/>
-				<xsl:text>)</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Constraints across multiple elements within the container.
-
-		DisplayName, Description, InformationURL and PrivacyStatementURL elements
-		are all required to have unique xml:lang values within their element type.
-	-->
-	<xsl:template match="mdui:UIInfo">
-		<!-- unique xml:lang over DisplayName elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:DisplayName"/>
-		</xsl:call-template>
-
-		<!-- unique xml:lang over Description elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:Description"/>
-		</xsl:call-template>
-
-		<!-- unique xml:lang over Keywords elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:Keywords"/>
-		</xsl:call-template>
-
-		<!-- unique xml:lang over InformationURL elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:InformationURL"/>
-		</xsl:call-template>
-
-		<!-- unique xml:lang over PrivacyStatementURL elements -->
-		<xsl:call-template name="uniqueLang">
-			<xsl:with-param name="e" select="mdui:PrivacyStatementURL"/>
-		</xsl:call-template>
-
-		<!-- handle individual elements -->
-		<xsl:apply-templates select="*"/>
-	</xsl:template>
-	<xsl:template name="uniqueLang">
-		<xsl:param name="e"/>
-		<xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
-		<xsl:variable name="u" select="set:distinct($l)"/>
-		<xsl:if test="count($l) != count($u)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>non-unique lang values on </xsl:text>
-					<xsl:value-of select="name($e)"/>
-					<xsl:text> elements</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
-
-
-	<!--
-		Section 2.1.5 Element <mdui:Logo>
-	-->
-	<xsl:template match="mdui:Logo">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Section 2.1
+
+        <mdui:UIInfo> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdui:UIInfo[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one UIInfo element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1, 2.2
+
+        Restrict the elements in this namespace which can appear directly within md:Extensions
+        to the two defined container elements.  This will catch mis-spelled containers.
+    -->
+    <xsl:template match="md:Extensions/mdui:*
+        [not(local-name()='UIInfo')][not(local-name()='DiscoHints')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>misspelled or misplaced mdui element within md:Extensions: </xsl:text>
+                <xsl:value-of select="local-name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.1.1
+
+        The <mdui:UIInfo> container element [...] MUST appear within the
+        <md:Extensions> element of a role element (one whose type is based on
+        md:RoleDescriptorType).
+
+        [The rule here further restricts the location to within either IDPSSODescriptor or
+        SPSSODescriptor elements, which are the ones it actually makes sense to use today.]
+    -->
+    <xsl:template match="mdui:UIInfo[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">UIInfo appearing outside Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdui:UIInfo]
+        [not(parent::md:IDPSSODescriptor)][not(parent::md:SPSSODescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>UIInfo appearing outside SSO descriptor element (</xsl:text>
+                <xsl:value-of select="name(..)"/>
+                <xsl:text>)</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Constraints across multiple elements within the container.
+
+        DisplayName, Description, InformationURL and PrivacyStatementURL elements
+        are all required to have unique xml:lang values within their element type.
+    -->
+    <xsl:template match="mdui:UIInfo">
+        <!-- unique xml:lang over DisplayName elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:DisplayName"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over Description elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:Description"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over Keywords elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:Keywords"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over InformationURL elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:InformationURL"/>
+        </xsl:call-template>
+
+        <!-- unique xml:lang over PrivacyStatementURL elements -->
+        <xsl:call-template name="uniqueLang">
+            <xsl:with-param name="e" select="mdui:PrivacyStatementURL"/>
+        </xsl:call-template>
+
+        <!-- handle individual elements -->
+        <xsl:apply-templates select="*"/>
+    </xsl:template>
+    <xsl:template name="uniqueLang">
+        <xsl:param name="e"/>
+        <xsl:variable name="l" select="$e/@xml:lang"></xsl:variable>
+        <xsl:variable name="u" select="set:distinct($l)"/>
+        <xsl:if test="count($l) != count($u)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>non-unique lang values on </xsl:text>
+                    <xsl:value-of select="name($e)"/>
+                    <xsl:text> elements</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
+
+
+    <!--
+        Section 2.1.5 Element <mdui:Logo>
+    -->
+    <xsl:template match="mdui:Logo">
         <!--
             Logos must never include un-encoded line breaks. This makes them invalid
             URLs, but also causes problems with the Shibboleth CDS.
@@ -152,23 +152,23 @@
             </xsl:call-template>
         </xsl:if>
 
-		<!--
-			Require that the URL starts with https://
+        <!--
+            Require that the URL starts with https://
 
-			This is a SHOULD in the specification; we treat it as a MUST here.
+            This is a SHOULD in the specification; we treat it as a MUST here.
 
-			Exception: allow data: URIs as well.  The spec is currently
-			ambiguous about this, clarification ticket is here:
+            Exception: allow data: URIs as well.  The spec is currently
+            ambiguous about this, clarification ticket is here:
 
-			https://tools.oasis-open.org/issues/browse/SECURITY-24
-		-->
-		<xsl:if test="not(starts-with(., 'https://'))">
-			<xsl:if test="not(starts-with(., 'data:'))">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">mdui:Logo URL does not start with https://</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-		</xsl:if>
+            https://tools.oasis-open.org/issues/browse/SECURITY-24
+        -->
+        <xsl:if test="not(starts-with(., 'https://'))">
+            <xsl:if test="not(starts-with(., 'data:'))">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">mdui:Logo URL does not start with https://</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:if>
 
         <!--
             Check for <mdui:Logo> elements that aren't valid URLs.
@@ -190,85 +190,85 @@
                 </xsl:call-template>
             </xsl:if>
         </xsl:if>
-	</xsl:template>
-
-	<!--
-		Section 2.1.6 Element <mdui:InformationURL>
-
-		Require that the URL is valid.
-	-->
-	<xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:</xsl:text>
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    </xsl:template>
+
+    <!--
+        Section 2.1.6 Element <mdui:InformationURL>
+
+        Require that the URL is valid.
+    -->
+    <xsl:template match="mdui:InformationURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:</xsl:text>
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 2.1.7 Element <mdui:PrivacyStatementURL>
 
         Require that the URL is valid.
     -->
-	<xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:</xsl:text>
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.2
-
-		The <mdui:DiscoHints> container element [...] MUST appear within the
-		<md:Extensions> element of an <md:IDPSSODescriptor> element.
-	-->
-	<xsl:template match="mdui:DiscoHints[not(parent::md:Extensions)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">DiscoHints appearing outside Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:Extensions[mdui:DiscoHints][not(parent::md:IDPSSODescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>DiscoHints appearing outside IDPSSODescriptor element (</xsl:text>
-				<xsl:value-of select="name(..)"/>
-				<xsl:text>)</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.2
-
-		<mdui:DiscoHints> MUST NOT appear more than once within a given <md:Extensions> element.
-	-->
-	<xsl:template match="md:Extensions/mdui:DiscoHints[position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one DiscoHints element in one Extensions element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 2.2.4
-
-		Coordinates are given in URI form using the geo URI scheme [RFC5870].
-	-->
-	<xsl:template match="mdui:GeolocationHint[not(starts-with(., 'geo:'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">GeolocationHint must be RFC5870 URI starting with 'geo:'</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="mdui:PrivacyStatementURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:</xsl:text>
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
+        The <mdui:DiscoHints> container element [...] MUST appear within the
+        <md:Extensions> element of an <md:IDPSSODescriptor> element.
+    -->
+    <xsl:template match="mdui:DiscoHints[not(parent::md:Extensions)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">DiscoHints appearing outside Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:Extensions[mdui:DiscoHints][not(parent::md:IDPSSODescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>DiscoHints appearing outside IDPSSODescriptor element (</xsl:text>
+                <xsl:value-of select="name(..)"/>
+                <xsl:text>)</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2
+
+        <mdui:DiscoHints> MUST NOT appear more than once within a given <md:Extensions> element.
+    -->
+    <xsl:template match="md:Extensions/mdui:DiscoHints[position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one DiscoHints element in one Extensions element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 2.2.4
+
+        Coordinates are given in URI form using the geo URI scheme [RFC5870].
+    -->
+    <xsl:template match="mdui:GeolocationHint[not(starts-with(., 'geo:'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">GeolocationHint must be RFC5870 URI starting with 'geo:'</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_misc.xsl b/mdx/_rules/check_misc.xsl
index d95af024..4288d858 100644
--- a/mdx/_rules/check_misc.xsl
+++ b/mdx/_rules/check_misc.xsl
@@ -1,106 +1,106 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_misc.xsl
+    check_misc.xsl
 
-	Checking ruleset containing generally applicable rules not falling into any
-	other category.
+    Checking ruleset containing generally applicable rules not falling into any
+    other category.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Entity IDs should not contain space characters.
-	-->
-	<xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity ID contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for OrganizationDisplayName elements containing line breaks.
-	-->
-	<xsl:template match="md:OrganizationDisplayName[contains(., '&#10;')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">OrganizationDisplayName contains line break</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		@Location attributes should not contain space characters.
-
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Location, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Entity IDs should not contain space characters.
+    -->
+    <xsl:template match="md:EntityDescriptor[contains(@entityID, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity ID contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for OrganizationDisplayName elements containing line breaks.
+    -->
+    <xsl:template match="md:OrganizationDisplayName[contains(., '&#10;')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">OrganizationDisplayName contains line break</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        @Location attributes should not contain space characters.
+
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+    <xsl:template match="*[contains(@Location, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
         @ResponseLocation attributes should not contain space characters.
 
         This may be a little strict, and might be better confined to md:* elements.
         At present, however, this produces no false positives.
     -->
-	<xsl:template match="*[contains(@ResponseLocation, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		@Binding attributes should not contain space characters.
-
-		This may be a little strict, and might be better confined to md:* elements.
-		At present, however, this produces no false positives.
-	-->
-	<xsl:template match="*[contains(@Binding, ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> Binding contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for empty xml:lang elements, automatically generated by OIOSAML.
-
-		This is not schema-valid so would be caught further down the line anyway,
-		but it's nice to have a clear error message earlier in the process.
-	-->
-	<xsl:template match="@xml:lang[.='']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		A Shibboleth scope shouldn't be just "ac.uk".
-	-->
-	<xsl:template match="shibmd:Scope[.='ac.uk']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">bare 'ac.uk' scope not permitted</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="*[contains(@ResponseLocation, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        @Binding attributes should not contain space characters.
+
+        This may be a little strict, and might be better confined to md:* elements.
+        At present, however, this produces no false positives.
+    -->
+    <xsl:template match="*[contains(@Binding, ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Binding contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for empty xml:lang elements, automatically generated by OIOSAML.
+
+        This is not schema-valid so would be caught further down the line anyway,
+        but it's nice to have a clear error message earlier in the process.
+    -->
+    <xsl:template match="@xml:lang[.='']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">empty xml:lang attribute</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        A Shibboleth scope shouldn't be just "ac.uk".
+    -->
+    <xsl:template match="shibmd:Scope[.='ac.uk']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">bare 'ac.uk' scope not permitted</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_namespaces.xsl b/mdx/_rules/check_namespaces.xsl
index c4c83a1e..fffd0369 100644
--- a/mdx/_rules/check_namespaces.xsl
+++ b/mdx/_rules/check_namespaces.xsl
@@ -1,107 +1,107 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_namespaces.xsl
+    check_namespaces.xsl
 
-	Metadata checking ruleset that ensures that all namespaces used in a metadata file
-	are known to us, by flagging those which are not.
+    Metadata checking ruleset that ensures that all namespaces used in a metadata file
+    are known to us, by flagging those which are not.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Explicitly accept elements in namespaces which we know about.
-	-->
-
-	<xsl:template match="alg:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="ds:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="hoksso:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="idpdisc:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="init:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="md:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="mdattr:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="mdrpi:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="mdui:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="saml:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="shibmd:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="ukfedlabel:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="xenc:*">
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<!--
-		Reject elements in all other namespaces.
-	-->
-
-	<xsl:template match="*">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Unknown namespace: </xsl:text>
-				<xsl:value-of select="namespace-uri()"/>
-				<xsl:text> on element </xsl:text>
-				<xsl:value-of select="name()"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Explicitly accept elements in namespaces which we know about.
+    -->
+
+    <xsl:template match="alg:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="ds:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="hoksso:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="init:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="md:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdattr:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdrpi:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="mdui:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="saml:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="shibmd:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="ukfedlabel:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="xenc:*">
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        Reject elements in all other namespaces.
+    -->
+
+    <xsl:template match="*">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Unknown namespace: </xsl:text>
+                <xsl:value-of select="namespace-uri()"/>
+                <xsl:text> on element </xsl:text>
+                <xsl:value-of select="name()"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_rands_member.xsl b/mdx/_rules/check_rands_member.xsl
index 5ae4531f..0d98138a 100644
--- a/mdx/_rules/check_rands_member.xsl
+++ b/mdx/_rules/check_rands_member.xsl
@@ -1,86 +1,86 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_rands_member.xsl
+    check_rands_member.xsl
 
-	Checking ruleset containing rules associated with membership of the REFEDS
-	Research and Scholarship entity category, see:
+    Checking ruleset containing rules associated with membership of the REFEDS
+    Research and Scholarship entity category, see:
 
-		https://refeds.org/category/research-and-scholarship/
+        https://refeds.org/category/research-and-scholarship/
 
-	This ruleset reflects v1.3, 8-Sep-2016.
+    This ruleset reflects v1.3, 8-Sep-2016.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
     <!--
-    	Process entity category.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[md:Extensions/mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-		[@Name='http://macedir.org/entity-category']
-		/saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
-		]">
-		<xsl:choose>
-			<!--
-				(Implicit) applies only to service providers.
-			-->
-			<xsl:when test="not(md:SPSSODescriptor)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S only applies to service provider entities</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			<!--
-		        4.3.1
+        Process entity category.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [md:Extensions/mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+        [@Name='http://macedir.org/entity-category']
+        /saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
+        ]">
+        <xsl:choose>
+            <!--
+                (Implicit) applies only to service providers.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S only applies to service provider entities</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.1
 
-        		The Service Provider [...] supports SAML V2.0 HTTP-POST binding.
-    		-->
-			<xsl:when test="not(md:SPSSODescriptor/md:AssertionConsumerService
-				[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires SAML 2.0 POST support</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			<!--
-				4.3.3
+                The Service Provider [...] supports SAML V2.0 HTTP-POST binding.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor/md:AssertionConsumerService
+                [@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires SAML 2.0 POST support</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.3
 
-				The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
-			-->
-			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires mdui:DisplayName</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			<xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires mdui:InformationURL</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-			<!--
-				4.3.4
+                The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
+            -->
+            <xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires mdui:DisplayName</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <xsl:when test="not(md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires mdui:InformationURL</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+            <!--
+                4.3.4
 
-				The Service Provider provides one or more technical contacts in metadata.
-			-->
-			<xsl:when test="not(md:ContactPerson[@contactType='technical'])">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S requires one or more technical contacts</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-		</xsl:choose>
-	</xsl:template>
+                The Service Provider provides one or more technical contacts in metadata.
+            -->
+            <xsl:when test="not(md:ContactPerson[@contactType='technical'])">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S requires one or more technical contacts</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+        </xsl:choose>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_rands_support.xsl b/mdx/_rules/check_rands_support.xsl
index 71c1ff6a..c767b394 100644
--- a/mdx/_rules/check_rands_support.xsl
+++ b/mdx/_rules/check_rands_support.xsl
@@ -1,49 +1,49 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_rands_support.xsl
+    check_rands_support.xsl
 
-	Checking ruleset containing rules associated with the REFEDS
-	Research and Scholarship entity support category, see:
+    Checking ruleset containing rules associated with the REFEDS
+    Research and Scholarship entity support category, see:
 
-		https://refeds.org/category/research-and-scholarship/
+        https://refeds.org/category/research-and-scholarship/
 
-	This ruleset reflects v1.3, 8-Sep-2016.
+    This ruleset reflects v1.3, 8-Sep-2016.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         Process entity support category.
     -->
-	<xsl:template match="md:EntityDescriptor
-		[md:Extensions/mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-		[@Name='http://macedir.org/entity-category-support']
-		/saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
-		]">
-		<xsl:choose>
-			<!--
+    <xsl:template match="md:EntityDescriptor
+        [md:Extensions/mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+        [@Name='http://macedir.org/entity-category-support']
+        /saml:AttributeValue[.='http://refeds.org/category/research-and-scholarship']
+        ]">
+        <xsl:choose>
+            <!--
                 (Implicit) applies only to identity providers.
             -->
-			<xsl:when test="not(md:IDPSSODescriptor)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">REFEDS R+S support only applies to identity provider entities</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-		</xsl:choose>
-	</xsl:template>
+            <xsl:when test="not(md:IDPSSODescriptor)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">REFEDS R+S support only applies to identity provider entities</xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+        </xsl:choose>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_regauth.xsl b/mdx/_rules/check_regauth.xsl
index bf4328a0..617514ca 100644
--- a/mdx/_rules/check_regauth.xsl
+++ b/mdx/_rules/check_regauth.xsl
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_regauth.xsl
+    check_regauth.xsl
 
-	Check that the registration authority on an entity is the expected one.
+    Check that the registration authority on an entity is the expected one.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         expectedAuthority
 
         Set this parameter from the calling context.
     -->
-	<xsl:param name="expectedAuthority">(value not set)</xsl:param>
-
-	<xsl:template match="mdrpi:RegistrationInfo">
-		<xsl:if test="@registrationAuthority != $expectedAuthority">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>unexpected registration authority '</xsl:text>
-					<xsl:value-of select="@registrationAuthority"/>
-					<xsl:text>'; expected '</xsl:text>
-					<xsl:value-of select="$expectedAuthority"/>
-					<xsl:text>' for this channel</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
+    <xsl:param name="expectedAuthority">(value not set)</xsl:param>
+
+    <xsl:template match="mdrpi:RegistrationInfo">
+        <xsl:if test="@registrationAuthority != $expectedAuthority">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>unexpected registration authority '</xsl:text>
+                    <xsl:value-of select="@registrationAuthority"/>
+                    <xsl:text>'; expected '</xsl:text>
+                    <xsl:value-of select="$expectedAuthority"/>
+                    <xsl:text>' for this channel</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_reqattr.xsl b/mdx/_rules/check_reqattr.xsl
index 1952aa34..455d35e8 100644
--- a/mdx/_rules/check_reqattr.xsl
+++ b/mdx/_rules/check_reqattr.xsl
@@ -1,507 +1,507 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_reqattr.xsl
+    check_reqattr.xsl
 
-	Checking ruleset for RequestedAttribute elements in SAML 2.0 metadata.
+    Checking ruleset for RequestedAttribute elements in SAML 2.0 metadata.
 
-	The main check being performed here is that the Name and NameFormat attributes
-	of a RequestedAttribute element together designate a real SAML attribute, either
-	explicitly or implicitly covered by some specification.  Other combinations
-	of Name+NameFormat are presumptively erroneous.
+    The main check being performed here is that the Name and NameFormat attributes
+    of a RequestedAttribute element together designate a real SAML attribute, either
+    explicitly or implicitly covered by some specification.  Other combinations
+    of Name+NameFormat are presumptively erroneous.
 
-	Attribute profiles we make use of here:
+    Attribute profiles we make use of here:
 
-	* eduPerson 2008
+    * eduPerson 2008
 
-	* MACE-Dir SAML Attribute Profiles, April 2008
+    * MACE-Dir SAML Attribute Profiles, April 2008
 
-	* SWITCHaai Attribute Specification, 2010-06-23
+    * SWITCHaai Attribute Specification, 2010-06-23
 
-	* grEduPerson
-		from http://aai.grnet.gr/static/grEduPerson.schema
-		and http://aai.grnet.gr/static/policy/policy-en.pdf
+    * grEduPerson
+        from http://aai.grnet.gr/static/grEduPerson.schema
+        and http://aai.grnet.gr/static/policy/policy-en.pdf
 
-	* SCHAC
-		Only very basic coverage, most attributes to come later.
-		http://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.4.1.pdf
-		http://www.terena.org/registry/terena.org/attribute-def/
-		http://www.terena.org/registry/terena.org/schac/
-		Assuming encoding rules equivalent to MACEAttr.
+    * SCHAC
+        Only very basic coverage, most attributes to come later.
+        http://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.4.1.pdf
+        http://www.terena.org/registry/terena.org/attribute-def/
+        http://www.terena.org/registry/terena.org/schac/
+        Assuming encoding rules equivalent to MACEAttr.
 
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Lack of NameFormat is equivalent to an explicit NameFormat of
-		'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
-		see http://tools.oasis-open.org/issues/browse/SECURITY-11
-
-		This is almost certainly not correct, as an implicit
-		NameFormat of 'unspecified' is not the same as saying that
-		any NameFormat will match.
-	-->
-	<xsl:template match="md:RequestedAttribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>RequestedAttribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> lacks NameFormat attribute</xsl:text>
-				<xsl:text> (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Present but unknown, and therefore presumptively unsuitable, NameFormat values.
-	-->
-	<xsl:template match="md:RequestedAttribute[@NameFormat]
-		[@NameFormat!='urn:mace:shibboleth:1.0:attributeNamespace:uri']
-		[@NameFormat!='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>RequestedAttribute uses NameFormat of </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-				<xsl:text>: unsuitable for cross-domain use</xsl:text>
-				<xsl:if test="@FriendlyName">
-					<xsl:text> (</xsl:text>
-					<xsl:value-of select="@FriendlyName"/>
-					<xsl:text>)</xsl:text>
-				</xsl:if>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		If NameFormat is "urn:mace:shibboleth:1.0:attributeNamespace:uri", then we are
-		dealing with a SAML 1.x attribute.
-	-->
-	<xsl:template match="md:RequestedAttribute
-		[@NameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri']">
-		<xsl:choose>
-
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-
-				2.2.1: Legacy names that are explicitly permitted.
-
-				Taken from MACE-Dir SAML Attribute Profiles, April 2008
-			-->
-			<xsl:when test="
-				@Name='urn:mace:dir:attribute-def:eduPersonScopedAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonAffiliation' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrincipalName' or
-				@Name='urn:mace:dir:attribute-def:eduPersonEntitlement' or
-				@Name='urn:mace:dir:attribute-def:eduPersonTargetedID' or
-				@Name='urn:mace:dir:attribute-def:eduPersonNickname' or
-				@Name='urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN' or
-				@Name='urn:mace:dir:attribute-def:eduPersonOrgUnitDN' or
-				@Name='urn:mace:dir:attribute-def:eduPersonOrgDN' or
-				@Name='urn:mace:dir:attribute-def:eduCourseMember' or
-				@Name='urn:mace:dir:attribute-def:businessCategory' or
-				@Name='urn:mace:dir:attribute-def:carLicense' or
-				@Name='urn:mace:dir:attribute-def:cn' or
-				@Name='urn:mace:dir:attribute-def:departmentNumber' or
-				@Name='urn:mace:dir:attribute-def:description' or
-				@Name='urn:mace:dir:attribute-def:displayName' or
-				@Name='urn:mace:dir:attribute-def:employeeNumber' or
-				@Name='urn:mace:dir:attribute-def:employeeType' or
-				@Name='urn:mace:dir:attribute-def:facsimileTelephoneNumber' or
-				@Name='urn:mace:dir:attribute-def:givenName' or
-				@Name='urn:mace:dir:attribute-def:homePhone' or
-				@Name='urn:mace:dir:attribute-def:homePostalAddress' or
-				@Name='urn:mace:dir:attribute-def:initials' or
-				@Name='urn:mace:dir:attribute-def:jpegPhoto' or
-				@Name='urn:mace:dir:attribute-def:l' or
-				@Name='urn:mace:dir:attribute-def:labeledURI' or
-				@Name='urn:mace:dir:attribute-def:mail' or
-				@Name='urn:mace:dir:attribute-def:manager' or
-				@Name='urn:mace:dir:attribute-def:mobile' or
-				@Name='urn:mace:dir:attribute-def:o' or
-				@Name='urn:mace:dir:attribute-def:ou' or
-				@Name='urn:mace:dir:attribute-def:pager' or
-				@Name='urn:mace:dir:attribute-def:physicalDeliveryOfficeName' or
-				@Name='urn:mace:dir:attribute-def:postalAddress' or
-				@Name='urn:mace:dir:attribute-def:postalCode' or
-				@Name='urn:mace:dir:attribute-def:postOfficeBox' or
-				@Name='urn:mace:dir:attribute-def:preferredLanguage' or
-				@Name='urn:mace:dir:attribute-def:roomNumber' or
-				@Name='urn:mace:dir:attribute-def:seeAlso' or
-				@Name='urn:mace:dir:attribute-def:sn' or
-				@Name='urn:mace:dir:attribute-def:st' or
-				@Name='urn:mace:dir:attribute-def:street' or
-				@Name='urn:mace:dir:attribute-def:telephoneNumber' or
-				@Name='urn:mace:dir:attribute-def:title' or
-				@Name='urn:mace:dir:attribute-def:uid' or
-				@Name='urn:mace:dir:attribute-def:userCertificate' or
-				@Name='urn:mace:dir:attribute-def:userSMIMECertificate'
-				">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				Legacy name for eduPersonAssurance (from eduPerson 2008)
-			-->
-			<xsl:when test="@Name='urn:mace:dir:attribute-def:eduPersonAssurance'">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-
-				2.3.2.1.1: Recommended name and syntax for eduPersonTargetedID.
-			-->
-			<xsl:when test="@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10'">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-
-				'urn:oid:' equivalents of legacy names should NOT appear.
-				If they do, they are probably intended to be a SAML 2.0 mapping.
-
-				The list is in same order as the list of legacy names above, and
-				includes the OID for eduPersonAssurance at the end.
-			-->
-			<xsl:when test="
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.9' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.5' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.1' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.6' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.2' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.8' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.4' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.3' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.6.1.2' or
-				@Name='urn:oid:2.5.4.15' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.1' or
-				@Name='urn:oid:2.5.4.3' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.2' or
-				@Name='urn:oid:2.5.4.13' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.241' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.3' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.4' or
-				@Name='urn:oid:2.5.4.23' or
-				@Name='urn:oid:2.5.4.42' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.20' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.39' or
-				@Name='urn:oid:2.5.4.43' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.60' or
-				@Name='urn:oid:2.5.4.7' or
-				@Name='urn:oid:1.3.6.1.4.1.250.1.57' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.3' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.10' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.41' or
-				@Name='urn:oid:2.5.4.10' or
-				@Name='urn:oid:2.5.4.11' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.42' or
-				@Name='urn:oid:2.5.4.19' or
-				@Name='urn:oid:2.5.4.16' or
-				@Name='urn:oid:2.5.4.17' or
-				@Name='urn:oid:2.5.4.18' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.39' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.6' or
-				@Name='urn:oid:2.5.4.34' or
-				@Name='urn:oid:2.5.4.4' or
-				@Name='urn:oid:2.5.4.8' or
-				@Name='urn:oid:2.5.4.9' or
-				@Name='urn:oid:2.5.4.20' or
-				@Name='urn:oid:2.5.4.12' or
-				@Name='urn:oid:0.9.2342.19200300.100.1.1' or
-				@Name='urn:oid:2.5.4.36' or
-				@Name='urn:oid:2.16.840.1.113730.3.1.40' or
-				@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-						<xsl:text> uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
-				SWITCHaai SAML 1.x names are prefixed by 'urn:mace:switch.ch:attribute-def:'
-
-				Arranged in order of appearance in the specification.
-			-->
-			<xsl:when test="
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonCardUID' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonGender' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel' or
-				@Name='urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory'
-				">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				SWITCHaai SAML 2.0 names are oid-based, and should not appear
-				with the SAML 1.x NameFormat.
-
-				Arranged in order of appearance in the specification.
-			-->
-			<xsl:when test="
-				@Name='urn:oid:2.16.756.1.2.5.1.1.1' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.11' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.12' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.2' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.3' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.4' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.5' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.6' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.7' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.8' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.9' or
-				@Name='urn:oid:2.16.756.1.2.5.1.1.10'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-						<xsl:text> uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
-				grEduPerson SAML 1.x binding
-			-->
-			<xsl:when test="@Name='urn:mace:grnet.gr:grEduPerson:attribute-def:grEduPersonUndergraduateBranch'">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				grEduPerson SAML 2.0 names should not appear.
-			-->
-			<xsl:when test="@Name='urn:oid:1.3.6.1.4.1.16515.2.3.2.1'">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Lack of NameFormat is equivalent to an explicit NameFormat of
+        'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
+        see http://tools.oasis-open.org/issues/browse/SECURITY-11
+
+        This is almost certainly not correct, as an implicit
+        NameFormat of 'unspecified' is not the same as saying that
+        any NameFormat will match.
+    -->
+    <xsl:template match="md:RequestedAttribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>RequestedAttribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> lacks NameFormat attribute</xsl:text>
+                <xsl:text> (implicitly 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified')</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Present but unknown, and therefore presumptively unsuitable, NameFormat values.
+    -->
+    <xsl:template match="md:RequestedAttribute[@NameFormat]
+        [@NameFormat!='urn:mace:shibboleth:1.0:attributeNamespace:uri']
+        [@NameFormat!='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>RequestedAttribute uses NameFormat of </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+                <xsl:text>: unsuitable for cross-domain use</xsl:text>
+                <xsl:if test="@FriendlyName">
+                    <xsl:text> (</xsl:text>
+                    <xsl:value-of select="@FriendlyName"/>
+                    <xsl:text>)</xsl:text>
+                </xsl:if>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If NameFormat is "urn:mace:shibboleth:1.0:attributeNamespace:uri", then we are
+        dealing with a SAML 1.x attribute.
+    -->
+    <xsl:template match="md:RequestedAttribute
+        [@NameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri']">
+        <xsl:choose>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                2.2.1: Legacy names that are explicitly permitted.
+
+                Taken from MACE-Dir SAML Attribute Profiles, April 2008
+            -->
+            <xsl:when test="
+                @Name='urn:mace:dir:attribute-def:eduPersonScopedAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonAffiliation' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrincipalName' or
+                @Name='urn:mace:dir:attribute-def:eduPersonEntitlement' or
+                @Name='urn:mace:dir:attribute-def:eduPersonTargetedID' or
+                @Name='urn:mace:dir:attribute-def:eduPersonNickname' or
+                @Name='urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN' or
+                @Name='urn:mace:dir:attribute-def:eduPersonOrgUnitDN' or
+                @Name='urn:mace:dir:attribute-def:eduPersonOrgDN' or
+                @Name='urn:mace:dir:attribute-def:eduCourseMember' or
+                @Name='urn:mace:dir:attribute-def:businessCategory' or
+                @Name='urn:mace:dir:attribute-def:carLicense' or
+                @Name='urn:mace:dir:attribute-def:cn' or
+                @Name='urn:mace:dir:attribute-def:departmentNumber' or
+                @Name='urn:mace:dir:attribute-def:description' or
+                @Name='urn:mace:dir:attribute-def:displayName' or
+                @Name='urn:mace:dir:attribute-def:employeeNumber' or
+                @Name='urn:mace:dir:attribute-def:employeeType' or
+                @Name='urn:mace:dir:attribute-def:facsimileTelephoneNumber' or
+                @Name='urn:mace:dir:attribute-def:givenName' or
+                @Name='urn:mace:dir:attribute-def:homePhone' or
+                @Name='urn:mace:dir:attribute-def:homePostalAddress' or
+                @Name='urn:mace:dir:attribute-def:initials' or
+                @Name='urn:mace:dir:attribute-def:jpegPhoto' or
+                @Name='urn:mace:dir:attribute-def:l' or
+                @Name='urn:mace:dir:attribute-def:labeledURI' or
+                @Name='urn:mace:dir:attribute-def:mail' or
+                @Name='urn:mace:dir:attribute-def:manager' or
+                @Name='urn:mace:dir:attribute-def:mobile' or
+                @Name='urn:mace:dir:attribute-def:o' or
+                @Name='urn:mace:dir:attribute-def:ou' or
+                @Name='urn:mace:dir:attribute-def:pager' or
+                @Name='urn:mace:dir:attribute-def:physicalDeliveryOfficeName' or
+                @Name='urn:mace:dir:attribute-def:postalAddress' or
+                @Name='urn:mace:dir:attribute-def:postalCode' or
+                @Name='urn:mace:dir:attribute-def:postOfficeBox' or
+                @Name='urn:mace:dir:attribute-def:preferredLanguage' or
+                @Name='urn:mace:dir:attribute-def:roomNumber' or
+                @Name='urn:mace:dir:attribute-def:seeAlso' or
+                @Name='urn:mace:dir:attribute-def:sn' or
+                @Name='urn:mace:dir:attribute-def:st' or
+                @Name='urn:mace:dir:attribute-def:street' or
+                @Name='urn:mace:dir:attribute-def:telephoneNumber' or
+                @Name='urn:mace:dir:attribute-def:title' or
+                @Name='urn:mace:dir:attribute-def:uid' or
+                @Name='urn:mace:dir:attribute-def:userCertificate' or
+                @Name='urn:mace:dir:attribute-def:userSMIMECertificate'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                Legacy name for eduPersonAssurance (from eduPerson 2008)
+            -->
+            <xsl:when test="@Name='urn:mace:dir:attribute-def:eduPersonAssurance'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                2.3.2.1.1: Recommended name and syntax for eduPersonTargetedID.
+            -->
+            <xsl:when test="@Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                'urn:oid:' equivalents of legacy names should NOT appear.
+                If they do, they are probably intended to be a SAML 2.0 mapping.
+
+                The list is in same order as the list of legacy names above, and
+                includes the OID for eduPersonAssurance at the end.
+            -->
+            <xsl:when test="
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.9' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.5' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.1' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.6' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.7' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.10' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.2' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.8' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.4' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.3' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.6.1.2' or
+                @Name='urn:oid:2.5.4.15' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.1' or
+                @Name='urn:oid:2.5.4.3' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.2' or
+                @Name='urn:oid:2.5.4.13' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.241' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.3' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.4' or
+                @Name='urn:oid:2.5.4.23' or
+                @Name='urn:oid:2.5.4.42' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.20' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.39' or
+                @Name='urn:oid:2.5.4.43' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.60' or
+                @Name='urn:oid:2.5.4.7' or
+                @Name='urn:oid:1.3.6.1.4.1.250.1.57' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.3' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.10' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.41' or
+                @Name='urn:oid:2.5.4.10' or
+                @Name='urn:oid:2.5.4.11' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.42' or
+                @Name='urn:oid:2.5.4.19' or
+                @Name='urn:oid:2.5.4.16' or
+                @Name='urn:oid:2.5.4.17' or
+                @Name='urn:oid:2.5.4.18' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.39' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.6' or
+                @Name='urn:oid:2.5.4.34' or
+                @Name='urn:oid:2.5.4.4' or
+                @Name='urn:oid:2.5.4.8' or
+                @Name='urn:oid:2.5.4.9' or
+                @Name='urn:oid:2.5.4.20' or
+                @Name='urn:oid:2.5.4.12' or
+                @Name='urn:oid:0.9.2342.19200300.100.1.1' or
+                @Name='urn:oid:2.5.4.36' or
+                @Name='urn:oid:2.16.840.1.113730.3.1.40' or
+                @Name='urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                        <xsl:text> uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                SWITCHaai SAML 1.x names are prefixed by 'urn:mace:switch.ch:attribute-def:'
+
+                Arranged in order of appearance in the specification.
+            -->
+            <xsl:when test="
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonCardUID' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonGender' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel' or
+                @Name='urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                SWITCHaai SAML 2.0 names are oid-based, and should not appear
+                with the SAML 1.x NameFormat.
+
+                Arranged in order of appearance in the specification.
+            -->
+            <xsl:when test="
+                @Name='urn:oid:2.16.756.1.2.5.1.1.1' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.11' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.12' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.2' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.3' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.4' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.5' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.6' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.7' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.8' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.9' or
+                @Name='urn:oid:2.16.756.1.2.5.1.1.10'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                        <xsl:text> uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                grEduPerson SAML 1.x binding
+            -->
+            <xsl:when test="@Name='urn:mace:grnet.gr:grEduPerson:attribute-def:grEduPersonUndergraduateBranch'">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                grEduPerson SAML 2.0 names should not appear.
+            -->
+            <xsl:when test="@Name='urn:oid:1.3.6.1.4.1.16515.2.3.2.1'">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 SCHAC SAML 1.x binding
             -->
-			<xsl:when test="
-				@Name='urn:mace:terena.org:attribute-def:schacHomeOrganization' or
-				@Name='urn:mace:terena.org:attribute-def:schacPersonalUniqueCode'
-				">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
+            <xsl:when test="
+                @Name='urn:mace:terena.org:attribute-def:schacHomeOrganization' or
+                @Name='urn:mace:terena.org:attribute-def:schacPersonalUniqueCode'
+                ">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
                 SCHAC SAML 2.0 names should not appear.
             -->
-			<xsl:when test="
-				@Name='urn:oid:1.3.6.1.4.1.25178.1.2.9' or
-				@Name='urn:oid:1.3.6.1.4.1.25178.1.2.14'
-				">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses OID name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
-				MACE-Dir Attribute Profile for SAML 1.x
-
-				Forward-looking "urn:oid:" names are permitted, which is to say
-				any "urn:oid" name which does not correspond to a legacy name.
-
-				(Any erroneous OIDs have been eliminated above.)
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:oid:')">
-				<!-- OK -->
-			</xsl:when>
-
-			<!--
-				Otherwise unknown attribute names.
-			-->
-			<xsl:otherwise>
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses unknown name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:otherwise>
-
-		</xsl:choose>
-	</xsl:template>
-
-
-	<!--
-		If NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", then we are
-		dealing with a SAML 2.0 attribute.
-	-->
-	<xsl:template match="md:RequestedAttribute
-		[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:choose>
-
-			<!--
-				Common error: using the legacy MACEAttr name with the SAML 2.0 NameFormat.
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:mace:dir:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy MACEAttr name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
-				Common error: using the legacy SWITCHaai name with the SAML 2.0 NameFormat.
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:mace:switch.ch:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy SWITCHaai name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
+            <xsl:when test="
+                @Name='urn:oid:1.3.6.1.4.1.25178.1.2.9' or
+                @Name='urn:oid:1.3.6.1.4.1.25178.1.2.14'
+                ">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses OID name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat: should use urn:mace name or SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 1.x
+
+                Forward-looking "urn:oid:" names are permitted, which is to say
+                any "urn:oid" name which does not correspond to a legacy name.
+
+                (Any erroneous OIDs have been eliminated above.)
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:oid:')">
+                <!-- OK -->
+            </xsl:when>
+
+            <!--
+                Otherwise unknown attribute names.
+            -->
+            <xsl:otherwise>
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses unknown name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:otherwise>
+
+        </xsl:choose>
+    </xsl:template>
+
+
+    <!--
+        If NameFormat is "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", then we are
+        dealing with a SAML 2.0 attribute.
+    -->
+    <xsl:template match="md:RequestedAttribute
+        [@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:choose>
+
+            <!--
+                Common error: using the legacy MACEAttr name with the SAML 2.0 NameFormat.
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:mace:dir:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy MACEAttr name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                Common error: using the legacy SWITCHaai name with the SAML 2.0 NameFormat.
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:mace:switch.ch:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy SWITCHaai name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 Common error: using the legacy grEduPerson name with the SAML 2.0 NameFormat.
             -->
-			<xsl:when test="starts-with(@Name, 'urn:mace:grnet.gr:grEduPerson:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy format name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
+            <xsl:when test="starts-with(@Name, 'urn:mace:grnet.gr:grEduPerson:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy format name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
                 Common error: using the legacy SCHAC name with the SAML 2.0 NameFormat.
             -->
-			<xsl:when test="starts-with(@Name, 'urn:mace:terena.org:attribute-def:')">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses legacy format name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:when>
-
-			<!--
-				MACE-Dir Attribute Profile for SAML 2.0
-
-				Attributes are named per the X.500/LDAP attribute profile in [SAML2Prof].
-			-->
-			<xsl:when test="starts-with(@Name, 'urn:oid:')">
-				<!-- OK -->
-			</xsl:when>
-
-
-			<!--
-				Otherwise unknown attribute names.
-			-->
-			<xsl:otherwise>
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">
-						<xsl:text>RequestedAttribute uses unknown name </xsl:text>
-						<xsl:value-of select="@Name"/>
-						<xsl:text> with SAML 2.0 NameFormat</xsl:text>
-						<xsl:if test="@FriendlyName">
-							<xsl:text> (</xsl:text>
-							<xsl:value-of select="@FriendlyName"/>
-							<xsl:text>)</xsl:text>
-						</xsl:if>
-					</xsl:with-param>
-				</xsl:call-template>
-			</xsl:otherwise>
-
-		</xsl:choose>
-	</xsl:template>
+            <xsl:when test="starts-with(@Name, 'urn:mace:terena.org:attribute-def:')">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses legacy format name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat: should use urn:oid name or SAML 1.x NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:when>
+
+            <!--
+                MACE-Dir Attribute Profile for SAML 2.0
+
+                Attributes are named per the X.500/LDAP attribute profile in [SAML2Prof].
+            -->
+            <xsl:when test="starts-with(@Name, 'urn:oid:')">
+                <!-- OK -->
+            </xsl:when>
+
+
+            <!--
+                Otherwise unknown attribute names.
+            -->
+            <xsl:otherwise>
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">
+                        <xsl:text>RequestedAttribute uses unknown name </xsl:text>
+                        <xsl:value-of select="@Name"/>
+                        <xsl:text> with SAML 2.0 NameFormat</xsl:text>
+                        <xsl:if test="@FriendlyName">
+                            <xsl:text> (</xsl:text>
+                            <xsl:value-of select="@FriendlyName"/>
+                            <xsl:text>)</xsl:text>
+                        </xsl:if>
+                    </xsl:with-param>
+                </xsl:call-template>
+            </xsl:otherwise>
+
+        </xsl:choose>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml1.xsl b/mdx/_rules/check_saml1.xsl
index e5bc1caa..33325ed0 100644
--- a/mdx/_rules/check_saml1.xsl
+++ b/mdx/_rules/check_saml1.xsl
@@ -1,83 +1,83 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml1.xsl
+    check_saml1.xsl
 
-	Checking ruleset containing rules associated with the SAML 1.x specification.
+    Checking ruleset containing rules associated with the SAML 1.x specification.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		A service provider claiming to support SAML 1.1 should include an appropriate POST AssertionConsumerService.
-	-->
-	<xsl:template match="md:EntityDescriptor/md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        A service provider claiming to support SAML 1.1 should include an appropriate POST AssertionConsumerService.
+    -->
+    <xsl:template match="md:EntityDescriptor/md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         An IdP with a SAML 1.1 AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'])]
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         Use of SAML 1.0 bindings requires SAML 1.1 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 1.0 binding requires SAML 1.1 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:1.0:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 1.0 binding requires SAML 1.1 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2.xsl b/mdx/_rules/check_saml2.xsl
index 3c5a5e26..0f1fed85 100644
--- a/mdx/_rules/check_saml2.xsl
+++ b/mdx/_rules/check_saml2.xsl
@@ -1,110 +1,110 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2.xsl
+    check_saml2.xsl
 
-	Checking ruleset containing rules associated with the SAML 2.0 specification.
+    Checking ruleset containing rules associated with the SAML 2.0 specification.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		It does not make sense for an IdP to have more than one SingleSignOnService
-		with any of a list of SAML 2.0 front-channel bindings.
-	-->
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        It does not make sense for an IdP to have more than one SingleSignOnService
+        with any of a list of SAML 2.0 front-channel bindings.
+    -->
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         A SAML 2.0 IdP with an AttributeAuthority needs an AttributeService with an appropriate Binding.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:AttributeService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'])]
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority missing appropriately bound AttributeService</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
-	<!--
+    <!--
         Check for SAML 2.0 SPs which lack an encryption key.
     -->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='encryption'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 SP has no encryption key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="md:IDPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in IDPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Use of SAML 2.0 bindings requires SAML 2.0 in protocolSupportEnumeration.
     -->
-	<xsl:template match="md:SPSSODescriptor
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
-		[md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>SAML 2.0 binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SPSSODescriptor
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+        [md:*/@Binding[starts-with(., 'urn:oasis:names:tc:SAML:2.0:bindings:')]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>SAML 2.0 binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2int.xsl b/mdx/_rules/check_saml2int.xsl
index f8c930e0..42f30770 100644
--- a/mdx/_rules/check_saml2int.xsl
+++ b/mdx/_rules/check_saml2int.xsl
@@ -1,67 +1,67 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2int.xsl
+    check_saml2int.xsl
 
-	Checking ruleset for the Interoperable SAML 2.0 Web Browser SSO Deployment Profile.
+    Checking ruleset for the Interoperable SAML 2.0 Web Browser SSO Deployment Profile.
 
-	See: http://saml2int.org/
+    See: http://saml2int.org/
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		Section 6.
-
-		Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 6.
-
-		Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IDPSSODescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthorityDescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        Section 6.
+
+        Check for SAML 2.0 SPs which exclude both transient and persistent SAML 2 name identifier formats.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SP excludes both SAML 2 name identifier formats</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 6.
+
+        Check for SAML 2.0 IdPs which exclude the transient SAML 2 name identifier format.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthorityDescriptor excludes SAML 2 transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Section 6.1.
 
         "The <saml2p:AuthnRequest> message issued by a Service Provider MUST be
@@ -70,73 +70,73 @@
 
         Therefore, metadata for this binding MUST be present.
     -->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 7.
-
-		Check for correct NameFormat on Attribute elements.
-	-->
-	<xsl:template match="saml:Attribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> lacks NameFormat attribute</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="saml:Attribute[@NameFormat][not(@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>Attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has incorrect NameFormat </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 9.1
-
-		Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Section 9.1
-
-		Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
-		suitable for signing those responses.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 7.
+
+        Check for correct NameFormat on Attribute elements.
+    -->
+    <xsl:template match="saml:Attribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> lacks NameFormat attribute</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="saml:Attribute[@NameFormat][not(@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>Attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has incorrect NameFormat </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 9.1
+
+        Responses MUST use the HTTP-POST binding, so metadata for that MUST be present.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">no HTTP-POST support on SAML 2.0 SP</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Section 9.1
+
+        Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
+        suitable for signing those responses.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+        [not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index 45cbcaa0..877d5306 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -1,34 +1,57 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_saml2meta.xsl
+    check_saml2meta.xsl
 
-	Checking ruleset encapsulating rules from the SAML 2.0 metadata specification that
-	are not completely encoded in the XML schema.
+    Checking ruleset encapsulating rules from the SAML 2.0 metadata specification that
+    are not completely encoded in the XML schema.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdxURL="xalan://uk.ac.sdss.xalan.md.URLchecker"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Check for distinct index attributes on appropriate elements.
+    -->
 
+    <xsl:template match="md:SPSSODescriptor">
+
+        <xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
+        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+        <xsl:if test="count($indices) != count($distinct.indices)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">ArtifactResolutionService index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
 
-	<!--
-		Check for distinct index attributes on appropriate elements.
-	-->
+        <xsl:variable name="indices" select="md:AssertionConsumerService/@index"/>
+        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
+        <xsl:if test="count($indices) != count($distinct.indices)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
 
-	<xsl:template match="md:SPSSODescriptor">
+        <!--
+            Perform checks on child elements.
+        -->
+        <xsl:apply-templates/>
+    </xsl:template>
 
+    <xsl:template match="md:IDPSSODescriptor">
         <xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
         <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
         <xsl:if test="count($indices) != count($distinct.indices)">
@@ -37,77 +60,54 @@
             </xsl:call-template>
         </xsl:if>
 
-		<xsl:variable name="indices" select="md:AssertionConsumerService/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<xsl:template match="md:IDPSSODescriptor">
-		<xsl:variable name="indices" select="md:ArtifactResolutionService/@index"/>
-		<xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-		<xsl:if test="count($indices) != count($distinct.indices)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">ArtifactResolutionService index values not all different</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-
-		<!--
-			Perform checks on child elements.
-		-->
-		<xsl:apply-templates/>
-	</xsl:template>
-
-
-	<!--
-		Check for Location attributes that aren't valid URLs.
-	-->
-	<xsl:template match="md:*[@Location and mdxURL:invalidURL(@Location)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> Location is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(@Location)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
+        <!--
+            Perform checks on child elements.
+        -->
+        <xsl:apply-templates/>
+    </xsl:template>
+
+
+    <!--
+        Check for Location attributes that aren't valid URLs.
+    -->
+    <xsl:template match="md:*[@Location and mdxURL:invalidURL(@Location)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> Location is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(@Location)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
         Check for ResponseLocation attributes that aren't valid URLs.
     -->
-	<xsl:template match="md:*[@ResponseLocation and mdxURL:invalidURL(@ResponseLocation)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> ResponseLocation is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(@ResponseLocation)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for OrganizationURLs that aren't valid URLs.
-	-->
-	<xsl:template match="md:OrganizationURL[mdxURL:invalidURL(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>OrganizationURL '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>' is not a valid URL: </xsl:text>
-				<xsl:value-of select="mdxURL:whyInvalid(.)"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:*[@ResponseLocation and mdxURL:invalidURL(@ResponseLocation)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> ResponseLocation is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(@ResponseLocation)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for OrganizationURLs that aren't valid URLs.
+    -->
+    <xsl:template match="md:OrganizationURL[mdxURL:invalidURL(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>OrganizationURL '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>' is not a valid URL: </xsl:text>
+                <xsl:value-of select="mdxURL:whyInvalid(.)"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_noregscope.xsl b/mdx/_rules/check_shib_noregscope.xsl
index 32470d4d..e516425f 100644
--- a/mdx/_rules/check_shib_noregscope.xsl
+++ b/mdx/_rules/check_shib_noregscope.xsl
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shib_noregscope.xsl
+    check_shib_noregscope.xsl
 
     Check for Shibboleth Scope elements lacking a regexp attribute, which can cause
     problems with signature generation and validation because the schema includes
@@ -9,21 +9,21 @@
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="shibmd:Scope[not(@regexp)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="shibmd:Scope[not(@regexp)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope <xsl:value-of select="."/> lacks @regexp</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shib_regscope.xsl b/mdx/_rules/check_shib_regscope.xsl
index bffd7332..7f522e92 100644
--- a/mdx/_rules/check_shib_regscope.xsl
+++ b/mdx/_rules/check_shib_regscope.xsl
@@ -1,31 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shib_regscope.xsl
+    check_shib_regscope.xsl
 
-	Check for the presence of Shibboleth Scope elements containing regular expressions.
+    Check for the presence of Shibboleth Scope elements containing regular expressions.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="shibmd:Scope[@regexp='true']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>regular expression in scope '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="shibmd:Scope[@regexp='true']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>regular expression in scope '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_shibboleth.xsl b/mdx/_rules/check_shibboleth.xsl
index 591e32b3..12e87c7a 100644
--- a/mdx/_rules/check_shibboleth.xsl
+++ b/mdx/_rules/check_shibboleth.xsl
@@ -1,188 +1,188 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_shibboleth.xsl
+    check_shibboleth.xsl
 
-	Checking ruleset containing rules associated with:
+    Checking ruleset containing rules associated with:
 
-	* the Shibboleth profile specifications
+    * the Shibboleth profile specifications
 
-	* known problems with Shibboleth implementations
+    * known problems with Shibboleth implementations
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-
-	<!--
-		OrganizationURL elements should contain actual URLs, or some software
-		will reject the metadata.  This is known to be true for at least the Shibboleth
-		1.3 IdP and the accompanying metadatatool application, because they pass the
-		string to the java.net.URL class.
-
-		We perform a very cursory test for this by insisting that they start with
-		either "http://" or "https://".
-	-->
-	<xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
-		[not(starts-with(., 'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
-		authentication request binding, the role descriptor's protocolSupportEnumeration
-		must include both of the following:
-
-			urn:oasis:names:tc:SAML:1.1:protocol
-			urn:mace:shibboleth:1.0
-
-		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
-		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		If an IDPSSODescriptor indicates support for Shibboleth by including
-		urn:mace:shibboleth:1.0 in its protocolSupportEnumeration, it must contain at
-		least one appropriate SingleSignOnService.
-
-		This is theoretically too severe, as in principle additional profiles could be invented
-		in the future which exist in the same protocolSupportEnumeration "family".  However,
-		at present there are no such uses of the value, so we can be more restrictive.
-	-->
-	<xsl:template match="md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0')]
-		[not(md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Shibboleth 1.x support claimed but no appropriate SSO service binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		It does not make sense for an IdP to have more than one SingleSignOnService
-		with the Shibboleth authentication request binding, because this is a
-		front-channel binding.
-	-->
-	<xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
-
-		An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
-		SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
-		there will be no name identifier sent to the SP and no attribute query can be
-		performed.
-	-->
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:NameIDFormat]
-		[not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 SP excludes Shibboleth transient name identifier format</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
-
-			<md:KeyDescriptor use="signing">
-				<ds:KeyInfo>
-					<KeyName>blabla<KeyName>
-				</ds:KeyInfo>
-			</md:KeyDescriptor>
-
-		The issue here is that the KeyName does not have the ds: namespace.
-	-->
-	<xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for IDP role descriptors containing (at any level of nesting)
-		SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
-
-		This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
-		to reject the metadata.
-
-		See https://bugs.internet2.edu/jira/browse/SIDPO-34
-	-->
-	<xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Scope elements should not contain space characters.
-
-		This isn't part of the specification, but is assumed by some software.
-	-->
-	<xsl:template match="shibmd:Scope[contains(., ' ')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope value contains space character</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Scope elements should not contain line breaks.
-
-		This isn't part of the specification, but is assumed by some software,
-		including the Shibboleth 2.4.3 SP.
-	-->
-	<xsl:template match="shibmd:Scope[contains(., '&#10;')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Scope value contains line break</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		The Shibboleth 1.3f SP, probably along with other software, has
-		problems with comments inside certificate representations.
-	-->
-	<xsl:template match="ds:X509Certificate[comment()]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">X509Certificate contains XML comment</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+
+    <!--
+        OrganizationURL elements should contain actual URLs, or some software
+        will reject the metadata.  This is known to be true for at least the Shibboleth
+        1.3 IdP and the accompanying metadatatool application, because they pass the
+        string to the java.net.URL class.
+
+        We perform a very cursory test for this by insisting that they start with
+        either "http://" or "https://".
+    -->
+    <xsl:template match="md:OrganizationURL[not(starts-with(., 'http://'))]
+        [not(starts-with(., 'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">OrganizationURL '<xsl:value-of select="."/>' does not start with acceptable prefix</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
+        authentication request binding, the role descriptor's protocolSupportEnumeration
+        must include both of the following:
+
+            urn:oasis:names:tc:SAML:1.1:protocol
+            urn:mace:shibboleth:1.0
+
+        See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
+    -->
+    <xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+        [not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+        [not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        If an IDPSSODescriptor indicates support for Shibboleth by including
+        urn:mace:shibboleth:1.0 in its protocolSupportEnumeration, it must contain at
+        least one appropriate SingleSignOnService.
+
+        This is theoretically too severe, as in principle additional profiles could be invented
+        in the future which exist in the same protocolSupportEnumeration "family".  However,
+        at present there are no such uses of the value, so we can be more restrictive.
+    -->
+    <xsl:template match="md:IDPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0')]
+        [not(md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Shibboleth 1.x support claimed but no appropriate SSO service binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        It does not make sense for an IdP to have more than one SingleSignOnService
+        with the Shibboleth authentication request binding, because this is a
+        front-channel binding.
+    -->
+    <xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
+
+        An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
+        SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
+        there will be no name identifier sent to the SP and no attribute query can be
+        performed.
+    -->
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:NameIDFormat]
+        [not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 SP excludes Shibboleth transient name identifier format</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.
+
+            <md:KeyDescriptor use="signing">
+                <ds:KeyInfo>
+                    <KeyName>blabla<KeyName>
+                </ds:KeyInfo>
+            </md:KeyDescriptor>
+
+        The issue here is that the KeyName does not have the ds: namespace.
+    -->
+    <xsl:template match="ds:KeyInfo/*[namespace-uri() != 'http://www.w3.org/2000/09/xmldsig#']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">ds:KeyInfo child element not in ds namespace</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for IDP role descriptors containing (at any level of nesting)
+        SAML 2.0 attribute elements that do not include a NameFormat XML attribute.
+
+        This combination causes the Shibboleth 1.3 and related code (such as metadatatool)
+        to reject the metadata.
+
+        See https://bugs.internet2.edu/jira/browse/SIDPO-34
+    -->
+    <xsl:template match="md:IDPSSODescriptor[descendant::saml:Attribute[not(@NameFormat)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Scope elements should not contain space characters.
+
+        This isn't part of the specification, but is assumed by some software.
+    -->
+    <xsl:template match="shibmd:Scope[contains(., ' ')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope value contains space character</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Scope elements should not contain line breaks.
+
+        This isn't part of the specification, but is assumed by some software,
+        including the Shibboleth 2.4.3 SP.
+    -->
+    <xsl:template match="shibmd:Scope[contains(., '&#10;')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Scope value contains line break</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        The Shibboleth 1.3f SP, probably along with other software, has
+        problems with comments inside certificate representations.
+    -->
+    <xsl:template match="ds:X509Certificate[comment()]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">X509Certificate contains XML comment</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_sirtfi.xsl b/mdx/_rules/check_sirtfi.xsl
index 0174c455..48f0e6af 100644
--- a/mdx/_rules/check_sirtfi.xsl
+++ b/mdx/_rules/check_sirtfi.xsl
@@ -1,73 +1,73 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_sirtfi.xsl
+    check_sirtfi.xsl
 
-	Checking ruleset containing rules associated with the SIRTFI specification,
-	as described here:
+    Checking ruleset containing rules associated with the SIRTFI specification,
+    as described here:
 
-		https://refeds.org/wp-content/uploads/2016/11/Sirtfi-certification-v1.0.pdf
+        https://refeds.org/wp-content/uploads/2016/11/Sirtfi-certification-v1.0.pdf
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<!--
-		Process only entities claiming SIRTFI compliance.
-	-->
-	<xsl:template match="md:EntityDescriptor[
-			md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
-				[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
-			/saml:AttributeValue[.='https://refeds.org/sirtfi']
-		]">
+    <!--
+        Process only entities claiming SIRTFI compliance.
+    -->
+    <xsl:template match="md:EntityDescriptor[
+            md:Extensions/mdattr:EntityAttributes/saml:Attribute[@NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri']
+                [@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+            /saml:AttributeValue[.='https://refeds.org/sirtfi']
+        ]">
 
-		<!--
-			Collect the REFEDS security contacts for this entity.
-		-->
-		<xsl:variable name="securityContacts"
-			select="md:ContactPerson
-			[@contactType='other']
-			[@remd:contactType='http://refeds.org/metadata/contactType/security']"/>
+        <!--
+            Collect the REFEDS security contacts for this entity.
+        -->
+        <xsl:variable name="securityContacts"
+            select="md:ContactPerson
+            [@contactType='other']
+            [@remd:contactType='http://refeds.org/metadata/contactType/security']"/>
 
-		<!--
-			There must be at least one REFEDS security contact.
-		-->
-		<xsl:if test="count($securityContacts) = 0">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">SIRTFI requires a REFEDS security contact</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
+        <!--
+            There must be at least one REFEDS security contact.
+        -->
+        <xsl:if test="count($securityContacts) = 0">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">SIRTFI requires a REFEDS security contact</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
 
-		<!--
-			REFEDS security contacts used in SIRTFI compliant entities need to have
-			GivenName and EmailAddress attributes.
-		-->
-		<xsl:for-each select="$securityContacts">
-			<xsl:if test="not(md:GivenName)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">SIRTFI requires a REFEDS security contact with a GivenName</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-			<xsl:if test="not(md:EmailAddress)">
-				<xsl:call-template name="error">
-					<xsl:with-param name="m">SIRTFI requires a REFEDS security contact with an EmailAddress</xsl:with-param>
-				</xsl:call-template>
-			</xsl:if>
-		</xsl:for-each>
-	</xsl:template>
+        <!--
+            REFEDS security contacts used in SIRTFI compliant entities need to have
+            GivenName and EmailAddress attributes.
+        -->
+        <xsl:for-each select="$securityContacts">
+            <xsl:if test="not(md:GivenName)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">SIRTFI requires a REFEDS security contact with a GivenName</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+            <xsl:if test="not(md:EmailAddress)">
+                <xsl:call-template name="error">
+                    <xsl:with-param name="m">SIRTFI requires a REFEDS security contact with an EmailAddress</xsl:with-param>
+                </xsl:call-template>
+            </xsl:if>
+        </xsl:for-each>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_sp_tls.xsl b/mdx/_rules/check_sp_tls.xsl
index fe78eccb..3432cd06 100644
--- a/mdx/_rules/check_sp_tls.xsl
+++ b/mdx/_rules/check_sp_tls.xsl
@@ -1,36 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_sp_tls.xsl
+    check_sp_tls.xsl
 
-	Checking that all SP endpoints are TLS-protected.
+    Checking that all SP endpoints are TLS-protected.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		Check for SP endpoints that don't start with https://
-	-->
+    <!--
+        Check for SP endpoints that don't start with https://
+    -->
     <xsl:template match="md:SPSSODescriptor//*[@Location and not(starts-with(@Location,'https://'))]">
         <xsl:call-template name="error">
             <xsl:with-param name="m"><xsl:value-of select='local-name()'/> Location does not start with https://</xsl:with-param>
         </xsl:call-template>
     </xsl:template>
-	<xsl:template match="md:SPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SPSSODescriptor//*[@ResponseLocation and not(starts-with(@ResponseLocation,'https://'))]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m"><xsl:value-of select='local-name()'/> ResponseLocation does not start with https://</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_algorithms.xsl b/mdx/_rules/check_uk_algorithms.xsl
index 197da8c8..0a4c024f 100644
--- a/mdx/_rules/check_uk_algorithms.xsl
+++ b/mdx/_rules/check_uk_algorithms.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_algorithms.xsl
+    check_uk_algorithms.xsl
 
-	Checking ruleset for cryptographic algorithms. This is named as a UK
-	ruleset because the division between acceptable and unacceptable algorithms
-	is sometimes a judgement call; however, it should be generally
-	applicable.
+    Checking ruleset for cryptographic algorithms. This is named as a UK
+    ruleset because the division between acceptable and unacceptable algorithms
+    is sometimes a judgement call; however, it should be generally
+    applicable.
 
-	The best reference for *all* URIs used as algorithm identifiers is the
-	XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
-	Algorithm lists here are in the same order as in that document.
+    The best reference for *all* URIs used as algorithm identifiers is the
+    XML Security Algorithm Cross-Reference at http://www.w3.org/TR/xmlsec-algorithms/
+    Algorithm lists here are in the same order as in that document.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
         *************************************
         ***                               ***
         ***   S I G N I N G M E T H O D   ***
@@ -34,56 +34,56 @@
         *************************************
     -->
 
-	<!--
+    <!--
         Check for known BAD SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:SigningMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in SigningMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Check for known GOOD SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod[
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:SigningMethod[
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2009/xmldsig11#dsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
         Misspelled or otherwise not known SigningMethod algorithms.
     -->
-	<xsl:template match="alg:SigningMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:SigningMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in SigningMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         ***********************************
         ***                             ***
         ***   D I G E S T M E T H O D   ***
@@ -91,105 +91,105 @@
         ***********************************
     -->
 
-	<!--
+    <!--
         Check for known BAD DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:DigestMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#md5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in DigestMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         Check for known GOOD DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod[
-		@Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:DigestMethod[
+        @Algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha224' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha256' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmldsig-more#sha384' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#sha512' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#ripemd160'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
         Misspelled or otherwise not known DigestMethod algorithms.
     -->
-	<xsl:template match="alg:DigestMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="alg:DigestMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in DigestMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
         *******************************************
         ***                                     ***
-		***   E N C R Y P T I O N M E T H O D   ***
+        ***   E N C R Y P T I O N M E T H O D   ***
         ***                                     ***
         *******************************************
-	-->
+    -->
 
-	<!--
+    <!--
         Check for known BAD EncryptionMethod algorithms.
 
-		This list is of symmetric key encryption algorithms *and*
-		key transport algorithms.
+        This list is of symmetric key encryption algorithms *and*
+        key transport algorithms.
+    -->
+    <xsl:template match="md:EncryptionMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+        ]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        Check for known GOOD EncryptionMethod algorithms.
+
+        This list is of symmetric key encryption algorithms *and*
+        key transport algorithms.
+    -->
+    <xsl:template match="md:EncryptionMethod[
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
+        @Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
+        @Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
+        ]">
+        <!-- do nothing -->
+    </xsl:template>
+
+    <!--
+        Misspelled or otherwise not known EncryptionMethod algorithms.
     -->
-	<xsl:template match="md:EncryptionMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
-		]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>insecure algorithm in EncryptionMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		Check for known GOOD EncryptionMethod algorithms.
-
-		This list is of symmetric key encryption algorithms *and*
-		key transport algorithms.
-	-->
-	<xsl:template match="md:EncryptionMethod[
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes128-gcm' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes192-gcm' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#aes256-gcm' or
-		@Algorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or
-		@Algorithm = 'http://www.w3.org/2009/xmlenc11#rsa-oaep'
-		]">
-		<!-- do nothing -->
-	</xsl:template>
-
-	<!--
-		Misspelled or otherwise not known EncryptionMethod algorithms.
-	-->
-	<xsl:template match="md:EncryptionMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
-				<xsl:value-of select="@Algorithm"/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:EncryptionMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown algorithm in EncryptionMethod: '</xsl:text>
+                <xsl:value-of select="@Algorithm"/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_uk_trust.xsl b/mdx/_rules/check_uk_trust.xsl
index 041da61b..00a1bee9 100644
--- a/mdx/_rules/check_uk_trust.xsl
+++ b/mdx/_rules/check_uk_trust.xsl
@@ -11,108 +11,108 @@
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
+    <!--
         Common support functions.
     -->
-	<xsl:import href="check_framework.xsl"/>
+    <xsl:import href="check_framework.xsl"/>
 
 
-	<!--
-		FTS 1.5, section 3.10, first paragraph.
+    <!--
+        FTS 1.5, section 3.10, first paragraph.
 
-		Each <IDPSSODescriptor>, <SPSSODescriptor> and <AttributeAuthorityDescriptor>
-		role descriptor appearing in metadata published by the UK federation SHALL
-		contain at least one <KeyDescriptor> element.
-	-->
+        Each <IDPSSODescriptor>, <SPSSODescriptor> and <AttributeAuthorityDescriptor>
+        role descriptor appearing in metadata published by the UK federation SHALL
+        contain at least one <KeyDescriptor> element.
+    -->
 
-	<xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:IDPSSODescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">IdP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:SPSSODescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SP SSO Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:AttributeAuthorityDescriptor[not(md:KeyDescriptor)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">IdP AA Descriptor lacking KeyDescriptor</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
-	<!--
+    <!--
         FTS 1.5 draft of 2014-01-02, section 3.10, second paragraph.
 
-		In roles which indicate support through their protocolSupportEnumeration values for
-		SAML 2.0 or SAML 1.1 profiles, each <KeyDescriptor> MUST support the direct key
-		verification scheme as described in section 2.1.1.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<xsl:template match="md:SPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 1.1 SP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-	<!--
-		FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
-
-		<ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
-	-->
-	<xsl:template match="ds:KeyName">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+        In roles which indicate support through their protocolSupportEnumeration values for
+        SAML 2.0 or SAML 1.1 profiles, each <KeyDescriptor> MUST support the direct key
+        verification scheme as described in section 2.1.1.
+    -->
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 2.0 SP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:IDPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 IdP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:AttributeAuthorityDescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <xsl:template match="md:SPSSODescriptor
+        [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+        [md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">SAML 1.1 SP has KeyDescriptor without embedded key</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+    <!--
+        FTS 1.5 draft of 2014-06-25, section 3.10, last paragraph.
+
+        <ds:KeyName> elements SHALL NOT be accepted in locally registered metadata
+    -->
+    <xsl:template match="ds:KeyName">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity has legacy KeyName element</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/check_vhosts.xsl b/mdx/_rules/check_vhosts.xsl
index a938a1dc..230f88c3 100644
--- a/mdx/_rules/check_vhosts.xsl
+++ b/mdx/_rules/check_vhosts.xsl
@@ -1,58 +1,58 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_vhosts.xsl
+    check_vhosts.xsl
 
-	Checking ruleset that makes sure that an IdP's SSO endpoints and SOAP
-	endpoints are on distinct virtual host.
+    Checking ruleset that makes sure that an IdP's SSO endpoints and SOAP
+    endpoints are on distinct virtual host.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:dyn="http://exslt.org/dynamic"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:set="http://exslt.org/sets"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<!--
-		Check IdPs only.
-	-->
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<!--
-			Look for IdPs which have either attribute authority or artifact resolution locations
-			on the same host:port combination as any of the SSO locations.
-		-->
-
-		<!-- XPath expression to evaluate to extract host:port strings from locations -->
-		<xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
-
-		<!-- Collect all of the SSO locations -->
-		<xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
-		<!-- convert to set of unique host:port strings -->
-		<xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
-
-		<!-- Collect all of the attribute authority and artifact resolution locations -->
-		<xsl:variable name="soapLocations"
-			select="descendant::md:AttributeService/@Location |
-			descendant::md:ArtifactResolutionService/@Location"/>
-		<!-- convert to set of unique host:port strings -->
-		<xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
-
-		<!-- we expect these two sets to be disjoint -->
-		<xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
-		<xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
+    xmlns:dyn="http://exslt.org/dynamic"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:set="http://exslt.org/sets"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <!--
+        Check IdPs only.
+    -->
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <!--
+            Look for IdPs which have either attribute authority or artifact resolution locations
+            on the same host:port combination as any of the SSO locations.
+        -->
+
+        <!-- XPath expression to evaluate to extract host:port strings from locations -->
+        <xsl:variable name="extract">substring-before(substring-after(concat(., '/'), 'https://'), '/')</xsl:variable>
+
+        <!-- Collect all of the SSO locations -->
+        <xsl:variable name="ssoLocations" select="descendant::md:SingleSignOnService/@Location"/>
+        <!-- convert to set of unique host:port strings -->
+        <xsl:variable name="ssoHosts" select="set:distinct(dyn:map($ssoLocations, $extract))"/>
+
+        <!-- Collect all of the attribute authority and artifact resolution locations -->
+        <xsl:variable name="soapLocations"
+            select="descendant::md:AttributeService/@Location |
+            descendant::md:ArtifactResolutionService/@Location"/>
+        <!-- convert to set of unique host:port strings -->
+        <xsl:variable name="soapHosts" select="set:distinct(dyn:map($soapLocations, $extract))"/>
+
+        <!-- we expect these two sets to be disjoint -->
+        <xsl:variable name="bothHosts" select="set:distinct($ssoHosts | $soapHosts)"/>
+        <xsl:if test="count($bothHosts) != count($ssoHosts) + count($soapHosts)">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">at least one SOAP location on same vhost as an SSO location</xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_match.xsl b/mdx/_rules/mdui_dn_en_match.xsl
index f4b993dc..7ecb8015 100644
--- a/mdx/_rules/mdui_dn_en_match.xsl
+++ b/mdx/_rules/mdui_dn_en_match.xsl
@@ -1,41 +1,41 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	mdui_dn_en_match.xsl
+    mdui_dn_en_match.xsl
 
     If an IdP has both an OrganizationDisplayName in English, and an
     mdui:DisplayName in English, they must be identical.
 
     UKFTS 1.4 section 3.3
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
-
-	<xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
-		<xsl:variable name="mdui" select="md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
-		<xsl:variable name="odn" select="md:Organization/md:OrganizationDisplayName[@xml:lang='en']"/>
-		<xsl:if test="$mdui and $odn and $mdui != $odn">
-			<xsl:call-template name="error">
-				<xsl:with-param name="m">
-					<xsl:text>mismatched xml:lang='en' DisplayNames: '</xsl:text>
-					<xsl:value-of select="$mdui"/>
-					<xsl:text>' in mdui vs. '</xsl:text>
-					<xsl:value-of select="$odn"/>
-					<xsl:text>' in ODN</xsl:text>
-				</xsl:with-param>
-			</xsl:call-template>
-		</xsl:if>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
+
+    <xsl:template match="md:EntityDescriptor[md:IDPSSODescriptor]">
+        <xsl:variable name="mdui" select="md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName[@xml:lang='en']"/>
+        <xsl:variable name="odn" select="md:Organization/md:OrganizationDisplayName[@xml:lang='en']"/>
+        <xsl:if test="$mdui and $odn and $mdui != $odn">
+            <xsl:call-template name="error">
+                <xsl:with-param name="m">
+                    <xsl:text>mismatched xml:lang='en' DisplayNames: '</xsl:text>
+                    <xsl:value-of select="$mdui"/>
+                    <xsl:text>' in mdui vs. '</xsl:text>
+                    <xsl:value-of select="$odn"/>
+                    <xsl:text>' in ODN</xsl:text>
+                </xsl:with-param>
+            </xsl:call-template>
+        </xsl:if>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/_rules/mdui_dn_en_present.xsl b/mdx/_rules/mdui_dn_en_present.xsl
index 42c32d2a..e5364e11 100644
--- a/mdx/_rules/mdui_dn_en_present.xsl
+++ b/mdx/_rules/mdui_dn_en_present.xsl
@@ -1,31 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	mdui_dn_en_present.xsl
+    mdui_dn_en_present.xsl
 
     If an entity has mdui:UIInfo, then that must include at least an
     mdui:DisplayName with an English name.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="check_framework.xsl"/>
 
-	<xsl:template match="mdui:UIInfo[not(mdui:DisplayName[@xml:lang='en'])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:UIInfo with no xml:lang='en' DisplayName</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="mdui:UIInfo[not(mdui:DisplayName[@xml:lang='en'])]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:UIInfo with no xml:lang='en' DisplayName</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/clean-import.xsl b/mdx/clean-import.xsl
index 20936824..e7c2211b 100644
--- a/mdx/clean-import.xsl
+++ b/mdx/clean-import.xsl
@@ -1,79 +1,79 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	clean-import.xsl
+    clean-import.xsl
 
-	Clean up imported metadata from a metadata exchange channel.
+    Clean up imported metadata from a metadata exchange channel.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	extension-element-prefixes="mdxTextUtils">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<!-- strip redundant attributes from EntityDescriptor elements -->
-	<xsl:template match="md:EntityDescriptor/@ID"/>
-	<xsl:template match="md:EntityDescriptor/@cacheDuration"/>
-	<xsl:template match="md:EntityDescriptor/@validUntil"/>
-
-	<!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
-	<xsl:template match="md:RoleDescriptor"/>
-
-	<!-- strip xml:base entirely -->
-	<xsl:template match="@xml:base"/>
-
-	<!-- remove KeyDescriptor elements which lack embedded key material -->
-	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Certificate)]"/>
-
-	<!-- Remove KeyName elements; they refer to an inaccessable trust fabric -->
-	<xsl:template match="ds:KeyName"/>
-
-	<!-- Remove <ds:X509SubjectName> elements; long ones cause problems. -->
-	<xsl:template match="ds:X509SubjectName"/>
-
-	<!-- Remove any embedded signatures -->
-	<xsl:template match="ds:Signature"/>
-
-	<!-- Remove xsi:type from any entity attribute values. -->
-	<xsl:template match="saml:AttributeValue/@xsi:type"/>
-
-	<!--
-		Normalise whitespace in X509Certificate elements.
-	-->
-	<xsl:template match="ds:X509Certificate">
-		<xsl:element name="ds:X509Certificate">
-			<xsl:text>&#10;</xsl:text>
-			<xsl:value-of select="mdxTextUtils:wrapBase64(.)"/>
-			<xsl:text>&#10;</xsl:text>
-		</xsl:element>
-	</xsl:template>
-
-	<!--
-		Discard various ds:X509 elements.  Several of these are known to
-		cause problems with software systems, and they don't affect trust
-		establishment so are safe to remove.
-	-->
-	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
-	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdxTextUtils="xalan://uk.ac.sdss.xalan.md.TextUtils"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    extension-element-prefixes="mdxTextUtils">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!-- strip redundant attributes from EntityDescriptor elements -->
+    <xsl:template match="md:EntityDescriptor/@ID"/>
+    <xsl:template match="md:EntityDescriptor/@cacheDuration"/>
+    <xsl:template match="md:EntityDescriptor/@validUntil"/>
+
+    <!-- Remove md:RoleDescriptor elements, which require additional schemas to be available. -->
+    <xsl:template match="md:RoleDescriptor"/>
+
+    <!-- strip xml:base entirely -->
+    <xsl:template match="@xml:base"/>
+
+    <!-- remove KeyDescriptor elements which lack embedded key material -->
+    <xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Certificate)]"/>
+
+    <!-- Remove KeyName elements; they refer to an inaccessable trust fabric -->
+    <xsl:template match="ds:KeyName"/>
+
+    <!-- Remove <ds:X509SubjectName> elements; long ones cause problems. -->
+    <xsl:template match="ds:X509SubjectName"/>
+
+    <!-- Remove any embedded signatures -->
+    <xsl:template match="ds:Signature"/>
+
+    <!-- Remove xsi:type from any entity attribute values. -->
+    <xsl:template match="saml:AttributeValue/@xsi:type"/>
+
+    <!--
+        Normalise whitespace in X509Certificate elements.
+    -->
+    <xsl:template match="ds:X509Certificate">
+        <xsl:element name="ds:X509Certificate">
+            <xsl:text>&#10;</xsl:text>
+            <xsl:value-of select="mdxTextUtils:wrapBase64(.)"/>
+            <xsl:text>&#10;</xsl:text>
+        </xsl:element>
+    </xsl:template>
+
+    <!--
+        Discard various ds:X509 elements.  Several of these are known to
+        cause problems with software systems, and they don't affect trust
+        establishment so are safe to remove.
+    -->
+    <xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+    <xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/default_regauth.xsl b/mdx/default_regauth.xsl
index bec46fc8..6263b601 100644
--- a/mdx/default_regauth.xsl
+++ b/mdx/default_regauth.xsl
@@ -1,77 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	default_regauth.xsl
+    default_regauth.xsl
 
-	Apply a default registrationAuthority to entities which don't have one already.
+    Apply a default registrationAuthority to entities which don't have one already.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
+    <!--
         defaultAuthority
 
         Set this parameter from the calling context.
     -->
-	<xsl:param name="defaultAuthority">(value not set)</xsl:param>
+    <xsl:param name="defaultAuthority">(value not set)</xsl:param>
 
-	<!--
-		EntityDescriptor with no Extensions doesn't have a RegistrationInfo,
-		by definition.
-	-->
-	<xsl:template match="md:EntityDescriptor[not(md:Extensions)]">
-		<xsl:copy>
-			<xsl:apply-templates select="@*"/>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>    </xsl:text>
-			<xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
-				<xsl:call-template name="default_regauth"/>
-				<xsl:text>&#10;</xsl:text>
-				<xsl:text>    </xsl:text>
-			</xsl:element>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        EntityDescriptor with no Extensions doesn't have a RegistrationInfo,
+        by definition.
+    -->
+    <xsl:template match="md:EntityDescriptor[not(md:Extensions)]">
+        <xsl:copy>
+            <xsl:apply-templates select="@*"/>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>    </xsl:text>
+            <xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
+                <xsl:call-template name="default_regauth"/>
+                <xsl:text>&#10;</xsl:text>
+                <xsl:text>    </xsl:text>
+            </xsl:element>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--
-		EntityDescriptor with Extensions but without RegistrationInfo needs to have one
-		injected into the existing Extensions.
-	-->
-	<xsl:template match="md:EntityDescriptor/md:Extensions[not(mdrpi:RegistrationInfo)]">
-		<xsl:copy>
-			<xsl:call-template name="default_regauth"/>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        EntityDescriptor with Extensions but without RegistrationInfo needs to have one
+        injected into the existing Extensions.
+    -->
+    <xsl:template match="md:EntityDescriptor/md:Extensions[not(mdrpi:RegistrationInfo)]">
+        <xsl:copy>
+            <xsl:call-template name="default_regauth"/>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--
-		Default RegistrationInfo element, with associated white space.
-	-->
-	<xsl:template name="default_regauth">
-		<xsl:text>&#10;</xsl:text>
-		<xsl:text>        </xsl:text>
-		<xsl:element name="mdrpi:RegistrationInfo">
-			<xsl:attribute name="registrationAuthority">
-				<xsl:value-of select="$defaultAuthority"/>
-			</xsl:attribute>
-		</xsl:element>
-	</xsl:template>
+    <!--
+        Default RegistrationInfo element, with associated white space.
+    -->
+    <xsl:template name="default_regauth">
+        <xsl:text>&#10;</xsl:text>
+        <xsl:text>        </xsl:text>
+        <xsl:element name="mdrpi:RegistrationInfo">
+            <xsl:attribute name="registrationAuthority">
+                <xsl:value-of select="$defaultAuthority"/>
+            </xsl:attribute>
+        </xsl:element>
+    </xsl:template>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/identity.xsl b/mdx/identity.xsl
index dc2ad8b1..23f2a177 100644
--- a/mdx/identity.xsl
+++ b/mdx/identity.xsl
@@ -1,30 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	identity.xsl
+    identity.xsl
 
-	Identity transform.
+    Identity transform.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/int_edugain/check_recovered.xsl b/mdx/int_edugain/check_recovered.xsl
index 4175fa21..2781d372 100644
--- a/mdx/int_edugain/check_recovered.xsl
+++ b/mdx/int_edugain/check_recovered.xsl
@@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_recovered.xsl
+    check_recovered.xsl
 
-	Checking ruleset which labels every entity as having recovered from a previous
-	error condition.
+    Checking ruleset which labels every entity as having recovered from a previous
+    error condition.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">entity has recovered from a previous error condition</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">entity has recovered from a previous error condition</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/ns_norm.xsl b/mdx/ns_norm.xsl
index bef1f20b..60b4c6ac 100644
--- a/mdx/ns_norm.xsl
+++ b/mdx/ns_norm.xsl
@@ -1,222 +1,222 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm.xsl
-
-	XSL stylesheet that takes a SAML 2 metadata file and normalises
-	the namespaces used.  In general, this means assigning a standard
-	prefix to each known namespace and ensuring that those namespaces
-	are declared on the document element.
-
-	The exception is the SAML 2.0 metadata namespace, which is established
-	as the default namespace for the document and therefore does not
-	require a prefix.
-
-	The stylesheet operates by matching every element node in the document
-	and rebuilding it from scratch.  This has the side-effect of discarding
-	any unwanted namespace definitions from intermediate nodes.
-
-	The result is a document with a large number of namespaces declared
-	with associated prefixes on the document element, and with few
-	(hopefully no) namespace prefix declarations elsewhere.  For any
-	particular document, this normalised form may define some namespaces
-	which are never used, and define some at the document level which
-	would be better defined on the elements on which they are actually
-	used (with or without prefixes).  For example, a bug in one of the
-	libraries underlying the xmlsectool application means that it cannot
-	verify the signature on a document where more than about ten prefixes
-	are in scope on any given element.  In practice this may mean that
-	after normalisation, some *de*normalisation will be required or at
-	least desirable prior to publication.  The responsibility for this
-	lies further down the processing pipeline.
-
-	Author: Ian A. Young <ian@iay.org.uk>
+    ns_norm.xsl
+
+    XSL stylesheet that takes a SAML 2 metadata file and normalises
+    the namespaces used.  In general, this means assigning a standard
+    prefix to each known namespace and ensuring that those namespaces
+    are declared on the document element.
+
+    The exception is the SAML 2.0 metadata namespace, which is established
+    as the default namespace for the document and therefore does not
+    require a prefix.
+
+    The stylesheet operates by matching every element node in the document
+    and rebuilding it from scratch.  This has the side-effect of discarding
+    any unwanted namespace definitions from intermediate nodes.
+
+    The result is a document with a large number of namespaces declared
+    with associated prefixes on the document element, and with few
+    (hopefully no) namespace prefix declarations elsewhere.  For any
+    particular document, this normalised form may define some namespaces
+    which are never used, and define some at the document level which
+    would be better defined on the elements on which they are actually
+    used (with or without prefixes).  For example, a bug in one of the
+    libraries underlying the xmlsectool application means that it cannot
+    verify the signature on a document where more than about ten prefixes
+    are in scope on any given element.  In practice this may mean that
+    after normalisation, some *de*normalisation will be required or at
+    least desirable prior to publication.  The responsibility for this
+    lies further down the processing pipeline.
+
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	exclude-result-prefixes="md"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
-		*********************************************
-		***                                       ***
-		***   D E F A U L T   N A M E S P A C E   ***
-		***                                       ***
-		*********************************************
-	-->
-
-
-	<xsl:template match="md:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-
-	<!--
-		*************************************************************
-		***                                                       ***
-		***   K N O W N   P R E F I X E D   N A M E S P A C E S   ***
-		***                                                       ***
-		*************************************************************
-	-->
-
-
-	<xsl:template match="alg:*">
-		<xsl:element name="alg:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="ds:*">
-		<xsl:element name="ds:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="idpdisc:*">
-		<xsl:element name="idpdisc:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="init:*">
-		<xsl:element name="init:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="mdattr:*">
-		<xsl:element name="mdattr:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="mdrpi:*">
-		<xsl:element name="mdrpi:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="mdui:*">
-		<xsl:element name="mdui:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="saml:*">
-		<xsl:element name="saml:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="shibmd:*">
-		<xsl:element name="shibmd:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="ukfedlabel:*">
-		<xsl:element name="ukfedlabel:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-	<xsl:template match="xenc:*">
-		<xsl:element name="xenc:{local-name()}">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-
-	<!--
-		*********************************************
-		***                                       ***
-		***   D E F A U L T   T E M P L A T E S   ***
-		***                                       ***
-		*********************************************
-	-->
-
-
-	<!--
-		Copy text blocks, comments and attributes unchanged.
-	-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-
-	<!--
-		Copy all other elements from the input to the output, along with their
-		attributes and contents.
-
-		Note that this will also copy across their namespaces and namespace prefix
-		declarations, which can result in denormalised output.  If that turns out
-		to be a problem in practice, this should be changed to reconstruct the
-		nodes in question using xsl:element with name="{local-name()}" along
-		with the original node's namespace but probably not prefix.
-	-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="md"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   N A M E S P A C E   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+
+    <xsl:template match="md:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        *************************************************************
+        ***                                                       ***
+        ***   K N O W N   P R E F I X E D   N A M E S P A C E S   ***
+        ***                                                       ***
+        *************************************************************
+    -->
+
+
+    <xsl:template match="alg:*">
+        <xsl:element name="alg:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="ds:*">
+        <xsl:element name="ds:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="idpdisc:*">
+        <xsl:element name="idpdisc:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="init:*">
+        <xsl:element name="init:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdattr:*">
+        <xsl:element name="mdattr:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdrpi:*">
+        <xsl:element name="mdrpi:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="mdui:*">
+        <xsl:element name="mdui:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="saml:*">
+        <xsl:element name="saml:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="shibmd:*">
+        <xsl:element name="shibmd:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="ukfedlabel:*">
+        <xsl:element name="ukfedlabel:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+    <xsl:template match="xenc:*">
+        <xsl:element name="xenc:{local-name()}">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
+        *********************************************
+        ***                                       ***
+        ***   D E F A U L T   T E M P L A T E S   ***
+        ***                                       ***
+        *********************************************
+    -->
+
+
+    <!--
+        Copy text blocks, comments and attributes unchanged.
+    -->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+
+    <!--
+        Copy all other elements from the input to the output, along with their
+        attributes and contents.
+
+        Note that this will also copy across their namespaces and namespace prefix
+        declarations, which can result in denormalised output.  If that turns out
+        to be a problem in practice, this should be changed to reconstruct the
+        nodes in question using xsl:element with name="{local-name()}" along
+        with the original node's namespace but probably not prefix.
+    -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/schema/MetadataExchange.xsd b/mdx/schema/MetadataExchange.xsd
index 6dec545c..06d2a6fd 100644
--- a/mdx/schema/MetadataExchange.xsd
+++ b/mdx/schema/MetadataExchange.xsd
@@ -9,8 +9,8 @@ Permission to copy and display the WS-MetadataExchange Specification
 granted, provided that you include the following on ALL copies of the
 Specification that you make:
 
-1.	A link or URL to the Specification at this location.
-2.	The copyright notice as shown in the Specification.
+1.  A link or URL to the Specification at this location.
+2.  The copyright notice as shown in the Specification.
 
 BEA Systems, Computer Associates, IBM, Microsoft, SAP, Sun, and
 webMethods (collectively, the "Authors") each agree to grant you a
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
index 536d869f..78a73ef8 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-secext-1.0.xsd
@@ -8,188 +8,188 @@ The limited permissions granted above are perpetual and will not be revoked by O
 This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
 <xsd:schema targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="qualified" attributeFormDefault="unqualified" blockDefault="#all" version="0.2">
-	<xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
-	<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-	<xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
-	<xsd:complexType name="AttributedString">
-		<xsd:annotation>
-			<xsd:documentation>This type represents an element with arbitrary attributes.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:string">
-				<xsd:attribute ref="wsu:Id"/>
-				<xsd:anyAttribute namespace="##other" processContents="lax"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="PasswordString">
-		<xsd:annotation>
-			<xsd:documentation>This type is used for password elements per Section 4.1.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:AttributedString">
-				<xsd:attribute name="Type" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="EncodedString">
-		<xsd:annotation>
-			<xsd:documentation>This type is used for elements containing stringified binary data.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:AttributedString">
-				<xsd:attribute name="EncodingType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="UsernameTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:element name="Username" type="wsse:AttributedString"/>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xsd:sequence>
-		<xsd:attribute ref="wsu:Id"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="BinarySecurityTokenType">
-		<xsd:annotation>
-			<xsd:documentation>A security token that is encoded in binary</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:EncodedString">
-				<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="KeyIdentifierType">
-		<xsd:annotation>
-			<xsd:documentation>A security token key identifier</xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="wsse:EncodedString">
-				<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:simpleType name="tUsage">
-		<xsd:annotation>
-			<xsd:documentation>Typedef to allow a list of usages (as URIs).</xsd:documentation>
-		</xsd:annotation>
-		<xsd:list itemType="xsd:anyURI"/>
-	</xsd:simpleType>
-	<xsd:attribute name="Usage" type="tUsage">
-		<xsd:annotation>
-			<xsd:documentation>This global attribute is used to indicate the usage of a referenced or indicated token within the containing context</xsd:documentation>
-		</xsd:annotation>
-	</xsd:attribute>
-	<xsd:complexType name="ReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a reference to an external security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:attribute name="URI" type="xsd:anyURI"/>
-		<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="EmbeddedType">
-		<xsd:annotation>
-			<xsd:documentation>This type represents a reference to an embedded security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:choice minOccurs="0" maxOccurs="unbounded">
-			<xsd:any processContents="lax"/>
-		</xsd:choice>
-		<xsd:attribute name="ValueType" type="xsd:anyURI"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="SecurityTokenReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This type is used reference a security token.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:choice minOccurs="0" maxOccurs="unbounded">
-			<xsd:any processContents="lax"/>
-		</xsd:choice>
-		<xsd:attribute ref="wsu:Id"/>
-		<xsd:attribute ref="wsse:Usage"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="SecurityHeaderType">
-		<xsd:annotation>
-			<xsd:documentation>This complexType defines header block to use for security-relevant data directed at a specific SOAP actor.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
-				<xsd:annotation>
-					<xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.</xsd:documentation>
-				</xsd:annotation>
-			</xsd:any>
-		</xsd:sequence>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:complexType name="TransformationParametersType">
-		<xsd:annotation>
-			<xsd:documentation>This complexType defines a container for elements to be specified from any namespace as properties/parameters of a DSIG transformation.</xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
-				<xsd:annotation>
-					<xsd:documentation>The use of "any" is to allow extensibility from any namespace.</xsd:documentation>
-				</xsd:annotation>
-			</xsd:any>
-		</xsd:sequence>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:complexType>
-	<xsd:element name="UsernameToken" type="wsse:UsernameTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:UsernameToken element per Section 4.1.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="BinarySecurityToken" type="wsse:BinarySecurityTokenType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:BinarySecurityToken element per Section 4.2.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Reference" type="wsse:ReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a security token reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Embedded" type="wsse:EmbeddedType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a security token embedded reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="KeyIdentifier" type="wsse:KeyIdentifierType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines a key identifier reference</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="SecurityTokenReference" type="wsse:SecurityTokenReferenceType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:SecurityTokenReference per Section 4.3.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Security" type="wsse:SecurityHeaderType">
-		<xsd:annotation>
-			<xsd:documentation>This element defines the wsse:Security SOAP header element per Section 4.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="TransformationParameters" type="wsse:TransformationParametersType">
-		<xsd:annotation>
-			<xsd:documentation>This element contains properties for transformations from any namespace, including DSIG.</xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Password" type="wsse:PasswordString"/>
-	<xsd:element name="Nonce" type="wsse:EncodedString"/>
-	<xsd:simpleType name="FaultcodeEnum">
-		<xsd:restriction base="xsd:QName">
-			<xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
-			<xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
-			<xsd:enumeration value="wsse:InvalidSecurity"/>
-			<xsd:enumeration value="wsse:InvalidSecurityToken"/>
-			<xsd:enumeration value="wsse:FailedAuthentication"/>
-			<xsd:enumeration value="wsse:FailedCheck"/>
-			<xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
-		</xsd:restriction>
-	</xsd:simpleType>
+    <xsd:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+    <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+    <xsd:complexType name="AttributedString">
+        <xsd:annotation>
+            <xsd:documentation>This type represents an element with arbitrary attributes.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:string">
+                <xsd:attribute ref="wsu:Id"/>
+                <xsd:anyAttribute namespace="##other" processContents="lax"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="PasswordString">
+        <xsd:annotation>
+            <xsd:documentation>This type is used for password elements per Section 4.1.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:AttributedString">
+                <xsd:attribute name="Type" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="EncodedString">
+        <xsd:annotation>
+            <xsd:documentation>This type is used for elements containing stringified binary data.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:AttributedString">
+                <xsd:attribute name="EncodingType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="UsernameTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="Username" type="wsse:AttributedString"/>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xsd:sequence>
+        <xsd:attribute ref="wsu:Id"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="BinarySecurityTokenType">
+        <xsd:annotation>
+            <xsd:documentation>A security token that is encoded in binary</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:EncodedString">
+                <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="KeyIdentifierType">
+        <xsd:annotation>
+            <xsd:documentation>A security token key identifier</xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="wsse:EncodedString">
+                <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:simpleType name="tUsage">
+        <xsd:annotation>
+            <xsd:documentation>Typedef to allow a list of usages (as URIs).</xsd:documentation>
+        </xsd:annotation>
+        <xsd:list itemType="xsd:anyURI"/>
+    </xsd:simpleType>
+    <xsd:attribute name="Usage" type="tUsage">
+        <xsd:annotation>
+            <xsd:documentation>This global attribute is used to indicate the usage of a referenced or indicated token within the containing context</xsd:documentation>
+        </xsd:annotation>
+    </xsd:attribute>
+    <xsd:complexType name="ReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a reference to an external security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:attribute name="URI" type="xsd:anyURI"/>
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="EmbeddedType">
+        <xsd:annotation>
+            <xsd:documentation>This type represents a reference to an embedded security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:choice minOccurs="0" maxOccurs="unbounded">
+            <xsd:any processContents="lax"/>
+        </xsd:choice>
+        <xsd:attribute name="ValueType" type="xsd:anyURI"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="SecurityTokenReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This type is used reference a security token.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:choice minOccurs="0" maxOccurs="unbounded">
+            <xsd:any processContents="lax"/>
+        </xsd:choice>
+        <xsd:attribute ref="wsu:Id"/>
+        <xsd:attribute ref="wsse:Usage"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="SecurityHeaderType">
+        <xsd:annotation>
+            <xsd:documentation>This complexType defines header block to use for security-relevant data directed at a specific SOAP actor.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.</xsd:documentation>
+                </xsd:annotation>
+            </xsd:any>
+        </xsd:sequence>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:complexType name="TransformationParametersType">
+        <xsd:annotation>
+            <xsd:documentation>This complexType defines a container for elements to be specified from any namespace as properties/parameters of a DSIG transformation.</xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>The use of "any" is to allow extensibility from any namespace.</xsd:documentation>
+                </xsd:annotation>
+            </xsd:any>
+        </xsd:sequence>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:complexType>
+    <xsd:element name="UsernameToken" type="wsse:UsernameTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:UsernameToken element per Section 4.1.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="BinarySecurityToken" type="wsse:BinarySecurityTokenType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:BinarySecurityToken element per Section 4.2.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Reference" type="wsse:ReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a security token reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Embedded" type="wsse:EmbeddedType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a security token embedded reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="KeyIdentifier" type="wsse:KeyIdentifierType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines a key identifier reference</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="SecurityTokenReference" type="wsse:SecurityTokenReferenceType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:SecurityTokenReference per Section 4.3.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Security" type="wsse:SecurityHeaderType">
+        <xsd:annotation>
+            <xsd:documentation>This element defines the wsse:Security SOAP header element per Section 4.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="TransformationParameters" type="wsse:TransformationParametersType">
+        <xsd:annotation>
+            <xsd:documentation>This element contains properties for transformations from any namespace, including DSIG.</xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Password" type="wsse:PasswordString"/>
+    <xsd:element name="Nonce" type="wsse:EncodedString"/>
+    <xsd:simpleType name="FaultcodeEnum">
+        <xsd:restriction base="xsd:QName">
+            <xsd:enumeration value="wsse:UnsupportedSecurityToken"/>
+            <xsd:enumeration value="wsse:UnsupportedAlgorithm"/>
+            <xsd:enumeration value="wsse:InvalidSecurity"/>
+            <xsd:enumeration value="wsse:InvalidSecurityToken"/>
+            <xsd:enumeration value="wsse:FailedAuthentication"/>
+            <xsd:enumeration value="wsse:FailedCheck"/>
+            <xsd:enumeration value="wsse:SecurityTokenUnavailable"/>
+        </xsd:restriction>
+    </xsd:simpleType>
 </xsd:schema>
diff --git a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
index 36c61862..f2ed72d8 100644
--- a/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
+++ b/mdx/schema/oasis-200401-wss-wssecurity-utility-1.0.xsd
@@ -13,96 +13,96 @@ This document and the information contained herein is provided on an “AS IS”
 
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 elementFormDefault="qualified" attributeFormDefault="unqualified" version="0.1">
-	<!-- // Fault Codes /////////////////////////////////////////// -->
-	<xsd:simpleType name="tTimestampFault">
-		<xsd:annotation>
-			<xsd:documentation>
+    <!-- // Fault Codes /////////////////////////////////////////// -->
+    <xsd:simpleType name="tTimestampFault">
+        <xsd:annotation>
+            <xsd:documentation>
 This type defines the fault code value for Timestamp message expiration.
           </xsd:documentation>
-		</xsd:annotation>
-		<xsd:restriction base="xsd:QName">
-			<xsd:enumeration value="wsu:MessageExpired"/>
-		</xsd:restriction>
-	</xsd:simpleType>
-	<!-- // Global attributes //////////////////////////////////// -->
-	<xsd:attribute name="Id" type="xsd:ID">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:QName">
+            <xsd:enumeration value="wsu:MessageExpired"/>
+        </xsd:restriction>
+    </xsd:simpleType>
+    <!-- // Global attributes //////////////////////////////////// -->
+    <xsd:attribute name="Id" type="xsd:ID">
+        <xsd:annotation>
+            <xsd:documentation>
 This global attribute supports annotating arbitrary elements with an ID.
           </xsd:documentation>
-		</xsd:annotation>
-	</xsd:attribute>
-	<xsd:attributeGroup name="commonAtts">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:attribute>
+    <xsd:attributeGroup name="commonAtts">
+        <xsd:annotation>
+            <xsd:documentation>
 Convenience attribute group used to simplify this schema.
           </xsd:documentation>
-		</xsd:annotation>
-		<xsd:attribute ref="wsu:Id" use="optional"/>
-		<xsd:anyAttribute namespace="##other" processContents="lax"/>
-	</xsd:attributeGroup>
-	<!-- // Utility types //////////////////////////////////////// -->
-	<xsd:complexType name="AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:attribute ref="wsu:Id" use="optional"/>
+        <xsd:anyAttribute namespace="##other" processContents="lax"/>
+    </xsd:attributeGroup>
+    <!-- // Utility types //////////////////////////////////////// -->
+    <xsd:complexType name="AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
 This type is for elements whose [children] is a psuedo-dateTime and can have arbitrary attributes.
       </xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:string">
-				<xsd:attributeGroup ref="wsu:commonAtts"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<xsd:complexType name="AttributedURI">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:string">
+                <xsd:attributeGroup ref="wsu:commonAtts"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <xsd:complexType name="AttributedURI">
+        <xsd:annotation>
+            <xsd:documentation>
 This type is for elements whose [children] is an anyURI and can have arbitrary attributes.
       </xsd:documentation>
-		</xsd:annotation>
-		<xsd:simpleContent>
-			<xsd:extension base="xsd:anyURI">
-				<xsd:attributeGroup ref="wsu:commonAtts"/>
-			</xsd:extension>
-		</xsd:simpleContent>
-	</xsd:complexType>
-	<!-- // Timestamp header components /////////////////////////// -->
-	<xsd:complexType name="TimestampType">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:simpleContent>
+            <xsd:extension base="xsd:anyURI">
+                <xsd:attributeGroup ref="wsu:commonAtts"/>
+            </xsd:extension>
+        </xsd:simpleContent>
+    </xsd:complexType>
+    <!-- // Timestamp header components /////////////////////////// -->
+    <xsd:complexType name="TimestampType">
+        <xsd:annotation>
+            <xsd:documentation>
 This complex type ties together the timestamp related elements into a composite type.
             </xsd:documentation>
-		</xsd:annotation>
-		<xsd:sequence>
-			<xsd:element ref="wsu:Created" minOccurs="0"/>
-			<xsd:element ref="wsu:Expires" minOccurs="0"/>
-			<xsd:choice minOccurs="0" maxOccurs="unbounded">
-				<xsd:any namespace="##other" processContents="lax"/>
-			</xsd:choice>
-		</xsd:sequence>
-		<xsd:attributeGroup ref="wsu:commonAtts"/>
-	</xsd:complexType>
-	<xsd:element name="Timestamp" type="wsu:TimestampType">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element ref="wsu:Created" minOccurs="0"/>
+            <xsd:element ref="wsu:Expires" minOccurs="0"/>
+            <xsd:choice minOccurs="0" maxOccurs="unbounded">
+                <xsd:any namespace="##other" processContents="lax"/>
+            </xsd:choice>
+        </xsd:sequence>
+        <xsd:attributeGroup ref="wsu:commonAtts"/>
+    </xsd:complexType>
+    <xsd:element name="Timestamp" type="wsu:TimestampType">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows Timestamps to be applied anywhere element wildcards are present,
 including as a SOAP header.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<!-- global element decls to allow individual elements to appear anywhere -->
-	<xsd:element name="Expires" type="wsu:AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <!-- global element decls to allow individual elements to appear anywhere -->
+    <xsd:element name="Expires" type="wsu:AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows an expiration time to be applied anywhere element wildcards are present.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
-	<xsd:element name="Created" type="wsu:AttributedDateTime">
-		<xsd:annotation>
-			<xsd:documentation>
+        </xsd:annotation>
+    </xsd:element>
+    <xsd:element name="Created" type="wsu:AttributedDateTime">
+        <xsd:annotation>
+            <xsd:documentation>
 This element allows a creation time to be applied anywhere element wildcards are present.
             </xsd:documentation>
-		</xsd:annotation>
-	</xsd:element>
+        </xsd:annotation>
+    </xsd:element>
 </xsd:schema>
diff --git a/mdx/schema/saml-schema-assertion-2.0.xsd b/mdx/schema/saml-schema-assertion-2.0.xsd
index 2b2f7b80..a1ef536c 100644
--- a/mdx/schema/saml-schema-assertion-2.0.xsd
+++ b/mdx/schema/saml-schema-assertion-2.0.xsd
@@ -163,7 +163,7 @@
             </sequence>
             <attribute name="Count" type="nonNegativeInteger" use="optional"/>
         </extension>
-	</complexContent>
+    </complexContent>
     </complexType>
     <element name="Advice" type="saml:AdviceType"/>
     <complexType name="AdviceType">
diff --git a/mdx/schema/shibboleth-metadata-1.0.xsd b/mdx/schema/shibboleth-metadata-1.0.xsd
index be1441dd..476ba7b8 100644
--- a/mdx/schema/shibboleth-metadata-1.0.xsd
+++ b/mdx/schema/shibboleth-metadata-1.0.xsd
@@ -1,42 +1,42 @@
 <?xml version="1.0" encoding="US-ASCII"?>
 <schema targetNamespace="urn:mace:shibboleth:metadata:1.0"
-	xmlns="http://www.w3.org/2001/XMLSchema"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	elementFormDefault="unqualified"
-	attributeFormDefault="unqualified"
-	version="1.0">
+    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    elementFormDefault="unqualified"
+    attributeFormDefault="unqualified"
+    version="1.0">
 
-	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
 
-	<element name="Scope">
-		<annotation>
-			<documentation>
-			SAML metadata extension used to regulate allowable attribute scopes.
-			</documentation>
-		</annotation>
-		<complexType>
-			<simpleContent>
-				<extension base="string">
-					<attribute name="regexp" type="boolean" use="optional" default="false"/>
-				</extension>
-			</simpleContent>
-		</complexType>
-	</element>
+    <element name="Scope">
+        <annotation>
+            <documentation>
+            SAML metadata extension used to regulate allowable attribute scopes.
+            </documentation>
+        </annotation>
+        <complexType>
+            <simpleContent>
+                <extension base="string">
+                    <attribute name="regexp" type="boolean" use="optional" default="false"/>
+                </extension>
+            </simpleContent>
+        </complexType>
+    </element>
 
-	<element name="KeyAuthority">
-		<annotation>
-			<documentation>
-			Binds keying authorities to the system entity/entities to which the enclosing
-			metadata element applies.
-			</documentation>
-		</annotation>
-		<complexType>
-			<sequence>
-				<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
-			</sequence>
-			<attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
-			<anyAttribute namespace="##other" processContents="lax"/>
-		</complexType>
-	</element>
+    <element name="KeyAuthority">
+        <annotation>
+            <documentation>
+            Binds keying authorities to the system entity/entities to which the enclosing
+            metadata element applies.
+            </documentation>
+        </annotation>
+        <complexType>
+            <sequence>
+                <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+            </sequence>
+            <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
+            <anyAttribute namespace="##other" processContents="lax"/>
+        </complexType>
+    </element>
 
 </schema>
diff --git a/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd b/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
index 7860d029..11f34de3 100644
--- a/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
+++ b/mdx/schema/sstc-saml-holder-of-key-browser-sso.xsd
@@ -14,10 +14,10 @@
       Document identifier: sstc-saml-holder-of-key-browser-sso.xsd
       Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
       Revision history:
-	V1.2 (2 November 2008):
-	  Renamed attribute from protocol to ProtocolBinding; targetNamespace changed in accordance with new conventions
-	V1.1 (6 August 2008):
-	  string type changed to anyURI to match original SAML2Meta schema
+    V1.2 (2 November 2008):
+      Renamed attribute from protocol to ProtocolBinding; targetNamespace changed in accordance with new conventions
+    V1.1 (6 August 2008):
+      string type changed to anyURI to match original SAML2Meta schema
         V1.0 (4 August 2008):
           Initial version.
     </xs:documentation>
diff --git a/mdx/schema/ws-addr.xsd b/mdx/schema/ws-addr.xsd
index 2926d27d..f6fc9c53 100644
--- a/mdx/schema/ws-addr.xsd
+++ b/mdx/schema/ws-addr.xsd
@@ -17,121 +17,121 @@
 -->
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.w3.org/2005/08/addressing" targetNamespace="http://www.w3.org/2005/08/addressing" blockDefault="#all" elementFormDefault="qualified" finalDefault="" attributeFormDefault="unqualified">
 
-	<!-- Constructs from the WS-Addressing Core -->
-
-	<xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
-	<xs:complexType name="EndpointReferenceType" mixed="false">
-		<xs:sequence>
-			<xs:element name="Address" type="tns:AttributedURIType"/>
-			<xs:element ref="tns:ReferenceParameters" minOccurs="0"/>
-			<xs:element ref="tns:Metadata" minOccurs="0"/>
-			<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-
-	<xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
-	<xs:complexType name="ReferenceParametersType" mixed="false">
-		<xs:sequence>
-			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-
-	<xs:element name="Metadata" type="tns:MetadataType"/>
-	<xs:complexType name="MetadataType" mixed="false">
-		<xs:sequence>
-			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
-
-	<xs:element name="MessageID" type="tns:AttributedURIType"/>
-	<xs:element name="RelatesTo" type="tns:RelatesToType"/>
-	<xs:complexType name="RelatesToType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:anyURI">
-				<xs:attribute name="RelationshipType" type="tns:RelationshipTypeOpenEnum" use="optional" default="http://www.w3.org/2005/08/addressing/reply"/>
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-
-	<xs:simpleType name="RelationshipTypeOpenEnum">
-		<xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
-	</xs:simpleType>
-
-	<xs:simpleType name="RelationshipType">
-		<xs:restriction base="xs:anyURI">
-			<xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
-	<xs:element name="From" type="tns:EndpointReferenceType"/>
-	<xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
-	<xs:element name="To" type="tns:AttributedURIType"/>
-	<xs:element name="Action" type="tns:AttributedURIType"/>
-
-	<xs:complexType name="AttributedURIType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:anyURI">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-
-	<!-- Constructs from the WS-Addressing SOAP binding -->
-
-	<xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
-
-	<xs:simpleType name="FaultCodesOpenEnumType">
-		<xs:union memberTypes="tns:FaultCodesType xs:QName"/>
-	</xs:simpleType>
-
-	<xs:simpleType name="FaultCodesType">
-		<xs:restriction base="xs:QName">
-			<xs:enumeration value="tns:InvalidAddressingHeader"/>
-			<xs:enumeration value="tns:InvalidAddress"/>
-			<xs:enumeration value="tns:InvalidEPR"/>
-			<xs:enumeration value="tns:InvalidCardinality"/>
-			<xs:enumeration value="tns:MissingAddressInEPR"/>
-			<xs:enumeration value="tns:DuplicateMessageID"/>
-			<xs:enumeration value="tns:ActionMismatch"/>
-			<xs:enumeration value="tns:MessageAddressingHeaderRequired"/>
-			<xs:enumeration value="tns:DestinationUnreachable"/>
-			<xs:enumeration value="tns:ActionNotSupported"/>
-			<xs:enumeration value="tns:EndpointUnavailable"/>
-		</xs:restriction>
-	</xs:simpleType>
-
-	<xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
-	<xs:complexType name="AttributedUnsignedLongType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:unsignedLong">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-
-	<xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
-	<xs:complexType name="AttributedQNameType" mixed="false">
-		<xs:simpleContent>
-			<xs:extension base="xs:QName">
-				<xs:anyAttribute namespace="##other" processContents="lax"/>
-			</xs:extension>
-		</xs:simpleContent>
-	</xs:complexType>
-
-	<xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
-
-	<xs:element name="ProblemAction" type="tns:ProblemActionType"/>
-	<xs:complexType name="ProblemActionType" mixed="false">
-		<xs:sequence>
-			<xs:element ref="tns:Action" minOccurs="0"/>
-			<xs:element name="SoapAction" minOccurs="0" type="xs:anyURI"/>
-		</xs:sequence>
-		<xs:anyAttribute namespace="##other" processContents="lax"/>
-	</xs:complexType>
+    <!-- Constructs from the WS-Addressing Core -->
+
+    <xs:element name="EndpointReference" type="tns:EndpointReferenceType"/>
+    <xs:complexType name="EndpointReferenceType" mixed="false">
+        <xs:sequence>
+            <xs:element name="Address" type="tns:AttributedURIType"/>
+            <xs:element ref="tns:ReferenceParameters" minOccurs="0"/>
+            <xs:element ref="tns:Metadata" minOccurs="0"/>
+            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="ReferenceParameters" type="tns:ReferenceParametersType"/>
+    <xs:complexType name="ReferenceParametersType" mixed="false">
+        <xs:sequence>
+            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="Metadata" type="tns:MetadataType"/>
+    <xs:complexType name="MetadataType" mixed="false">
+        <xs:sequence>
+            <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+
+    <xs:element name="MessageID" type="tns:AttributedURIType"/>
+    <xs:element name="RelatesTo" type="tns:RelatesToType"/>
+    <xs:complexType name="RelatesToType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:anyURI">
+                <xs:attribute name="RelationshipType" type="tns:RelationshipTypeOpenEnum" use="optional" default="http://www.w3.org/2005/08/addressing/reply"/>
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:simpleType name="RelationshipTypeOpenEnum">
+        <xs:union memberTypes="tns:RelationshipType xs:anyURI"/>
+    </xs:simpleType>
+
+    <xs:simpleType name="RelationshipType">
+        <xs:restriction base="xs:anyURI">
+            <xs:enumeration value="http://www.w3.org/2005/08/addressing/reply"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+    <xs:element name="ReplyTo" type="tns:EndpointReferenceType"/>
+    <xs:element name="From" type="tns:EndpointReferenceType"/>
+    <xs:element name="FaultTo" type="tns:EndpointReferenceType"/>
+    <xs:element name="To" type="tns:AttributedURIType"/>
+    <xs:element name="Action" type="tns:AttributedURIType"/>
+
+    <xs:complexType name="AttributedURIType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:anyURI">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <!-- Constructs from the WS-Addressing SOAP binding -->
+
+    <xs:attribute name="IsReferenceParameter" type="xs:boolean"/>
+
+    <xs:simpleType name="FaultCodesOpenEnumType">
+        <xs:union memberTypes="tns:FaultCodesType xs:QName"/>
+    </xs:simpleType>
+
+    <xs:simpleType name="FaultCodesType">
+        <xs:restriction base="xs:QName">
+            <xs:enumeration value="tns:InvalidAddressingHeader"/>
+            <xs:enumeration value="tns:InvalidAddress"/>
+            <xs:enumeration value="tns:InvalidEPR"/>
+            <xs:enumeration value="tns:InvalidCardinality"/>
+            <xs:enumeration value="tns:MissingAddressInEPR"/>
+            <xs:enumeration value="tns:DuplicateMessageID"/>
+            <xs:enumeration value="tns:ActionMismatch"/>
+            <xs:enumeration value="tns:MessageAddressingHeaderRequired"/>
+            <xs:enumeration value="tns:DestinationUnreachable"/>
+            <xs:enumeration value="tns:ActionNotSupported"/>
+            <xs:enumeration value="tns:EndpointUnavailable"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+    <xs:element name="RetryAfter" type="tns:AttributedUnsignedLongType"/>
+    <xs:complexType name="AttributedUnsignedLongType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:unsignedLong">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:element name="ProblemHeaderQName" type="tns:AttributedQNameType"/>
+    <xs:complexType name="AttributedQNameType" mixed="false">
+        <xs:simpleContent>
+            <xs:extension base="xs:QName">
+                <xs:anyAttribute namespace="##other" processContents="lax"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
+
+    <xs:element name="ProblemIRI" type="tns:AttributedURIType"/>
+
+    <xs:element name="ProblemAction" type="tns:ProblemActionType"/>
+    <xs:complexType name="ProblemActionType" mixed="false">
+        <xs:sequence>
+            <xs:element ref="tns:Action" minOccurs="0"/>
+            <xs:element name="SoapAction" minOccurs="0" type="xs:anyURI"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
 
 </xs:schema>
diff --git a/mdx/schema/ws-authorization.xsd b/mdx/schema/ws-authorization.xsd
index f9648dd9..51dc059e 100644
--- a/mdx/schema/ws-authorization.xsd
+++ b/mdx/schema/ws-authorization.xsd
@@ -23,9 +23,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
        xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
-		   xmlns:tns='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   targetNamespace='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   elementFormDefault='qualified' >
+           xmlns:tns='http://docs.oasis-open.org/wsfed/authorization/200706'
+           targetNamespace='http://docs.oasis-open.org/wsfed/authorization/200706'
+           elementFormDefault='qualified' >
   <xs:import namespace='http://www.w3.org/2001/04/xmlenc#'
              schemaLocation='xenc-schema.xsd'/>
 
@@ -45,8 +45,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
     </xs:choice>
     <xs:attribute name='Name' type='xs:anyURI' use='required' />
-	<xs:attribute name='Scope' type='xs:anyURI' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:attribute name='Scope' type='xs:anyURI' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 9.3 -->
@@ -57,16 +57,16 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       <xs:element name="Description" type="tns:DescriptionType" minOccurs="0" maxOccurs="1" />
       <xs:element name="DisplayValue" type="tns:DisplayValueType" minOccurs="0" maxOccurs="1" />
       <xs:choice minOccurs='0'>
-	      <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
+          <xs:element name='Value' type='xs:string' minOccurs='1' maxOccurs='1' />
         <xs:element name='EncryptedValue' type='tns:EncryptedValueType' minOccurs='1' maxOccurs='1' />
         <xs:element name='StructuredValue' type='tns:StructuredValueType' minOccurs='1' maxOccurs='1' />
         <xs:element name='ConstrainedValue' type='tns:ConstrainedValueType' minOccurs='1' maxOccurs='1' />
- 	      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	    </xs:choice>
+          <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+        </xs:choice>
     </xs:sequence>
-	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
-	<xs:attribute name='Optional' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:attribute name='Uri' type='xs:anyURI' use='required' />
+    <xs:attribute name='Optional' type='xs:boolean' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name="DisplayNameType">
diff --git a/mdx/schema/ws-federation.xsd b/mdx/schema/ws-federation.xsd
index e6a2a322..d7b3dcf5 100644
--- a/mdx/schema/ws-federation.xsd
+++ b/mdx/schema/ws-federation.xsd
@@ -21,29 +21,29 @@ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   -->
 <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'
-		   xmlns:sp='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-		   xmlns:tns='http://docs.oasis-open.org/wsfed/federation/200706'
-		   xmlns:wsa='http://www.w3.org/2005/08/addressing'
+           xmlns:sp='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
+           xmlns:tns='http://docs.oasis-open.org/wsfed/federation/200706'
+           xmlns:wsa='http://www.w3.org/2005/08/addressing'
        xmlns:mex='http://schemas.xmlsoap.org/ws/2004/09/mex'
        xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
-		   xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+           xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
        xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'
        xmlns:auth='http://docs.oasis-open.org/wsfed/authorization/200706'
-		   targetNamespace='http://docs.oasis-open.org/wsfed/federation/200706'
-		   elementFormDefault='qualified' >
+           targetNamespace='http://docs.oasis-open.org/wsfed/federation/200706'
+           elementFormDefault='qualified' >
 
   <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
-			 schemaLocation='oasis-200401-wss-wssecurity-secext-1.0.xsd' />
+             schemaLocation='oasis-200401-wss-wssecurity-secext-1.0.xsd' />
   <xs:import namespace='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
-			 schemaLocation='oasis-200401-wss-wssecurity-utility-1.0.xsd' />
+             schemaLocation='oasis-200401-wss-wssecurity-utility-1.0.xsd' />
   <xs:import namespace='http://www.w3.org/2005/08/addressing'
-			 schemaLocation='ws-addr.xsd' />
+             schemaLocation='ws-addr.xsd' />
   <xs:import namespace='http://schemas.xmlsoap.org/ws/2004/09/mex'
-			 schemaLocation='MetadataExchange.xsd' />
+             schemaLocation='MetadataExchange.xsd' />
   <xs:import namespace='urn:oasis:names:tc:SAML:2.0:metadata'
-			 schemaLocation='saml-schema-metadata-2.0.xsd' />
+             schemaLocation='saml-schema-metadata-2.0.xsd' />
   <xs:import namespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-			 schemaLocation='ws-securitypolicy-1.2.xsd'/>
+             schemaLocation='ws-securitypolicy-1.2.xsd'/>
   <xs:import namespace='http://docs.oasis-open.org/wsfed/authorization/200706'
              schemaLocation='ws-authorization.xsd'/>
 
@@ -53,22 +53,22 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
   <xs:complexType name='FederationMetadataType' >
     <xs:sequence>
-	  <!--
-		  *** Accurate content model is nondeterministic ***
-		  <xs:element name='Federation' type='tns:FederationType' minOccurs='1' maxOccurs='unbounded' />
-		  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	  -->
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+      <!--
+          *** Accurate content model is nondeterministic ***
+          <xs:element name='Federation' type='tns:FederationType' minOccurs='1' maxOccurs='unbounded' />
+          <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+      -->
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='FederationType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute name='FederationID' type='xs:anyURI' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='FederationID' type='xs:anyURI' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.2.1 -->
@@ -170,15 +170,15 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!--<xs:element name='LogicalServiceNamesOffered' type='tns:LogicalServiceNamesOfferedType' />-->
 
   <xs:complexType name='LogicalServiceNamesOfferedType' >
-	<xs:sequence>
-	  <xs:element name='IssuerName' type='tns:IssuerNameType' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='IssuerName' type='tns:IssuerNameType' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='IssuerNameType' >
-	<xs:attribute name='Uri' type='xs:anyURI' use='required' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:attribute name='Uri' type='xs:anyURI' use='required' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.4 -->
@@ -202,29 +202,29 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Defined above -->
   <!--<xs:element name='TokenTypesOffered' type='tns:TokenTypesOfferedType' />-->
   <xs:complexType name='TokenTypesOfferedType' >
-	<xs:sequence>
-	  <xs:element name='TokenType' type='tns:TokenType' minOccurs='1' maxOccurs='unbounded' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='TokenType' type='tns:TokenType' minOccurs='1' maxOccurs='unbounded' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='TokenType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute name='Uri' type='xs:anyURI' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='Uri' type='xs:anyURI' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.9 -->
   <!-- Defined above -->
   <!-- <xs:element name='ClaimTypesOffered' type='tns:ClaimTypesOfferedType' /> -->
   <xs:complexType name='ClaimTypesOfferedType'>
-	<xs:sequence>
-	  <xs:element ref='auth:ClaimType' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element ref='auth:ClaimType' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 3.1.10 -->
@@ -269,26 +269,26 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Section 3.2.4 -->
   <xs:element name='FederationMetadataHandler' type='tns:FederationMetadataHandlerType' />
   <xs:complexType name='FederationMetadataHandlerType' >
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 4.1 -->
   <xs:element name='SignOut' type='tns:SignOutType' />
   <xs:complexType name='SignOutType' >
-	<xs:sequence>
-	  <xs:element ref='tns:Realm' minOccurs='0' />
-	  <xs:element name='SignOutBasis' type='tns:SignOutBasisType' minOccurs='1' maxOccurs='1' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute ref='wsu:Id' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element ref='tns:Realm' minOccurs='0' />
+      <xs:element name='SignOutBasis' type='tns:SignOutBasisType' minOccurs='1' maxOccurs='1' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute ref='wsu:Id' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='SignOutBasisType' >
-	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 4.2 -->
@@ -297,98 +297,98 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Section 6.1 -->
   <xs:element name='FilterPseudonyms' type='tns:FilterPseudonymsType' />
   <xs:complexType name='FilterPseudonymsType' >
-	<xs:sequence>
-	  <xs:element ref='tns:PseudonymBasis' minOccurs='0' maxOccurs='1' />
-	  <xs:element ref='tns:RelativeTo' minOccurs='0' maxOccurs='1' />
-	  <xs:any namespace='##other' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element ref='tns:PseudonymBasis' minOccurs='0' maxOccurs='1' />
+      <xs:element ref='tns:RelativeTo' minOccurs='0' maxOccurs='1' />
+      <xs:any namespace='##other' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='PseudonymBasis' type='tns:PseudonymBasisType' />
   <xs:complexType name='PseudonymBasisType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='RelativeTo' type='tns:RelativeToType' />
   <xs:complexType name='RelativeToType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 6.2  -->
   <xs:element name='Pseudonym' type='tns:PseudonymType' />
 
   <xs:complexType name='PseudonymType' >
-	<xs:sequence>
-	  <!--
-		  *** Accurate content model is nondeterministic ***
-		  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
-		  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
-		  <xs:element ref='wsu:Expires' minOccurs='0' maxOccurs='1' />
-		  <xs:element ref='tns:SecurityToken' minOccurs='0' maxOccurs='unbounded' />
-		  <xs:element ref='tns:ProofToken' minOccurs='0' maxOccurs='unbounded' />
-		  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	  -->
-
-	  <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
-	  <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <!--
+          *** Accurate content model is nondeterministic ***
+          <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
+          <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
+          <xs:element ref='wsu:Expires' minOccurs='0' maxOccurs='1' />
+          <xs:element ref='tns:SecurityToken' minOccurs='0' maxOccurs='unbounded' />
+          <xs:element ref='tns:ProofToken' minOccurs='0' maxOccurs='unbounded' />
+          <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+      -->
+
+      <xs:element ref='tns:PseudonymBasis' minOccurs='1' maxOccurs='1' />
+      <xs:element ref='tns:RelativeTo' minOccurs='1' maxOccurs='1' />
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='SecurityToken' type='tns:SecurityTokenType' />
   <xs:complexType name='SecurityTokenType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:element name='ProofToken' type='tns:ProofTokenType' />
   <xs:complexType name='ProofTokenType' >
- 	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='1' maxOccurs='1' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 7.1 -->
   <xs:element name='RequestPseudonym' type='tns:RequestPseudonymType' />
   <xs:complexType name='RequestPseudonymType' >
-	<xs:sequence>
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:attribute name='SingleUse' type='xs:boolean' use='optional' />
-	<xs:attribute name='Lookup' type='xs:boolean' use='optional' />
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:attribute name='SingleUse' type='xs:boolean' use='optional' />
+    <xs:attribute name='Lookup' type='xs:boolean' use='optional' />
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 8.1 -->
   <xs:element name='ReferenceToken' type='tns:ReferenceTokenType' />
   <xs:complexType name='ReferenceTokenType'>
-	<xs:sequence>
-	  <xs:element name='ReferenceEPR' type='wsa:EndpointReferenceType' minOccurs='1' maxOccurs='unbounded' />
-	  <xs:element name='ReferenceDigest' type='tns:ReferenceDigestType' minOccurs='0' maxOccurs='1' />
-	  <xs:element name='ReferenceType' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
-	  <xs:element name='SerialNo' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='ReferenceEPR' type='wsa:EndpointReferenceType' minOccurs='1' maxOccurs='unbounded' />
+      <xs:element name='ReferenceDigest' type='tns:ReferenceDigestType' minOccurs='0' maxOccurs='1' />
+      <xs:element name='ReferenceType' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
+      <xs:element name='SerialNo' type='tns:AttributeExtensibleURI' minOccurs='0' maxOccurs='1' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='ReferenceDigestType' >
-	<xs:simpleContent>
-	  <xs:extension base='xs:base64Binary' >
-		<xs:anyAttribute namespace='##other' processContents='lax' />
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:base64Binary' >
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
   <xs:complexType name='AttributeExtensibleURI' >
     <xs:simpleContent>
@@ -404,41 +404,41 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- Section 8.3 -->
   <xs:element name='RequestProofToken' type='tns:RequestProofTokenType' />
   <xs:complexType name='RequestProofTokenType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 8.4 -->
   <xs:element name='ClientPseudonym' type='tns:ClientPseudonymType' />
   <xs:complexType name='ClientPseudonymType' >
-	<xs:sequence>
-	  <xs:element name='PPID' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:element name='DisplayName' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:element name='EMail' type='tns:AttributeExtensibleString' minOccurs='0' />
-	  <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:element name='PPID' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:element name='DisplayName' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:element name='EMail' type='tns:AttributeExtensibleString' minOccurs='0' />
+      <xs:any namespace='##other' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <xs:complexType name='AttributeExtensibleString' >
-	<xs:simpleContent>
-	  <xs:extension base='xs:string' >
-		<xs:anyAttribute namespace='##other' processContents='lax' />
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:string' >
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
 
   <!-- Section 8.5 -->
   <xs:element name='Freshness' type='tns:Freshness' />
   <xs:complexType name='Freshness'>
-	<xs:simpleContent>
-	  <xs:extension base='xs:unsignedInt' >
-		<xs:attribute name='AllowCache' type='xs:boolean' use='optional' />
-		<xs:anyAttribute namespace='##other' processContents='lax' />
-	  </xs:extension>
-	</xs:simpleContent>
+    <xs:simpleContent>
+      <xs:extension base='xs:unsignedInt' >
+        <xs:attribute name='AllowCache' type='xs:boolean' use='optional' />
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:extension>
+    </xs:simpleContent>
   </xs:complexType>
 
   <!-- Section 14.1 -->
@@ -446,10 +446,10 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:element name='ReferenceToken11' type='tns:AssertionType' />
 
   <xs:complexType name='AssertionType' >
-	<xs:sequence>
-	  <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
-	</xs:sequence>
-	<xs:anyAttribute namespace='##other' processContents='lax' />
+    <xs:sequence>
+      <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+    </xs:sequence>
+    <xs:anyAttribute namespace='##other' processContents='lax' />
   </xs:complexType>
 
   <!-- Section 14.2 -->
diff --git a/mdx/schema/ws-securitypolicy-1.2.xsd b/mdx/schema/ws-securitypolicy-1.2.xsd
index 9346a4b3..bda124b8 100644
--- a/mdx/schema/ws-securitypolicy-1.2.xsd
+++ b/mdx/schema/ws-securitypolicy-1.2.xsd
@@ -21,19 +21,19 @@ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 -->
 <xs:schema
-	targetNamespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
+    targetNamespace='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
   xmlns:tns='http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
-	xmlns:wsa="http://www.w3.org/2005/08/addressing"
+    xmlns:wsa="http://www.w3.org/2005/08/addressing"
   xmlns:xs="http://www.w3.org/2001/XMLSchema"
-	elementFormDefault="qualified"
-	blockDefault="#all" >
+    elementFormDefault="qualified"
+    blockDefault="#all" >
 
   <xs:import namespace="http://www.w3.org/2005/08/addressing"
-		schemaLocation="ws-addr.xsd" />
+        schemaLocation="ws-addr.xsd" />
 
   <!--
-	4. Protection Assertions
-	-->
+    4. Protection Assertions
+    -->
   <xs:element name="SignedParts" type="tns:SePartsType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -95,8 +95,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   </xs:complexType>
 
   <!--
-	5. Token Assertions
-	-->
+    5. Token Assertions
+    -->
   <xs:attribute name="IncludeToken" type="tns:IncludeTokenOpenType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -131,9 +131,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax"/>
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -191,9 +191,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
       </xs:choice>
       <xs:element name="RequestSecurityTokenTemplate" type="tns:RequestSecurityTokenTemplateType" />
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -373,9 +373,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -446,9 +446,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
         <xs:element name="IssuerName" type="xs:anyURI" />
       </xs:choice>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -585,9 +585,9 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <xs:complexType name="KeyValueTokenType">
     <xs:sequence>
       <!--
-			Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
-			<xs:element ref="wsp:Policy" minOccurs="0" />
-			-->
+            Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
+            <xs:element ref="wsp:Policy" minOccurs="0" />
+            -->
       <xs:any minOccurs="0" maxOccurs="unbounded" namespace="##other" processContents="lax" />
     </xs:sequence>
     <xs:attribute ref="tns:IncludeToken" use="optional" />
@@ -602,8 +602,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   </xs:element>
 
   <!--
-	7. Security Binding Assertions
-	-->
+    7. Security Binding Assertions
+    -->
   <xs:element name="AlgorithmSuite" type="tns:NestedPolicyType" >
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -961,8 +961,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- OnlySignEntireHeadersAndBody defined above. -->
 
   <!--
-	8. Supporting Tokens
-	-->
+    8. Supporting Tokens
+    -->
   <xs:element name="SupportingTokens" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1068,8 +1068,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   <!-- EncryptedElements defined above. -->
 
   <!--
-	9. WSS: SOAP Message Security Options
-	-->
+    9. WSS: SOAP Message Security Options
+    -->
   <xs:element name="Wss10" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
@@ -1142,8 +1142,8 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   </xs:element>
 
   <!--
-	10. WS-Trust Options
-	-->
+    10. WS-Trust Options
+    -->
   <xs:element name="Trust13" type="tns:NestedPolicyType">
     <xs:annotation>
       <xs:documentation xml:lang="en">
diff --git a/mdx/schema/xenc-schema-11.xsd b/mdx/schema/xenc-schema-11.xsd
index 1a8ceb2a..9535d2f7 100644
--- a/mdx/schema/xenc-schema-11.xsd
+++ b/mdx/schema/xenc-schema-11.xsd
@@ -21,77 +21,77 @@
         targetNamespace='http://www.w3.org/2009/xmlenc11#'
         elementFormDefault='qualified'>
 
-	<import namespace='http://www.w3.org/2000/09/xmldsig#'
-			schemaLocation='xmldsig-core-schema.xsd'/>
+    <import namespace='http://www.w3.org/2000/09/xmldsig#'
+            schemaLocation='xmldsig-core-schema.xsd'/>
 
-	<import namespace='http://www.w3.org/2001/04/xmlenc#'
-			schemaLocation='xenc-schema.xsd'/>
+    <import namespace='http://www.w3.org/2001/04/xmlenc#'
+            schemaLocation='xenc-schema.xsd'/>
 
-	<element name="ConcatKDFParams" type="xenc11:ConcatKDFParamsType"/>
-	<complexType name="ConcatKDFParamsType">
-		<sequence>
-			<element ref="ds:DigestMethod"/>
-		</sequence>
-		<attribute name="AlgorithmID" type="hexBinary"/>
-		<attribute name="PartyUInfo" type="hexBinary"/>
-		<attribute name="PartyVInfo" type="hexBinary"/>
-		<attribute name="SuppPubInfo" type="hexBinary"/>
-		<attribute name="SuppPrivInfo" type="hexBinary"/>
-	</complexType>
+    <element name="ConcatKDFParams" type="xenc11:ConcatKDFParamsType"/>
+    <complexType name="ConcatKDFParamsType">
+        <sequence>
+            <element ref="ds:DigestMethod"/>
+        </sequence>
+        <attribute name="AlgorithmID" type="hexBinary"/>
+        <attribute name="PartyUInfo" type="hexBinary"/>
+        <attribute name="PartyVInfo" type="hexBinary"/>
+        <attribute name="SuppPubInfo" type="hexBinary"/>
+        <attribute name="SuppPrivInfo" type="hexBinary"/>
+    </complexType>
 
-	<element name="DerivedKey" type="xenc11:DerivedKeyType"/>
-	<complexType name="DerivedKeyType">
-		<sequence>
-			<element ref="xenc11:KeyDerivationMethod" minOccurs="0"/>
-			<element ref="xenc:ReferenceList" minOccurs="0"/>
-			<element name="DerivedKeyName" type="string" minOccurs="0"/>
-			<element name="MasterKeyName" type="string" minOccurs="0"/>
-		</sequence>
-		<attribute name="Recipient" type="string" use="optional"/>
-		<attribute name="Id" type="ID" use="optional"/>
-		<attribute name="Type" type="anyURI" use="optional"/>
-	</complexType>
+    <element name="DerivedKey" type="xenc11:DerivedKeyType"/>
+    <complexType name="DerivedKeyType">
+        <sequence>
+            <element ref="xenc11:KeyDerivationMethod" minOccurs="0"/>
+            <element ref="xenc:ReferenceList" minOccurs="0"/>
+            <element name="DerivedKeyName" type="string" minOccurs="0"/>
+            <element name="MasterKeyName" type="string" minOccurs="0"/>
+        </sequence>
+        <attribute name="Recipient" type="string" use="optional"/>
+        <attribute name="Id" type="ID" use="optional"/>
+        <attribute name="Type" type="anyURI" use="optional"/>
+    </complexType>
 
-	<element name="KeyDerivationMethod" type="xenc11:KeyDerivationMethodType"/>
-	<complexType name="KeyDerivationMethodType">
-		<sequence>
-			<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
-		</sequence>
-		<attribute name="Algorithm" type="anyURI" use="required"/>
-	</complexType>
+    <element name="KeyDerivationMethod" type="xenc11:KeyDerivationMethodType"/>
+    <complexType name="KeyDerivationMethodType">
+        <sequence>
+            <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="Algorithm" type="anyURI" use="required"/>
+    </complexType>
 
-	<element name="PBKDF2-params" type="xenc11:PBKDF2ParameterType"/>
+    <element name="PBKDF2-params" type="xenc11:PBKDF2ParameterType"/>
 
-	<complexType name="AlgorithmIdentifierType">
-		<sequence>
-			<element name="Parameters" minOccurs="0"/>
-		</sequence>
+    <complexType name="AlgorithmIdentifierType">
+        <sequence>
+            <element name="Parameters" minOccurs="0"/>
+        </sequence>
         <attribute name="Algorithm" type="anyURI" use="required" />
-	</complexType>
+    </complexType>
 
-	<complexType name="PRFAlgorithmIdentifierType">
-		<complexContent>
+    <complexType name="PRFAlgorithmIdentifierType">
+        <complexContent>
           <restriction base="xenc11:AlgorithmIdentifierType">
             <attribute name="Algorithm" type="anyURI" use="required" />
           </restriction>
         </complexContent>
-	</complexType>
+    </complexType>
 
-	<complexType name="PBKDF2ParameterType">
-		<sequence>
-			<element name="Salt">
-				<complexType>
-					<choice>
-						<element name="Specified" type="base64Binary"/>
-						<element name="OtherSource" type="xenc11:AlgorithmIdentifierType"/>
-					</choice>
-				</complexType>
-			</element>
-			<element name="IterationCount" type="positiveInteger"/>
-			<element name="KeyLength" type="positiveInteger"/>
-			<element name="PRF" type="xenc11:PRFAlgorithmIdentifierType"/>
-		</sequence>
-	</complexType>
+    <complexType name="PBKDF2ParameterType">
+        <sequence>
+            <element name="Salt">
+                <complexType>
+                    <choice>
+                        <element name="Specified" type="base64Binary"/>
+                        <element name="OtherSource" type="xenc11:AlgorithmIdentifierType"/>
+                    </choice>
+                </complexType>
+            </element>
+            <element name="IterationCount" type="positiveInteger"/>
+            <element name="KeyLength" type="positiveInteger"/>
+            <element name="PRF" type="xenc11:PRFAlgorithmIdentifierType"/>
+        </sequence>
+    </complexType>
 
     <element name="MGF" type="xenc11:MGFType"/>
     <complexType name="MGFType">
diff --git a/mdx/strip-aa-mdui.xsl b/mdx/strip-aa-mdui.xsl
index 755cefb7..2368a915 100644
--- a/mdx/strip-aa-mdui.xsl
+++ b/mdx/strip-aa-mdui.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	strip-aa-mdui.xsl
+    strip-aa-mdui.xsl
 
-	Remove all MDUI metadata from attribute authority roles.
+    Remove all MDUI metadata from attribute authority roles.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Remove all MDUI metadata from attribute authority roles.
-	-->
-	<xsl:template match="md:AttributeAuthorityDescriptor/md:Extensions/mdui:*"/>
+    <!--
+        Remove all MDUI metadata from attribute authority roles.
+    -->
+    <xsl:template match="md:AttributeAuthorityDescriptor/md:Extensions/mdui:*"/>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/strip-comments.xsl b/mdx/strip-comments.xsl
index b1545093..5bbe1fb9 100644
--- a/mdx/strip-comments.xsl
+++ b/mdx/strip-comments.xsl
@@ -1,28 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	strip-comments.xsl
+    strip-comments.xsl
 
-	Remove all comment nodes from a document.
+    Remove all comment nodes from a document.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!-- Force UTF-8 encoding for the output. -->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!-- Force UTF-8 encoding for the output. -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
-	<!-- Copy text blocks and attributes unchanged. -->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!-- Copy text blocks and attributes unchanged. -->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/strip-mdui-logo-data.xsl b/mdx/strip-mdui-logo-data.xsl
index 7036cbe1..e4923841 100644
--- a/mdx/strip-mdui-logo-data.xsl
+++ b/mdx/strip-mdui-logo-data.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	strip-mdui-logo-data.xsl
+    strip-mdui-logo-data.xsl
 
-	Remove all mdui:Logo elements containing data: URLs.
+    Remove all mdui:Logo elements containing data: URLs.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-	    Remove all mdui:Logo elements containing data: URLs.
-	-->
-	<xsl:template match="mdui:Logo[starts-with(., 'data:')]"/>
+    <!--
+        Remove all mdui:Logo elements containing data: URLs.
+    -->
+    <xsl:template match="mdui:Logo[starts-with(., 'data:')]"/>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/strip-mdui-logo-http.xsl b/mdx/strip-mdui-logo-http.xsl
index 50702a53..68526030 100644
--- a/mdx/strip-mdui-logo-http.xsl
+++ b/mdx/strip-mdui-logo-http.xsl
@@ -1,49 +1,49 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	strip-mdui-logo-http.xsl
+    strip-mdui-logo-http.xsl
 
-	Remove mdui:Logo elements whose value starts with http://, as these
-	may cause mixed content errors in browser-based discovery interfaces.
+    Remove mdui:Logo elements whose value starts with http://, as these
+    may cause mixed content errors in browser-based discovery interfaces.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="_rules/check_framework.xsl"/>
-
-	<!-- Force UTF-8 encoding for the output. -->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<!-- Match the pattern we want to remove. -->
-	<xsl:template match="mdui:Logo[starts-with(., 'http://')]">
-		<xsl:call-template name="warning">
-			<xsl:with-param name="m">
-				<xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
-				<xsl:value-of select="."/>
-				<xsl:text>'</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-		<!-- ... and don't copy the element to the output, so that it is removed ... -->
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!-- Copy all elements from the input to the output, along with their attributes and contents. -->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="_rules/check_framework.xsl"/>
+
+    <!-- Force UTF-8 encoding for the output. -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <!-- Match the pattern we want to remove. -->
+    <xsl:template match="mdui:Logo[starts-with(., 'http://')]">
+        <xsl:call-template name="warning">
+            <xsl:with-param name="m">
+                <xsl:text>mdui:Logo from non-TLS location removed: '</xsl:text>
+                <xsl:value-of select="."/>
+                <xsl:text>'</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+        <!-- ... and don't copy the element to the output, so that it is removed ... -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!-- Copy all elements from the input to the output, along with their attributes and contents. -->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_fixup_encmethod.xsl b/mdx/uk/check_fixup_encmethod.xsl
index 59841507..afbe978e 100644
--- a/mdx/uk/check_fixup_encmethod.xsl
+++ b/mdx/uk/check_fixup_encmethod.xsl
@@ -1,36 +1,36 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_fixup_encmethod.xsl
+    check_fixup_encmethod.xsl
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<!--
-		Use of EncryptionMethod within KeyDescriptor causes metadata loading problems
-		for OpenSAML-C 2.0.
-
-		See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0
-	-->
-	<xsl:template match="md:KeyDescriptor/md:EncryptionMethod">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        Use of EncryptionMethod within KeyDescriptor causes metadata loading problems
+        for OpenSAML-C 2.0.
+
+        See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0
+    -->
+    <xsl:template match="md:KeyDescriptor/md:EncryptionMethod">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_keydesc_key.xsl b/mdx/uk/check_uk_keydesc_key.xsl
index bd9c2db3..a134c95f 100644
--- a/mdx/uk/check_uk_keydesc_key.xsl
+++ b/mdx/uk/check_uk_keydesc_key.xsl
@@ -1,33 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_keydesc_key.xsl
+    check_uk_keydesc_key.xsl
 
     UKf-specific check that all KeyDescriptor elements contain an embedded key.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Data)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>KeyDescriptor lacks embedded key material</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <xsl:template match="md:KeyDescriptor[not(descendant::ds:X509Data)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>KeyDescriptor lacks embedded key material</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
index e5016f1b..48f3ef66 100644
--- a/mdx/uk/check_uk_mdattr.xsl
+++ b/mdx/uk/check_uk_mdattr.xsl
@@ -1,124 +1,124 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_mdattr.xsl
+    check_uk_mdattr.xsl
 
     UKf-specific check for appropriate entity attributes in fragment files.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
 
 
-	<!--
-		UKf doesn't register entity attributes using assertions.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Assertion">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">Assertion not permitted within EntityAttributes</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        UKf doesn't register entity attributes using assertions.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Assertion">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">Assertion not permitted within EntityAttributes</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		All entity attributes should have the standard SAML 2.0 URI name format.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[not(@NameFormat)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has no NameFormat attribute</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute
-		[@NameFormat != 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>entity attribute </xsl:text>
-				<xsl:value-of select="@Name"/>
-				<xsl:text> has wrong NameFormat value </xsl:text>
-				<xsl:value-of select="@NameFormat"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        All entity attributes should have the standard SAML 2.0 URI name format.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[not(@NameFormat)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has no NameFormat attribute</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute
+        [@NameFormat != 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri']">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>entity attribute </xsl:text>
+                <xsl:value-of select="@Name"/>
+                <xsl:text> has wrong NameFormat value </xsl:text>
+                <xsl:value-of select="@NameFormat"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Validate attribute name. Each @Name permitted here should have a
-		corresponding attribute value validator below.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute
-		[@Name != 'http://macedir.org/entity-category']
-		[@Name != 'http://macedir.org/entity-category-support']
-		[@Name != 'urn:oasis:names:tc:SAML:attribute:assurance-certification']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity attribute name </xsl:text>
-				<xsl:value-of select="@Name"/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Validate attribute name. Each @Name permitted here should have a
+        corresponding attribute value validator below.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute
+        [@Name != 'http://macedir.org/entity-category']
+        [@Name != 'http://macedir.org/entity-category-support']
+        [@Name != 'urn:oasis:names:tc:SAML:attribute:assurance-certification']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity attribute name </xsl:text>
+                <xsl:value-of select="@Name"/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Validate entity category values.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
-		/saml:AttributeValue
-		[. != 'http://refeds.org/category/hide-from-discovery']
-		[. != 'http://refeds.org/category/research-and-scholarship']
-		[. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity category URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Validate entity category values.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category']
+        /saml:AttributeValue
+        [. != 'http://refeds.org/category/hide-from-discovery']
+        [. != 'http://refeds.org/category/research-and-scholarship']
+        [. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity category URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
+    <!--
         Validate entity category support values.
     -->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
-		/saml:AttributeValue
-		[. != 'http://refeds.org/category/research-and-scholarship']
-		[. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown entity category support URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='http://macedir.org/entity-category-support']
+        /saml:AttributeValue
+        [. != 'http://refeds.org/category/research-and-scholarship']
+        [. != 'http://www.geant.net/uri/dataprotection-code-of-conduct/v1']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown entity category support URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
-	<!--
-		Validate assurance certification values.
-	-->
-	<xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
-		/saml:AttributeValue
-		[. != 'https://refeds.org/sirtfi']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>unknown assurance certification URI </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    <!--
+        Validate assurance certification values.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='urn:oasis:names:tc:SAML:attribute:assurance-certification']
+        /saml:AttributeValue
+        [. != 'https://refeds.org/sirtfi']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown assurance certification URI </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_mdrps.xsl b/mdx/uk/check_uk_mdrps.xsl
index 50b72cca..bebafa19 100644
--- a/mdx/uk/check_uk_mdrps.xsl
+++ b/mdx/uk/check_uk_mdrps.xsl
@@ -1,57 +1,57 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_mdrps.xsl
+    check_uk_mdrps.xsl
 
     UKf-specific check for appropriate RegistrationPolicy values.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<!--
-		If a UK-registered entity is opted in to the export aggregate, it MUST
-		have a registrationInstant.
-	-->
-	<xsl:template match="md:EntityDescriptor
-		[descendant::mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
-		[md:Extensions/ukfedlabel:ExportOptIn]
-		[not(descendant::mdrpi:RegistrationInfo/@registrationInstant)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>exported entity lacks a registrationInstant value</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Restrict registrationAuthority values for UK federation entities, if present,
-		to previously used MDRPS document URLs.
-	-->
-	<xsl:template match="mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']
-		/mdrpi:RegistrationPolicy
-			[.!='http://ukfederation.org.uk/doc/mdrps-20130902']
-		">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:text>invalid RegistrationPolicy value </xsl:text>
-				<xsl:value-of select="."/>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        If a UK-registered entity is opted in to the export aggregate, it MUST
+        have a registrationInstant.
+    -->
+    <xsl:template match="md:EntityDescriptor
+        [descendant::mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
+        [md:Extensions/ukfedlabel:ExportOptIn]
+        [not(descendant::mdrpi:RegistrationInfo/@registrationInstant)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>exported entity lacks a registrationInstant value</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Restrict registrationAuthority values for UK federation entities, if present,
+        to previously used MDRPS document URLs.
+    -->
+    <xsl:template match="mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']
+        /mdrpi:RegistrationPolicy
+            [.!='http://ukfederation.org.uk/doc/mdrps-20130902']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>invalid RegistrationPolicy value </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_uk_urlenc.xsl b/mdx/uk/check_uk_urlenc.xsl
index caf20da5..3f14f05c 100644
--- a/mdx/uk/check_uk_urlenc.xsl
+++ b/mdx/uk/check_uk_urlenc.xsl
@@ -1,32 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_uk_urlenc.xsl
+    check_uk_urlenc.xsl
 
     UKf-specific check for endpoint locations that include a '%' character,
     which is symptomatic of their being URL-encoded instead of entity-encoded.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<xsl:template match="@Location[contains(., '%')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">URL-encoded Location attribute; should be entity-encoded</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <xsl:template match="@Location[contains(., '%')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">URL-encoded Location attribute; should be entity-encoded</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/check_ukreg.xsl b/mdx/uk/check_ukreg.xsl
index e1897d02..b29eea90 100644
--- a/mdx/uk/check_ukreg.xsl
+++ b/mdx/uk/check_ukreg.xsl
@@ -1,53 +1,53 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	check_ukreg.xsl
+    check_ukreg.xsl
 
-	Checking ruleset containing rules that only apply to metadata registered
-	by the UK federation's registrar function.
+    Checking ruleset containing rules that only apply to metadata registered
+    by the UK federation's registrar function.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-
-	xmlns:mdxMail="xalan://uk.ac.sdss.xalan.md.Mail"
-	extension-element-prefixes="mdxMail"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-	<!--
-		Common support functions.
-	-->
-	<xsl:import href="../_rules/check_framework.xsl"/>
-
-
-	<!--
-		Check for badly formatted e-mail addresses.
-	-->
-	<xsl:template match="md:EmailAddress[mdxMail:dodgyAddress(.)]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">badly formatted e-mail address: '<xsl:value-of select='.'/>'</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
-
-	<!--
-		Check for https:// locations that use an explicit but redundant port specifier.
-	-->
-	<xsl:template match="*[@Location and starts-with(@Location, 'https://')
-		and contains(@Location,':443/')]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">
-				<xsl:value-of select='local-name()'/>
-				<xsl:text> Location </xsl:text>
-				<xsl:value-of select="@Location"/>
-				<xsl:text> not in standard form</xsl:text>
-			</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+    xmlns:mdxMail="xalan://uk.ac.sdss.xalan.md.Mail"
+    extension-element-prefixes="mdxMail"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+    <!--
+        Common support functions.
+    -->
+    <xsl:import href="../_rules/check_framework.xsl"/>
+
+
+    <!--
+        Check for badly formatted e-mail addresses.
+    -->
+    <xsl:template match="md:EmailAddress[mdxMail:dodgyAddress(.)]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">badly formatted e-mail address: '<xsl:value-of select='.'/>'</xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
+
+    <!--
+        Check for https:// locations that use an explicit but redundant port specifier.
+    -->
+    <xsl:template match="*[@Location and starts-with(@Location, 'https://')
+        and contains(@Location,':443/')]">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:value-of select='local-name()'/>
+                <xsl:text> Location </xsl:text>
+                <xsl:value-of select="@Location"/>
+                <xsl:text> not in standard form</xsl:text>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/entity_scopes.xsl b/mdx/uk/entity_scopes.xsl
index 71c2a941..34e74758 100644
--- a/mdx/uk/entity_scopes.xsl
+++ b/mdx/uk/entity_scopes.xsl
@@ -1,38 +1,38 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	entity_scopes.xsl
+    entity_scopes.xsl
 
-	Remove entity-level Scope elements, leaving only the ones associated
-	with role descriptors.
+    Remove entity-level Scope elements, leaving only the ones associated
+    with role descriptors.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EntityDescriptor/md:Extensions/shibmd:Scope">
-		<!-- remove entirely -->
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="md:EntityDescriptor/md:Extensions/shibmd:Scope">
+        <!-- remove entirely -->
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index cb8a50b2..dac0c437 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -1,183 +1,183 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	final_tweak.xsl
+    final_tweak.xsl
 
-	Final tweaks required for UK federation aggregates.
+    Final tweaks required for UK federation aggregates.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
 
-	xmlns:date="http://exslt.org/dates-and-times"
-	xmlns:mdxDates="xalan://uk.ac.sdss.xalan.md.Dates"
-	extension-element-prefixes="date mdxDates"
+    xmlns:date="http://exslt.org/dates-and-times"
+    xmlns:mdxDates="xalan://uk.ac.sdss.xalan.md.Dates"
+    extension-element-prefixes="date mdxDates"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
 
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
-	<!--
-		extraText
+    <!--
+        extraText
 
-		This parameter, if present, provides additional text to be put in the
-		document comment.
-	-->
-	<xsl:param name="extraText"/>
+        This parameter, if present, provides additional text to be put in the
+        document comment.
+    -->
+    <xsl:param name="extraText"/>
 
-	<!--
+    <!--
         publisher
 
         This parameter, if present, prompts the generation of a PublicationInfo
         element on the EntitiesDescriptor.
     -->
-	<xsl:param name="publisher"/>
-
-	<!--
-		validityDays
-
-		This parameter determines the number of days between the aggregation instant and the
-		end of validity of the signed metadata.
-	-->
-	<xsl:param name="validityDays" select="14"/>
-
-	<xsl:variable name="now" select="date:date-time()"/>
-	<xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
-
-	<!--
-		documentID
-
-		This value is generated from a normalised version of the aggregation instant,
-		transformed so that it can be used as an XML ID value.
-
-		Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
-		that the signature explicitly references an identifier attribute in the element
-		being signed, in this case the document element.
-	-->
-	<xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
-	<xsl:variable name="documentID"
-		select="concat('uk', translate($normalisedNow, ':-', ''))"/>
-
-	<!--
-		Document root.
-	-->
-	<xsl:template match="/">
-		<xsl:call-template name="document.comment"/>
-		<xsl:apply-templates/>
-	</xsl:template>
-
-	<!--
-		Document element.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:attribute name="validUntil">
-				<xsl:value-of select="$validUntil"/>
-			</xsl:attribute>
-			<xsl:attribute name="ID">
-				<xsl:value-of select="$documentID"/>
-			</xsl:attribute>
-			<xsl:apply-templates select="@*"/>
-			<xsl:call-template name="document.comment"/>
-
-			<!--
+    <xsl:param name="publisher"/>
+
+    <!--
+        validityDays
+
+        This parameter determines the number of days between the aggregation instant and the
+        end of validity of the signed metadata.
+    -->
+    <xsl:param name="validityDays" select="14"/>
+
+    <xsl:variable name="now" select="date:date-time()"/>
+    <xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
+
+    <!--
+        documentID
+
+        This value is generated from a normalised version of the aggregation instant,
+        transformed so that it can be used as an XML ID value.
+
+        Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
+        that the signature explicitly references an identifier attribute in the element
+        being signed, in this case the document element.
+    -->
+    <xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
+    <xsl:variable name="documentID"
+        select="concat('uk', translate($normalisedNow, ':-', ''))"/>
+
+    <!--
+        Document root.
+    -->
+    <xsl:template match="/">
+        <xsl:call-template name="document.comment"/>
+        <xsl:apply-templates/>
+    </xsl:template>
+
+    <!--
+        Document element.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:attribute name="validUntil">
+                <xsl:value-of select="$validUntil"/>
+            </xsl:attribute>
+            <xsl:attribute name="ID">
+                <xsl:value-of select="$documentID"/>
+            </xsl:attribute>
+            <xsl:apply-templates select="@*"/>
+            <xsl:call-template name="document.comment"/>
+
+            <!--
                 Add an Extensions element if there isn't one, but we need one
                 so that we can put a PublicationInfo inside it.
             -->
-			<xsl:if test="$publisher and not(md:Extensions)">
-				<xsl:text>&#10;</xsl:text>
-				<xsl:text>    </xsl:text>
-				<xsl:element name="md:Extensions">
-					<xsl:call-template name="generate.publicationInfo"/>
-					<xsl:text>&#10;</xsl:text>
-					<xsl:text>    </xsl:text>
-				</xsl:element>
-				<xsl:text>&#10;</xsl:text>
-			</xsl:if>
-
-			<xsl:apply-templates select="node()"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-	<!--
-		Comment to be added to the top of the document, and just inside the document element.
-	-->
-	<xsl:template name="document.comment">
+            <xsl:if test="$publisher and not(md:Extensions)">
+                <xsl:text>&#10;</xsl:text>
+                <xsl:text>    </xsl:text>
+                <xsl:element name="md:Extensions">
+                    <xsl:call-template name="generate.publicationInfo"/>
+                    <xsl:text>&#10;</xsl:text>
+                    <xsl:text>    </xsl:text>
+                </xsl:element>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:if>
+
+            <xsl:apply-templates select="node()"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+    <!--
+        Comment to be added to the top of the document, and just inside the document element.
+    -->
+    <xsl:template name="document.comment">
         <xsl:text>&#10;</xsl:text>
-		<xsl:comment>
-			<xsl:text>&#10;&#9;U K   F E D E R A T I O N   M E T A D A T A&#10;</xsl:text>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:if test="$extraText">
-				<xsl:text>&#9;*** </xsl:text>
-				<xsl:value-of select="$extraText"/>
-				<xsl:text> ***&#10;</xsl:text>
-				<xsl:text>&#10;</xsl:text>
-			</xsl:if>
-			<xsl:text>&#9;Aggregate built </xsl:text>
+        <xsl:comment>
+            <xsl:text>&#10;&#9;U K   F E D E R A T I O N   M E T A D A T A&#10;</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:if test="$extraText">
+                <xsl:text>&#9;*** </xsl:text>
+                <xsl:value-of select="$extraText"/>
+                <xsl:text> ***&#10;</xsl:text>
+                <xsl:text>&#10;</xsl:text>
+            </xsl:if>
+            <xsl:text>&#9;Aggregate built </xsl:text>
             <xsl:value-of select="$normalisedNow"/>
             <xsl:if test="string($normalisedNow) != string($now)">
                 <xsl:text> (</xsl:text>
                 <xsl:value-of select="$now"/>
                 <xsl:text> local)</xsl:text>
             </xsl:if>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>&#10;</xsl:text>
-			<xsl:text>&#9;Aggregate valid for </xsl:text>
-			<xsl:value-of select="$validityDays"/>
-			<xsl:text> days, until </xsl:text>
-			<xsl:value-of select="$validUntil"/>
-			<xsl:text>&#10;</xsl:text>
-		</xsl:comment>
-	</xsl:template>
-
-	<!--
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>&#10;</xsl:text>
+            <xsl:text>&#9;Aggregate valid for </xsl:text>
+            <xsl:value-of select="$validityDays"/>
+            <xsl:text> days, until </xsl:text>
+            <xsl:value-of select="$validUntil"/>
+            <xsl:text>&#10;</xsl:text>
+        </xsl:comment>
+    </xsl:template>
+
+    <!--
         Document element's Extensions.
 
         Insert a PublicationInfo at the top, if required.
     -->
-	<xsl:template match="/md:EntitiesDescriptor/md:Extensions">
-		<xsl:copy>
-			<xsl:if test="$publisher">
-				<xsl:call-template name="generate.publicationInfo"/>
-			</xsl:if>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
-
-	<!--
+    <xsl:template match="/md:EntitiesDescriptor/md:Extensions">
+        <xsl:copy>
+            <xsl:if test="$publisher">
+                <xsl:call-template name="generate.publicationInfo"/>
+            </xsl:if>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
         PublicationInfo generation.
 
         Assumption: called at the start of the document element's Extensions, at 4-space
         indentation, so the element itself requires 8-space indentation.
     -->
-	<xsl:template name="generate.publicationInfo">
-		<xsl:text>&#10;</xsl:text>
-		<xsl:text>        </xsl:text>
-		<xsl:element name="mdrpi:PublicationInfo">
-			<xsl:attribute name="publisher">
-				<xsl:value-of select="$publisher"/>
-			</xsl:attribute>
-			<xsl:attribute name="creationInstant">
-				<xsl:value-of select="$normalisedNow"/>
-			</xsl:attribute>
-		</xsl:element>
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <xsl:template name="generate.publicationInfo">
+        <xsl:text>&#10;</xsl:text>
+        <xsl:text>        </xsl:text>
+        <xsl:element name="mdrpi:PublicationInfo">
+            <xsl:attribute name="publisher">
+                <xsl:value-of select="$publisher"/>
+            </xsl:attribute>
+            <xsl:attribute name="creationInstant">
+                <xsl:value-of select="$normalisedNow"/>
+            </xsl:attribute>
+        </xsl:element>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/fix_mailto.xsl b/mdx/uk/fix_mailto.xsl
index dab37629..1c99b1e5 100644
--- a/mdx/uk/fix_mailto.xsl
+++ b/mdx/uk/fix_mailto.xsl
@@ -1,40 +1,40 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	fix_mailto.xsl
+    fix_mailto.xsl
 
-	Add "mailto:" scheme to e-mail addresses if not already present.
+    Add "mailto:" scheme to e-mail addresses if not already present.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
-
-	<xsl:template match="md:EmailAddress[not(starts-with(., 'mailto:'))]">
-		<xsl:copy>
-			<xsl:apply-templates select="@*"/>
-			<xsl:text>mailto:</xsl:text>
-			<xsl:value-of select="."/>
-		</xsl:copy>
-	</xsl:template>
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+
+    <xsl:template match="md:EmailAddress[not(starts-with(., 'mailto:'))]">
+        <xsl:copy>
+            <xsl:apply-templates select="@*"/>
+            <xsl:text>mailto:</xsl:text>
+            <xsl:value-of select="."/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/fragment.xsl b/mdx/uk/fragment.xsl
index 39d59e3e..87375526 100644
--- a/mdx/uk/fragment.xsl
+++ b/mdx/uk/fragment.xsl
@@ -1,55 +1,55 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	fragment.xsl
+    fragment.xsl
 
-	XSL stylesheet to perform any required clean-up on a UK federation fragment file
-	before it is passed along to other processes.
+    XSL stylesheet to perform any required clean-up on a UK federation fragment file
+    before it is passed along to other processes.
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="xsi xsl">
+    exclude-result-prefixes="xsi xsl">
 
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
 
-	<!--
-		Remove any xsi:schemaLocation attributes.
-	-->
-	<xsl:template match="@xsi:schemaLocation"/>
+    <!--
+        Remove any xsi:schemaLocation attributes.
+    -->
+    <xsl:template match="@xsi:schemaLocation"/>
 
 
-	<!--
-		Discard various ds:X509 elements.  Several of these are known to
-		cause problems with software systems, and they don't affect trust
-		establishment so are safe to remove.
-	-->
-	<xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
-	<xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
+    <!--
+        Discard various ds:X509 elements.  Several of these are known to
+        cause problems with software systems, and they don't affect trust
+        establishment so are safe to remove.
+    -->
+    <xsl:template match="ds:X509SerialNumber"/><!-- libxml2 has problems with long ones -->
+    <xsl:template match="ds:X509IssuerSerial"/><!-- must remove this if we remove SerialNumber -->
 
 
-	<!--
-		Retain only certain comments.
-	-->
+    <!--
+        Retain only certain comments.
+    -->
 
-	<xsl:template match="md:EntityDescriptor/comment()">
-		<xsl:copy/>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor/comment()">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--
-		All other comments are stripped by the default templates.
-	-->
+    <!--
+        All other comments are stripped by the default templates.
+    -->
 
 
-	<!--
+    <!--
         *********************************************
         ***                                       ***
         ***   D E F A U L T   T E M P L A T E S   ***
@@ -58,16 +58,16 @@
     -->
 
 
-	<!--By default, copy text blocks and attributes unchanged.-->
-	<xsl:template match="text()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks and attributes unchanged.-->
+    <xsl:template match="text()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 9622c0aa..94dd2f9b 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -301,10 +301,10 @@
     -->
 
     <!--
-    	Select all entities which are not both:
+        Select all entities which are not both:
 
-    	   * identity providers, and
-    	   * members of the "hide from discovery" entity category.
+           * identity providers, and
+           * members of the "hide from discovery" entity category.
     -->
     <bean id="uk_wayfSelector" parent="mda.XPathItemSelectionStrategy">
         <constructor-arg value="/md:EntityDescriptor[not(md:IDPSSODescriptor and
diff --git a/mdx/uk/ns_norm_back.xsl b/mdx/uk/ns_norm_back.xsl
index cf1bee2b..c482464e 100644
--- a/mdx/uk/ns_norm_back.xsl
+++ b/mdx/uk/ns_norm_back.xsl
@@ -1,120 +1,120 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_back.xsl
+    ns_norm_back.xsl
 
-	Normalise the namespaces in the UK federation fallback aggregate.
+    Normalise the namespaces in the UK federation fallback aggregate.
 
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
 
-	The strategy is to define the most commonly-used prefixes in the document element.
+    The strategy is to define the most commonly-used prefixes in the document element.
 
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
 
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	exclude-result-prefixes="alg md xenc"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-
-
-	<!--
-		alg:*
-
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -123,16 +123,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_cds.xsl b/mdx/uk/ns_norm_cds.xsl
index 15113ea3..2d3dcfb2 100644
--- a/mdx/uk/ns_norm_cds.xsl
+++ b/mdx/uk/ns_norm_cds.xsl
@@ -1,77 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_cds.xsl
+    ns_norm_cds.xsl
 
-	Normalise the namespaces in a metadata file for publication to the UKf CDS.
+    Normalise the namespaces in a metadata file for publication to the UKf CDS.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-
-	exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel xsi"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    exclude-result-prefixes="alg ds init md mdattr saml shibmd ukfedlabel xsi"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export.xsl b/mdx/uk/ns_norm_export.xsl
index a64aef3b..7947548f 100644
--- a/mdx/uk/ns_norm_export.xsl
+++ b/mdx/uk/ns_norm_export.xsl
@@ -1,93 +1,93 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_export.xsl
+    ns_norm_export.xsl
 
-	Normalise the namespaces in the export aggregate.
+    Normalise the namespaces in the export aggregate.
 
-	The strategy is to define the most commonly-used prefixes in the document element.
+    The strategy is to define the most commonly-used prefixes in the document element.
 
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
 
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	exclude-result-prefixes="alg md ukfedlabel xenc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md ukfedlabel xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
         *************************************
         ***                               ***
         ***   A L G   N A M E S P A C E   ***
@@ -96,19 +96,19 @@
     -->
 
 
-	<!--
+    <!--
         alg:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
-	<!--
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -117,16 +117,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_export_preview.xsl b/mdx/uk/ns_norm_export_preview.xsl
index 5bd6277d..0ddc1e1f 100644
--- a/mdx/uk/ns_norm_export_preview.xsl
+++ b/mdx/uk/ns_norm_export_preview.xsl
@@ -1,93 +1,93 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_export_preview.xsl
+    ns_norm_export_preview.xsl
 
-	Normalise the namespaces in the export preview aggregate.
+    Normalise the namespaces in the export preview aggregate.
 
-	The strategy is to define the most commonly-used prefixes in the document element.
+    The strategy is to define the most commonly-used prefixes in the document element.
 
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
 
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	exclude-result-prefixes="alg md ukfedlabel xenc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md ukfedlabel xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
         *************************************
         ***                               ***
         ***   A L G   N A M E S P A C E   ***
@@ -96,19 +96,19 @@
     -->
 
 
-	<!--
+    <!--
         alg:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
-	<!--
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -117,16 +117,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_fragment.xsl b/mdx/uk/ns_norm_fragment.xsl
index 8739efa1..1402c135 100644
--- a/mdx/uk/ns_norm_fragment.xsl
+++ b/mdx/uk/ns_norm_fragment.xsl
@@ -1,84 +1,84 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_fragment.xsl
+    ns_norm_fragment.xsl
 
-	Normalise the namespaces in a fragment file.
+    Normalise the namespaces in a fragment file.
 
-	The only difference between this and full normalisation is the selection of prefixes which are
-	included on the document element by default.  We can therefore import the standard templates
-	and just override the ones for the document element as long as an appropriate exclude-result-prefixes
-	is in effect.
+    The only difference between this and full normalisation is the selection of prefixes which are
+    included on the document element by default.  We can therefore import the standard templates
+    and just override the ones for the document element as long as an appropriate exclude-result-prefixes
+    is in effect.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-
-	exclude-result-prefixes="md"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    exclude-result-prefixes="md"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
         Import templates for basic normalisation.
     -->
-	<xsl:import href="../ns_norm.xsl"/>
+    <xsl:import href="../ns_norm.xsl"/>
 
 
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
 
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
 
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
 
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
 
-		There are only two possible document elements in SAML metadata.
-	-->
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
 
+        There are only two possible document elements in SAML metadata.
+    -->
 
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
 
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl
index 2a8865c8..3f930240 100644
--- a/mdx/uk/ns_norm_test.xsl
+++ b/mdx/uk/ns_norm_test.xsl
@@ -1,120 +1,120 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_test.xsl
+    ns_norm_test.xsl
 
-	Normalise the namespaces in the UK federation's test aggregate.
+    Normalise the namespaces in the UK federation's test aggregate.
 
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
 
-	The strategy is to define the most commonly-used prefixes in the document element.
+    The strategy is to define the most commonly-used prefixes in the document element.
 
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
 
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	exclude-result-prefixes="alg md xenc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-
-
-	<!--
-		alg:*
-
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -123,16 +123,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/ns_norm_uk.xsl b/mdx/uk/ns_norm_uk.xsl
index 8b8bd5ce..dca0f099 100644
--- a/mdx/uk/ns_norm_uk.xsl
+++ b/mdx/uk/ns_norm_uk.xsl
@@ -1,120 +1,120 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	ns_norm_uk.xsl
+    ns_norm_uk.xsl
 
-	Normalise the namespaces in a metadata file for publication to UK federation members.
+    Normalise the namespaces in a metadata file for publication to UK federation members.
 
-	The main constraint on the output of this transform is that it should minimise the size
-	of the output file while not having "too many" namespace prefix definitions in scope
-	at any point in the document.  "Too many" is more than about ten, as a result of a bug
-	in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
-	metadata.
+    The main constraint on the output of this transform is that it should minimise the size
+    of the output file while not having "too many" namespace prefix definitions in scope
+    at any point in the document.  "Too many" is more than about ten, as a result of a bug
+    in the metadatatool application used by Shibboleth 1.3 IdPs to download and verify
+    metadata.
 
-	The strategy is to define the most commonly-used prefixes in the document element.
+    The strategy is to define the most commonly-used prefixes in the document element.
 
-	Prefixes which are less often used, but which may be used by container elements
-	(e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
-	on the document element.
+    Prefixes which are less often used, but which may be used by container elements
+    (e.g., mdui:) or for attributes are normalised to use a prefix, but not declared
+    on the document element.
 
-	Prefixes which are less often used and are only used for non-containers can be
-	normalised to non-prefix use (i.e., to redefine the default namespace) if required
-	to cut the numbers down.
+    Prefixes which are less often used and are only used for non-containers can be
+    normalised to non-prefix use (i.e., to redefine the default namespace) if required
+    to cut the numbers down.
 
-	Author: Ian A. Young <ian@iay.org.uk>
+    Author: Ian A. Young <ian@iay.org.uk>
 
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
-	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
-	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
-	xmlns:remd="http://refeds.org/metadata"
-	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-
-	exclude-result-prefixes="alg md xenc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
-
-	<!--
-		Import templates for basic normalisation.
-	-->
-	<xsl:import href="../ns_norm.xsl"/>
-
-
-	<!--
-		Force UTF-8 encoding for the output.
-	-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
-
-
-	<!--
-		*******************************************
-		***                                     ***
-		***   D O C U M E N T   E L E M E N T   ***
-		***                                     ***
-		*******************************************
-	-->
-
-
-	<!--
-		We need to handle the document element specially in order to arrange
-		for all appropriate namespace prefix definitions to appear on it.
-
-		There are only two possible document elements in SAML metadata.
-	-->
-
-
-	<!--
-		Document element is <EntityDescriptor>.
-	-->
-	<xsl:template match="/md:EntityDescriptor">
-		<EntityDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntityDescriptor>
-	</xsl:template>
-
-	<!--
-		Document element is <EntitiesDescriptor>.
-	-->
-	<xsl:template match="/md:EntitiesDescriptor">
-		<EntitiesDescriptor>
-			<xsl:apply-templates select="node()|@*"/>
-		</EntitiesDescriptor>
-	</xsl:template>
-
-
-	<!--
-		*************************************
-		***                               ***
-		***   A L G   N A M E S P A C E   ***
-		***                               ***
-		*************************************
-	-->
-
-
-	<!--
-		alg:*
-
-		Normalise namespace to not use a prefix.
-	-->
-	<xsl:template match="alg:*">
-		<xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
-
-
-	<!--
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
+    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+    xmlns:remd="http://refeds.org/metadata"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+
+    exclude-result-prefixes="alg md xenc"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+
+    <!--
+        Import templates for basic normalisation.
+    -->
+    <xsl:import href="../ns_norm.xsl"/>
+
+
+    <!--
+        Force UTF-8 encoding for the output.
+    -->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8"/>
+
+
+    <!--
+        *******************************************
+        ***                                     ***
+        ***   D O C U M E N T   E L E M E N T   ***
+        ***                                     ***
+        *******************************************
+    -->
+
+
+    <!--
+        We need to handle the document element specially in order to arrange
+        for all appropriate namespace prefix definitions to appear on it.
+
+        There are only two possible document elements in SAML metadata.
+    -->
+
+
+    <!--
+        Document element is <EntityDescriptor>.
+    -->
+    <xsl:template match="/md:EntityDescriptor">
+        <EntityDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntityDescriptor>
+    </xsl:template>
+
+    <!--
+        Document element is <EntitiesDescriptor>.
+    -->
+    <xsl:template match="/md:EntitiesDescriptor">
+        <EntitiesDescriptor>
+            <xsl:apply-templates select="node()|@*"/>
+        </EntitiesDescriptor>
+    </xsl:template>
+
+
+    <!--
+        *************************************
+        ***                               ***
+        ***   A L G   N A M E S P A C E   ***
+        ***                               ***
+        *************************************
+    -->
+
+
+    <!--
+        alg:*
+
+        Normalise namespace to not use a prefix.
+    -->
+    <xsl:template match="alg:*">
+        <xsl:element name="{local-name()}" namespace="urn:oasis:names:tc:SAML:metadata:algsupport">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
+
+
+    <!--
         ***************************************
         ***                                 ***
         ***   X E N C   N A M E S P A C E   ***
@@ -123,16 +123,16 @@
     -->
 
 
-	<!--
+    <!--
         xenc:*
 
         Normalise namespace to not use a prefix.
     -->
-	<xsl:template match="xenc:*">
-		<xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:element>
-	</xsl:template>
+    <xsl:template match="xenc:*">
+        <xsl:element name="{local-name()}" namespace="http://www.w3.org/2001/04/xmlenc#">
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:element>
+    </xsl:template>
 
 
 </xsl:stylesheet>
diff --git a/mdx/uk/scopes_copy.xsl b/mdx/uk/scopes_copy.xsl
index c9a0de6c..c97e12e5 100644
--- a/mdx/uk/scopes_copy.xsl
+++ b/mdx/uk/scopes_copy.xsl
@@ -1,22 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-	scopes_copy.xsl
+    scopes_copy.xsl
 
-	Make all three potential scope lists equivalent (on the entity, on
-	the IDPSSODescriptor and on the AttributeAuthority).
+    Make all three potential scope lists equivalent (on the entity, on
+    the IDPSSODescriptor and on the AttributeAuthority).
 
 -->
 <xsl:stylesheet version="1.0"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
-	<!--Force UTF-8 encoding for the output.-->
-	<xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
+    <!--Force UTF-8 encoding for the output.-->
+    <xsl:output omit-xml-declaration="no" method="xml" encoding="UTF-8" indent="yes"/>
 
     <!--
         If an IdP's SSO or AA roles are missing Extensions (and Scope extensions in
@@ -24,41 +24,41 @@
     -->
     <xsl:template match="md:IDPSSODescriptor[not(md:Extensions)] |
                          md:AttributeAuthorityDescriptor[not(md:Extensions)]">
-		<xsl:copy>
-		    <xsl:apply-templates select="@*"/>
-			<xsl:text>&#10;        </xsl:text>
-			<xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
-				<!-- copy scopes from EntityDescriptor extensions -->
-			    <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
-					<xsl:text>&#10;            </xsl:text>
-					<xsl:copy-of select="."/>
-				</xsl:for-each>
-				<xsl:text>&#10;        </xsl:text>
-			</xsl:element>
-			<xsl:apply-templates select="node()"/>
-		</xsl:copy>
-	</xsl:template>
+        <xsl:copy>
+            <xsl:apply-templates select="@*"/>
+            <xsl:text>&#10;        </xsl:text>
+            <xsl:element name="Extensions" namespace="urn:oasis:names:tc:SAML:2.0:metadata">
+                <!-- copy scopes from EntityDescriptor extensions -->
+                <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
+                    <xsl:text>&#10;            </xsl:text>
+                    <xsl:copy-of select="."/>
+                </xsl:for-each>
+                <xsl:text>&#10;        </xsl:text>
+            </xsl:element>
+            <xsl:apply-templates select="node()"/>
+        </xsl:copy>
+    </xsl:template>
 
-	<!--
-		If an IdP's SSO or AA roles already includes an Extensions element, this may
-		already contain extensions other than scopes.  We need to make sure that
-		if it does not also contain scopes, then any scopes declared at the entity
-		level are copied down.
-	-->
-	<xsl:template match="md:IDPSSODescriptor/md:Extensions |
-						 md:AttributeAuthorityDescriptor/md:Extensions">
-		<xsl:copy>
-			<xsl:apply-templates select="node()"/>
-			<xsl:if test="not(shibmd:Scope)">
-				<!-- copy scopes from EntityDescriptor extensions -->
-				<xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
-					<xsl:text>    </xsl:text>
-					<xsl:copy-of select="."/>
-					<xsl:text>&#10;        </xsl:text>
-				</xsl:for-each>
-			</xsl:if>
-		</xsl:copy>
-	</xsl:template>
+    <!--
+        If an IdP's SSO or AA roles already includes an Extensions element, this may
+        already contain extensions other than scopes.  We need to make sure that
+        if it does not also contain scopes, then any scopes declared at the entity
+        level are copied down.
+    -->
+    <xsl:template match="md:IDPSSODescriptor/md:Extensions |
+                         md:AttributeAuthorityDescriptor/md:Extensions">
+        <xsl:copy>
+            <xsl:apply-templates select="node()"/>
+            <xsl:if test="not(shibmd:Scope)">
+                <!-- copy scopes from EntityDescriptor extensions -->
+                <xsl:for-each select="ancestor::md:EntityDescriptor/md:Extensions/shibmd:Scope">
+                    <xsl:text>    </xsl:text>
+                    <xsl:copy-of select="."/>
+                    <xsl:text>&#10;        </xsl:text>
+                </xsl:for-each>
+            </xsl:if>
+        </xsl:copy>
+    </xsl:template>
 
     <!--
         *********************************************
@@ -69,16 +69,16 @@
     -->
 
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index e2698021..c79539fb 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1173,16 +1173,16 @@
             <td align="center">
                 <xsl:choose>
 
-                	<!-- Special case: Eduserv does NOT outsource -->
+                    <!-- Special case: Eduserv does NOT outsource -->
                     <xsl:when test="members:Name = 'Eduserv'">
                         &#160;
                     </xsl:when>
 
                     <!--
-                    	Anyone pushing scopes to an entity is assumed to
-                    	be outsourcing.  Strictly speaking, this should be
-                    	anyone pushing scopes to an entity owned by another
-                    	member.
+                        Anyone pushing scopes to an entity is assumed to
+                        be outsourcing.  Strictly speaking, this should be
+                        anyone pushing scopes to an entity owned by another
+                        member.
                     -->
                     <xsl:when test="members:Scopes/members:Entity">
                         *
diff --git a/mdx/uk/strip_extensions.xsl b/mdx/uk/strip_extensions.xsl
index f8899e5a..176baabb 100644
--- a/mdx/uk/strip_extensions.xsl
+++ b/mdx/uk/strip_extensions.xsl
@@ -1,55 +1,55 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	strip_extensions.xsl
+    strip_extensions.xsl
 
-	Strip out any ukfedlabel namespace extensions that we don't intend to publish.
-	This may require removing now-empty md:Extensions elements.
+    Strip out any ukfedlabel namespace extensions that we don't intend to publish.
+    This may require removing now-empty md:Extensions elements.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
-
-	xmlns:exsl="http://exslt.org/common"
-	extension-element-prefixes="exsl"
-
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
-
-	<!--
-		Pass through certain ukfedlabel namespace elements.
-	-->
-	<xsl:template match="ukfedlabel:UKFederationMember | ukfedlabel:AccountableUsers">
-		<xsl:copy>
-			<!--
-				Copy nested text and comments, but not attributes.
-
-				AccountableUsers does not have any attributes.
-
-				UKFederationMember does not have any attributes intended for
-				publication.
-			-->
-			<xsl:apply-templates select="text()|comment()"/>
-		</xsl:copy>
-	</xsl:template>
-
-	<!--
-		Strip all other ukfedlabel namespace elements entirely.
-	-->
-	<xsl:template match="ukfedlabel:*"/>
-
-
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
-
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
+
+    xmlns:exsl="http://exslt.org/common"
+    extension-element-prefixes="exsl"
+
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
+
+    <!--
+        Pass through certain ukfedlabel namespace elements.
+    -->
+    <xsl:template match="ukfedlabel:UKFederationMember | ukfedlabel:AccountableUsers">
+        <xsl:copy>
+            <!--
+                Copy nested text and comments, but not attributes.
+
+                AccountableUsers does not have any attributes.
+
+                UKFederationMember does not have any attributes intended for
+                publication.
+            -->
+            <xsl:apply-templates select="text()|comment()"/>
+        </xsl:copy>
+    </xsl:template>
+
+    <!--
+        Strip all other ukfedlabel namespace elements entirely.
+    -->
+    <xsl:template match="ukfedlabel:*"/>
+
+
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
+
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/uk/strip_sirtfi_contacts.xsl b/mdx/uk/strip_sirtfi_contacts.xsl
index daa51068..659847dd 100644
--- a/mdx/uk/strip_sirtfi_contacts.xsl
+++ b/mdx/uk/strip_sirtfi_contacts.xsl
@@ -1,34 +1,34 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-	strip_sirtfi_contacts.xsl
+    strip_sirtfi_contacts.xsl
 
-	Strip out any UK federation-registered ContactPerson elements associated with SIRTFI.
+    Strip out any UK federation-registered ContactPerson elements associated with SIRTFI.
 -->
 <xsl:stylesheet version="1.0"
-	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
-	xmlns:remd="http://refeds.org/metadata"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
+    xmlns:remd="http://refeds.org/metadata"
 
-	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-	exclude-result-prefixes="md">
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    exclude-result-prefixes="md">
 
-	<xsl:template match="md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
-		/md:ContactPerson[@contactType='other'][@remd:contactType='http://refeds.org/metadata/contactType/security']">
-		<!-- remove -->
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor[md:Extensions/mdrpi:RegistrationInfo[@registrationAuthority='http://ukfederation.org.uk']]
+        /md:ContactPerson[@contactType='other'][@remd:contactType='http://refeds.org/metadata/contactType/security']">
+        <!-- remove -->
+    </xsl:template>
 
-	<!--By default, copy text blocks, comments and attributes unchanged.-->
-	<xsl:template match="text()|comment()|@*">
-		<xsl:copy/>
-	</xsl:template>
+    <!--By default, copy text blocks, comments and attributes unchanged.-->
+    <xsl:template match="text()|comment()|@*">
+        <xsl:copy/>
+    </xsl:template>
 
-	<!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
-	<xsl:template match="*">
-		<xsl:copy>
-			<xsl:apply-templates select="node()|@*"/>
-		</xsl:copy>
-	</xsl:template>
+    <!--By default, copy all elements from the input to the output, along with their attributes and contents.-->
+    <xsl:template match="*">
+        <xsl:copy>
+            <xsl:apply-templates select="node()|@*"/>
+        </xsl:copy>
+    </xsl:template>
 
 </xsl:stylesheet>
diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml
index 2c132199..8d99949b 100644
--- a/mdx/us_incommon/beans.xml
+++ b/mdx/us_incommon/beans.xml
@@ -45,7 +45,7 @@
         InCommon signing certificate.
     -->
     <bean id="us_incommon_signingCertificate" parent="X509CertificateFactoryBean"
-    	p:resource="classpath:us_incommon/inc-md-cert.pem"/>
+        p:resource="classpath:us_incommon/inc-md-cert.pem"/>
 
     <!--
         Check InCommon signing signature.
diff --git a/utilities/2016-09-16/gen-id-to-name.xsl b/utilities/2016-09-16/gen-id-to-name.xsl
index a2c477cc..4f1d0a7b 100644
--- a/utilities/2016-09-16/gen-id-to-name.xsl
+++ b/utilities/2016-09-16/gen-id-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="members:Member">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="members:Name"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="members:Member">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="members:Name"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2016-09-16/gen-ukid-to-name.xsl b/utilities/2016-09-16/gen-ukid-to-name.xsl
index 3df2bd3b..0cd3ba9f 100644
--- a/utilities/2016-09-16/gen-ukid-to-name.xsl
+++ b/utilities/2016-09-16/gen-ukid-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="md:EntityDescriptor">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="md:Organization/md:OrganizationName"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="md:EntityDescriptor">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="md:Organization/md:OrganizationName"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2016-10-06/gen-id-to-name.xsl b/utilities/2016-10-06/gen-id-to-name.xsl
index a2c477cc..4f1d0a7b 100644
--- a/utilities/2016-10-06/gen-id-to-name.xsl
+++ b/utilities/2016-10-06/gen-id-to-name.xsl
@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0"
-	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
     xmlns:members="http://ukfederation.org.uk/2007/01/members"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
-	<xsl:output method="text" encoding="UTF-8"/>
+    <xsl:output method="text" encoding="UTF-8"/>
 
-	<xsl:template match="members:Member">
-		<xsl:value-of select="@ID"/>
-		<xsl:text>&#9;</xsl:text>
-		<xsl:value-of select="members:Name"/>
-		<xsl:text>&#10;</xsl:text>
-	</xsl:template>
+    <xsl:template match="members:Member">
+        <xsl:value-of select="@ID"/>
+        <xsl:text>&#9;</xsl:text>
+        <xsl:value-of select="members:Name"/>
+        <xsl:text>&#10;</xsl:text>
+    </xsl:template>
 
-	<xsl:template match="text()">
-		<!-- do nothing -->
-	</xsl:template>
+    <xsl:template match="text()">
+        <!-- do nothing -->
+    </xsl:template>
 </xsl:stylesheet>
diff --git a/utilities/2017-02-27/listHideFromWAYFandEA.xsl b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
index fcd27029..44d25f20 100644
--- a/utilities/2017-02-27/listHideFromWAYFandEA.xsl
+++ b/utilities/2017-02-27/listHideFromWAYFandEA.xsl
@@ -9,8 +9,8 @@
         <xsl:output method="text" encoding="UTF-8"/>
 
         <xsl:template match="md:EntityDescriptor
-		                    [md:Extensions/mdattr:EntityAttributes]
-		                    [md:Extensions/wayf:HideFromWAYF]">
+                            [md:Extensions/mdattr:EntityAttributes]
+                            [md:Extensions/wayf:HideFromWAYF]">
                 <xsl:value-of select="@entityID"/>
                 <xsl:text>&#10;</xsl:text>
         </xsl:template>

From 5e7ec9a68d44ba50e3c2b9b8416ea8adeaf409cc Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 22 Jun 2017 15:09:44 +0100
Subject: [PATCH 74/80] Switch to static ID values for wayf and cdsall
 aggregates

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 94dd2f9b..0b74b2b6 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -350,6 +350,7 @@
 
                 <ref bean="stripMdattrNamespace"/>
                 <ref bean="uk_finaliseProduction"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- WAYF aggregate MUST pass publishability test -->
@@ -467,6 +468,7 @@
                 <ref bean="stripEmptyExtensions"/>
 
                 <ref bean="CDSFinalise"/>
+                <ref bean="setStaticID"/>
                 <ref bean="CDSNormaliseNamespaces"/>
 
                 <!-- schema validity check MUST pass -->

From e74256afbadaafa2520c7fb9390500ccdcae5f5f Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Fri, 23 Jun 2017 15:42:51 +0100
Subject: [PATCH 75/80] Correct runtime message to indicate the actual branch
 that was checked out

---
 build.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 6ca3971a..eac6eaa8 100644
--- a/build.xml
+++ b/build.xml
@@ -874,7 +874,7 @@
       Checks out master branch of data repository
     -->
     <target name="git.data.masterbranch.checkout">
-        <echo>Switching to deferred branch in data repository.</echo>
+        <echo>Switching to master branch in data repository.</echo>
         <exec executable="${git.executable}" dir="${shared.ws.dir}/${git.repo.project.data}" failonerror="true">
             <arg value="checkout"/>
             <arg value="master"/>

From f62ec7684636bab1fc85e89e02d212f13439c8e2 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 26 Jun 2017 15:52:43 +0100
Subject: [PATCH 76/80] Switch to static ID values for production aggregate

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 0b74b2b6..eb923955 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -281,6 +281,7 @@
 
                 <ref bean="uk_assemble"/>
                 <ref bean="uk_finaliseProduction"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseNamespaces"/>
 
                 <!-- production aggregate MUST pass publishability test -->

From 50d788e22f04c98d775d1c52615e31eb7aa9f1e8 Mon Sep 17 00:00:00 2001
From: Alex Stuart <alex.stuart@jisc.ac.uk>
Date: Tue, 11 Jul 2017 09:13:30 +0100
Subject: [PATCH 77/80] Explicitly list IdPs that do not have SAML 2 support in
 the statistics output

---
 mdx/uk/statistics.xsl | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl
index c79539fb..ab3b13c3 100644
--- a/mdx/uk/statistics.xsl
+++ b/mdx/uk/statistics.xsl
@@ -1091,6 +1091,30 @@
                 <p>
                     IdPs: <xsl:value-of select="$nosaml2.idps.count"/>
                 </p>
+                <xsl:if test="$nosaml2.idps.count != 0">
+                    <ul>
+                        <xsl:for-each select="$nosaml2.idps">
+                            <xsl:sort select="descendant::md:OrganizationName"/>
+                            <li>
+                                <xsl:value-of select="@ID"/>
+                                <xsl:text>: </xsl:text>
+                                <xsl:value-of select="descendant::md:OrganizationName"/>
+                                <xsl:text>: </xsl:text>
+                                <xsl:choose>
+                                    <xsl:when test="descendant::mdui:DisplayName">
+                                        <xsl:value-of select="descendant::mdui:DisplayName"/>
+                                    </xsl:when>
+                                    <xsl:otherwise>
+                                        <xsl:text>(</xsl:text>
+                                        <xsl:value-of select="descendant::md:OrganizationDisplayName"/>
+                                        <xsl:text>)</xsl:text>
+                                    </xsl:otherwise>
+                                </xsl:choose>
+                                <xsl:apply-templates select="md:Extensions/ukfedlabel:Software" mode="short"/>
+                            </li>
+                        </xsl:for-each>
+                    </ul>
+                </xsl:if>
                 <xsl:call-template name="entity.breakdown.by.software">
                     <xsl:with-param name="entities" select="$nosaml2.idps"/>
                 </xsl:call-template>

From caac861c59a23e9b9acac7d517df1cfdbae5ac96 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 26 Jul 2017 14:08:44 +0100
Subject: [PATCH 78/80] Switch to static ID values for fallback aggregate

See ukf/ukf-meta#119.
---
 mdx/uk/generate.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index eb923955..0c679ef1 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -522,6 +522,7 @@
                 <ref bean="uk_assemble"/>
                 <ref bean="stripEmptyExtensions"/>
                 <ref bean="uk_finaliseFallback"/>
+                <ref bean="setStaticID"/>
                 <ref bean="uk_normaliseFallback"/>
 
                 <!-- fallback aggregate MUST pass publishability test -->

From 594f7bf26eff6f81ab32b5caa659f40831952a8e Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 2 Aug 2017 11:24:12 +0100
Subject: [PATCH 79/80] Remove unnecessary ID setting code from final_tweak.xsl

See ukf/ukf-meta#119.
---
 mdx/uk/final_tweak.xsl | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/mdx/uk/final_tweak.xsl b/mdx/uk/final_tweak.xsl
index dac0c437..c52acc4c 100644
--- a/mdx/uk/final_tweak.xsl
+++ b/mdx/uk/final_tweak.xsl
@@ -48,20 +48,7 @@
 
     <xsl:variable name="now" select="date:date-time()"/>
     <xsl:variable name="validUntil" select="mdxDates:dateAdd($now, $validityDays)"/>
-
-    <!--
-        documentID
-
-        This value is generated from a normalised version of the aggregation instant,
-        transformed so that it can be used as an XML ID value.
-
-        Strict conformance to the SAML 2.0 metadata specification (section 3.1.2) requires
-        that the signature explicitly references an identifier attribute in the element
-        being signed, in this case the document element.
-    -->
     <xsl:variable name="normalisedNow" select="mdxDates:dateAdd($now, 0)"/>
-    <xsl:variable name="documentID"
-        select="concat('uk', translate($normalisedNow, ':-', ''))"/>
 
     <!--
         Document root.
@@ -79,9 +66,6 @@
             <xsl:attribute name="validUntil">
                 <xsl:value-of select="$validUntil"/>
             </xsl:attribute>
-            <xsl:attribute name="ID">
-                <xsl:value-of select="$documentID"/>
-            </xsl:attribute>
             <xsl:apply-templates select="@*"/>
             <xsl:call-template name="document.comment"/>
 

From edb58ad560ed6e7f04c3c6c7faede90137ad12a1 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Wed, 2 Aug 2017 15:55:07 +0100
Subject: [PATCH 80/80] Avoid duplicate variables

See ukf/ukf-meta#135.
---
 mdx/_rules/check_saml2meta.xsl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mdx/_rules/check_saml2meta.xsl b/mdx/_rules/check_saml2meta.xsl
index 877d5306..42b5fad4 100644
--- a/mdx/_rules/check_saml2meta.xsl
+++ b/mdx/_rules/check_saml2meta.xsl
@@ -37,9 +37,9 @@
             </xsl:call-template>
         </xsl:if>
 
-        <xsl:variable name="indices" select="md:AssertionConsumerService/@index"/>
-        <xsl:variable name="distinct.indices" select="set:distinct($indices)"/>
-        <xsl:if test="count($indices) != count($distinct.indices)">
+        <xsl:variable name="indices2" select="md:AssertionConsumerService/@index"/>
+        <xsl:variable name="distinct.indices2" select="set:distinct($indices2)"/>
+        <xsl:if test="count($indices2) != count($distinct.indices2)">
             <xsl:call-template name="error">
                 <xsl:with-param name="m">AssertionConsumerService index values not all different</xsl:with-param>
             </xsl:call-template>