
From nobody Wed Aug  5 09:52:41 2015
Return-Path: <alissa@cooperw.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63B2A1B31E2; Wed,  5 Aug 2015 09:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id guV5NYfCX_5V; Wed,  5 Aug 2015 09:52:31 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CE521B31E5; Wed,  5 Aug 2015 09:51:45 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Alissa Cooper" <alissa@cooperw.in>
To: "The IESG" <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.3.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150805165145.18515.51753.idtracker@ietfa.amsl.com>
Date: Wed, 05 Aug 2015 09:51:45 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/uSPwxWpcrPFqMOyP0UVkTl-A2MY>
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-introspection-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 16:52:32 -0000

Alissa Cooper has entered the following ballot position for
draft-ietf-oauth-introspection-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for addressing my DISCUSS and COMMENTs!



From nobody Wed Aug  5 12:33:20 2015
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57A371A1B30; Wed,  5 Aug 2015 12:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwRvB347PjN0; Wed,  5 Aug 2015 12:33:14 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6381A1B5A; Wed,  5 Aug 2015 12:32:48 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.3.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150805193248.5976.84721.idtracker@ietfa.amsl.com>
Date: Wed, 05 Aug 2015 12:32:48 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1iIWksIk-mmb8sscnZ8q3QyhjT4>
Cc: oauth chair <oauth-chairs@ietf.org>, oauth mailing list <oauth@ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [OAUTH-WG] Protocol Action: 'OAuth 2.0 Token Introspection' to Proposed Standard (draft-ietf-oauth-introspection-11.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 19:33:15 -0000

The IESG has approved the following document:
- 'OAuth 2.0 Token Introspection'
  (draft-ietf-oauth-introspection-11.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working
Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/





Technical Summary

   The "OAuth 2.0 Token Introspection" specification defines a method 
   for a protected resource to query an OAuth 2.0 authorization server 
   to determine the active state of an OAuth 2.0 token and to determine 
   meta-information about this token. OAuth 2.0 deployments can use 
   this method to convey information about the authorization context 
   of the token from the authorization server to the protected resource.

Working Group Summary

There was no controversy. When the specification was brought 
to the working group the concept was already well established and 
in use. 

Document Quality

There are multiple implementations of this specification, 
with links included in the shepherd writeup.

Personnel

Hannes Tschofenig is the document shepherd and Kathleen Moriarty is 
the responsible area director.

IANA Note

The IANA consideration section defines a new registry, called 
"OAuth Token Introspection Response Registry", and populates this 
registry with 12 values.  Additional entries may be added with a 
Specification Required ([RFC5226]) and Designated Expert review on
the oauth-ext-review@ietf.org mailing list.
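
A worked model of the introspection exchange summarised above, added here as an
illustration; it is not part of the IESG announcement or of the specification's
own text. It models both sides offline in Python: the protected resource builds
the POST to the introspection endpoint, the authorization server authenticates
the caller and answers with the token's state and metadata, and the protected
resource decides from that answer alone. The token values, the "rs-1" caller
credentials, the audience URL, the fixed clock and the use of HTTP Basic for
caller authentication are all constructed assumptions for the example.

```python
"""Worked example of an OAuth 2.0 token introspection exchange.

build_introspection_request() is what the protected resource sends,
introspect() is the authorization server's endpoint handler, and
authorize_request() is the protected resource's decision on the answer.
All tokens, credentials, URLs and timestamps are constructed for the example.
"""
import base64
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

NOW = 1_438_800_000  # fixed clock so results are deterministic (constructed)
RESOURCE_AUDIENCE = "https://protected.example.net/resource"  # constructed

# Credentials the AS accepts on the introspection endpoint (constructed). The
# endpoint must authenticate its callers, or anyone holding a token can mine
# the metadata behind it.
RS_CREDENTIALS = {"rs-1": "rs-1-secret"}

# Opaque access tokens the AS issued, keyed by token value (constructed).
TOKEN_STORE = {
    "tok-valid-8f3a": {
        "client_id": "client-42", "username": "jdoe", "sub": "user-7",
        "scope": "read write", "aud": RESOURCE_AUDIENCE,
        "iss": "https://as.example.com/", "token_type": "Bearer",
        "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
    },
    "tok-expired-1c2d": {
        "client_id": "client-42", "sub": "user-7", "scope": "read",
        "aud": RESOURCE_AUDIENCE, "iss": "https://as.example.com/",
        "token_type": "Bearer", "iat": NOW - 7200, "nbf": NOW - 7200,
        "exp": NOW - 3600,
    },
    "tok-revoked-9e0b": {
        "client_id": "client-42", "sub": "user-7", "scope": "read write",
        "aud": RESOURCE_AUDIENCE, "iss": "https://as.example.com/",
        "token_type": "Bearer", "iat": NOW - 60, "nbf": NOW - 60,
        "exp": NOW + 3600, "revoked": True,
    },
}


def build_introspection_request(token: str, rs_id: str, rs_secret: str) -> tuple[str, str]:
    """Protected resource side: form body and Authorization header for POST /introspect."""
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    creds = base64.b64encode(f"{rs_id}:{rs_secret}".encode()).decode()
    return body, f"Basic {creds}"


def authenticate_caller(auth_header: Optional[str]) -> Optional[str]:
    """Check the HTTP Basic credentials of the introspection caller; None if rejected."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        rs_id, _, secret = base64.b64decode(auth_header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = RS_CREDENTIALS.get(rs_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return rs_id


def lookup_token(token: str) -> Optional[dict]:
    """Find stored metadata; every entry is compared so timing does not reveal which one matched."""
    found = None
    for stored, meta in TOKEN_STORE.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            found = meta
    return found


def introspect(body: str, auth_header: Optional[str], now: int = NOW) -> tuple[int, dict]:
    """Authorization server side: returns (HTTP status, JSON response object)."""
    if authenticate_caller(auth_header) is None:
        return 401, {"error": "invalid_client"}
    token = parse_qs(body).get("token", [""])[0]
    if not token:
        return 400, {"error": "invalid_request"}
    meta = lookup_token(token)
    # Unknown, revoked, expired and not-yet-valid tokens all get the same minimal
    # answer, so the caller cannot tell "never issued" from "revoked".
    if meta is None or meta.get("revoked") or not (meta["nbf"] <= now < meta["exp"]):
        return 200, {"active": False}
    return 200, {"active": True, **{k: v for k, v in meta.items() if k != "revoked"}}


def authorize_request(response: dict, required_scope: str, now: int = NOW) -> bool:
    """Protected resource side: decide from the introspection response alone."""
    if response.get("active") is not True:
        return False
    if "exp" in response and response["exp"] <= now:  # defence in depth against AS clock drift
        return False
    aud = response.get("aud")
    audiences = aud if isinstance(aud, list) else ([aud] if aud else [])
    if RESOURCE_AUDIENCE not in audiences:  # token was minted for a different resource
        return False
    return required_scope in response.get("scope", "").split()


def check_token(token: str, required_scope: str) -> bool:
    """Full exchange: the RS builds the request, the AS answers, the RS decides."""
    body, header = build_introspection_request(token, "rs-1", "rs-1-secret")
    status, response = introspect(body, header)
    return status == 200 and authorize_request(response, required_scope)
```

The two checks a deployment most often gets wrong are both visible here: the
endpoint refuses unauthenticated callers before it looks at the token, and every
negative case collapses to {"active": false} so the response does not become an
oracle for guessing or enumerating tokens. The protected resource still checks
audience and scope itself rather than treating "active" as sufficient.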


From nobody Mon Aug 10 20:42:24 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69C701AC39F for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:42:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnhpzowYUdLz for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:42:21 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0758.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:758]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A4BD1ABC0F for <oauth@ietf.org>; Mon, 10 Aug 2015 20:42:21 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 03:42:02 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 03:42:03 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AS in introduction of proof-of-possession-02
Thread-Index: AQHQZQbO5oVhUevPMkCOrC3XgJea1Z4HBLxQ
Date: Tue, 11 Aug 2015 03:42:02 +0000
Message-ID: <BY2PR03MB4421D75C1126745B6C3DFACF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCTMdCe64iRGTFpk8DCfzJURxyWKEEzkSzEr=8jwgxpdnQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTMdCe64iRGTFpk8DCfzJURxyWKEEzkSzEr=8jwgxpdnQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:LB7H8ietad5cTuOau06y3wV7JPF11LVqQo9qC0mNGaxYo0NJtBVJudYIWK2qnXYY+ZXO0Y4Q/78jv4EhyoPWpG0iRecBNHqzt3q6zt32W51HKu2fRwxafO9573oxXY4uBhKxTV4f5v3CryiL2Zbz+w==; 24:7i9T86aQcdyiPk4MPZXS9PximZf3gad0HBLS9DXUnlcSFL5k+pDdZyizMSvoIL0KojsQ4bn7KIbPgHPkOebtiPyBHN9WK3rJWjy2XewIn7Y=; 20:4rGEQlcivwirkZ/9tavwcjBgVYfklXcYB9l2jy2dT6d965xHl0AycEYnlEDeW9Z1wTRbCxvw4fozX6Gwr7vvQQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB444ABF52139DA0D9BB2601DF57F0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(377454003)(189002)(87936001)(46102003)(19617315012)(230783001)(107886002)(189998001)(16236675004)(15975445007)(5001860100001)(19609705001)(102836002)(77096005)(76176999)(8990500004)(10400500002)(81156007)(97736004)(5001830100001)(4001540100001)(5003600100002)(5001770100001)(10290500002)(54356999)(5001960100002)(76576001)(101416001)(105586002)(99286002)(19625215002)(5005710100001)(106116001)(5002640100001)(50986999)(68736005)(19580405001)(33656002)(106356001)(2656002)(2950100001)(64706001)(86612001)(2900100001)(122556002)(77156002)(10090500001)(74316001)(62966003)(92566002)(19580395003)(66066001)(86362001)(19300405004)(40100003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4421D75C1126745B6C3DFACF57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 03:42:02.4583 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hHH1j74L68S-CoP-clPKDC8J8H8>
Subject: Re: [OAUTH-WG] AS in introduction of proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 03:42:23 -0000

--_000_BY2PR03MB4421D75C1126745B6C3DFACF57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BY2PR03MB4421D75C1126745B6C3DFACF57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB4421D75C1126745B6C3DFACF57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 20:43:46 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0A1D1A92AF for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:43:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jnt3CMzkRaX4 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:43:43 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0133.outbound.protection.outlook.com [207.46.100.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C22E1AC3C7 for <oauth@ietf.org>; Mon, 10 Aug 2015 20:43:43 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 03:43:42 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 03:43:42 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] similar to a certificate? intro of proof-of-possession-02
Thread-Index: AQHQZQi0h2z9vTWVw0+Ze8xecxg63J4HBZCw
Date: Tue, 11 Aug 2015 03:43:42 +0000
Message-ID: <BY2PR03MB442E344E110D050E0EFB980F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCTfUuVi+ozx6n9nYbKQNUzWXwgpQKdrrPbO4sBJicmgzg@mail.gmail.com>
In-Reply-To: <CA+k3eCTfUuVi+ozx6n9nYbKQNUzWXwgpQKdrrPbO4sBJicmgzg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:Yd/v2tqde5U2LNRDL1/n3ZcSHWd5xnGR58t6I5uwtn2xlS2S3aj8eNxW24zm1Xo1Lt+pyipQIAP6ZVVXAmXzoSaFjwBnImY6yFriPr/b3YtqtvEphrMFaJuYxS93vGiUhu9mWvrdW987bWT6ye9i3A==; 24:mmck3HY4I2W6JBW7TWKtMKBUreZCjcjLY5uhCTy7teVq3TSvyXZ2nytAIMh+yT3EFcjwzEkyY/vlByGA1V75f4uetXLq0y8T7ajCgeByNLg=; 20:WzBySsvqKYZOWatzxNMsO3VCqSG9sDvYlWpDCKMHsk5q7yxx2yLLgqrYhyYK0VCTYO+gMAUpVLAN/R+hj/rUUg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB4448AAA9C0F7B5E548ED6A8F57F0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(43784003)(199003)(377454003)(189002)(87936001)(46102003)(19617315012)(230783001)(107886002)(189998001)(16236675004)(15975445007)(5001860100001)(19609705001)(102836002)(77096005)(76176999)(8990500004)(10400500002)(81156007)(97736004)(5001830100001)(4001540100001)(5003600100002)(5001770100001)(10290500002)(54356999)(5001960100002)(76576001)(101416001)(105586002)(99286002)(19625215002)(5005710100001)(106116001)(5002640100001)(50986999)(68736005)(19580405001)(33656002)(106356001)(2656002)(2950100001)(64706001)(86612001)(2900100001)(122556002)(77156002)(10090500001)(74316001)(62966003)(92566002)(19580395003)(66066001)(86362001)(19300405004)(40100003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442E344E110D050E0EFB980F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 03:43:42.2526 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RM1xikXNlTKJyCS7yQ3UQc5QYm0>
Subject: Re: [OAUTH-WG] similar to a certificate? intro of proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 03:43:44 -0000

--_000_BY2PR03MB442E344E110D050E0EFB980F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E344E110D050E0EFB980F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E344E110D050E0EFB980F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 20:46:23 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA89B1AC3F9 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mq8qlVlTXo5B for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:46:20 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0739.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:739]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4655D1AC3E4 for <oauth@ietf.org>; Mon, 10 Aug 2015 20:46:20 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 03:46:01 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 03:46:01 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02
Thread-Index: AQHQZQrDEdqJurhWH0i05zydVfQXcZ4HBgmg
Date: Tue, 11 Aug 2015 03:46:01 +0000
Message-ID: <BY2PR03MB442E8A02D248AF92C52FA80F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSydCCrsrAdmm=5z-bQLpQZkPdJxYK3xWvfttWSbB9=uA@mail.gmail.com>
In-Reply-To: <CA+k3eCSydCCrsrAdmm=5z-bQLpQZkPdJxYK3xWvfttWSbB9=uA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:BQHkaUsbK2c8epFdZdQCL65WclVV4rg8/C5wZgdY4dbAVQ3hoalZv0lRGo0QICNwNnL0RefPXF7g+bAXP9D3P/7yfU4qGFY5gqNxz7GP3QQHXxSLWrQ8Wvwz7Xw9jmPlSAhXmEdvEXcbNxwIdtbZQA==; 24:zXvlb4JB1q4Wj7J6dxKcsLmbaG4je5k/GSvjxQuehChHbFNHZgYASUuFeDOxTvQosAf0JK7dY5FuQ+/Q9ra9/LQNWv6p+cOoqKIkxG2IFGU=; 20:c33ZKxi5OnI7JWPjG0OeESEJJrcoZhPlY0IisWGfr2KILErHqv0WxdMYBmsN7gffgPAUjS/+w8MMEZQAA5MWzQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB444A45DDCA76606A634C61FF57F0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(43784003)(199003)(377454003)(189002)(87936001)(46102003)(19617315012)(230783001)(107886002)(189998001)(16236675004)(15975445007)(5001860100001)(19609705001)(102836002)(77096005)(76176999)(8990500004)(10400500002)(81156007)(97736004)(5001830100001)(4001540100001)(5003600100002)(5001770100001)(10290500002)(54356999)(5001960100002)(76576001)(101416001)(105586002)(99286002)(19625215002)(5005710100001)(106116001)(5002640100001)(50986999)(68736005)(19580405001)(33656002)(106356001)(2656002)(2950100001)(64706001)(86612001)(2900100001)(122556002)(77156002)(10090500001)(74316001)(62966003)(92566002)(19580395003)(66066001)(86362001)(19300405004)(40100003)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442E8A02D248AF92C52FA80F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 03:46:01.1253 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fNzne8nyEwrPze04Dz2La0OmwY0>
Subject: Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 03:46:23 -0000

--_000_BY2PR03MB442E8A02D248AF92C52FA80F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E8A02D248AF92C52FA80F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E8A02D248AF92C52FA80F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 20:47:51 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5CE31AC42E for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQFeAXd9jLBx for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:47:48 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0124.outbound.protection.outlook.com [207.46.100.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679BD1AC42D for <oauth@ietf.org>; Mon, 10 Aug 2015 20:47:48 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 03:47:47 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 03:47:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] 2119 abuse at the end of section 3 proof-of-possession-02
Thread-Index: AQHQZQxTpn571GL/y0irw0zWMpsYVp4HBpLA
Date: Tue, 11 Aug 2015 03:47:47 +0000
Message-ID: <BY2PR03MB442E4D3F8618FBAD0C0A8E8F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCS4JpencecU73CroVvvRcC30cbmN5ZZqgzQvNLdT+--NA@mail.gmail.com>
In-Reply-To: <CA+k3eCS4JpencecU73CroVvvRcC30cbmN5ZZqgzQvNLdT+--NA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:ZbrUhFnfixlI+yuS8SLY/S0u2VYZtyYkMm6uyIx/ZWtuaztACgxYHd/SCtIpgIAqD1Q8lW+CCGuv9kqDPejYDm4SK6rAlgo+74mPICu39YYSrXZC8zRr/FM6pLDqiQitjGcOkdQncjPzpDXXeUgDNQ==; 24:eRGWQ+eH7BcLRrs7cNWKPtGyRtUSGK4ZpVyXu7ISuQMbXUqqp9CywyPFKoIkWStdq0CMDPIhnTYl5i2bd5F8RrMRJo0F6UrjWUSdLkC0lMQ=; 20:CUA9EOJi0a9ybewMGCZUU9qFc2JqMfKIevV1F4G4I/+aKBBkqqx0tTXQmagx+8orCUFlfG5RiPBSBAK/al9u8A==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB444EC158EE16993354DFD9EF57F0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(377454003)(189002)(87936001)(46102003)(19617315012)(230783001)(107886002)(189998001)(16236675004)(15975445007)(5001860100001)(19609705001)(102836002)(77096005)(76176999)(8990500004)(10400500002)(81156007)(97736004)(5001830100001)(4001540100001)(5003600100002)(5001770100001)(10290500002)(54356999)(5001960100002)(76576001)(101416001)(105586002)(99286002)(19625215002)(5005710100001)(106116001)(5002640100001)(50986999)(68736005)(19580405001)(33656002)(106356001)(2656002)(2950100001)(64706001)(86612001)(2900100001)(122556002)(77156002)(10090500001)(74316001)(62966003)(92566002)(19580395003)(66066001)(86362001)(19300405004)(40100003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442E4D3F8618FBAD0C0A8E8F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 03:47:47.2517 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/wU4UaiiM0bgY1-87dXBeYuWyEiI>
Subject: Re: [OAUTH-WG] 2119 abuse at the end of section 3 proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 03:47:50 -0000

--_000_BY2PR03MB442E4D3F8618FBAD0C0A8E8F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E4D3F8618FBAD0C0A8E8F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442E4D3F8618FBAD0C0A8E8F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 20:49:27 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7313C1AC436 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:49:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5F0mO_BMYBB for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 20:49:24 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0134.outbound.protection.outlook.com [207.46.100.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEF571AC435 for <oauth@ietf.org>; Mon, 10 Aug 2015 20:49:24 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 03:49:24 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 03:49:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] refs and links in proof-of-possession-02 section 3.2
Thread-Index: AQHQZQ8Soxk9oayibkOiEJqpxcFSTZ4HBvJw
Date: Tue, 11 Aug 2015 03:49:24 +0000
Message-ID: <BY2PR03MB44203294761C526B3C27D1DF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSVvectGiBHP-yyRoiuviWMEnmADwh91copJ4Z05rVjqw@mail.gmail.com>
In-Reply-To: <CA+k3eCSVvectGiBHP-yyRoiuviWMEnmADwh91copJ4Z05rVjqw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/bZDoAMxP6f00FSfRfsbPgaZG1LI>
Subject: Re: [OAUTH-WG] refs and links in proof-of-possession-02 section 3.2



From nobody Mon Aug 10 20:51:46 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Date: Tue, 11 Aug 2015 03:51:43 +0000
Message-ID: <BY2PR03MB4429B77C8FCD39807C8B16EF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSKNm7L7_VN=wVQ21bgAtXs+BAD7kVSkYpQNLfPDppUaQ@mail.gmail.com>
In-Reply-To: <CA+k3eCSKNm7L7_VN=wVQ21bgAtXs+BAD7kVSkYpQNLfPDppUaQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TP9UU9MQ-QKVNyoGSHX6FSI30-o>
Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?



From nobody Mon Aug 10 20:57:31 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Date: Tue, 11 Aug 2015 03:57:07 +0000
Message-ID: <BY2PR03MB442178CDA590A3603391848F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCTUpYwPqswQsya__YPaWiSX3HFXzecrcEHZbV0XRpDJiw@mail.gmail.com>
In-Reply-To: <CA+k3eCTUpYwPqswQsya__YPaWiSX3HFXzecrcEHZbV0XRpDJiw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/xc9_5wLklJWsCkUprrFkOxJm8-A>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?



From nobody Mon Aug 10 20:59:18 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Date: Tue, 11 Aug 2015 03:58:48 +0000
Message-ID: <BY2PR03MB442392B66046D6C2F741C53F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCREg9xvmaaSnLss1Vbbh15hK+Gob-Cv3LvY7tV+E0Z6=g@mail.gmail.com>
In-Reply-To: <CA+k3eCREg9xvmaaSnLss1Vbbh15hK+Gob-Cv3LvY7tV+E0Z6=g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/UXd8x-S_KQBfAnvucIboKDhU2Ag>
Subject: Re: [OAUTH-WG] jwk as member for both asymmetric and symmetric in proof-of-possession-02



From nobody Mon Aug 10 20:59:58 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Aug 2015 03:59:54 +0000
Message-ID: <BY2PR03MB442ED7120A824B01E8F349DF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSKNm7L7_VN=wVQ21bgAtXs+BAD7kVSkYpQNLfPDppUaQ@mail.gmail.com> <CABzCy2CJCaa1jPogeogy1M9XCNqhfy8xJ-JY00b4w3_JKf8Q0w@mail.gmail.com>
In-Reply-To: <CABzCy2CJCaa1jPogeogy1M9XCNqhfy8xJ-JY00b4w3_JKf8Q0w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MJ8tcVhLYp_cxChbnKhxHBc4bek>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 cnf via key thumbprint?



From nobody Mon Aug 10 21:05:00 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Date: Tue, 11 Aug 2015 04:02:12 +0000
Message-ID: <BY2PR03MB4423C60EE0914BA397FC259F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CPtW7ymS7_Mv-4Mjt=x47WGyybKUzpRTdQ+bsJUyB71g@mail.gmail.com>
In-Reply-To: <CABzCy2CPtW7ymS7_Mv-4Mjt=x47WGyybKUzpRTdQ+bsJUyB71g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/FOKpmKKwKb8ZveVp6dW-j-c0riE>
Subject: Re: [OAUTH-WG] The use of sub in POP-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 04:04:58 -0000

--_000_BY2PR03MB4423C60EE0914BA397FC259F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BY2PR03MB4423C60EE0914BA397FC259F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB4423C60EE0914BA397FC259F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 21:09:11 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E7B71ACD62 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:09:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5UXehAIYu38s for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:09:07 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0773.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:773]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11DFE1ACD54 for <oauth@ietf.org>; Mon, 10 Aug 2015 21:09:06 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 04:08:46 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 04:08:46 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] confirmation model in proof-of-possession-02
Thread-Index: AQHQZYOD4shzE+g7vkWTjrRAWSEG2J4HCrvg
Date: Tue, 11 Aug 2015 04:08:45 +0000
Message-ID: <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com>
In-Reply-To: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:8OB8oHdR2QXvrM+g6umhBB/U/4e55EFxjWfVp9rbRTngaAuqC5XRYyGsYy9TjkRA6oKIpzvG9f08VNvGgph5848ruTAKbQ1yUze8FWwDKQxiI6u0gQjqxRabuDzYtpc5vkhDI3oQPBlY04vFTavFHg==; 24:8vjZLqZ7Qe2thT1zIbed+7QOoNssIc0Un+xx1Jsiu2+s0NK/g1ef1o9dzP0VExKzrBz+ej902MzIQvfTfu1VtvfynwmhG1vS4B/IBTmAb6A=; 20:5pjrooWtqBzq5UQk+wwlbSbFCH0MABXz0zCrEuxa88ea7DYWv/Wb1wNfofiTpVYOOCJ+e2Ia+xm2HNkib9MfOw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB441388D53FA7C1F826950E8F57F0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(189002)(199003)(377454003)(43784003)(105586002)(10400500002)(2656002)(66066001)(76176999)(68736005)(5005710100001)(19580395003)(77096005)(122556002)(2950100001)(62966003)(5003600100002)(76576001)(74316001)(102836002)(54356999)(15975445007)(5002640100001)(40100003)(8990500004)(19580405001)(2900100001)(10290500002)(77156002)(86362001)(87936001)(5001770100001)(10090500001)(16236675004)(5001860100001)(106356001)(64706001)(50986999)(189998001)(230783001)(106116001)(5001960100002)(19609705001)(97736004)(99286002)(5001830100001)(19617315012)(4001540100001)(19300405004)(33656002)(81156007)(101416001)(92566002)(19625215002)(86612001)(46102003)(107886002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 04:08:45.8524 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/KjUK7XOxGLBJaWzCP1Rcta1BaYs>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 04:09:09 -0000

--_000_BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 21:12:21 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9329D1AC3A1 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3qu205_Y2sN for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:12:17 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0110.outbound.protection.outlook.com [65.55.169.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 995A91ACD8F for <oauth@ietf.org>; Mon, 10 Aug 2015 21:12:15 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 04:12:13 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 04:12:13 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@MIT.EDU>, "<oauth@ietf.org>" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession
Thread-Index: AQHQZoqlZC3er+y8/kK+DgLxot7vl54HCfQA
Date: Tue, 11 Aug 2015 04:12:13 +0000
Message-ID: <BY2PR03MB44243DFA2155157BC63393EF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <6DA5408F-2E11-45AE-A190-1724958D7960@mit.edu>
In-Reply-To: <6DA5408F-2E11-45AE-A190-1724958D7960@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:TN229RI9rf/gNIqVlCQw6ks7SGafaLR3A9nsZLHUsLj0hkyfKoUpN9cyJ6k25+IHCuauVlTtCjtj/FGYYYTtdtVEn9nZqVZAnz05+9zkQ5CcTScBC60rSG6CZfkMXBebrLs3uzgB4UMfk1Oa+hyf1Q==; 24:E1UjULgSAccQmvGYOjURfHaN+eEYoNru+SoXRXnoJHVnkVvRR1DX712jjUO9XZB6m2Ya/yL7LqvH154COAUD/agVf3xBqpST41+2c7qs9VA=; 20:apiwjjbMKbmnG3Ze7aiuPmxieLr9txgQb0ZySK+gE4LDuMHYCgSGl2f/sGKa2vylHF/HrY1V14m05GudoX7eRw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB441057581478DACF24F91CDF57F0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(377454003)(43784003)(13464003)(105586002)(10400500002)(2656002)(66066001)(76176999)(68736005)(5005710100001)(19580395003)(77096005)(122556002)(2950100001)(62966003)(5003600100002)(76576001)(74316001)(102836002)(54356999)(5002640100001)(40100003)(8990500004)(19580405001)(2900100001)(10290500002)(77156002)(86362001)(87936001)(5001770100001)(10090500001)(5001860100001)(106356001)(64706001)(50986999)(189998001)(230783001)(2171001)(106116001)(5001960100002)(97736004)(99286002)(5001830100001)(4001540100001)(33656002)(81156007)(101416001)(92566002)(86612001)(110136002)(46102003)(107886002)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 04:12:13.1411 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MjJYBqsm6H10lZ3pf-PzJSWDCEI>
Subject: Re: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 04:12:19 -0000


From nobody Mon Aug 10 21:17:12 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8BF81ACD92 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AjOEm78jewub for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 21:17:09 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0765.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::765]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD3F1A01F0 for <oauth@ietf.org>; Mon, 10 Aug 2015 21:17:08 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 04:17:04 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 04:17:04 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession
Thread-Index: AQHQZpU8IgJqjygHb0Srh12683YxeJ4HCy1g
Date: Tue, 11 Aug 2015 04:17:04 +0000
Message-ID: <BY2PR03MB4423FBF166B5111249676C8F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <6DA5408F-2E11-45AE-A190-1724958D7960@mit.edu> <CABzCy2BwEnh__mBveDgzBfkByhHjxpwK+mEG1vHJ+bY7kqQr4w@mail.gmail.com>
In-Reply-To: <CABzCy2BwEnh__mBveDgzBfkByhHjxpwK+mEG1vHJ+bY7kqQr4w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:x7cfB43Vijl1pNNYF6dnP4bXKoFlCLCxFpDJe0HpgcgdXYOmU9IQ0xxSpCSXMqYBmFAnB+OndogkElzTgJbuxbna1PqzQ3LCRz/JRppiNjb74gkZl3REAb2Z732clSxhoTHQlvqqxd3E4/HPOoqZgQ==; 24:wtO5Hf6/Zwttl+G0VO1Z1lrzDVv9dfhcLmf2AJO1vNtGaVrf2ma/kinwIlt04hmoFSwPGkvivwbt+/rpR3MEdfL3pGfI7wV6eNU5jsLqX1I=; 20:AndRrEx2XHyPgPszcYLzSFYyTmo6Sp3l8oDJw6n5GnSe0rWDfoPFyxRDu0/ikZZnhA/fjwkP57eAONJJoe8yEg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB4417916AF568B719E32221BF57F0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(189002)(377424004)(199003)(377454003)(105586002)(10400500002)(2656002)(66066001)(76176999)(68736005)(5005710100001)(19580395003)(77096005)(122556002)(2950100001)(62966003)(5003600100002)(76576001)(74316001)(102836002)(54356999)(15975445007)(5002640100001)(40100003)(8990500004)(19580405001)(2900100001)(10290500002)(77156002)(86362001)(87936001)(5001770100001)(10090500001)(16236675004)(5001860100001)(106356001)(64706001)(50986999)(189998001)(230783001)(2171001)(106116001)(5001960100002)(19609705001)(97736004)(99286002)(5001830100001)(19617315012)(4001540100001)(19300405004)(33656002)(81156007)(101416001)(92566002)(19625215002)(86612001)(46102003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4423FBF166B5111249676C8F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 04:17:04.0662 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/PiBI_SXtH91jqrZu9vOM2ZRfbtc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 04:17:11 -0000

--_000_BY2PR03MB4423FBF166B5111249676C8F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB4423FBF166B5111249676C8F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BY2PR03MB4423FBF166B5111249676C8F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 22:12:56 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C32EF1A00BF for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 22:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2TPzSbKrBkT for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 22:12:51 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0129.outbound.protection.outlook.com [207.46.100.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418801A009B for <oauth@ietf.org>; Mon, 10 Aug 2015 22:12:51 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 05:12:49 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 05:12:49 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
Thread-Index: AQHQZwDsLoYVszt6jEeQRXex8srb+J4HC5Iw
Date: Tue, 11 Aug 2015 05:12:48 +0000
Message-ID: <BY2PR03MB44209EC64A7DCD857F52D22F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com>
In-Reply-To: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:8cTv5xmmHKj/XpmYcjJf4V0gAYlieXDTSf7PyQbrAqMuk7q5mHGxYL4uPix9omTIuOPAWh/vhv/kxx3rokVxXmakjqleY2FxscFccZwQ+BVXvncno0SurtJflQm9yqs0ISX1bhrYjDB2BdoeErwdyw==; 24:i0X3ZjSAetV9wbsJ8SQwdTuTsG8ZPJ4WEq39yYWjtpsERKF+7PLSH7+YE7az0oyGc0DIr4QLxgHCoPo960v9NXemkhht3DynOR8FVAlWXhQ=; 20:pnH2uyH1dMFAjvmeSmUPgTeI4xBs5qdIB57Q3bvp20s0iVZAbpaqN0OfiWfitiboSAfrt2wzW4MdTZ9S5NcfJg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <BY2PR03MB443C70882BF07656F34197FF57F0@BY2PR03MB443.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443; 
x-forefront-prvs: 066517B35B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(50944005)(189002)(52084003)(199003)(43784003)(377454003)(2950100001)(10400500002)(4001540100001)(2900100001)(106116001)(77096005)(5005710100001)(102836002)(10090500001)(33656002)(81156007)(230783001)(106356001)(105586002)(46102003)(16236675004)(76576001)(8990500004)(19625215002)(5002640100001)(5003600100002)(19617315012)(189998001)(92566002)(5001770100001)(561944003)(54356999)(2656002)(76176999)(5001830100001)(62966003)(64706001)(101416001)(97736004)(66066001)(40100003)(99286002)(5001860100001)(107886002)(19580405001)(19609705001)(15975445007)(87936001)(122556002)(19580395003)(86362001)(5001960100002)(77156002)(86612001)(50986999)(74316001)(19300405004)(68736005)(10290500002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB44209EC64A7DCD857F52D22F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Aug 2015 05:12:48.7642 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/n8a3c-Aea_IfcKApihZ7NVwNwJY>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 05:12:56 -0000

--_000_BY2PR03MB44209EC64A7DCD857F52D22F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB44209EC64A7DCD857F52D22F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB44209EC64A7DCD857F52D22F57F0BY2PR03MB442namprd_--


From nobody Mon Aug 10 22:24:47 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEFFC1A00E0 for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 22:24:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Level: 
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epyTdQMfb85h for <oauth@ietfa.amsl.com>; Mon, 10 Aug 2015 22:24:42 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0741.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::741]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 923901A000A for <oauth@ietf.org>; Mon, 10 Aug 2015 22:24:41 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 05:24:24 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 05:24:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
Thread-Index: AQHQZwDsLoYVszt6jEeQRXex8srb+J31lKCAgAASmACAEXWykA==
Date: Tue, 11 Aug 2015 05:24:23 +0000
Message-ID: <BY2PR03MB4421D018D52956CF6575559F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com> <CABzCy2D4wh8Q0HBO+aWKj_TT5Mq0e-PQqWxEx+ipfqShstfRRw@mail.gmail.com> 
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4421D018D52956CF6575559F57F0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/BOwV9LbIQZKiCkWzvFnQGBLeLb0>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-List-Received-Date: Tue, 11 Aug 2015 05:24:46 -0000

--_000_BY2PR03MB4421D018D52956CF6575559F57F0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4421D018D52956CF6575559F57F0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4421D018D52956CF6575559F57F0BY2PR03MB442namprd_--


From nobody Tue Aug 11 01:00:35 2015
Return-Path: <laura.sanchez@safelayer.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E8FD1A1B57 for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 01:00:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level: 
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q_ffQPkXcF7H for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 01:00:32 -0700 (PDT)
Received: from mail2.safelayer.com (mail2.safelayer.com [213.37.153.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337291A1B51 for <oauth@ietf.org>; Tue, 11 Aug 2015 01:00:31 -0700 (PDT)
Received: from [192.168.8.23] (port=60471 helo=mailmad.safelayer.lan) by mail2.safelayer.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from <laura.sanchez@safelayer.com>) id 1ZP4Tr-0008Ph-1O for oauth@ietf.org; Tue, 11 Aug 2015 10:00:19 +0200
Auto-Submitted: auto-generated
From: Laura Sanchez <laura.sanchez@safelayer.com>
To: oauth@ietf.org
Message-ID: <OF185BB5FD.DBD97F4C-ONC1257E9E.002BF98B-C1257E9E.002BF98B@safelayer.com>
Date: Tue, 11 Aug 2015 10:00:19 +0200
X-MIMETrack: Serialize by Router on mailmad/SFLY(Release 9.0.1FP4|June  07, 2015) at 11/08/2015 10:00:19
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fVOWfUq61lhdR5ITyxyADRbK8jY>
Subject: [OAUTH-WG] AUTO: Laura Sanchez is out of the office (returning 24/08/2015)
X-List-Received-Date: Tue, 11 Aug 2015 08:00:34 -0000

I am out of the office until 24/08/2015.

Note: This is an automated response to your message "OAuth Digest, Vol 82,
Issue 3" sent on 11/08/2015 5:46:23.

This is the only notification you will receive while this person is away.


From nobody Tue Aug 11 06:00:05 2015
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23E3A1A8A07 for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZA6bvZgyTky for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:00:02 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EBA51A8A06 for <oauth@ietf.org>; Tue, 11 Aug 2015 06:00:02 -0700 (PDT)
Received: by wicja10 with SMTP id ja10so74296050wic.1 for <oauth@ietf.org>; Tue, 11 Aug 2015 06:00:01 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.74.229 with SMTP id x5mr34321057wiv.90.1439298000831; Tue, 11 Aug 2015 06:00:00 -0700 (PDT)
Received: by 10.28.157.84 with HTTP; Tue, 11 Aug 2015 06:00:00 -0700 (PDT)
In-Reply-To: <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Tue, 11 Aug 2015 09:00:00 -0400
Message-ID: <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/USYtosaI4TSv-GEFSdL5C1o6jJI>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-List-Received-Date: Tue, 11 Aug 2015 13:00:04 -0000

On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones
<Michael.Jones@microsoft.com> wrote:
> There didn’t seem to be support for having cnf contain array values.
> Instead, as discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC
> followup 3 (was Re: confirmation model in proof-of-possession-02)”, if
> different keys are being confirmed, they can define additional claims other
> than “cnf” using the same structure as “cnf” to represent those
> confirmations.  Indeed, those other claims could be array-valued, if
> appropriate.  The reasons for having a structured “cnf” claim, rather than a
> set of flattened claim values, were also discussed in that thread.

Can you send the link to that thread and the result if it differs from
what Brian and Nat agree on?  I'd like to know that there is enough to
determine consensus on this point.

Thanks!
Kathleen
>
>                                                             Thanks again,
>
>                                                             -- Mike
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Monday, March 23, 2015 9:07 AM
> To: oauth
> Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
>
> This is mostly about section 3.4 but also the whole draft.
>
> If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
> element, it should probably contain an array value rather than an object
> value. SAML allows not just for multiple methods of confirming but for
> multiple instances of the same method. IIRC, only one confirmation needs to
> be confirmable.
>
> I'm not sure the extra complexity is worth it though. I've rarely, if ever,
> seen SAML assertions that make use of it.
>
> If the intent is just to allow for different kinds of confirmation, couldn't
> the structure be pared down and simplified and just have individual claims
> for the different confirmation types? Like "cjwk" and "ckid" or similar that
> have the jwk or kid value respectively as the member value.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 

Best regards,
Kathleen


From nobody Tue Aug 11 06:29:25 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C8BA1A8A6E for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:29:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9uKVEoxMhdSp for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:29:19 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0132.outbound.protection.outlook.com [207.46.100.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBED91A8A6B for <oauth@ietf.org>; Tue, 11 Aug 2015 06:29:05 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Tue, 11 Aug 2015 13:29:04 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Tue, 11 Aug 2015 13:29:04 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [OAUTH-WG] confirmation model in proof-of-possession-02
Thread-Index: AQHQZYOD4shzE+g7vkWTjrRAWSEG2J4HCrvggACVgACAAAHvkA==
Date: Tue, 11 Aug 2015 13:29:04 +0000
Message-ID: <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com>
In-Reply-To: <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8RGK2RU5bm6vMKTyIKaZ5XJxTeI>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-List-Received-Date: Tue, 11 Aug 2015 13:29:23 -0000
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From nobody Tue Aug 11 06:50:37 2015
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47E51A8ABD for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level: 
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ot5UxZaf8MhS for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 06:50:24 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3BB1A8A9D for <oauth@ietf.org>; Tue, 11 Aug 2015 06:50:24 -0700 (PDT)
Received: by igbij6 with SMTP id ij6so90864557igb.1 for <oauth@ietf.org>; Tue, 11 Aug 2015 06:50:23 -0700 (PDT)
X-Received: by 10.50.64.147 with SMTP id o19mr18413174igs.15.1439301023294; Tue, 11 Aug 2015 06:50:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Tue, 11 Aug 2015 06:49:53 -0700 (PDT)
In-Reply-To: <BY2PR03MB442178CDA590A3603391848F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCTUpYwPqswQsya__YPaWiSX3HFXzecrcEHZbV0XRpDJiw@mail.gmail.com> <BY2PR03MB442178CDA590A3603391848F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Aug 2015 07:49:53 -0600
Message-ID: <CA+k3eCQ45QhmKmh2nLCuF+-CZuq4fODhg+UsqRUrOciRkXL3ZA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=047d7bea2f9838074c051d0962c0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TyISzsnSXoa6ewoUhDoJxdCJelM>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
X-List-Received-Date: Tue, 11 Aug 2015 13:50:27 -0000

--047d7bea2f9838074c051d0962c0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thank you

On Mon, Aug 10, 2015 at 9:57 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup
> 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT
> okay?)”, I will update the draft to say that the symmetric key can be
> carried in the “jwk” element in an unencrypted form if the JWT is itself
> encrypted.  This will happen in -04.
>
>                                                             -- Mike
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Sunday, March 22, 2015 11:41 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in
> encrypted JWT okay?
>
> When the JWT is itself encrypted as a JWE, would it not be reasonable to
> have a symmetric key be represented in the cnf claim with the jwk member as
> an unencrypted JSON Web Key?
>
> Is such a possibility left as an exercise to the reader? Or should it be
> more explicitly allowed or disallowed?
>

--047d7bea2f9838074c051d0962c0--
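The rule Mike states in the message above (a symmetric key may travel in plaintext in the "jwk" member only when the JWT is itself encrypted) as a resource-side policy check on the structured "cnf" claim, written as an added example; it is neither the draft's text nor code from anyone in this thread. The exactly-one-member rule, the segment-count test for JWE vs. JWS, the private-key check and the sample tokens are my assumptions, and the same check is reused for additional claims that copy the "cnf" structure, which is the thread's alternative to array values.

```python
"""Added example (not from the draft or the thread): policy check for the
structured "cnf" confirmation claim. Assumptions, mine and not the draft's:
the confirmation object carries exactly one of "jwk", "jwe" or "kid"; a
symmetric ("oct") JWK may appear in plaintext under "jwk" only when the
containing JWT is a JWE; otherwise a symmetric key must travel under "jwe".
Whether the token is encrypted is inferred from its compact serialization
(five segments for JWE, three for JWS). No signature verification or
decryption happens here; the claims set is handed in already decoded."""

from typing import Any, Dict, List, Tuple

CONFIRMATION_MEMBERS: Tuple[str, ...] = ("jwk", "jwe", "kid")
PRIVATE_JWK_PARAMS = ("d", "p", "q", "dp", "dq", "qi")


def is_encrypted_jwt(compact: str) -> bool:
    """JWE compact serialization has five base64url segments, JWS has three."""
    segments = len(compact.split("."))
    if segments == 5:
        return True
    if segments == 3:
        return False
    raise ValueError(f"not a compact JWT: {segments} segments")


def check_confirmation(cnf: Any, token_encrypted: bool) -> List[str]:
    """Return the policy violations for one confirmation object (the "cnf"
    claim, or any other claim that reuses its structure). Empty list = OK."""
    if not isinstance(cnf, dict):
        # The thread settled on one key per claim: no array-valued cnf.
        return [f"confirmation must be a JSON object, got {type(cnf).__name__}"]
    present = [m for m in CONFIRMATION_MEMBERS if m in cnf]
    if len(present) != 1:
        return [f"expected exactly one of {CONFIRMATION_MEMBERS}, found {present}"]
    member = present[0]
    problems: List[str] = []
    if member == "jwk":
        jwk = cnf["jwk"]
        if not isinstance(jwk, dict) or "kty" not in jwk:
            problems.append('"jwk" must be a JWK object with a "kty"')
        elif jwk["kty"] == "oct":
            if not token_encrypted:
                # Plaintext symmetric key inside a merely signed JWT: anyone
                # who sees the token could present the key.
                problems.append('symmetric key in plaintext "jwk" but the JWT '
                                'is not encrypted; use "jwe" or encrypt the JWT')
        elif any(p in jwk for p in PRIVATE_JWK_PARAMS):
            # An asymmetric confirmation key is the presenter's public key;
            # private parameters never belong in the token.
            problems.append('"jwk" carries private key material')
    elif member == "jwe":
        if not isinstance(cnf["jwe"], str) or cnf["jwe"].count(".") != 4:
            problems.append('"jwe" must be a JWE in compact serialization')
    else:  # "kid": the key is found out of band by identifier
        if not isinstance(cnf["kid"], str) or not cnf["kid"]:
            problems.append('"kid" must be a non-empty string')
    return problems


def audit_token(compact: str, claims: Dict[str, Any],
                claim_names: Tuple[str, ...] = ("cnf",)) -> Dict[str, List[str]]:
    """Check each named confirmation claim present in the claims set.
    Extra names cover additional claims that copy the cnf structure."""
    encrypted = is_encrypted_jwt(compact)
    return {name: check_confirmation(claims[name], encrypted)
            for name in claim_names if name in claims}


# Constructed sample data (placeholders, not real tokens from the thread).
JWS_COMPACT = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhcyJ9.c2lnbmF0dXJl"          # 3 segments
JWE_COMPACT = "eyJhbGciOiJSU0EtT0FFUCJ9.ZW5ja2V5.aXY.Y2lwaGVydGV4dA.dGFn"  # 5 segments
SYMMETRIC_CNF = {"cnf": {"jwk": {"kty": "oct", "k": "AAECAwQFBgcICQoLDA0ODw"}}}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Same plaintext oct key: rejected inside a JWS, accepted inside a JWE."""
    return {
        "oct key in JWS": audit_token(JWS_COMPACT, SYMMETRIC_CNF),
        "oct key in JWE": audit_token(JWE_COMPACT, SYMMETRIC_CNF),
    }


if __name__ == "__main__":
    for case, report in demo().items():
        print(case, "->", report)
```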


From nobody Tue Aug 11 09:41:45 2015
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00FE41ACD79 for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 09:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level: 
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mC99pix1ecaT for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 09:41:41 -0700 (PDT)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43C971ACD2C for <oauth@ietf.org>; Tue, 11 Aug 2015 09:41:41 -0700 (PDT)
Received: by igbpg9 with SMTP id pg9so95385941igb.0 for <oauth@ietf.org>; Tue, 11 Aug 2015 09:41:40 -0700 (PDT)
X-Received: by 10.50.64.147 with SMTP id o19mr19386860igs.15.1439311300462; Tue, 11 Aug 2015 09:41:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Tue, 11 Aug 2015 09:41:11 -0700 (PDT)
In-Reply-To: <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Aug 2015 10:41:11 -0600
Message-ID: <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=047d7bea2f98c960b2051d0bc68e
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/m7tJKGm_7wIyvjWPQAcjr4aZ4Fo>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-List-Received-Date: Tue, 11 Aug 2015 16:41:44 -0000

--047d7bea2f98c960b2051d0bc68e
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I took Nat's "+1" as support for flattening things into individual claims
like "cjwe", "cjwk" and "ckid". Maybe that's just confirmation bias on my
part. But it'd be interesting to get Nat's actual opinion as opposed to his
assumed or implied opinion. Nat?

It seems to me that it's really a question of aesthetics because the
arguments in favor of the structured claim approach that cite flexibility
or the ability to "carry more than one confirmation key or key descriptor"
are erroneous. Both approaches can carry more than one as long as they are
different types and both can achieve additional flexibility by adding new
names for things (all of which, I suspect, will be very unlikely to happen
anyway). My suggestion to flatten was an attempt at simplification. And I
do think it would simplify. But that's only my opinion. If folks prefer the
aesthetics and structure of the "cnf" as currently defined and feel it's
easier to comprehend, I can live with that. All the rest of the
justification, however, just obscures things.

To Kathleen's request, the thread index is
http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14854 and
starts with http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html.
The consensus therein seems to be to leave things as they are (though only
John, Mike and I participated and I was the minority opinion).





On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Brian's note contained two suggestions, which I'll address separately.
>
> The first was to have "cnf" contain an array of values rather than
> individual values.  But even he said "I'm not sure the extra complexity is
> worth it though. I've rarely, if ever, seen SAML assertions that make use
> of it."  I took Nat's +1 as an agreement that the complexity of array
> values isn't worth it, and shouldn't be introduced.  No one else has since
> spoken up for having the "cnf" claim contain array values, and Brian only
> mentioned it as a possibility but dismissed it as too complex.
>
> The second was to not have the "cnf" claim at all, but instead to flatten
> things so that the "cnf" elements would become individual claims, along the
> lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.  This was discussed in the
> thread "[OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re:
> confirmation model in proof-of-possession-02)" - for instance, John
> Bradley's message
> http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html in which
> he stated that "flattening would be a bad direction".  Nat also implicitly
> endorsed keeping "cnf" in his WGLC review comments in
> http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html, in his
> comment "Since 'cnf' appears before 3.4, it may be better to bring 3.4 at
> the front."  He suggested changing the location of "cnf" in the document -
> not removing it, as Brian's flattening suggestion would have done.
>
> Tony Nadalin also earlier had spoken about the need to support use cases
> in which there would be multiple proof-of-possession keys.  Among other
> places, he alluded to this in his note
> http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html in which
> he wrote "Is this proposal also limited to a single key for both asymmetric
> and symmetric?".  This is pertinent because as I wrote in the first thread
> mentioned at
> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html, "Part
> of the reasoning for using a structured confirmation claim, rather than
> flattening the confirmation claim into the top-level JWT claims set, is
> that a JWT may carry more than one confirmation key or key descriptor" -
> per Tony's use cases.  John Bradley's note agreeing that flattening would
> be a bad direction was a response to that.
>
>                                 -- Mike
>
> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Tuesday, August 11, 2015 6:00 AM
> To: Mike Jones
> Cc: Brian Campbell; oauth
> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
>
> On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones <Michael.Jones@microsoft.com=
>
> wrote:
> > There didn't seem to be support for having cnf contain array values.
> > Instead, as discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics
> > WGLC followup 3 (was Re: confirmation model in
> > proof-of-possession-02)", if different keys are being confirmed, they
> > can define additional claims other than "cnf" using the same structure
> > as "cnf" to represent those confirmations.  Indeed, those other claims
> > could be array-valued, if appropriate.  The reasons for having a
> > structured "cnf" claim, rather than a set of flattened claim values,
> > were also discussed in that thread.
>
> Can you send the link to that thread and the result if it differs from
> what Brian and Nat agree on?  I'd like to know that there is enough to
> determine consensus on this point.
>
> Thanks!
> Kathleen
> >
> >
> >
> >                                                             Thanks
> > again,
> >
> >                                                             -- Mike
> >
> >
> >
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian
> > Campbell
> > Sent: Monday, March 23, 2015 9:07 AM
> > To: oauth
> > Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
> >
> >
> >
> > This is mostly about section 3.4 but also the whole draft.
> >
> >
> > If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
> > element, it should probably contain an array value rather than an
> > object value. SAML allows not just for multiple methods of confirming
> > but for multiple instances of the same method. IIRC, only one
> > confirmation needs to be confirmable.
> >
> > I'm not sure the extra complexity is worth it though. I've rarely, if
> > ever, seen SAML assertions that make use of it.
> >
> > If the intent is just to allow for different kinds of confirmation,
> > couldn't the structure be pared down and simplified and just have
> > individual claims for the different confirmation types? Like "cjwk"
> > and "ckid" or similar that have the jwk or kid value respectively as the
> > member value.
> >
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
>
>
> --
>
> Best regards,
> Kathleen
>

--047d7bea2f98c960b2051d0bc68e--


From nobody Tue Aug 11 14:30:22 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A67C1B2ADA for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 14:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZi32t9Os8yw for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 14:30:17 -0700 (PDT)
Received: from mail-qg0-f53.google.com (mail-qg0-f53.google.com [209.85.192.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6E6E1B2AD9 for <oauth@ietf.org>; Tue, 11 Aug 2015 14:30:16 -0700 (PDT)
Received: by qgdd90 with SMTP id d90so48550179qgd.3 for <oauth@ietf.org>; Tue, 11 Aug 2015 14:30:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=deVe4TaFbIJlFwg/A2+UtW6OpxQ8/fPjLCZRnEbBmXQ=; b=miagGkPue8S4rEfXxJNvNbBt05eQEWnq1g/jZZeIik12QyrsMDaXSUQT6eLvnEWerW yivfN6LlhhsNBj5US280WvpEeB8rCthm/0W8gSIoZ4Qa8lcL+FnFM9K6dUgqBnlt1kWw Y+PDDKuJy0BajZY/4hqF+mk6wmsuf+qWlAYH/N+AmUvufSpYllbdlcuD6gBt5tf0M53p bdH40T22FiECRCR+qO0pEdsVxocic1p5sPDawE84ZRWKzwAdhQjqqMnc+siO2HjWq6LD RqotaL4pz0WpH3Xx+wWO3OGsmyldR4K4FoYZnl1DowucPg/11JaGbVyz/6s91TqOYAfx MViA==
X-Gm-Message-State: ALoCoQkVagzeuLeM0Y3dNdqTdRQSJTHznP7WaeNkyns7PuHsQAfd2nKeS4ymtaAZIrMdV+yf3vtQ
X-Received: by 10.141.28.149 with SMTP id f143mr55327316qhe.97.1439328615825;  Tue, 11 Aug 2015 14:30:15 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.72.12]) by smtp.gmail.com with ESMTPSA id t77sm1959281qge.42.2015.08.11.14.30.13 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Aug 2015 14:30:14 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_DDBC1AAC-3818-48A1-AB58-0F0DACE696F8"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com>
Date: Tue, 11 Aug 2015 18:30:10 -0300
Message-Id: <DEDB6AE5-EEBD-438B-A088-F24FFEB0623A@ve7jtb.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/WA0s5TliBGrdpI8OepAGhV8bPkI>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 21:30:21 -0000

--Apple-Mail=_DDBC1AAC-3818-48A1-AB58-0F0DACE696F8
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_AAD5B6F6-061F-46CE-96EF-3FC51D76F410"


--Apple-Mail=_AAD5B6F6-061F-46CE-96EF-3FC51D76F410
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I think Brian also argued that flattening would save a registry, and be
easier to process in the default case.

I don't really buy the argument that having a cnf object makes it
that much harder to process.  I think it is stylistically better JSON to
keep the elements together so that they can be extended separately from
the main JWT claim space.

Having two confirmation elements could be done flat but I think that
gets even more messy.

I understand Brian's arguments, however I prefer having a cnf object with
no array.

I have to agree with his observation that we should keep away from
promoting multiple confirmation elements as it adds to complexity and
interoperability issues.
Better to make one work well and allow for an extension for those cases
that really need it.

I think the SAML subject confirmation is too complex for most people who
use it to really understand all the combinations of options.

John B.


> On Aug 11, 2015, at 1:41 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> I took Nat's "+1" as support for flattening things into individual
> claims like "cjwe", "cjwk" and "ckid". Maybe that's just confirmation
> bias on my part. But it'd be interesting to get Nat's actual opinion as
> opposed to his assumed or implied opinion. Nat?
>
> It seems to me that it's really a question of aesthetics because the
> arguments in favor of the structured claim approach that cite
> flexibility or the ability to "carry more than one confirmation key or
> key descriptor" are erroneous. Both approaches can carry more than one
> as long as they are different types and both can achieve additional
> flexibility by adding new names for things (all of which, I suspect,
> will be very unlikely to happen anyway). My suggestion to flatten was an
> attempt at simplification. And I do think it would simplify. But that's
> only my opinion. If folks prefer the aesthetics and structure of the
> "cnf" as currently defined and feel it's easier to comprehend, I can
> live with that. All the rest of the justification, however, just
> obscures things.
>
> To Kathleen's request, the thread index is
> http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14854
> and starts with
> http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html. The
> consensus therein seems to be to leave things as they are (though only
> John, Mike and I participated and I was the minority opinion).
>
> On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Brian's note contained two suggestions, which I'll address separately.
>
> The first was to have "cnf" contain an array of values rather than
> individual values.  But even he said "I'm not sure the extra complexity
> is worth it though. I've rarely, if ever, seen SAML assertions that make
> use of it."  I took Nat's +1 as an agreement that the complexity of
> array values isn't worth it, and shouldn't be introduced.  No one else
> has since spoken up for having the "cnf" claim contain array values, and
> Brian only mentioned it as a possibility but dismissed it as too
> complex.
>
> The second was to not have the "cnf" claim at all, but instead to
> flatten things so that the "cnf" elements would become individual
> claims, along the lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.  This
> was discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics WGLC
> followup 3 (was Re: confirmation model in proof-of-possession-02)" - for
> instance, John Bradley's message
> http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html in
> which he stated that "flattening would be a bad direction".  Nat also
> implicitly endorsed keeping "cnf" in his WGLC review comments in
> http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html, in
> his comment "Since 'cnf' appears before 3.4, it may be better to bring
> 3.4 at the front."  He suggested changing the location of "cnf" in the
> document - not removing it, as Brian's flattening suggestion would have
> done.
>
> Tony Nadalin also earlier had spoken about the need to support use
> cases in which there would be multiple proof-of-possession keys.  Among
> other places, he alluded to this in his note
> http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html in
> which he wrote "Is this proposal also limited to a single key for both
> asymmetric and symmetric?".  This is pertinent because as I wrote in the
> first thread mentioned at
> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html,
> "Part of the reasoning for using a structured confirmation claim, rather
> than flattening the confirmation claim into the top-level JWT claims
> set, is that a JWT may carry more than one confirmation key or key
> descriptor" - per Tony's use cases.  John Bradley's note agreeing that
> flattening would be a bad direction was a response to that.
>
>                                 -- Mike
>
> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Tuesday, August 11, 2015 6:00 AM
> To: Mike Jones
> Cc: Brian Campbell; oauth
> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
>
> On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> > There didn't seem to be support for having cnf contain array values.
> > Instead, as discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics
> > WGLC followup 3 (was Re: confirmation model in
> > proof-of-possession-02)", if different keys are being confirmed, they
> > can define additional claims other than "cnf" using the same structure
> > as "cnf" to represent those confirmations.  Indeed, those other claims
> > could be array-valued, if appropriate.  The reasons for having a
> > structured "cnf" claim, rather than a set of flattened claim values,
> > were also discussed in that thread.
>
> Can you send the link to that thread and the result if it differs from
> what Brian and Nat agree on?  I'd like to know that there is enough to
> determine consensus on this point.
>
> Thanks!
> Kathleen
> >
> >
> >
> >                                                             Thanks
> > again,
> >
> >                                                             -- Mike
> >
> >
> >
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian
> > Campbell
> > Sent: Monday, March 23, 2015 9:07 AM
> > To: oauth
> > Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
> >
> >
> >
> > This is mostly about section 3.4 but also the whole draft.
> >
> >
> > If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
> > element, it should probably contain an array value rather than an
> > object value. SAML allows not just for multiple methods of confirming
> > but for multiple instances of the same method. IIRC, only one
> > confirmation needs to be confirmable.
> >
> > I'm not sure the extra complexity is worth it though. I've rarely, if
> > ever, seen SAML assertions that make use of it.
> >
> > If the intent is just to allow for different kinds of confirmation,
> > couldn't the structure be pared down and simplified and just have
> > individual claims for the different confirmation types? Like "cjwk"
> > and "ckid" or similar that have the jwk or kid value respectively as
> > the member value.
> >
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
>
>
> --
>
> Best regards,
> Kathleen
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
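
The two claim layouts argued over in Brian's message and John's reply above, as an added example that is not part of the original messages or of the draft: a Python sketch of a resource server that pulls the proof-of-possession key out of a JWT claims set in either the structured "cnf" form or the flattened "cnf_<member>" form, then checks a presenter's HMAC proof with it. The member names jwk, jwe and kid are the ones named in the thread; the exactly-one-method rule, the symmetric-key-only handling, the challenge/HMAC proof mechanism, and every key, kid and claims value are assumptions made for this example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from typing import Any

# Confirmation member names discussed in the thread. In the structured layout
# they sit inside the "cnf" object; in the flattened layout each becomes a
# top-level claim named "cnf_<member>".
CONFIRMATION_MEMBERS = ("jwk", "jwe", "kid")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def confirmation(claims: dict[str, Any], flattened: bool = False) -> tuple[str, Any]:
    """Return (method, value) for the confirmation carried in either layout.

    Both layouts can carry several methods at once (one of each type), so the
    verifier has to decide what that means. This example (an assumption, not a
    rule taken from the draft) requires exactly one, so a token cannot be
    confirmed by whichever method the verifier happens to look at first.
    """
    if flattened:
        found = {m: claims["cnf_" + m] for m in CONFIRMATION_MEMBERS if "cnf_" + m in claims}
    else:
        cnf = claims.get("cnf")
        if not isinstance(cnf, dict):
            raise ValueError("cnf claim missing or not a JSON object")
        found = {m: cnf[m] for m in CONFIRMATION_MEMBERS if m in cnf}
    if len(found) != 1:
        raise ValueError(f"expected exactly one confirmation method, got {sorted(found)}")
    return next(iter(found.items()))


def resolve_key(method: str, value: Any, key_store: dict[str, bytes]) -> bytes:
    """Turn a confirmation value into the raw symmetric key the RS will use."""
    if method == "jwk":
        if not isinstance(value, dict) or value.get("kty") != "oct":
            raise ValueError("only symmetric (oct) JWKs are handled here")
        return b64url_decode(value["k"])
    if method == "kid":
        if value not in key_store:
            raise ValueError(f"unknown kid {value!r}")
        return key_store[value]
    # "jwe" carries the key encrypted to the RS; decrypting it needs a JOSE
    # library, so rather than pretend, refuse to confirm with it.
    raise ValueError(f"unsupported confirmation method {method!r}")


def prove_possession(key: bytes, challenge: bytes) -> str:
    """Presenter side: show possession of the key by MACing the RS challenge."""
    return b64url_encode(hmac.new(key, challenge, hashlib.sha256).digest())


def confirm(claims: dict[str, Any], challenge: bytes, proof: str,
            key_store: dict[str, bytes], flattened: bool = False) -> bool:
    """RS side: resolve the key the token names and verify the proof."""
    method, value = confirmation(claims, flattened)
    key = resolve_key(method, value, key_store)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(proof))


# Constructed sample data: a made-up 256-bit key and one claims set per layout.
SAMPLE_KEY = bytes(range(32))
BASE = {"iss": "https://as.example", "sub": "alice",
        "aud": "https://rs.example", "exp": 1439332215}
STRUCTURED = {**BASE, "cnf": {"jwk": {"kty": "oct", "k": b64url_encode(SAMPLE_KEY)}}}
FLATTENED = {**BASE, "cnf_jwk": {"kty": "oct", "k": b64url_encode(SAMPLE_KEY)}}
BY_KID = {**BASE, "cnf": {"kid": "rs-shared-1"}}
KEY_STORE = {"rs-shared-1": SAMPLE_KEY}

if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    proof = prove_possession(SAMPLE_KEY, challenge)
    for name, claims, flat in (("structured", STRUCTURED, False),
                               ("flattened", FLATTENED, True),
                               ("kid", BY_KID, False)):
        print(name, confirm(claims, challenge, proof, KEY_STORE, flattened=flat))
```

Both layouts resolve to the same key with the same amount of code, which is the processing-cost point; what the structured form changes is that the set of member names the verifier recognises is scoped to the "cnf" object instead of mixed into the top-level claim names, which is the extensibility point. Either way the verifier still has to decide what a claims set with two methods means, and rejecting it is the conservative choice.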


--Apple-Mail=_AAD5B6F6-061F-46CE-96EF-3FC51D76F410
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">I think Brian also argued that flattening would save a =
registry, and be easier to process in the default case.<div class=3D""><br=
 class=3D""></div><div class=3D"">I don=E2=80=99t really by the argument =
that having a cnf object makes it that much harder to process. &nbsp;I =
think it is stylistically better json to keep the elements together so =
that they can be extended separately from the main JWT claim =
space.</div><div class=3D""><br class=3D""></div><div class=3D"">Having =
two confirmation elements could be done flat but I think that gets even =
more messy.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">I understand Brians arguments, however prefer having a cnf =
object with no array.&nbsp;</div><div class=3D""><br class=3D""></div><div=
 class=3D"">I have to agree with his observation that we should keep =
away from promoting multiple confirmation elements as it adds to =
complexity and interoperability issues.</div><div class=3D"">Better to =
make one work well and allow for an extension for those cases that =
really need it.</div><div class=3D""><br class=3D""></div><div =
class=3D"">I think the SAML subject confirmation is too complex for most =
people who use it to really understand all the combinations of =
options.&nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">John B.<br class=3D""><div class=3D""><br class=3D""></div><div=
 class=3D""><br class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Aug 11, 2015, at 1:41 PM, Brian Campbell &lt;<a =
href=3D"mailto:bcampbell@pingidentity.com" =
class=3D"">bcampbell@pingidentity.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D""><div class=3D"">I took Nat's "+1" as support for flattening =
things into individual claims like "cjwe", "cjwk" and "ckid". Maybe =
that's just confirmation bias on my part. But it'd be interesting to get =
Nat's actual opinion as apposed to his assumed or implied opinion. =
Nat?<br class=3D""><br class=3D""></div><div class=3D"">It seems to me =
that it's really a question of aesthetics because the arguments in favor =
of the structured claim approach that cite flexibility or the ability to =
"carry more than one conformation key or key descriptor" are erroneous. =
Both approaches can carry more than one as long as they are different =
types and both can achieve additional flexibility by adding new names =
for things (all of which, I suspect, will be very unlikely to happen =
anyway). My suggesting to flatten was an attempt at simplification. And =
I do think it would simplify. But that's only my opinion. If folks =
prefer the aesthetics and structure of the "cnf" as currently defined =
and feel it's easier to comprehend, I can live with that. All the rest =
of the justification, however, just obscures things. <br class=3D""><br =
class=3D"">To Kathleen's request, the thread index is <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14=
854" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/threads.html=
#14854</a> and starts with <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/msg14854.htm=
l</a>. The consensus therein seems to be to leave things as they are =
(though only John, Mike and I participated and I was the minority =
opinion). <br class=3D""></div><br class=3D""><br class=3D""><br =
class=3D""><br class=3D""></div><div class=3D"gmail_extra"><br =
class=3D""><div class=3D"gmail_quote">On Tue, Aug 11, 2015 at 7:29 AM, =
Mike Jones <span dir=3D"ltr" class=3D"">&lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank" =
class=3D"">Michael.Jones@microsoft.com</a>&gt;</span> wrote:<br =
class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex">Brian's note contained =
two suggestions, which I'll address separately.<br class=3D"">
<br class=3D"">
The first was to have "cnf" contain an array of values rather than =
individual values.&nbsp; But even he said "I'm not sure the extra =
complexity is worth it though. I've rarely, if ever, seen SAML =
assertions that make use of it."&nbsp; I took Nat's +1 as an agreement =
that the complexity of array values isn't worth it, and shouldn't be =
introduced.&nbsp; No one else has since spoke up for having the "cnf" =
claim contain array values, and Brian only mentioned it as a possibility =
but dismissed it as too complex.<br class=3D"">
<br class=3D"">
The second was to not have the "cnf" claim at all, but instead to =
flatten things so that the "cnf" elements would become individual =
claims, along the lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.&nbsp; =
This was discussed in the thread " [OAUTH-WG] JWT PoP Key Semantics WGLC =
followup 3 (was Re: confirmation model in proof-of-possession-02)" - for =
instance, John Bradley's message <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/msg14859.htm=
l</a> in which he stated that "flattening would be a bad =
direction".&nbsp; Nat also implicitly endorsed keeping "cnf" in his WGLC =
review comments in <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/msg14418.htm=
l</a>, in his comment "Since 'cnf' appears before 3.4, it may be better =
to bring 3.4 at the front."&nbsp; He suggested changing the location of =
"cnf" in the document - not removing it, as Brian's flattening =
suggestion would have done.<br class=3D"">
<br class=3D"">
Tony Nadalin also earlier had spoken about the need to support use cases =
in which there would be multiple proof-of-possession keys.&nbsp; Among =
other places, he alluded to this in his note <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/msg14305.htm=
l</a> in which he wrote "Is this proposal also limited to a single key =
for both asymmetric and symmetric?".&nbsp; This is pertinent because as =
I wrote in the first thread mentioned at <a =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://www.ietf.org/mail-archive/web/oauth/current/msg14856.htm=
l</a>, "Part of the reasoning for using a structured confirmation claim, =
rather than flattening the confirmation claim into the top-level JWT =
claims set, is that a JWT may carry more than one conformation key or =
key descriptor" - per Tony's use cases.&nbsp; John Bradley's note =
agreeing that flattening would be a bad direction was a response to =
that.<br class=3D"">
<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; -- Mike<br class=3D"">
<div class=3D""><div class=3D"h5"><br class=3D"">
-----Original Message-----<br class=3D"">
From: Kathleen Moriarty [mailto:<a =
href=3D"mailto:kathleen.moriarty.ietf@gmail.com" =
class=3D"">kathleen.moriarty.ietf@gmail.com</a>]<br class=3D"">
Sent: Tuesday, August 11, 2015 6:00 AM<br class=3D"">
To: Mike Jones<br class=3D"">
Cc: Brian Campbell; oauth<br class=3D"">
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02<br =
class=3D"">
<br class=3D"">
On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones &lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com" =
class=3D"">Michael.Jones@microsoft.com</a>&gt; wrote:<br class=3D"">
&gt; There didn=E2=80=99t seem to be support for having cnf contain =
array values.<br class=3D"">
&gt; Instead, as discussed in the thread =E2=80=9C[OAUTH-WG] JWT PoP Key =
Semantics<br class=3D"">
&gt; WGLC followup 3 (was Re: confirmation model in<br class=3D"">
&gt; proof-of-possession-02)=E2=80=9D, if different keys are being =
confirmed, they<br class=3D"">
&gt; can define additional claims other than =E2=80=9Ccnf=E2=80=9D using =
the same structure<br class=3D"">
&gt; as =E2=80=9Ccnf=E2=80=9D to represent those confirmations.&nbsp; =
Indeed, those other claims<br class=3D"">
&gt; could be array-valued, if appropriate.&nbsp; The reasons for having =
a<br class=3D"">
&gt; structured =E2=80=9Ccnf=E2=80=9D claim, rather than a set of =
flattened claim values, were also discussed in that thread.<br class=3D"">=

<br class=3D"">
Can you send the link to that thread and the result if it differs from =
what Brian and Nat agree on?&nbsp; I'd like to know that there is enough =
to determine consensus on this point.<br class=3D"">
<br class=3D"">
Thanks!<br class=3D"">
Kathleen<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;Thanks<br class=3D"">
&gt; again,<br class=3D"">
&gt;<br class=3D"">
&gt;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;-- Mike<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt; From: OAuth [mailto:<a href=3D"mailto:oauth-bounces@ietf.org" =
class=3D"">oauth-bounces@ietf.org</a>] On Behalf Of Brian<br class=3D"">
&gt; Campbell<br class=3D"">
&gt; Sent: Monday, March 23, 2015 9:07 AM<br class=3D"">
&gt; To: oauth<br class=3D"">
&gt; Subject: [OAUTH-WG] confirmation model in proof-of-possession-02<br =
class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt; This is mostly about section 3.4 but also the whole draft.<br =
class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt; If "cnf" is intended to analogous to the SAML 2.0 =
SubjectConfirmation<br class=3D"">
&gt; element, it should probably contain an array value rather than =
an<br class=3D"">
&gt; object value. SAML allows not just for multiple methods of =
confirming<br class=3D"">
&gt; but for multiple instances of the same method. IIRC, only one<br =
class=3D"">
&gt; confirmation needs to be confirmable.<br class=3D"">
&gt;<br class=3D"">
&gt; I'm not sure the extra complexity is worth it though. I've rarely, =
if<br class=3D"">
&gt; ever, seen SAML assertions that make use of it.<br class=3D"">
&gt;<br class=3D"">
&gt; If the intent is just to allow for different kinds of =
confirmation,<br class=3D"">
&gt; couldn't the structure be pared down and simplified and just =
have<br class=3D"">
&gt; individual claims for the different confirmation types? Like =
"cjwk"<br class=3D"">
&gt; and "ckid" or similar that have the jwk or kid value respectively =
as the member value.<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt;<br class=3D"">
&gt; _______________________________________________<br class=3D"">
&gt; OAuth mailing list<br class=3D"">
&gt; <a href=3D"mailto:OAuth@ietf.org" class=3D"">OAuth@ietf.org</a><br =
class=3D"">
</div></div>&gt; <a =
href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2=
fwww.i" rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2=
f%2fwww.i</a><br class=3D"">
&gt; <a href=3D"http://etf.org/" rel=3D"noreferrer" target=3D"_blank" =
class=3D"">etf.org</a>%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cM=
ichael.Jones%40mi<br class=3D"">
&gt; <a href=3D"http://crosoft.com/" rel=3D"noreferrer" target=3D"_blank" =
class=3D"">crosoft.com</a>%7ca8e38b0ea0334d11e50008d2a24cc573%7c72f988bf86=
f141af91ab2<br class=3D"">
&gt; =
d7cd011db47%7c1&amp;sdata=3D9ukCTugBdbhTVriEoH3HdfMIloD%2fTHYY%2bdPOpQSs7x=
4%<br class=3D"">
&gt; 3d<br class=3D"">
&gt;<br class=3D"">
<span class=3D"HOEnZb"><font color=3D"#888888" class=3D""><br class=3D"">
<br class=3D"">
<br class=3D"">
--<br class=3D"">
<br class=3D"">
Best regards,<br class=3D"">
Kathleen<br class=3D"">
</font></span></blockquote></div><br class=3D""></div>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br =
class=3D""></div></div></body></html>=

--Apple-Mail=_AAD5B6F6-061F-46CE-96EF-3FC51D76F410--

--Apple-Mail=_DDBC1AAC-3818-48A1-AB58-0F0DACE696F8
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_DDBC1AAC-3818-48A1-AB58-0F0DACE696F8--


From nobody Tue Aug 11 15:00:12 2015
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EDBC1A895C for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 15:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRUaALZBE_Sx for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 15:00:03 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E508B1B2B36 for <oauth@ietf.org>; Tue, 11 Aug 2015 15:00:02 -0700 (PDT)
Received: by wibhh20 with SMTP id hh20so2600095wib.0 for <oauth@ietf.org>; Tue, 11 Aug 2015 15:00:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=rRkMqg0cNqyfr6ABMq9GuSzh3IPXH/syQt2kjJCyYZU=; b=jMywyc1Kb2N5m96EmXZQw7S2cMo5jlbjuiSR3nTGkt++7cvo4admTwYxVknfBcrXNM 19QXbS9nrAbBdkgHncCVpM+ptN1oZoWnQFlktvR6bBqA71tnjHVQlntgl4nqk6ImGisY KzM7k6dxHGMnevfHDv6ASD5vz3QRaCg2uBsxhFB9/BVkj2k6YMvvSX3OyslctREDL/qI YHS8tqWrHlJqh4gsBHYpxHEcUrApcpTg708qx4OVEmETG2wvrFVfMPrLgNHxmdYUjMsq ptBRKpZT14sLthuPe6FPSlOtTCdndIIVMCZI7frxE1oK1DpnQGv1K9GLKiuYF5cshfko bMyA==
MIME-Version: 1.0
X-Received: by 10.194.2.9 with SMTP id 9mr58654967wjq.95.1439330401600; Tue, 11 Aug 2015 15:00:01 -0700 (PDT)
Received: by 10.28.157.84 with HTTP; Tue, 11 Aug 2015 15:00:01 -0700 (PDT)
In-Reply-To: <DEDB6AE5-EEBD-438B-A088-F24FFEB0623A@ve7jtb.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com> <DEDB6AE5-EEBD-438B-A088-F24FFEB0623A@ve7jtb.com>
Date: Tue, 11 Aug 2015 18:00:01 -0400
Message-ID: <CAHbuEH4-ANr4eTaZ0ATwiieYJyG8fwn3C_-HtUm3Q6bMhJ2ReA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/bMVwq7jufhVgC3QyAnM5q6wxuIg>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 22:00:09 -0000

On Tue, Aug 11, 2015 at 5:30 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I think Brian also argued that flattening would save a registry, and be
> easier to process in the default case.
>
> I don't really buy the argument that having a cnf object makes it that much
> harder to process.  I think it is stylistically better json to keep the
> elements together so that they can be extended separately from the main JWT
> claim space.
>
> Having two confirmation elements could be done flat but I think that gets
> even more messy.
>
> I understand Brian's arguments, however prefer having a cnf object with no
> array.
>
> I have to agree with his observation that we should keep away from promoting
> multiple confirmation elements as it adds to complexity and interoperability
> issues.
> Better to make one work well and allow for an extension for those cases that
> really need it.
>
> I think the SAML subject confirmation is too complex for most people who use
> it to really understand all the combinations of options.

Thanks to all for the additional discussion/explanation.  If others
want to weigh in, please do so.

Best regards,
Kathleen

>
> John B.
>
>
> On Aug 11, 2015, at 1:41 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> I took Nat's "+1" as support for flattening things into individual claims
> like "cjwe", "cjwk" and "ckid". Maybe that's just confirmation bias on my
> part. But it'd be interesting to get Nat's actual opinion as opposed to his
> assumed or implied opinion. Nat?
>
> It seems to me that it's really a question of aesthetics because the
> arguments in favor of the structured claim approach that cite flexibility or
> the ability to "carry more than one confirmation key or key descriptor" are
> erroneous. Both approaches can carry more than one as long as they are
> different types and both can achieve additional flexibility by adding new
> names for things (all of which, I suspect, will be very unlikely to happen
> anyway). My suggestion to flatten was an attempt at simplification. And I do
> think it would simplify. But that's only my opinion. If folks prefer the
> aesthetics and structure of the "cnf" as currently defined and feel it's
> easier to comprehend, I can live with that. All the rest of the
> justification, however, just obscures things.
>
> To Kathleen's request, the thread index is
> http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14854 and
> starts with
> http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html. The
> consensus therein seems to be to leave things as they are (though only John,
> Mike and I participated and I was the minority opinion).
>
>
> On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>>
>> Brian's note contained two suggestions, which I'll address separately.
>>
>> The first was to have "cnf" contain an array of values rather than
>> individual values.  But even he said "I'm not sure the extra complexity is
>> worth it though. I've rarely, if ever, seen SAML assertions that make use of
>> it."  I took Nat's +1 as an agreement that the complexity of array values
>> isn't worth it, and shouldn't be introduced.  No one else has since spoken up
>> for having the "cnf" claim contain array values, and Brian only mentioned it
>> as a possibility but dismissed it as too complex.
>>
>> The second was to not have the "cnf" claim at all, but instead to flatten
>> things so that the "cnf" elements would become individual claims, along the
>> lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.  This was discussed in the
>> thread "[OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re:
>> confirmation model in proof-of-possession-02)" - for instance, John
>> Bradley's message
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html in which he
>> stated that "flattening would be a bad direction".  Nat also implicitly
>> endorsed keeping "cnf" in his WGLC review comments in
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html, in his
>> comment "Since 'cnf' appears before 3.4, it may be better to bring 3.4 at
>> the front."  He suggested changing the location of "cnf" in the document -
>> not removing it, as Brian's flattening suggestion would have done.
>>
>> Tony Nadalin also earlier had spoken about the need to support use cases
>> in which there would be multiple proof-of-possession keys.  Among other
>> places, he alluded to this in his note
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html in which he
>> wrote "Is this proposal also limited to a single key for both asymmetric and
>> symmetric?".  This is pertinent because as I wrote in the first thread
>> mentioned at
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html, "Part of
>> the reasoning for using a structured confirmation claim, rather than
>> flattening the confirmation claim into the top-level JWT claims set, is that
>> a JWT may carry more than one confirmation key or key descriptor" - per
>> Tony's use cases.  John Bradley's note agreeing that flattening would be a
>> bad direction was a response to that.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>> Sent: Tuesday, August 11, 2015 6:00 AM
>> To: Mike Jones
>> Cc: Brian Campbell; oauth
>> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
>>
>> On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>> > There didn't seem to be support for having cnf contain array values.
>> > Instead, as discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics
>> > WGLC followup 3 (was Re: confirmation model in
>> > proof-of-possession-02)", if different keys are being confirmed, they
>> > can define additional claims other than "cnf" using the same structure
>> > as "cnf" to represent those confirmations.  Indeed, those other claims
>> > could be array-valued, if appropriate.  The reasons for having a
>> > structured "cnf" claim, rather than a set of flattened claim values,
>> > were also discussed in that thread.
>>
>> Can you send the link to that thread and the result if it differs from
>> what Brian and Nat agree on?  I'd like to know that there is enough to
>> determine consensus on this point.
>>
>> Thanks!
>> Kathleen
>> >
>> >                                                             Thanks
>> > again,
>> >
>> >                                                             -- Mike
>> >
>> >
>> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian
>> > Campbell
>> > Sent: Monday, March 23, 2015 9:07 AM
>> > To: oauth
>> > Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
>> >
>> >
>> > This is mostly about section 3.4 but also the whole draft.
>> >
>> >
>> > If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
>> > element, it should probably contain an array value rather than an
>> > object value. SAML allows not just for multiple methods of confirming
>> > but for multiple instances of the same method. IIRC, only one
>> > confirmation needs to be confirmable.
>> >
>> > I'm not sure the extra complexity is worth it though. I've rarely, if
>> > ever, seen SAML assertions that make use of it.
>> >
>> > If the intent is just to allow for different kinds of confirmation,
>> > couldn't the structure be pared down and simplified and just have
>> > individual claims for the different confirmation types? Like "cjwk"
>> > and "ckid" or similar that have the jwk or kid value respectively as the
>> > member value.
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>>
>> --
>>
>> Best regards,
>> Kathleen
>



-- 

Best regards,
Kathleen
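
The thread above settles on a "cnf" claim that is a single JSON object (no array of confirmations, no flattened "cnf_jwk"/"cjwk" claims), with additional keys carried in further claims that reuse the same structure. The validator below, added here as an example and not code from the draft, the working group or any participant, enforces that model on a claims set the caller has already verified, and adds the policy check from the separate "unencrypted oct JWK in encrypted JWT" thread also quoted on this page: a plaintext symmetric key in "jwk" is only accepted when the JWT itself arrived as a JWE. Assumptions: the recognised confirmation members are limited to the three names the thread uses ("jwk", "jwe", "kid"); "cnf2" is a hypothetical name for an additional confirmation claim, not one the draft defines; `jwt_was_encrypted` is a fact the caller obtains from its JWE/JWS processing step, which is not shown; all key material in the samples is constructed placeholder text.

```python
"""Validator for the structured "cnf" claim model settled on in the thread.

Added example, not code from the draft or the working group. It accepts a JWT
claims set (already verified/decrypted by the caller), requires "cnf" to be a
single JSON object (no arrays, no flattened "cnf_jwk"/"cjwk" claims), lets extra
claims reuse the "cnf" structure for additional keys, and refuses a plaintext
symmetric "oct" key unless the JWT itself arrived encrypted.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

# Confirmation members named in the thread; assumption: the draft may define more.
CONFIRMATION_MEMBERS = ("jwk", "jwe", "kid")

# Flattened spellings proposed (and rejected) in the thread. A token using them
# was built to a different layout, so it is refused rather than guessed at.
FLATTENED_CLAIM_NAMES = ("cnf_jwk", "cnf_jwe", "cnf_kid", "cjwk", "cjwe", "ckid")


class ConfirmationError(ValueError):
    """A confirmation claim does not follow the structured object model."""


def parse_confirmation(value: Any, claim_name: str = "cnf") -> Dict[str, Any]:
    """Validate one structured confirmation claim; return its recognised members."""
    if isinstance(value, list):
        # The SAML-style "array of confirmations" model was not adopted.
        raise ConfirmationError(f'"{claim_name}" must be a JSON object, not an array')
    if not isinstance(value, dict):
        raise ConfirmationError(f'"{claim_name}" must be a JSON object')
    members = {k: v for k, v in value.items() if k in CONFIRMATION_MEMBERS}
    if not members:
        raise ConfirmationError(f'"{claim_name}" has no recognised confirmation member')
    return members


def collect_confirmations(
    claims: Dict[str, Any], extra_claim_names: Iterable[str] = ()
) -> List[Tuple[str, Dict[str, Any]]]:
    """Return [(claim_name, members)] for "cnf" and for any additional claims
    that reuse its structure (the thread's answer to "multiple keys")."""
    flattened = sorted(k for k in claims if k in FLATTENED_CLAIM_NAMES)
    if flattened:
        raise ConfirmationError(f"flattened confirmation claims not supported: {flattened}")
    found = []
    for name in ("cnf", *extra_claim_names):
        if name in claims:
            found.append((name, parse_confirmation(claims[name], name)))
    if not found:
        raise ConfirmationError("no confirmation claim present")
    return found


def check_symmetric_key_exposure(members: Dict[str, Any], jwt_was_encrypted: bool) -> None:
    """Refuse a plaintext symmetric key unless the JWT itself was a JWE."""
    jwk = members.get("jwk")
    if isinstance(jwk, dict) and jwk.get("kty") == "oct" and not jwt_was_encrypted:
        raise ConfirmationError('symmetric "oct" key in "jwk" of an unencrypted JWT')


def validate_pop_claims(
    claims_json: str, jwt_was_encrypted: bool, extra_claim_names: Iterable[str] = ()
) -> List[Tuple[str, str]]:
    """Parse a claims set; return (claim_name, method) pairs, one per confirmed key."""
    claims = json.loads(claims_json)
    if not isinstance(claims, dict):
        raise ConfirmationError("claims set must be a JSON object")
    result = []
    for name, members in collect_confirmations(claims, extra_claim_names):
        check_symmetric_key_exposure(members, jwt_was_encrypted)
        for method in CONFIRMATION_MEMBERS:  # stable order for callers
            if method in members:
                result.append((name, method))
    return result


def outcome(claims_json: str, jwt_was_encrypted: bool, extra: Iterable[str] = ()):
    """Run the validator and fold a rejection into a plain tuple."""
    try:
        return ("ok", validate_pop_claims(claims_json, jwt_was_encrypted, extra))
    except ConfirmationError as exc:
        return ("rejected", str(exc))


# Constructed sample claims sets; key material is placeholder text, not real keys.
ASYMMETRIC_CNF = json.dumps({
    "iss": "https://as.example.com", "sub": "alice",
    "cnf": {"jwk": {"kty": "EC", "crv": "P-256", "x": "EXAMPLE_X", "y": "EXAMPLE_Y"}},
})
SYMMETRIC_CNF = json.dumps({"sub": "alice", "cnf": {"jwk": {"kty": "oct", "k": "EXAMPLE_SECRET"}}})
ARRAY_CNF = json.dumps({"sub": "alice", "cnf": [{"kid": "key-1"}, {"kid": "key-2"}]})
FLATTENED = json.dumps({"sub": "alice", "cjwk": {"kty": "EC", "crv": "P-256"}})
# Second key carried in "cnf2", a hypothetical claim name reusing the structure.
TWO_KEYS = json.dumps({"sub": "alice", "cnf": {"kid": "sig-key"}, "cnf2": {"jwe": "EXAMPLE_JWE"}})

if __name__ == "__main__":
    print(outcome(ASYMMETRIC_CNF, jwt_was_encrypted=False))       # ok
    print(outcome(SYMMETRIC_CNF, jwt_was_encrypted=False))        # rejected
    print(outcome(SYMMETRIC_CNF, jwt_was_encrypted=True))         # ok
    print(outcome(ARRAY_CNF, False), outcome(FLATTENED, False))   # both rejected
    print(outcome(TWO_KEYS, True, extra=("cnf2",)))               # ok, two keys
```

The flattened names are refused outright rather than mapped onto "cnf": a token built to a layout the group rejected is more likely a misconfigured issuer than a valid variant, and silently accepting it would hide that. The additional-claim path only recognises names the relying party was explicitly configured with, so an unexpected claim reusing the structure is ignored rather than treated as a confirmed key.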


From nobody Tue Aug 11 16:05:29 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2B441B2A40 for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 16:05:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4N7vyxuxbTPa for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2015 16:05:26 -0700 (PDT)
Received: from mail-qg0-f52.google.com (mail-qg0-f52.google.com [209.85.192.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5D3F1B2A2C for <oauth@ietf.org>; Tue, 11 Aug 2015 16:05:25 -0700 (PDT)
Received: by qgj62 with SMTP id 62so216857qgj.2 for <oauth@ietf.org>; Tue, 11 Aug 2015 16:05:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=r1RcWxdhmBaLSmsb1Bk82jbx04KL41trQ8Rdcw9oM74=; b=aRT3vNF9Uq2QgseG0Gj1RT4Ui70bN35vgGLhTDF5MAfxOcBIhKTJ1w4KqfYwAEu1BH +n7fnQf7KFrzkz7vbPebXRd5rOZdeMflDXNRC+tTDiyEars3aklE9ZqUXJfVGKtkwPhh k1Oa2/kWsYoW4xHEupz1tyVhaYSlmMf5g2hJMDM8mxpx7FONkTDF2Pvsh1HhA+ZN69WU u0JvnQ8L5uUchdXwH32a2DgFf2/sIOjnwYnE0q0ZSp3ZxaBSGTKnK7r/n+IaTx54VT0U RPXS0T3qvtkAwSHsTPKYGdfH4bxtJexxNjYJfKIVekqaMWqrHZmsW4n6+26oblSowNTT y+YQ==
X-Gm-Message-State: ALoCoQnZriRhj6oBq+o7peSNECEP8URqJiA6xCH88ggHr2NEO/SPZE66yQXj4MGHDPN0UfF0Niai
X-Received: by 10.140.94.14 with SMTP id f14mr51235988qge.101.1439334324791; Tue, 11 Aug 2015 16:05:24 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.72.12]) by smtp.gmail.com with ESMTPSA id h35sm2116987qkh.34.2015.08.11.16.05.22 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Aug 2015 16:05:23 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_B422C0E9-510C-4036-9CFD-C186E60ED61D"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BY2PR03MB442178CDA590A3603391848F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Tue, 11 Aug 2015 20:05:19 -0300
Message-Id: <D157E351-88D6-487C-9B59-332189F53D5E@ve7jtb.com>
References: <CA+k3eCTUpYwPqswQsya__YPaWiSX3HFXzecrcEHZbV0XRpDJiw@mail.gmail.com> <BY2PR03MB442178CDA590A3603391848F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
To: Michael Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ReVWEHADZOPVnwpr4RorcUfIv3w>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted	JWT okay?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 23:05:27 -0000

--Apple-Mail=_B422C0E9-510C-4036-9CFD-C186E60ED61D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_718CFF99-6B63-4D14-9969-ACD990754F41"


--Apple-Mail=_718CFF99-6B63-4D14-9969-ACD990754F41
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

OK
> On Aug 11, 2015, at 12:57 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> As discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2
> (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)",
> I will update the draft to say that the symmetric key can be carried in the
> "jwk" element in an unencrypted form if the JWT is itself encrypted.  This
> will happen in -04.
> 
>                                                             -- Mike
> 
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Sunday, March 22, 2015 11:41 PM
> To: oauth
> Subject: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
> 
> When the JWT is itself encrypted as a JWE, would it not be reasonable to have
> a symmetric key be represented in the cnf claim with the jwk member as an
> unencrypted JSON Web Key?
> 
> Is such a possibility left as an exercise to the reader? Or should it be more
> explicitly allowed or disallowed?
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_718CFF99-6B63-4D14-9969-ACD990754F41
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">OK<br class=3D""><div style=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Aug 11, 2015, at 12:57 AM, Mike Jones =
&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" =
class=3D"">Michael.Jones@microsoft.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;"><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 12pt; font-family: 'Times New Roman', serif;" class=3D""><span =
style=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: =
rgb(31, 73, 125);" class=3D"">As discussed in the thread =E2=80=9C[OAUTH-W=
G] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 =
unencrypted oct JWK in encrypted JWT okay?)=E2=80=9D, I will update the =
draft to say that the symmetric key can be carried in the =E2=80=9Cjwk=E2=80=
=9D element in an unencrypted form if the JWT is itself encrypted.&nbsp; =
This will happen in -04.<o:p class=3D""></o:p></span></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times =
New Roman', serif;" class=3D""><span style=3D"font-size: 11pt; =
font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" =
class=3D"">&nbsp;</span></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 12pt; font-family: 'Times New Roman', serif;" class=3D""><span =
style=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: =
rgb(31, 73, 125);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- =
Mike<o:p class=3D""></o:p></span></div><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" =
class=3D""><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; color: rgb(31, 73, 125);" class=3D"">&nbsp;</span></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times =
New Roman', serif;" class=3D""><b class=3D""><span style=3D"font-size: =
10pt; font-family: Tahoma, sans-serif;" class=3D"">From:</span></b><span =
style=3D"font-size: 10pt; font-family: Tahoma, sans-serif;" =
class=3D""><span class=3D"Apple-converted-space">&nbsp;</span>OAuth [<a =
href=3D"mailto:oauth-bounces@ietf.org" =
class=3D"">mailto:oauth-bounces@ietf.org</a>]<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Brian =
Campbell<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Sunday, March 22, 2015 =
11:41 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>oauth<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>[OAUTH-WG] =
proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?<o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 12pt; font-family: 'Times New Roman', serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div><div class=3D""><div class=3D""><p =
class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; =
font-family: 'Times New Roman', serif;">When the JWT is itself encrypted =
as a JWE, would it not be reasonable to have a symmetric key be =
represented in the cnf claim with the jwk member as an unencrypted JSON =
Web Key?&nbsp;<o:p class=3D""></o:p></p></div><p class=3D"MsoNormal" =
style=3D"margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New =
Roman', serif;">Is such a possibility left as an exercise to the reader? =
Or should it be more explicitly allowed or disallowed?<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><br =
class=3D""><o:p class=3D""></o:p></p></div></div><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" =
class=3D"">_______________________________________________</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">OAuth mailing list</span><br style=3D"font-family:=
 Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a></span><br style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant: normal; font-weight: =
normal; letter-spacing: normal; line-height: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: =
none; display: inline !important;" class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a></span></div></b=
lockquote></div><br class=3D""></body></html>=

--Apple-Mail=_718CFF99-6B63-4D14-9969-ACD990754F41--

--Apple-Mail=_B422C0E9-510C-4036-9CFD-C186E60ED61D
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

--Apple-Mail=_B422C0E9-510C-4036-9CFD-C186E60ED61D--


From nobody Wed Aug 12 10:01:48 2015
Return-Path: <adam.lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C55C1A9085 for <oauth@ietfa.amsl.com>; Wed, 12 Aug 2015 10:01:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.643
X-Spam-Level: 
X-Spam-Status: No, score=-1.643 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buxZzfFEorRC for <oauth@ietfa.amsl.com>; Wed, 12 Aug 2015 10:01:46 -0700 (PDT)
Received: from mx0a-0019e102.pphosted.com (mx0a-0019e102.pphosted.com [67.231.149.242]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 297CE1A907E for <oauth@ietf.org>; Wed, 12 Aug 2015 10:01:45 -0700 (PDT)
Received: from pps.filterd (m0074410.ppops.net [127.0.0.1]) by mx0a-0019e102.pphosted.com (8.15.0.59/8.14.7) with SMTP id t7CH02d9031026 for <oauth@ietf.org>; Wed, 12 Aug 2015 12:01:45 -0500
Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180]) by mx0a-0019e102.pphosted.com with ESMTP id 1w89s502gb-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <oauth@ietf.org>; Wed, 12 Aug 2015 12:01:45 -0500
Received: by ykdt205 with SMTP id t205so19423965ykd.1 for <oauth@ietf.org>; Wed, 12 Aug 2015 10:01:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=ZBbe0lhueVZ3eSvWXcVq32IqbGiJ8xSPNmf0+U0+6/I=; b=fYuzPvP/UhV9dfwN0wDU8oEDkbIgTCQq07oH90jc+A5fhOu5pzKM2cLIBBBmkSqV8Q ZDpZ99bN5SqWtVIf1qsUnlEL0AJMPFe3XzD1MNyltv6zGCcDFER3TteRla22Z82s/5LV oKGh9+p47VdIRBfjXDULFeWEO+ag6b7N6MJ/qMnRPoMXCKhXiUb1q70M5k3E+hoPp7w2 nMgB5OyjRIhWODutLRUzhI+yqD7dxjHUVgCwaiJJChVi6BUCU8cajUcOV+J0NqF40gmB I2uBktYwdEI0O7W1/Kvj+5uETxJEEZBiMjssxXgJ5GE5i/sf5i0DZddSQnyy50dj3+qD bIVw==
X-Gm-Message-State: ALoCoQmpdSU5U/07s2bxvJbuqXUgQXIacwEpAeRNmM2pnxl7MOXfa6t5nEG5DgGn57H8hxxCfJzkbOSWwCcpntp+gsq7ou4qYDYhOOh1esF2vD5vhLaylGPsAuQW5GJLINAvbXa5j3vK
X-Received: by 10.170.128.17 with SMTP id u17mr10568647ykb.32.1439398904560; Wed, 12 Aug 2015 10:01:44 -0700 (PDT)
X-Received: by 10.170.128.17 with SMTP id u17mr10568642ykb.32.1439398904470; Wed, 12 Aug 2015 10:01:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.196.69 with HTTP; Wed, 12 Aug 2015 10:01:25 -0700 (PDT)
From: Adam Lewis <adam.lewis@motorolasolutions.com>
Date: Wed, 12 Aug 2015 12:01:25 -0500
Message-ID: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a11398938643166051d202ccd
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=1 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1506180000 definitions=main-1508120242
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TnYiiwyDlkZGwlbq8n6PqY7o3XQ>
Subject: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 17:01:47 -0000

--001a11398938643166051d202ccd
Content-Type: text/plain; charset=UTF-8

Hi,

Are there any drafts that discuss the notion of an RS acting as a client?
I'm considering the use case whereby a native mobile app obtains an access
token and sends it to the RS, and then the RS uses it to access the
UserInfo endpoint on an OP.

It's a bearer token so no reason it wouldn't work, but obviously it is
meant to be presented by the client and not the RS.  Curious to understand
the security implications of this, read on any thoughts given to this, or
to know if it's an otherwise accepted practice.

tx
adam

--001a11398938643166051d202ccd--


From nobody Wed Aug 12 11:27:22 2015
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB0E1A037C for <oauth@ietfa.amsl.com>; Wed, 12 Aug 2015 11:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level: 
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id am4cO2Trj7KD for <oauth@ietfa.amsl.com>; Wed, 12 Aug 2015 11:27:19 -0700 (PDT)
Received: from omr-m007.mx.aol.com (omr-m007e.mx.aol.com [204.29.186.9]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A3161A006D for <oauth@ietf.org>; Wed, 12 Aug 2015 11:27:19 -0700 (PDT)
Received: from mtaout-mca01.mx.aol.com (mtaout-mca01.mx.aol.com [172.26.221.77]) by omr-m007.mx.aol.com (Outbound Mail Relay) with ESMTP id 4F49C38001BF; Wed, 12 Aug 2015 14:27:18 -0400 (EDT)
Received: from [10.172.108.118] (unknown [10.172.108.118]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mca01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 17485380000A8; Wed, 12 Aug 2015 14:27:18 -0400 (EDT)
To: Adam Lewis <adam.lewis@motorolasolutions.com>, OAuth WG <oauth@ietf.org>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <55CB9005.2000904@aol.com>
Date: Wed, 12 Aug 2015 14:27:17 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040108030409080502050305"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1439404038; bh=4NTCeJVAXlf02JK4Kd5XM4soz6fUuUzCvOp5eg3wJYQ=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=n072LNOpEyyGnsEE0Lq2jyaPskrAsQcHbx1k/Hl15+5BFrA5H8uX5TqyEtAGClvVj Qb5WcovGwLiBcrK43IBvIb4rCaFroSlHUkhd2zqgf8Te74AW+y0DVzkfLtysZsM7w/ Drz3q/ybXi7dkuhBXL9rhA6SI7Wx/pdAonl0deis=
x-aol-sid: 3039ac1add4d55cb90064021
X-AOL-IP: 10.172.108.118
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/B9RCt1DfTrBJtgDogTNcfFrJ43U>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 18:27:21 -0000

This is a multi-part message in MIME format.
--------------040108030409080502050305
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Hi Adam,

If all the RS needs is say the "sub" field for the user, then you might 
want to look at the introspection spec as this allows the AS/OP to 
determine if the RS is "authorized" to introspect the token.

I know that Justin implemented a simple token exchange model that 
allowed for downstream chaining.

Another thing to consider is scope issues. Does the token the native app 
received have more scopes than the RS should be able to leverage? If so, 
the native app should downscope the access token before sending it to 
the RS.

Thanks,
George

On 8/12/15 1:01 PM, Adam Lewis wrote:
> Hi,
>
> Are there any drafts that discuss the notion of an RS acting as a 
> client? I'm considering the use case whereby a native mobile app 
> obtains an access token and sends it to the RS, and then the RS uses 
> it to access the UserInfo endpoint on an OP.
>
> It's a bearer token so no reason it wouldn't work, but obviously it is 
> meant to be presented by the client and not the RS.  Curious to 
> understand the security implications of this, read on any thoughts 
> given to this, or to know if it's an otherwise accepted practice.
>
> tx
> adam
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

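An added example, not code from this thread, of the RS-side pattern George describes: rather than replaying the bearer token to the UserInfo endpoint, the RS introspects it with its own client credentials and checks the reply (active, audience, validity window, scopes) before trusting the `sub`. The endpoint, the RS credentials, the audience value and the sample responses are constructed assumptions shaped like the introspection spec (RFC 7662); nothing is sent over the network.

```python
"""RS-side check of a bearer token via the AS introspection endpoint.

Added example; it is not code from this thread. The endpoint, the RS client
credentials, the audience value and the sample responses below are
constructed assumptions shaped like the OAuth token introspection spec
(RFC 7662), and no network request is actually sent.
"""
import base64
import json
import time
from urllib.parse import urlencode


class TokenRejected(Exception):
    """The introspected token must not be acted on by this RS."""


def build_introspection_request(token, endpoint, rs_client_id, rs_client_secret):
    """Build the HTTP request the RS sends to the AS introspection endpoint.

    The RS authenticates as itself (HTTP Basic with its own client
    credentials) rather than replaying the user's bearer token elsewhere;
    that authentication is what lets the AS decide whether this RS is
    authorized to introspect the token at all.
    """
    creds = base64.b64encode(f"{rs_client_id}:{rs_client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return "POST", endpoint, headers, body


def validate_introspection_response(resp_json, rs_audience, allowed_scopes, now=None):
    """Check the AS reply and return what this RS may rely on.

    Rejects inactive tokens, tokens not issued for this RS (the replay
    concern in the thread), expired or not-yet-valid tokens, and tokens
    that grant nothing this RS is permitted to act on. Scopes beyond the
    RS's allowance are reported as 'overscoped' rather than used, so the
    RS can log that the native app should have downscoped the token.
    """
    now = time.time() if now is None else now
    resp = json.loads(resp_json)
    if resp.get("active") is not True:
        raise TokenRejected("token is not active")
    aud = resp.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if rs_audience not in aud:
        raise TokenRejected("token was not issued for this resource server")
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        raise TokenRejected("token has expired")
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf:
        raise TokenRejected("token is not yet valid")
    granted = set(resp.get("scope", "").split())
    usable = granted & set(allowed_scopes)
    if not usable:
        raise TokenRejected("token grants nothing this RS is allowed to act on")
    sub = resp.get("sub")
    if not sub:
        raise TokenRejected("introspection response carries no subject")
    return {"sub": sub, "scope": sorted(usable), "overscoped": sorted(granted - usable)}


# Constructed sample introspection responses (not captured from any real AS).
ACTIVE_RESPONSE = json.dumps({
    "active": True,
    "sub": "user-123",
    "aud": ["https://rs.example"],
    "client_id": "native-app",
    "scope": "openid profile email",
    "exp": 1439404800,
    "nbf": 1439401200,
})
INACTIVE_RESPONSE = json.dumps({"active": False})
WRONG_AUDIENCE_RESPONSE = json.dumps({
    "active": True,
    "sub": "user-123",
    "aud": "https://other-rs.example",
    "scope": "openid",
    "exp": 1439404800,
})


if __name__ == "__main__":
    method, url, headers, body = build_introspection_request(
        "2YotnFZFEjr1zCsicMWpAA",  # sample token value, constructed
        "https://as.example/introspect", "rs-client", "rs-secret")
    print(method, url, body)
    # This RS is only allowed to act on 'openid' and 'profile'; 'email' is
    # surplus and reported, not used.
    print(validate_introspection_response(
        ACTIVE_RESPONSE, "https://rs.example", {"openid", "profile"}, now=1439402000))
```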

--------------040108030409080502050305--


From nobody Thu Aug 13 20:43:23 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E53051A1AA7 for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:43:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level: 
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_kiR4P4aJ_O for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:43:20 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0138.outbound.protection.outlook.com [65.55.169.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4072C1A1A2E for <oauth@ietf.org>; Thu, 13 Aug 2015 20:43:20 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Fri, 14 Aug 2015 03:43:18 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Fri, 14 Aug 2015 03:43:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: =?Windows-1252?Q?=93amr=94_Values_spec_updated?=
Thread-Index: AdDWQ1gyDLM4k4XkRyqlkp9xqb3+ow==
Date: Fri, 14 Aug 2015 03:43:18 +0000
Message-ID: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:LAMCuinZcclmnjR/C2W7IYo9AYMMcB7JMX0wwaBVWr7UVQ5QF9bChdVtdiSwlIVfGq4k+UIKTaa2SvmE9kNgTY8++XJLUK3EflIANTWphjD3X96Ko4Xf4cQaSuV/xP0gpUsZwcmDuL0ivN9UafvI6g==; 24:zhJ+9gacn/f6y6DVuPeBgsfjek8+JempVlen1Cy+OHp4xJPWL/A5SqjnA+TrAtBjMbDlnIvRgLaiWnUUR+iQ4nMfXLSIpCBdh3/6oF8gqSk=; 20:bGmor5ePEfOzh5BkgRLaRlVgfoU+rlLRhxUBh7CrGZBE2TIgZh5sre4jjlW1IXvHN+r82Zk9Bv+JbDET52vTIw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB44176B3811C1556C7F311F3F57C0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; 
x-forefront-prvs: 066898046A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(189002)(199003)(110136002)(77096005)(2900100001)(122556002)(40100003)(107886002)(2501003)(10090500001)(2351001)(2420400006)(229853001)(5001960100002)(86612001)(551544002)(99286002)(92566002)(97736004)(77156002)(7110500001)(10290500002)(62966003)(10400500002)(5001860100001)(10710500001)(5002640100001)(4001540100001)(81156007)(189998001)(15975445007)(5001830100001)(8990500004)(450100001)(68736005)(102836002)(76576001)(54356999)(2656002)(50986999)(19617315012)(5005710100001)(101416001)(86362001)(106356001)(19580395003)(74316001)(19300405004)(105586002)(46102003)(16236675004)(33656002)(5003600100002)(66066001)(19625215002)(87936001)(64706001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4424015DC23E68533ADD66BF57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Aug 2015 03:43:18.0965 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/w1HcdvLzvmqoFe1ygou72rCml6Y>
Subject: [OAUTH-WG] =?windows-1252?q?=93amr=94_Values_spec_updated?=
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 03:43:22 -0000

--_000_BY2PR03MB4424015DC23E68533ADD66BF57C0BY2PR03MB442namprd_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

I've updated the Authentication Method Reference Values spec to incorporate
feedback received from the OAuth working group.  Changes were:

•        Added the values "mca" (multiple-channel authentication),
"risk" (risk-based authentication), and "user" (user presence test).

•        Added citations in the definitions of Windows integrated
authentication, knowledge-based authentication, risk-based authentication,
multiple-factor authentication, one-time password, and proof-of-possession.

•        Alphabetized the values.

•        Added Tony Nadalin as an author and added acknowledgements.

The specification is available at:

•        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01

An HTML formatted version is also available at:

•        http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1437 and as
@selfissued<https://twitter.com/selfissued>.

--_000_BY2PR03MB4424015DC23E68533ADD66BF57C0BY2PR03MB442namprd_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I've updated the Authentication Method Reference Values spec to incorporate feedback received from the OAuth working group.  Changes were:</p>
<ul>
<li>Added the values "<code>mca</code>" (multiple-channel authentication), "<code>risk</code>" (risk-based authentication), and "<code>user</code>" (user presence test).</li>
<li>Added citations in the definitions of Windows integrated authentication, knowledge-based authentication, risk-based authentication, multiple-factor authentication, one-time password, and proof-of-possession.</li>
<li>Alphabetized the values.</li>
<li>Added Tony Nadalin as an author and added acknowledgements.</li>
</ul>
<p class="MsoNormal">The specification is available at:</p>
<ul>
<li><a href="http://tools.ietf.org/html/draft-jones-oauth-amr-values-01">http://tools.ietf.org/html/draft-jones-oauth-amr-values-01</a></li>
</ul>
<p class="MsoNormal">An HTML formatted version is also available at:</p>
<ul>
<li><a href="http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html">http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html</a></li>
</ul>
<p class="MsoNormal">-- Mike</p>
<p class="MsoNormal">P.S.  This note was also posted at <a href="http://self-issued.info/?p=1437">http://self-issued.info/?p=1437</a> and as <a href="https://twitter.com/selfissued">@selfissued</a>.</p>
</div>
</body>
</html>

--_000_BY2PR03MB4424015DC23E68533ADD66BF57C0BY2PR03MB442namprd_--


From nobody Thu Aug 13 20:51:36 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E66651A1A0C for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:51:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.159
X-Spam-Level: **
X-Spam-Status: No, score=2.159 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y94w_NCPZ53W for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:51:31 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0745.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::745]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F0F51A6FEC for <oauth@ietf.org>; Thu, 13 Aug 2015 20:51:30 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Fri, 14 Aug 2015 03:51:08 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Fri, 14 Aug 2015 03:51:08 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Authentication Method Reference Values Specification
Thread-Index: AdDEponiitwaXF5YTtCgg2mzrUGsugAcbbeAAABKDwAAABfdYAACq1kAAAKorwAERUAYYA==
Date: Fri, 14 Aug 2015 03:51:08 +0000
Message-ID: <BY2PR03MB4422E4CCAA5C42CC33CF58BF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442F8BDAF9DF110F97B7887F5830@BY2PR03MB442.namprd03.prod.outlook.com> <8BADFB60-1BE4-415A-B386-F34F9FE72A3C@mit.edu> <61575F9A-8A0F-415A-89AA-480432813020@ve7jtb.com> <BY2PR03MB4422C8D84A092E5A6D79C7EF5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCQhpHqCcLOKzCVt9wwXcm8oA9zdAwinpyvKYsoN1FNxpw@mail.gmail.com> <CAAP42hAo9m-dtUkp-tUPS_2RibN7-bHXpVT+VF_aPQEJSFXW_w@mail.gmail.com>
In-Reply-To: <CAAP42hAo9m-dtUkp-tUPS_2RibN7-bHXpVT+VF_aPQEJSFXW_w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4422E4CCAA5C42CC33CF58BF57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Aug 2015 03:51:08.7151 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/VNuCEFuRXbjY1Q_Jw3nTn4vvlNA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 03:51:35 -0000

--_000_BY2PR03MB4422E4CCAA5C42CC33CF58BF57C0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Thanks, William.  These were added in -01 with the names “risk” and “user”.  I added references to a bunch of the definitions, including one for “wia”.

About “amr_values”, I did the investigation I’d promised about whether it was being used, and it is in production use by Azure Active Directory at present.  Thus, I’ve left it in the spec at present.

                                -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Thursday, July 23, 2015 6:05 AM
To: Brian Campbell
Cc: Mike Jones; <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification

Thanks for drafting this Mike. I'm in favor of having this registry.

In addition to the specific values, I propose we add some generic ones too (trying to follow your naming scheme):

"rba":  "risk-based auth"
"upt":  "user presence test"

My fear of making things too specific is that RPs may get lost in the weeds trying to work out what things they should care about and how. As an IdP we like to guide RPs through these kinds of decisions, and prefer to pass a more high-level indication of what happened (such as these two values).  If someone wanted to have the best of both worlds, then both could be asserted, e.g. "upt fpt" to indicate that the user presence was tested, using a fingerprint test.

Regarding the proposed "wia" value: I don't know what it is, and the spec doesn't help me find out; can a reference be added?  I also wonder if it could be genericized to avoid being vendor-specific values, but mostly I just want to understand what it is.  Almost all the other values are self-explanatory; perhaps "pop" could use a reference as well (or maybe just a longer explanation).

I don't see the immediate value of "amr_values"; can you elaborate with some places where this would be applied?  Separately, I wonder if an extension to OIDC should be included in this doc, which is otherwise a fairly clean registry spec that could be used more broadly.

On Thu, Jul 23, 2015 at 10:49 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
So maybe a naive question, but why does this draft define "amr_values" while also suggesting that it's fragile and that "acr" & "acr_values" is preferable? Seems contradictory. And I doubt I'm the only one that will find it confusing.

On Thu, Jul 23, 2015 at 9:35 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
The key part of this is establishing a registry.  That can only be done in an RFC.

John, I encourage you to submit text beefing up the arguments about why using “acr” is preferable.  The text at http://self-issued.info/docs/draft-jones-oauth-amr-values-00.html#acrRelationship is a start at that.

                                -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, July 23, 2015 9:30 AM
To: Justin Richer
Cc: Mike Jones; <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification

I don’t personally have a problem with people defining values for AMR and creating an IANA registry.

That exists for ACR.

I am on record as not supporting clients requesting amr, as it is a bad idea, and the spec mentions that at the same time it defines a new request parameter for it.

It is probably not something I will put any real effort into fighting, if people insist on it.  I will continue to recommend only using ACR in the request.

John B.

On Jul 23, 2015, at 9:21 AM, Justin Richer <jricher@mit.edu> wrote:

Useful work, but shouldn’t this be defined in the OIDF, where the “amr” parameter is defined?

 — Justin

On Jul 22, 2015, at 7:48 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Phil Hunt and I have posted a new draft that defines some values used with the “amr” (Authentication Methods References) claim and establishes a registry for Authentication Method Reference values.  These values include commonly used authentication methods like “pwd” (password) and “otp” (one-time password).  It also defines a parameter for requesting that specific authentication methods be used in the authentication.

The specification is available at:
•        https://tools.ietf.org/html/draft-jones-oauth-amr-values-00

An HTML formatted version is also available at:
•        http://self-issued.info/docs/draft-jones-oauth-amr-values-00.html

                                -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1429 and as @selfissued (https://twitter.com/selfissued).
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--_000_BY2PR03MB4422E4CCAA5C42CC33CF58BF57C0BY2PR03MB442namprd_--

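The thread above turns on how a relying party should consume the "amr" claim (a JSON array of method names such as "pwd", "otp", "mfa", "fpt", "user") versus the single-valued "acr" claim, and on William's point that RPs get lost deciding which values matter. The following is an added example, not code from the draft or from anyone on the thread: an RP-side policy check over already-verified ID token claims. It assumes the token's signature, issuer, audience, expiry and nonce were validated earlier and the decoded claims arrive as a dict; the amr names are the ones the thread cites from draft-jones-oauth-amr-values, while the policy shape, the acr URN `urn:example:acr:strong` and the sample claim sets are hypothetical and constructed here.

```python
"""RP-side evaluation of the OpenID Connect "amr" and "acr" claims.

Added example, not code from the draft or from anyone on the thread.
It assumes the ID token has ALREADY been validated (signature, iss, aud,
exp, nonce) and that the decoded claims arrive as a dict.  The amr value
names are the ones the thread refers to from draft-jones-oauth-amr-values;
the policy shapes, the acr URN and the sample claim sets are hypothetical.
"""

# amr values mentioned in the draft / thread (a hypothetical subset of a registry).
KNOWN_AMR = {"fpt", "kba", "mca", "mfa", "otp", "pop", "pwd", "risk", "user", "wia"}

# Hypothetical RP policy.  "amr" is a JSON array, so the natural policy is a
# list of alternative method SETS: the token passes if the asserted methods
# cover any one alternative (an OR of ANDs).
STRONG_AUTH_POLICY = [
    {"mfa"},          # the AS asserts that a multi-factor ceremony took place
    {"pwd", "otp"},   # or the RP can see two factors itself
    {"user", "fpt"},  # or user-presence test plus fingerprint ("upt fpt" from the thread)
]

# Hypothetical acr value the RP would ask for with acr_values.
ACCEPTABLE_ACR = {"urn:example:acr:strong"}


def amr_satisfies(amr_claim, policy):
    """True if amr is a list of strings whose set covers at least one alternative."""
    if not isinstance(amr_claim, list) or not all(isinstance(v, str) for v in amr_claim):
        return False  # the claim must be an array of strings; reject anything else
    asserted = set(amr_claim)
    return any(alternative <= asserted for alternative in policy)


def unknown_amr_values(amr_claim):
    """amr values the RP does not recognise.  Log them; they earn no extra trust."""
    return {v for v in amr_claim if isinstance(v, str)} - KNOWN_AMR


def acr_satisfies(acr_claim, acceptable):
    """acr is one string naming a class/level and is matched exactly.
    A missing acr claim never satisfies the policy."""
    return isinstance(acr_claim, str) and acr_claim in acceptable


def evaluate_claims(claims):
    """Apply both checks to verified ID-token claims and report the outcome.

    The thread's recommendation: request the assurance you need with acr_values
    and let the IdP choose the methods; amr then records what actually happened,
    which the RP can still audit after the fact.
    """
    amr = claims.get("amr", [])
    return {
        "amr_ok": amr_satisfies(amr, STRONG_AUTH_POLICY),
        "acr_ok": acr_satisfies(claims.get("acr"), ACCEPTABLE_ACR),
        "unknown_amr": sorted(unknown_amr_values(amr)) if isinstance(amr, list) else [],
    }


# Constructed sample claim sets (not real tokens).
SAMPLE_PWD_ONLY = {"sub": "alice", "amr": ["pwd"], "acr": "urn:example:acr:basic"}
SAMPLE_PWD_OTP = {"sub": "alice", "amr": ["pwd", "otp"]}
# "upt" was proposed on the thread but the draft adopted "user", so an IdP still
# emitting it shows up as an unknown value rather than satisfying anything.
SAMPLE_IDP_MFA = {"sub": "alice", "amr": ["mfa", "risk", "upt"], "acr": "urn:example:acr:strong"}
SAMPLE_MALFORMED = {"sub": "alice", "amr": "pwd otp"}  # a string, not an array

if __name__ == "__main__":
    for name, claims in [("pwd only", SAMPLE_PWD_ONLY), ("pwd+otp", SAMPLE_PWD_OTP),
                         ("idp mfa", SAMPLE_IDP_MFA), ("malformed", SAMPLE_MALFORMED)]:
        print(name, evaluate_claims(claims))
```

The policy is written as alternatives over sets because amr is a set-valued claim: a password-only login fails, "pwd" plus "otp" passes, and an IdP-asserted "mfa" passes regardless of which extra values accompany it. A malformed claim (a space-separated string instead of an array) is rejected outright rather than split heuristically, and unrecognised values are surfaced for logging but never counted toward the policy.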

From nobody Thu Aug 13 20:53:24 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BDB81A6FEC for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.159
X-Spam-Level: **
X-Spam-Status: No, score=2.159 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BTHpXeBn9Ab0 for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:53:19 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0757.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::757]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF2461A6EF0 for <oauth@ietf.org>; Thu, 13 Aug 2015 20:53:18 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Fri, 14 Aug 2015 03:52:57 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Fri, 14 Aug 2015 03:52:57 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, William Denniss <wdenniss@google.com>
Thread-Topic: [OAUTH-WG] Authentication Method Reference Values Specification
Thread-Index: AdDEponiitwaXF5YTtCgg2mzrUGsugAcbbeAAABKDwAAABfdYAACq1kAAAKorwAADSeqAAAAHwlABDgZxKA=
Date: Fri, 14 Aug 2015 03:52:57 +0000
Message-ID: <BY2PR03MB4424775A27D18090EB566B9F57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442F8BDAF9DF110F97B7887F5830@BY2PR03MB442.namprd03.prod.outlook.com> <8BADFB60-1BE4-415A-B386-F34F9FE72A3C@mit.edu> <61575F9A-8A0F-415A-89AA-480432813020@ve7jtb.com> <BY2PR03MB4422C8D84A092E5A6D79C7EF5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCQhpHqCcLOKzCVt9wwXcm8oA9zdAwinpyvKYsoN1FNxpw@mail.gmail.com> <CAAP42hAo9m-dtUkp-tUPS_2RibN7-bHXpVT+VF_aPQEJSFXW_w@mail.gmail.com> <CABzCy2BhDmQXJFB_cvCeeQ9kZ8eAZLOb=2JVU1BKa-+yFyozkg@mail.gmail.com> 
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4424775A27D18090EB566B9F57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Aug 2015 03:52:57.7448 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3HG5TAGHZ4oNDnb8Gqcr3ge7RNY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 03:53:22 -0000

--_000_BY2PR03MB4424775A27D18090EB566B9F57C0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BY2PR03MB4424775A27D18090EB566B9F57C0BY2PR03MB442namprd_--


From nobody Thu Aug 13 20:53:57 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BA41A702B for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.17
X-Spam-Level: 
X-Spam-Status: No, score=0.17 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsRYZCz3k1xW for <oauth@ietfa.amsl.com>; Thu, 13 Aug 2015 20:53:52 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0119.outbound.protection.outlook.com [207.46.100.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54E641A7025 for <oauth@ietf.org>; Thu, 13 Aug 2015 20:53:52 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.231.11; Fri, 14 Aug 2015 03:53:50 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Fri, 14 Aug 2015 03:53:50 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Authentication Method Reference Values Specification
Thread-Index: AdDEponiitwaXF5YTtCgg2mzrUGsugAcbbeAAABKDwAAABfdYAACq1kAAAKorwAADSeqAAAAHwlAAFzvmYAD2zNPUA==
Date: Fri, 14 Aug 2015 03:53:50 +0000
Message-ID: <BY2PR03MB4423382B77A1DD7501E4C02F57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442F8BDAF9DF110F97B7887F5830@BY2PR03MB442.namprd03.prod.outlook.com> <8BADFB60-1BE4-415A-B386-F34F9FE72A3C@mit.edu> <61575F9A-8A0F-415A-89AA-480432813020@ve7jtb.com> <BY2PR03MB4422C8D84A092E5A6D79C7EF5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCQhpHqCcLOKzCVt9wwXcm8oA9zdAwinpyvKYsoN1FNxpw@mail.gmail.com> <CAAP42hAo9m-dtUkp-tUPS_2RibN7-bHXpVT+VF_aPQEJSFXW_w@mail.gmail.com> <CABzCy2BhDmQXJFB_cvCeeQ9kZ8eAZLOb=2JVU1BKa-+yFyozkg@mail.gmail.com> <BY2PR03MB442AE5E9A13B300F37898D3F5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCSO=Hf+q8uVkaLrXrYwxoLWg7p6Z_yO=9DpdPAwONmDAQ@mail.gmail.com>
In-Reply-To: <CA+k3eCSO=Hf+q8uVkaLrXrYwxoLWg7p6Z_yO=9DpdPAwONmDAQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4423382B77A1DD7501E4C02F57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/o3xicQk_cRl73gj0VbPvOzL-fmY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 03:53:56 -0000



From nobody Thu Aug 13 20:55:05 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Authentication Method Reference Values Specification
Date: Fri, 14 Aug 2015 03:54:36 +0000
Message-ID: <BY2PR03MB44271B875F9A6A1235F120DF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442F8BDAF9DF110F97B7887F5830@BY2PR03MB442.namprd03.prod.outlook.com> <8BADFB60-1BE4-415A-B386-F34F9FE72A3C@mit.edu> <61575F9A-8A0F-415A-89AA-480432813020@ve7jtb.com> <BY2PR03MB4422C8D84A092E5A6D79C7EF5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCQhpHqCcLOKzCVt9wwXcm8oA9zdAwinpyvKYsoN1FNxpw@mail.gmail.com> <CAAP42hAo9m-dtUkp-tUPS_2RibN7-bHXpVT+VF_aPQEJSFXW_w@mail.gmail.com> <CABzCy2BhDmQXJFB_cvCeeQ9kZ8eAZLOb=2JVU1BKa-+yFyozkg@mail.gmail.com> <BY2PR03MB442AE5E9A13B300F37898D3F5820@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCSO=Hf+q8uVkaLrXrYwxoLWg7p6Z_yO=9DpdPAwONmDAQ@mail.gmail.com> <CABzCy2AAHzWECiy0sKxKktKyrtM5iuRJsYPN=NgXXSd80_uPaw@mail.gmail.com>
In-Reply-To: <CABzCy2AAHzWECiy0sKxKktKyrtM5iuRJsYPN=NgXXSd80_uPaw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB44271B875F9A6A1235F120DF57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/5Xs-irlEypGeHEF6INwB2qLTOUs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification



From nobody Fri Aug 14 10:40:32 2015
MIME-Version: 1.0
In-Reply-To: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 14 Aug 2015 10:40:09 -0700
Message-ID: <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a113539949b3149051d48f2fe
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ARWtW7RQ5fMuzhrtbgCDGBvjvTM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated

Looking good, thanks for putting this together.

I wonder if we should say "risk_based" rather than just "risk" to avoid
ambiguity (i.e. that it's not a risky authentication method, rather, it was
risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
logical story.



On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> I’ve updated the Authentication Method Reference Values spec to
> incorporate feedback received from the OAuth working group.  Changes were:
>
> ·        Added the values “mca” (multiple-channel authentication), “risk”
> (risk-based authentication), and “user” (user presence test).
>
> ·        Added citations in the definitions of Windows integrated
> authentication, knowledge-based authentication, risk-based authentication,
> multiple-factor authentication, one-time password, and proof-of-possession.
>
> ·        Alphabetized the values.
>
> ·        Added Tony Nadalin as an author and added acknowledgements.
>
> The specification is available at:
>
> ·        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>
> An HTML formatted version is also available at:
>
> ·        http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>
>                                                             -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1437 and as
> @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

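[Editor's note, not part of the thread.] Denniss's reading of "user mfa pwd otp" as a logical story is exactly what a relying party acts on: it reads the "amr" array from a verified ID token and decides whether the authentication that produced it meets its policy. The example below is added here and is not code from the thread, from the draft, or from any of its authors. It assumes a hypothetical step-up policy (accept an explicit "mfa" marker, or "pwd" together with "otp") and uses only the identifiers that appear in this thread ("mca", "risk", "user", "mfa", "pwd", "otp"); a string the spec does not define, such as the "risk_based" spelling proposed above, is reported but never counted, because the meaning of a value comes from the spec text rather than from the string itself. The sample token is constructed inline with a placeholder signature; signature verification is assumed to have happened before these functions are called.

```python
from __future__ import annotations

import base64
import json
from dataclasses import dataclass

# Identifiers taken from this thread: "mca", "risk" and "user" were added in
# draft -01, and "mfa", "pwd", "otp" come from the "user mfa pwd otp" example.
# The meaning of each value is defined by the spec text, not by the string.
KNOWN_AMR = frozenset({"mca", "mfa", "otp", "pwd", "risk", "user"})

# A relying-party policy in disjunctive form (hypothetical, for illustration):
# the claim passes if every value of at least one alternative is present.
# Here: an explicit "mfa" marker, or a password plus a one-time password.
# A risk-based decision ("risk") is not counted as a second factor by itself.
STEP_UP_POLICY = (frozenset({"mfa"}), frozenset({"pwd", "otp"}))


@dataclass(frozen=True)
class AmrDecision:
    allowed: bool
    matched: frozenset[str] | None   # the alternative that was satisfied
    unknown: tuple[str, ...]         # values the spec does not define


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact-serialised JWT without verifying it.

    The caller must have verified the JWS signature before any claim in the
    payload, "amr" included, is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def parse_amr(claims: dict) -> list[str]:
    """Extract "amr", which OpenID Connect defines as a JSON array of strings."""
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be a JSON array of strings')
    return amr


def evaluate_amr(amr: list[str], policy=STEP_UP_POLICY) -> AmrDecision:
    """Decide whether the listed methods satisfy the policy."""
    present = frozenset(amr)
    unknown = tuple(sorted(present - KNOWN_AMR))
    # Only identifiers the spec defines can satisfy a requirement; a string
    # such as "risk_based" is reported to the operator but never counted.
    usable = present & KNOWN_AMR
    for alternative in policy:
        if alternative <= usable:
            return AmrDecision(True, alternative, unknown)
    return AmrDecision(False, None, unknown)


def check_token(token: str, policy=STEP_UP_POLICY) -> AmrDecision:
    """Parse a (previously verified) ID token and evaluate its "amr" claim."""
    return evaluate_amr(parse_amr(jwt_claims(token)), policy)


def make_sample_token(claims: dict) -> str:
    """Build a constructed ID token for the demonstration below.

    The signature segment is a placeholder, so the token would fail real
    verification; it only exercises the parsing and policy code here.
    """
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{enc(b'placeholder-signature')}"


if __name__ == "__main__":
    # Constructed sample: the "user mfa pwd otp" story from the thread.
    token = make_sample_token({"sub": "alice", "amr": ["user", "mfa", "pwd", "otp"]})
    print(check_token(token))                          # allowed via "mfa"
    print(evaluate_amr(["pwd", "risk"]))               # not allowed: no second factor
    print(evaluate_amr(["pwd", "otp", "risk_based"]))  # allowed; "risk_based" flagged unknown
```

The policy is written as a tuple of alternatives rather than a single required set so that an operator can express "any of these combinations" without special-casing "mfa"; unknown values are surfaced in the decision so they can be logged and reviewed, which is where a naming ambiguity like "risk" versus "risk_based" would show up in practice.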


From nobody Fri Aug 14 10:44:37 2015
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>
Thread-Topic: [OAUTH-WG] “amr” Values spec updated
Date: Fri, 14 Aug 2015 17:44:33 +0000
Message-ID: <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com>
In-Reply-To: <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442670B6531CEA4E5988A7AF57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gYC_1wTG-atDpMpwuVEIGkK-Fy8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated

I hear you, but we’re trying to keep the values short for space reasons – just like other identifiers in JWTs.  Ultimately, the values aren’t meaningful without referring to the spec in the first place, so the place to beef up the meaning is in the description in the spec – not in the “amr” value.  If you’d like to suggest any edits in that regard, have at it!

                                                            Thanks,
                                                            -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Friday, August 14, 2015 1:40 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] “amr” Values spec updated

Looking good, thanks for putting this together.

I wonder if we should say "risk_based" rather than just "risk" to avoid ambiguity (i.e. that it's not a risky authentication method, rather, it was risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a logical story.

On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I’ve updated the Authentication Method Reference Values spec to incorporate feedback received from the OAuth working group.  Changes were:

·        Added the values “mca” (multiple-channel authentication), “risk” (risk-based authentication), and “user” (user presence test).
c3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuMHB0Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj5BZGRlZCBjaXRhdGlvbnMgaW4gdGhlIGRlZmlu
aXRpb25zIG9mIFdpbmRvd3MgaW50ZWdyYXRlZCBhdXRoZW50aWNhdGlvbiwga25vd2xlZGdlLWJh
c2VkIGF1dGhlbnRpY2F0aW9uLCByaXNrLWJhc2VkIGF1dGhlbnRpY2F0aW9uLCBtdWx0aXBsZS1m
YWN0b3IgYXV0aGVudGljYXRpb24sIG9uZS10aW1lIHBhc3N3b3JkLCBhbmQgcHJvb2Ytb2YtcG9z
c2Vzc2lvbi4NCjxvOnA+PC9vOnA+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OlN5
bWJvbCI+wrc8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjBwdCI+Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7DQo8L3NwYW4+QWxwaGFiZXRpemVkIHRoZSB2
YWx1ZXMuIDxvOnA+PC9vOnA+PC9wPg0KPHA+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OlN5bWJv
bCI+wrc8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo3LjBwdCI+Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7DQo8L3NwYW4+QWRkZWQgVG9ueSBOYWRhbGluIGFz
IGFuIGF1dGhvciBhbmQgYWRkZWQgYWNrbm93bGVkZ2VtZW50cy48bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFy
Z2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t
YWx0OmF1dG8iPlRoZSBzcGVjaWZpY2F0aW9uIGlzIGF2YWlsYWJsZSBhdDo8bzpwPjwvbzpwPjwv
cD4NCjxwPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpTeW1ib2wiPsK3PC9zcGFuPjxzcGFuIHN0
eWxlPSJmb250LXNpemU6Ny4wcHQiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOw0KPC9zcGFuPjxhIGhyZWY9Imh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVjdGlv
bi5vdXRsb29rLmNvbS8/dXJsPWh0dHAlM2ElMmYlMmZ0b29scy5pZXRmLm9yZyUyZmh0bWwlMmZk
cmFmdC1qb25lcy1vYXV0aC1hbXItdmFsdWVzLTAxJmFtcDtkYXRhPTAxJTdjMDElN2NNaWNoYWVs
LkpvbmVzJTQwbWljcm9zb2Z0LmNvbSU3YzFmMjFmODZmNGU0YTQ4NThkZmY5MDhkMmE0Y2Y3MWYz
JTdjNzJmOTg4YmY4NmYxNDFhZjkxYWIyZDdjZDAxMWRiNDclN2MxJmFtcDtzZGF0YT1JNU1GWmJk
MUJNQU5MdVZlREgyNGJvQlZKMUNTd3liSWczUDFScVRad2VVJTNkIiB0YXJnZXQ9Il9ibGFuayI+
aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtam9uZXMtb2F1dGgtYW1yLXZhbHVlcy0w
MTwvYT48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFy
Z2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0
OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPkFuIEhUTUwgZm9ybWF0dGVkIHZlcnNp
b24gaXMgYWxzbyBhdmFpbGFibGUgYXQ6PG86cD48L286cD48L3A+DQo8cD48c3BhbiBzdHlsZT0i
Zm9udC1mYW1pbHk6U3ltYm9sIj7Ctzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjcuMHB0
Ij4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsNCjwvc3Bhbj48YSBo
cmVmPSJodHRwczovL25hMDEuc2FmZWxpbmtzLnByb3RlY3Rpb24ub3V0bG9vay5jb20vP3VybD1o
dHRwJTNhJTJmJTJmc2VsZi1pc3N1ZWQuaW5mbyUyZmRvY3MlMmZkcmFmdC1qb25lcy1vYXV0aC1h
bXItdmFsdWVzLTAxLmh0bWwmYW1wO2RhdGE9MDElN2MwMSU3Y01pY2hhZWwuSm9uZXMlNDBtaWNy
b3NvZnQuY29tJTdjMWYyMWY4NmY0ZTRhNDg1OGRmZjkwOGQyYTRjZjcxZjMlN2M3MmY5ODhiZjg2
ZjE0MWFmOTFhYjJkN2NkMDExZGI0NyU3YzEmYW1wO3NkYXRhPXJwQTIlMmZMUUdzNW1kb21FUDR4
QnU3VDlWNFBXelZpMmo4ZDFWVHpQQ0NaZyUzZCIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9zZWxm
LWlzc3VlZC5pbmZvL2RvY3MvZHJhZnQtam9uZXMtb2F1dGgtYW1yLXZhbHVlcy0wMS5odG1sPC9h
PjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4t
dG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBzdHlsZT0iY29s
b3I6Izg4ODg4OCI+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFs
dDphdXRvIj48c3BhbiBzdHlsZT0iY29sb3I6Izg4ODg4OCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i
c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7
Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0tIE1pa2U8
bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1h
cmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFs
dDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5QLlMuJm5ic3A7IFRoaXMgbm90ZSB3
YXMgYWxzbyBwb3N0ZWQgYXQNCjxhIGhyZWY9Imh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVj
dGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHAlM2ElMmYlMmZzZWxmLWlzc3VlZC5pbmZvJTJmJTNm
cCUzZDE0MzcmYW1wO2RhdGE9MDElN2MwMSU3Y01pY2hhZWwuSm9uZXMlNDBtaWNyb3NvZnQuY29t
JTdjMWYyMWY4NmY0ZTRhNDg1OGRmZjkwOGQyYTRjZjcxZjMlN2M3MmY5ODhiZjg2ZjE0MWFmOTFh
YjJkN2NkMDExZGI0NyU3YzEmYW1wO3NkYXRhPXN2NUhiY1JXJTJialJiWWNkNzFNUlpCY0Zka3Ml
MmZyb2FEcVolMmZxVEtPSnJKJTJmbyUzZCIgdGFyZ2V0PSJfYmxhbmsiPg0KaHR0cDovL3NlbGYt
aXNzdWVkLmluZm8vP3A9MTQzNzwvYT4gYW5kIGFzIDxhIGhyZWY9Imh0dHBzOi8vbmEwMS5zYWZl
bGlua3MucHJvdGVjdGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHBzJTNhJTJmJTJmdHdpdHRlci5j
b20lMmZzZWxmaXNzdWVkJmFtcDtkYXRhPTAxJTdjMDElN2NNaWNoYWVsLkpvbmVzJTQwbWljcm9z
b2Z0LmNvbSU3YzFmMjFmODZmNGU0YTQ4NThkZmY5MDhkMmE0Y2Y3MWYzJTdjNzJmOTg4YmY4NmYx
NDFhZjkxYWIyZDdjZDAxMWRiNDclN2MxJmFtcDtzZGF0YT1leDQzVVA1eXR1SU1zZmU2U2tBQm1Q
QXZKYmVPcFhQYkhRYm52aXhVTmNRJTNkIiB0YXJnZXQ9Il9ibGFuayI+DQpAc2VsZmlzc3VlZDwv
YT4uPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg
c3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCk9BdXRoIG1haWxpbmcgbGlzdDxicj4NCjxh
IGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8L2E+PGJyPg0KPGEg
aHJlZj0iaHR0cHM6Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9
aHR0cHMlM2ElMmYlMmZ3d3cuaWV0Zi5vcmclMmZtYWlsbWFuJTJmbGlzdGluZm8lMmZvYXV0aCZh
bXA7ZGF0YT0wMSU3YzAxJTdjTWljaGFlbC5Kb25lcyU0MG1pY3Jvc29mdC5jb20lN2MxZjIxZjg2
ZjRlNGE0ODU4ZGZmOTA4ZDJhNGNmNzFmMyU3YzcyZjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFk
YjQ3JTdjMSZhbXA7c2RhdGE9aGxNcEdiR2hYQkNZaW10TUphOUlmRXpXU0ZxWFJ5M2tLSE44WiUy
Ykx4am4wJTNkIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9s
aXN0aW5mby9vYXV0aDwvYT48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9o
dG1sPg0K

--_000_BY2PR03MB442670B6531CEA4E5988A7AF57C0BY2PR03MB442namprd_--


From nobody Fri Aug 14 10:53:22 2015
From: William Denniss <wdenniss@google.com>
Date: Fri, 14 Aug 2015 10:52:58 -0700
Message-ID: <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JlILNsqvJEbrpIVlt_Y6he4TBQ8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated

Fair point. RBA is a fairly common acronym for Risk-Based Authentication,
how about going with "rba"? Would align with existing "mfa", "mca"
definitions (while also saving 1 character and helping the ambiguity issue).

On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> I hear you, but we’re trying to keep the values short for space reasons –
> just like other identifiers in JWTs.  Ultimately, the values aren’t
> meaningful without referring to the spec in the first place, so the place
> to beef up the meaning is in the description in the spec – not in the “amr”
> value.  If you’d like to suggest any edits in that regard, have at it!
>
>
>
>                                                             Thanks,
>
>                                                             -- Mike
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Friday, August 14, 2015 1:40 PM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] “amr” Values spec updated
>
>
>
> Looking good, thanks for putting this together.
>
>
>
> I wonder if we should say "risk_based" rather than just "risk" to avoid
> ambiguity (i.e. that it's not a risky authentication method, rather, it was
> risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
> logical story.
>
>
>
>
>
>
>
> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> I’ve updated the Authentication Method Reference Values spec to
> incorporate feedback received from the OAuth working group.  Changes were:
>
> ·        Added the values “mca” (multiple-channel authentication), “risk”
> (risk-based authentication), and “user” (user presence test).
>
> ·        Added citations in the definitions of Windows integrated
> authentication, knowledge-based authentication, risk-based authentication,
> multiple-factor authentication, one-time password, and proof-of-possession.
>
> ·        Alphabetized the values.
>
> ·        Added Tony Nadalin as an author and added acknowledgements.
>
>
>
> The specification is available at:
>
> =C2=B7        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>
>
>
> An HTML formatted version is also available at:
>
> ·        http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>
>
>
>                                                             -- Mike
>
>
>
> P.S.  This note was also posted at http://self-issued.info/?p=1437
> and as @selfissued.
>
>
>
>
>
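Mike's point that amr values are meaningful only by reference to the spec has a consequence for the relying party: a consumer should match the identifiers exactly against the registry and treat anything else as unsatisfied. Added example in Python, not code from the draft or from anyone in the thread; the registry set and the step-up policy it enforces are assumptions for illustration.

```python
"""Relying-party check of the "amr" (Authentication Methods References) claim.

Added example only; it is not code from the amr values draft or from any
participant in this thread. It works on an ID token payload that has ALREADY
been signature-verified and decoded to a dict, and it treats amr values as
opaque registry identifiers: matched exactly, never interpreted by their
English reading (so "risk" means whatever the spec defines, not "risky").
"""
from typing import FrozenSet, Iterable, Sequence

# Values mentioned in the thread: "mfa", "mca", "pwd", "otp", the newly added
# "risk" and "user", and "rba" as the proposed alternative spelling for
# "risk". This registry set is constructed for the example; a real deployment
# takes it from the published spec.
KNOWN_AMR_VALUES: FrozenSet[str] = frozenset(
    {"mfa", "mca", "pwd", "otp", "risk", "rba", "user"}
)

# A policy is a list of alternatives; each alternative is the set of amr
# values that must all be present. Constructed step-up policy: accept an
# explicit "mfa" assertion, or a password plus a one-time password.
Policy = Sequence[Iterable[str]]
STEP_UP_POLICY: Policy = (frozenset({"mfa"}), frozenset({"pwd", "otp"}))


def parse_amr(payload: dict) -> FrozenSet[str]:
    """Return the recognised amr values of a decoded token payload.

    OpenID Connect Core defines amr as an optional JSON array of strings.
    Anything that is not a list is treated as absent, and entries that are
    not strings or not in the registry are dropped, so an unknown or
    differently-cased value can never satisfy a policy by accident.
    """
    raw = payload.get("amr")
    if not isinstance(raw, list):
        return frozenset()
    return frozenset(v for v in raw if isinstance(v, str) and v in KNOWN_AMR_VALUES)


def amr_satisfies(amr: Iterable[str], policy: Policy) -> bool:
    """True when every value of at least one policy alternative is present."""
    present = frozenset(amr)
    return any(frozenset(alt) <= present for alt in policy)


def authorize_step_up(payload: dict) -> bool:
    """Decide whether a verified token payload meets STEP_UP_POLICY."""
    return amr_satisfies(parse_amr(payload), STEP_UP_POLICY)


if __name__ == "__main__":
    # Constructed payloads (no real tokens); only the amr claim matters here.
    samples = {
        "user mfa pwd otp": {"amr": ["user", "mfa", "pwd", "otp"]},
        "pwd otp": {"amr": ["pwd", "otp"]},
        "pwd risk": {"amr": ["pwd", "risk"]},   # risk-based is not a 2nd factor
        "pwd OTP": {"amr": ["pwd", "OTP"]},     # case-sensitive: "OTP" unknown
        "string amr": {"amr": "mfa"},           # malformed claim, not a list
        "no amr": {},
    }
    for label, payload in samples.items():
        verdict = "allowed" if authorize_step_up(payload) else "denied"
        print(f"{label:>16}: step-up {verdict}")
```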



From nobody Fri Aug 14 11:04:01 2015
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 14 Aug 2015 12:03:27 -0600
Message-ID: <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gXKM05f9Lt5tY-ZT4jwrFXPuJ3g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated

+1 for "rba"

On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com>
wrote:

> Fair point. RBA is a fairly common acronym for Risk-Based Authentication,
> how about going with "rba"? Would align with existing "mfa", "mca"
> definitions (while also saving 1 character and helping the ambiguity issue).
>
> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>> I hear you, but we’re trying to keep the values short for space reasons –
>> just like other identifiers in JWTs.  Ultimately, the values aren’t
>> meaningful without referring to the spec in the first place, so the place
>> to beef up the meaning is in the description in the spec – not in the “amr”
>> value.  If you’d like to suggest any edits in that regard, have at it!
>>
>>
>>
>>                                                             Thanks,
>>
>>                                                             -- Mike
>>
>>
>>
>> *From:* William Denniss [mailto:wdenniss@google.com]
>> *Sent:* Friday, August 14, 2015 1:40 PM
>> *To:* Mike Jones
>> *Cc:* oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] “amr” Values spec updated
>>
>>
>>
>> Looking good, thanks for putting this together.
>>
>>
>>
>> I wonder if we should say "risk_based" rather than just "risk" to avoid
>> ambiguity (i.e. that it's not a risky authentication method, rather, it was
>> risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
>> logical story.
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> I’ve updated the Authentication Method Reference Values spec to
>> incorporate feedback received from the OAuth working group.  Changes were:
>>
>> =C2=B7        Added the values =E2=80=9Cmca=E2=80=9D (multiple-channel a=
uthentication), =E2=80=9Crisk=E2=80=9D
>> (risk-based authentication), and =E2=80=9Cuser=E2=80=9D (user presence t=
est).
>>
>> =C2=B7        Added citations in the definitions of Windows integrated
>> authentication, knowledge-based authentication, risk-based authenticatio=
n,
>> multiple-factor authentication, one-time password, and proof-of-possessi=
on.
>>
>> =C2=B7        Alphabetized the values.
>>
>> =C2=B7        Added Tony Nadalin as an author and added acknowledgements=
.
>>
>>
>>
>> The specification is available at:
>>
>> =C2=B7        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2ftools=
.ietf.org%2fhtml%2fdraft-jones-oauth-amr-values-01&data=3D01%7c01%7cMichael=
.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141a=
f91ab2d7cd011db47%7c1&sdata=3DI5MFZbd1BMANLuVeDH24boBVJ1CSwybIg3P1RqTZweU%3=
d>
>>
>>
>>
>> An HTML formatted version is also available at:
>>
>> =C2=B7
>> http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fself-=
issued.info%2fdocs%2fdraft-jones-oauth-amr-values-01.html&data=3D01%7c01%7c=
Michael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf=
86f141af91ab2d7cd011db47%7c1&sdata=3DrpA2%2fLQGs5mdomEP4xBu7T9V4PWzVi2j8d1V=
TzPCCZg%3d>
>>
>>
>>
>>                                                             -- Mike
>>
>>
>>
>> P.S.  This note was also posted at http://self-issued.info/?p=3D1437
>> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fself-=
issued.info%2f%3fp%3d1437&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c=
1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&sda=
ta=3Dsv5HbcRW%2bjRbYcd71MRZBcFdks%2froaDqZ%2fqTKOJrJ%2fo%3d>
>> and as @selfissued
>> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftwit=
ter.com%2fselfissued&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f=
86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3D=
ex43UP5ytuIMsfe6SkABmPAvJbeOpXPbHQbnvixUNcQ%3d>
>> .
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.=
ietf.org%2fmailman%2flistinfo%2foauth&data=3D01%7c01%7cMichael.Jones%40micr=
osoft.com%7c1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af91ab2d7cd011=
db47%7c1&sdata=3DhlMpGbGhXBCYimtMJa9IfEzWSFqXRy3kKHN8Z%2bLxjn0%3d>
>>
>>
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--047d7bdc05f286cf88051d494614--
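
The thread above settles on short "amr" values such as "mfa", "pwd", "otp", "user" and "rba"; what it does not show is how a relying party consumes them. The following is an added example, not code from draft-jones-oauth-amr-values or from anyone on this thread: it verifies a constructed HS256 ID token, parses "amr" as the array of strings OpenID Connect Core defines it to be, and evaluates an MFA policy over the values. The token, shared key, issuer, and the decision that "pwd" and "otp" count as factors while "user", "risk"/"rba" and "mca" are context rather than factors are all assumptions of this example, not anything the draft specifies.

```python
"""Relying-party handling of the JWT "amr" claim (added example, not from the draft)."""
import base64
import hashlib
import hmac
import json

# Values named in the thread and in draft-jones-oauth-amr-values-01. Treating
# "pwd" and "otp" as factors and "user", "risk"/"rba" and "mca" as context is
# this example's own policy assumption, not something the draft specifies.
FACTOR_VALUES = {"pwd", "otp"}
CONTEXT_VALUES = {"user", "risk", "rba", "mca"}
MFA_ASSERTION = "mfa"


def _b64url_decode(part: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS with HS256 so the example runs offline (constructed input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256_token(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim, "amr" included."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm the RP expects instead of trusting the token's "alg".
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def parse_amr(claims: dict) -> list:
    """OpenID Connect Core 1.0 defines "amr" as an optional JSON array of
    case-sensitive strings; anything else is rejected rather than coerced."""
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be an array of strings')
    return amr


def meets_mfa_policy(amr: list) -> tuple:
    """Accept an explicit "mfa" assertion, or two distinct factor values.
    Context values never add up to a second factor; unknown values are
    ignored but reported, since their meaning needs the spec."""
    values = set(amr)
    if MFA_ASSERTION in values:
        return True, 'issuer asserted "mfa"'
    factors = values & FACTOR_VALUES
    if len(factors) >= 2:
        return True, "distinct factors: " + ", ".join(sorted(factors))
    unknown = sorted(values - FACTOR_VALUES - CONTEXT_VALUES)
    note = f"; unrecognised values ignored: {unknown}" if unknown else ""
    return False, f"only {len(factors)} factor(s) in {amr}{note}"


def decide(token: str, key: bytes) -> tuple:
    """Verify the token, then evaluate the policy on its "amr" claim."""
    return meets_mfa_policy(parse_amr(verify_hs256_token(token, key)))


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"  # constructed; a real RP uses the issuer's keys
    for amr in (["user", "mfa", "pwd", "otp"], ["pwd", "otp"], ["rba", "pwd"], ["mca", "user"]):
        token = make_hs256_token({"iss": "https://op.example", "sub": "alice", "amr": amr}, KEY)
        print(amr, decide(token, KEY))
```

The policy deliberately refuses to let "rba" or "user" stand in for a second factor: they describe how the authentication was qualified, not a credential the user presented, which is exactly the ambiguity the thread is trying to keep out of the value names. Signature verification comes first because "amr" is only as trustworthy as the token carrying it.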


From nobody Fri Aug 14 11:05:45 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E64D91A88FC for <oauth@ietfa.amsl.com>; Fri, 14 Aug 2015 11:05:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.459
X-Spam-Level: **
X-Spam-Status: No, score=2.459 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXXtQnyA71aq for <oauth@ietfa.amsl.com>; Fri, 14 Aug 2015 11:05:42 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0798.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:798]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABFEB1A88F3 for <oauth@ietf.org>; Fri, 14 Aug 2015 11:05:41 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Fri, 14 Aug 2015 18:05:35 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Fri, 14 Aug 2015 18:05:35 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, William Denniss <wdenniss@google.com>
Thread-Topic: [OAUTH-WG] “amr” Values spec updated
Thread-Index: AdDWQ1gyDLM4k4XkRyqlkp9xqb3+owAdOtmAAAAaBIAAAFiTAAAAXbqAAAAILFA=
Date: Fri, 14 Aug 2015 18:05:35 +0000
Message-ID: <BY2PR03MB4427BC11B16C961AE6173BBF57C0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com>
In-Reply-To: <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.95.140.212]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:J4nj9rw4N1eWQOFJxyI8QMDHfHqJUelAGxdFnnlFlpFwj8FA2h/JldMaoTJnEqXh+AhAEGB3S1yw/sy/fqE5pmr2EZFTlG+gpExXGJ5FTBpogi9Rw+DMyETUtFW2F8sUTAEbBdAK/i22VIZr41mBbA==; 24:mF8VuY0N876m3wTWmTq3J918jsskikC/ZSpwa7hkolE9+TvEvj6P5slhNt8ygrOoBEETezfu8yUTX9VvrLKUKagBts1gSa1U/sQo0VgoLsk=; 20:zfOgKGyhLt/YFVvdCSbkTnpxKEthqlWvwuUfZ+a66qD0hNmJ0MwYCchmd7IFYlVI+8CStUURHWGyHVZa5zNQSQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB441253614380329E3C02446F57C0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; 
x-forefront-prvs: 066898046A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(24454002)(164054003)(189002)(52604005)(199003)(54094003)(377454003)(77096005)(77156002)(40100003)(122556002)(92566002)(2900100001)(2950100001)(10090500001)(5001960100002)(86612001)(2420400006)(551544002)(99286002)(4001540100001)(62966003)(10290500002)(7110500001)(5001860100001)(10710500001)(10400500002)(5002640100001)(81156007)(8990500004)(5001830100001)(97736004)(5001770100001)(189998001)(15975445007)(102836002)(68736005)(76576001)(93886004)(2656002)(19617315012)(50986999)(54356999)(76176999)(5005710100001)(19609705001)(101416001)(106356001)(86362001)(19580395003)(46102003)(19300405004)(105586002)(16236675004)(33656002)(19580405001)(74316001)(66066001)(19625215002)(5003600100002)(87936001)(64706001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4427BC11B16C961AE6173BBF57C0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Aug 2015 18:05:35.3901 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/42wQepAv0azFViZu-cBo62rjEbc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 18:05:45 -0000

--_000_BY2PR03MB4427BC11B16C961AE6173BBF57C0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4427BC11B16C961AE6173BBF57C0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

OK – I’ve added “rba” to my to-do list for the next spec version.

                                                            -- Mike

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Friday, August 14, 2015 2:03 PM
To: William Denniss
Cc: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] “amr” Values spec updated

+1 for "rba"

On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com> wrote:

> Fair point. RBA is a fairly common acronym for Risk-Based Authentication,
> how about going with "rba"? Would align with existing "mfa", "mca"
> definitions (while also saving 1 character and helping the ambiguity issue).
>
> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> I hear you, but we’re trying to keep the values short for space reasons –
>> just like other identifiers in JWTs.  Ultimately, the values aren’t
>> meaningful without referring to the spec in the first place, so the place
>> to beef up the meaning is in the description in the spec – not in the “amr”
>> value.  If you’d like to suggest any edits in that regard, have at it!
>>
>>                                                             Thanks,
>>
>>                                                             -- Mike
>>
>> From: William Denniss [mailto:wdenniss@google.com]
>> Sent: Friday, August 14, 2015 1:40 PM
>> To: Mike Jones
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] “amr” Values spec updated
>>
>> Looking good, thanks for putting this together.
>>
>> I wonder if we should say "risk_based" rather than just "risk" to avoid
>> ambiguity (i.e. that it's not a risky authentication method, rather, it was
>> risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
>> logical story.
>>
>> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>
>> I’ve updated the Authentication Method Reference Values spec to
>> incorporate feedback received from the OAuth working group.  Changes were:
>>
>> ·        Added the values “mca” (multiple-channel authentication), “risk”
>> (risk-based authentication), and “user” (user presence test).
>>
>> ·        Added citations in the definitions of Windows integrated
>> authentication, knowledge-based authentication, risk-based authentication,
>> multiple-factor authentication, one-time password, and proof-of-possession.
>>
>> ·        Alphabetized the values.
>>
>> ·        Added Tony Nadalin as an author and added acknowledgements.
>>
>> The specification is available at:
>>
>> ·        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
cDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu
LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+QW4gSFRNTCBmb3JtYXR0
ZWQgdmVyc2lvbiBpcyBhbHNvIGF2YWlsYWJsZSBhdDo8bzpwPjwvbzpwPjwvcD4NCjxwPjxzcGFu
IHN0eWxlPSJmb250LWZhbWlseTpTeW1ib2wiPsK3PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNp
emU6Ny4wcHQiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOw0KPC9z
cGFuPjxhIGhyZWY9Imh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVjdGlvbi5vdXRsb29rLmNv
bS8/dXJsPWh0dHAlM2ElMmYlMmZzZWxmLWlzc3VlZC5pbmZvJTJmZG9jcyUyZmRyYWZ0LWpvbmVz
LW9hdXRoLWFtci12YWx1ZXMtMDEuaHRtbCZhbXA7ZGF0YT0wMSU3YzAxJTdjTWljaGFlbC5Kb25l
cyU0MG1pY3Jvc29mdC5jb20lN2MxZjIxZjg2ZjRlNGE0ODU4ZGZmOTA4ZDJhNGNmNzFmMyU3Yzcy
Zjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdjMSZhbXA7c2RhdGE9cnBBMiUyZkxRR3M1
bWRvbUVQNHhCdTdUOVY0UFd6VmkyajhkMVZUelBDQ1pnJTNkIiB0YXJnZXQ9Il9ibGFuayI+aHR0
cDovL3NlbGYtaXNzdWVkLmluZm8vZG9jcy9kcmFmdC1qb25lcy1vYXV0aC1hbXItdmFsdWVzLTAx
Lmh0bWw8L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNv
LW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0
eWxlPSJjb2xvcjojODg4ODg4Ij4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1i
b3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojODg4ODg4Ij4mbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg
LS0gTWlrZTwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5i
c3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdp
bi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPlAuUy4mbmJzcDsgVGhp
cyBub3RlIHdhcyBhbHNvIHBvc3RlZCBhdA0KPGEgaHJlZj0iaHR0cHM6Ly9uYTAxLnNhZmVsaW5r
cy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cCUzYSUyZiUyZnNlbGYtaXNzdWVkLmlu
Zm8lMmYlM2ZwJTNkMTQzNyZhbXA7ZGF0YT0wMSU3YzAxJTdjTWljaGFlbC5Kb25lcyU0MG1pY3Jv
c29mdC5jb20lN2MxZjIxZjg2ZjRlNGE0ODU4ZGZmOTA4ZDJhNGNmNzFmMyU3YzcyZjk4OGJmODZm
MTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdjMSZhbXA7c2RhdGE9c3Y1SGJjUlclMmJqUmJZY2Q3MU1S
WkJjRmRrcyUyZnJvYURxWiUyZnFUS09KckolMmZvJTNkIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRw
Oi8vc2VsZi1pc3N1ZWQuaW5mby8/cD0xNDM3PC9hPiBhbmQgYXMgPGEgaHJlZj0iaHR0cHM6Ly9u
YTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cHMlM2ElMmYlMmZ0
d2l0dGVyLmNvbSUyZnNlbGZpc3N1ZWQmYW1wO2RhdGE9MDElN2MwMSU3Y01pY2hhZWwuSm9uZXMl
NDBtaWNyb3NvZnQuY29tJTdjMWYyMWY4NmY0ZTRhNDg1OGRmZjkwOGQyYTRjZjcxZjMlN2M3MmY5
ODhiZjg2ZjE0MWFmOTFhYjJkN2NkMDExZGI0NyU3YzEmYW1wO3NkYXRhPWV4NDNVUDV5dHVJTXNm
ZTZTa0FCbVBBdkpiZU9wWFBiSFFibnZpeFVOY1ElM2QiIHRhcmdldD0iX2JsYW5rIj4NCkBzZWxm
aXNzdWVkPC9hPi48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bWFyZ2luLWJvdHRvbToxMi4w
cHQiPjxicj4NCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
PGJyPg0KT0F1dGggbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0ibWFpbHRvOk9BdXRoQGlldGYu
b3JnIiB0YXJnZXQ9Il9ibGFuayI+T0F1dGhAaWV0Zi5vcmc8L2E+PGJyPg0KPGEgaHJlZj0iaHR0
cHM6Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cHMlM2El
MmYlMmZ3d3cuaWV0Zi5vcmclMmZtYWlsbWFuJTJmbGlzdGluZm8lMmZvYXV0aCZhbXA7ZGF0YT0w
MSU3YzAxJTdjTWljaGFlbC5Kb25lcyU0MG1pY3Jvc29mdC5jb20lN2MxZjIxZjg2ZjRlNGE0ODU4
ZGZmOTA4ZDJhNGNmNzFmMyU3YzcyZjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdjMSZh
bXA7c2RhdGE9aGxNcEdiR2hYQkNZaW10TUphOUlmRXpXU0ZxWFJ5M2tLSE44WiUyYkx4am4wJTNk
IiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9v
YXV0aDwvYT48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5
bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4m
bmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9k
aXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K
PC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdp
bi1ib3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fXzxicj4NCk9BdXRoIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0
bzpPQXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8L2E+PGJyPg0KPGEgaHJlZj0iaHR0cHM6
Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cHMlM2ElMmYl
MmZ3d3cuaWV0Zi5vcmclMmZtYWlsbWFuJTJmbGlzdGluZm8lMmZvYXV0aCZhbXA7ZGF0YT0wMSU3
YzAxJTdjTWljaGFlbC5Kb25lcyU0MG1pY3Jvc29mdC5jb20lN2NjZDA1N2U4NmY2Zjg0NTg2MmQ4
MDA4ZDJhNGQyYjk1MyU3YzcyZjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdjMSZhbXA7
c2RhdGE9QVVjN21LTHJFV0lPM2oxZ2tXRmFqUTJscW41TmJ3NzltNmFrUFR3YmFNTSUzZCIgdGFy
Z2V0PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGg8
L2E+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5i
c3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg==

--_000_BY2PR03MB4427BC11B16C961AE6173BBF57C0BY2PR03MB442namprd_--


From nobody Fri Aug 14 12:10:28 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54B001A3BA2 for <oauth@ietfa.amsl.com>; Fri, 14 Aug 2015 12:10:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.76
X-Spam-Level: *
X-Spam-Status: No, score=1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gl6kWGSiIm3b for <oauth@ietfa.amsl.com>; Fri, 14 Aug 2015 12:10:25 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DACE01A8824 for <oauth@ietf.org>; Fri, 14 Aug 2015 12:08:31 -0700 (PDT)
Received: by qgj62 with SMTP id 62so57887527qgj.2 for <oauth@ietf.org>; Fri, 14 Aug 2015 12:08:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=1KJ3fS7FB7FHoyh36t5o1MzQPCCZsxKNqJLK31l+vAs=; b=dmElsIFl3uXk74/9Dc2IcGBzcgIEoR4aOlw2pCHlyInmzC0p0+F8qCyEpNMCgNy3CY LviUoSRS8kN7ZdATK+PZNEQP/vjoZS+9SkUYz79eW+oyMXGifCpzGA1nZqcjzvrV6qgx p1L2NpQECwT51aBMM9heUcrscme0UACAcoRgflRLEQnQo1mYnLK8egXgpnftrlyausSi Fy1j+uvNJ99lKHz6eKH6SA1xWzVTMwfwiA6Os3WL6XG1808gTavlgsh2ysXbrfDT7mI9 UfjstoFuV+LqQQHCPsiToTG/ciRUUDmqzMKc+K6PWNNfIPY80O5wpjBwLtcK4or+h2C8 dwmQ==
X-Gm-Message-State: ALoCoQnP9H9Fk2qpm/mGVHpif8RvIfwoXi3dDF0H0ZXBYxdSxz8U3ydXJb/1ZmTJHeoFSvgJhufn
X-Received: by 10.140.218.133 with SMTP id o127mr82830589qhb.67.1439579311118;  Fri, 14 Aug 2015 12:08:31 -0700 (PDT)
Received: from [192.168.1.43] (181-163-79-124.baf.movistar.cl. [181.163.79.124]) by smtp.gmail.com with ESMTPSA id t2sm3317912qki.24.2015.08.14.12.08.24 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 14 Aug 2015 12:08:29 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_493CE769-1D00-4DF5-AFDC-BF5A30BF3BAB"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com>
Date: Fri, 14 Aug 2015 16:08:08 -0300
Message-Id: <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Y1fvyifvxrIcIF5g7XRsXd0Hiqw>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 19:10:27 -0000

--Apple-Mail=_493CE769-1D00-4DF5-AFDC-BF5A30BF3BAB
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_6F280665-6581-4328-9A7E-E3C578B2523D"


--Apple-Mail=_6F280665-6581-4328-9A7E-E3C578B2523D
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

+1

> On Aug 14, 2015, at 3:03 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> +1 for "rba"
>
> On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
> Fair point. RBA is a fairly common acronym for Risk-Based Authentication, how about going with "rba"? Would align with existing "mfa", "mca" definitions (while also saving 1 character and helping the ambiguity issue).
>
> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
> I hear you, but we’re trying to keep the values short for space reasons – just like other identifiers in JWTs.  Ultimately, the values aren’t meaningful without referring to the spec in the first place, so the place to beef up the meaning is in the description in the spec – not in the “amr” value.  If you’d like to suggest any edits in that regard, have at it!
>
>                                                             Thanks,
>
>                                                             -- Mike
>
> From: William Denniss [mailto:wdenniss@google.com <mailto:wdenniss@google.com>]
> Sent: Friday, August 14, 2015 1:40 PM
> To: Mike Jones
> Cc: oauth@ietf.org <mailto:oauth@ietf.org>
> Subject: Re: [OAUTH-WG] “amr” Values spec updated
>
> Looking good, thanks for putting this together.
>
> I wonder if we should say "risk_based" rather than just "risk" to avoid ambiguity (i.e. that it's not a risky authentication method, rather, it was risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a logical story.
>
> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>
> I’ve updated the Authentication Method Reference Values spec to incorporate feedback received from the OAuth working group.  Changes were:
>
> · Added the values “mca” (multiple-channel authentication), “risk” (risk-based authentication), and “user” (user presence test).
>
> · Added citations in the definitions of Windows integrated authentication, knowledge-based authentication, risk-based authentication, multiple-factor authentication, one-time password, and proof-of-possession.
>
> · Alphabetized the values.
>
> · Added Tony Nadalin as an author and added acknowledgements.
>
> The specification is available at:
>
> · http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>
> An HTML formatted version is also available at:
>
> · http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>
>                                                             -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1437 and as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
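As an added example (not code from the draft or from anyone in the thread), here is what the consuming side of this discussion looks like: a relying party checking an ID token's "amr" array against a login policy, using only the value names the thread mentions and reporting any value it does not recognise, since a value carries no meaning without the spec that defines it. The policy rule that "risk"/"rba" and "user" never count as factors, the "risk" to "rba" alias, the reading of "pwd" as password, and the sample token are assumptions made for this example.

```python
"""Relying-party check of the "amr" (Authentication Method Reference) claim.

Added example for the thread above, not code from the draft's authors.
Assumptions (not from the page): the policy rules, the "pwd" = password
reading, and the sample token are constructed here; the caller has already
verified the token signature and the iss/aud/exp claims, so only the unsigned
payload segment is decoded.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Values named in the thread (draft-jones-oauth-amr-values-01) with the
# descriptions the thread gives them; "rba" is the name proposed for "risk".
KNOWN_AMR_VALUES: Dict[str, str] = {
    "mca": "multiple-channel authentication",
    "mfa": "multiple-factor authentication",
    "otp": "one-time password",
    "pwd": "password (assumed reading of the value used in the thread)",
    "risk": "risk-based authentication (name used in draft -01)",
    "rba": "risk-based authentication (name proposed in the thread)",
    "user": "user presence test",
}

# Policy assumption for this example: risk-based authentication and a user
# presence test qualify how a login was done but do not by themselves prove a
# credential was presented, so they never count towards the factor minimum.
NON_FACTOR_VALUES: Set[str] = {"risk", "rba", "user"}

# Accept the draft -01 spelling wherever a policy is written for "rba".
ALIASES: Dict[str, str] = {"risk": "rba"}


@dataclass
class AmrDecision:
    accepted: bool
    recognised: Set[str] = field(default_factory=set)
    unknown: Set[str] = field(default_factory=set)
    reason: str = ""


def decode_unverified_payload(jwt: str) -> dict:
    """Base64url-decode the payload of a compact JWS; no signature check here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_amr(claims: dict) -> List[str]:
    """The amr claim is a JSON array of case-sensitive strings; reject any other shape."""
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be an array of strings')
    return amr


def evaluate_amr(claims: dict, require_any: Set[str],
                 min_factors: int = 1) -> AmrDecision:
    """Accept when at least one of require_any is present and enough distinct
    factor-type values are present. Unknown values are reported, never counted:
    as the thread says, a value is meaningless without the spec defining it."""
    values = {ALIASES.get(v, v) for v in parse_amr(claims)}
    recognised = {v for v in values if v in KNOWN_AMR_VALUES}
    unknown = values - recognised
    factors = recognised - NON_FACTOR_VALUES
    wanted = {ALIASES.get(v, v) for v in require_any}
    if not recognised & wanted:
        return AmrDecision(False, recognised, unknown,
                           f"none of {sorted(wanted)} present")
    if len(factors) < min_factors:
        return AmrDecision(False, recognised, unknown,
                           f"only {len(factors)} factor value(s), need {min_factors}")
    return AmrDecision(True, recognised, unknown, "policy satisfied")


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not from the page): the "amr" array is the
# "user mfa pwd otp" story from the thread; the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://issuer.example", "sub": "248289761001",
             "amr": ["user", "mfa", "pwd", "otp"]}),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_unverified_payload(SAMPLE_TOKEN)
    print(evaluate_amr(claims, require_any={"mfa"}, min_factors=2))
    print(evaluate_amr({"amr": ["risk"]}, require_any={"rba"}))
```

Run against the sample token the "user mfa pwd otp" story satisfies a two-factor policy, while a token carrying only "risk" is recognised (via the "rba" alias) but rejected because no factor-type value is present.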


--Apple-Mail=_6F280665-6581-4328-9A7E-E3C578B2523D--

--Apple-Mail=_493CE769-1D00-4DF5-AFDC-BF5A30BF3BAB
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp
Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xp
ZW50IENBAgJIBzAJBgUrDgMCGgUAoIIBrTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0xNTA4MTQxOTA4MDhaMCMGCSqGSIb3DQEJBDEWBBQZ/xT7qngkg4BH6h3yb0y/
KwUjIjCBpAYJKwYBBAGCNxAEMYGWMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRD
b20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYG
A1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAkgH
MIGmBgsqhkiG9w0BCRACCzGBlqCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29t
IEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgJIBzAN
BgkqhkiG9w0BAQEFAASCAQCgcotXLbt/aYVMrktbZbHLZQkWQiGH1r5jSVUtc9ldIINIkDaLPIZM
i4aKFgk2tKTuTAwrfutfuplXchQ9iJI4jI8CRS1sNqiu0YmBlWBJaf0d/WPu9CZDBbIk2LV+M2wI
lOfgykfd6TOCd5lrOd3Gvial8R333zc+Jb8taTBSRxPpVOaDOHi/oulYhCvAlVKAfd0IwPIFUNzD
0DLvIvQFjI75Itvv5gGWvvZqkMRxKgLfMcacXPf7Q3kcdZloeVuBSaoZvTReYBjwzeQhfuaMK/ci
CnXb3QHFjL4C3Lz9J3o20IY6IBBipOQbXkpxVPQs/mLjKY7ivO4ceedAeMiXAAAAAAAA
--Apple-Mail=_493CE769-1D00-4DF5-AFDC-BF5A30BF3BAB--


From nobody Fri Aug 14 12:21:07 2015
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com>
Date: Fri, 14 Aug 2015 12:20:56 -0700
Message-Id: <FAC117A7-658D-4D36-A969-E5D29ECBF2CC@oracle.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com> <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/j6Gh-Fn90Qr1Fk4oFwEZlSNIIxA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated


+1

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Aug 14, 2015, at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> +1
> 
>> On Aug 14, 2015, at 3:03 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> 
>> +1 for "rba"
>> 
>> On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com> wrote:
>> Fair point. RBA is a fairly common acronym for Risk-Based Authentication, how about going with "rba"? Would align with existing "mfa", "mca" definitions (while also saving 1 character and helping the ambiguity issue).
>> 
>> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> I hear you, but we’re trying to keep the values short for space reasons – just like other identifiers in JWTs.  Ultimately, the values aren’t meaningful without referring to the spec in the first place, so the place to beef up the meaning is in the description in the spec – not in the “amr” value.  If you’d like to suggest any edits in that regard, have at it!
>> 
>>                                                             Thanks,
>>                                                             -- Mike
>> 
>> From: William Denniss [mailto:wdenniss@google.com]
>> Sent: Friday, August 14, 2015 1:40 PM
>> To: Mike Jones
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] “amr” Values spec updated
>> 
>> Looking good, thanks for putting this together.
>> 
>> I wonder if we should say "risk_based" rather than just "risk" to avoid ambiguity (i.e. that it's not a risky authentication method, rather, it was risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a logical story.
>> 
>> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>> I’ve updated the Authentication Method Reference Values spec to incorporate feedback received from the OAuth working group.  Changes were:
>> 
>> · Added the values “mca” (multiple-channel authentication), “risk” (risk-based authentication), and “user” (user presence test).
>> · Added citations in the definitions of Windows integrated authentication, knowledge-based authentication, risk-based authentication, multiple-factor authentication, one-time password, and proof-of-possession.
>> · Alphabetized the values.
>> · Added Tony Nadalin as an author and added acknowledgements.
>> 
>> The specification is available at:
>> · http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>> 
>> An HTML formatted version is also available at:
>> · http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>> 
>>                                                             -- Mike
>> 
>> P.S.  This note was also posted at http://self-issued.info/?p=1437 and as @selfissued <https://twitter.com/selfissued>.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
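As an added illustration, not code from this thread or from the draft, here is how a relying party might consume the "amr" values being named above: it reads the claim from already signature-verified ID token claims, rejects malformed shapes, ignores unregistered strings, and evaluates a step-up policy. The allow-list, the "risk" to "rba" alias, and the policy itself are assumptions made for this example.

```python
from __future__ import annotations

import json

# Short "amr" values that appear in this thread (draft-jones-oauth-amr-values-01
# plus the "rba" spelling proposed for "risk"); a constructed allow-list for this
# example, not the draft's own registry.
KNOWN_AMR = frozenset({"mca", "mfa", "otp", "pwd", "rba", "risk", "user"})

# Transitional alias: a token minted against the earlier spelling still maps to
# the value the policy is written in (an assumption for this example).
AMR_ALIASES = {"risk": "rba"}


def parse_amr(claims: dict) -> list[str]:
    """Extract "amr" from verified ID token claims.

    "amr" is an optional JSON array of case-sensitive strings. Anything else
    (a bare string, numbers, null entries) is rejected rather than coerced, so a
    malformed token cannot satisfy a policy by accident.
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be a JSON array of strings')
    return [AMR_ALIASES.get(v, v) for v in amr]


def unknown_amr_values(amr: list[str]) -> list[str]:
    """Values outside the allow-list; worth logging, never worth granting for."""
    return sorted(set(amr) - KNOWN_AMR)


def satisfies(amr: list[str], any_of: tuple = (), all_of: tuple = ()) -> bool:
    """True when the token asserts at least one of any_of and all of all_of.

    Only known values count, so an unregistered string such as "superstrong"
    can never satisfy a requirement on its own.
    """
    present = set(amr) & KNOWN_AMR
    any_ok = not any_of or bool(present & set(any_of))
    all_ok = set(all_of) <= present
    return any_ok and all_ok


def check_step_up(claims: dict) -> dict:
    """Worked policy: a sensitive operation needs either an explicit "mfa"
    assertion or both a knowledge factor ("pwd") and a possession factor
    ("otp"), plus a user-presence test ("user"). Returns a structured decision."""
    amr = parse_amr(claims)
    strong = satisfies(amr, any_of=("mfa",)) or satisfies(amr, all_of=("pwd", "otp"))
    return {
        "amr": amr,
        "unknown": unknown_amr_values(amr),
        "allow": strong and satisfies(amr, all_of=("user",)),
    }


if __name__ == "__main__":
    # Constructed claims, as a JWT library would return them after the
    # signature check; the thread's "user mfa pwd otp" story passes.
    sample = json.loads('{"sub": "248289761001", "amr": ["user", "mfa", "pwd", "otp"]}')
    print(check_step_up(sample))
    # A password plus a risk score alone is not step-up strength.
    print(check_step_up({"sub": "248289761001", "amr": ["pwd", "risk"]}))
```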




From nobody Tue Aug 18 12:33:30 2015
From: Anthony Nadalin <tonynad@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] confirmation model in proof-of-possession-02
Thread-Index: AQHQZYOD0VzQmZ5DUUSae0pqRu1svp4HC82AgACUbgCAAAgfAIAANa6AgABQvQCAAAhXgIAK1Y1w
Date: Tue, 18 Aug 2015 19:33:23 +0000
Message-ID: <BN3PR0301MB12345C6A01491641142A932CA6780@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com> <DEDB6AE5-EEBD-438B-A088-F24FFEB0623A@ve7jtb.com> <CAHbuEH4-ANr4eTaZ0ATwiieYJyG8fwn3C_-HtUm3Q6bMhJ2ReA@mail.gmail.com>
In-Reply-To: <CAHbuEH4-ANr4eTaZ0ATwiieYJyG8fwn3C_-HtUm3Q6bMhJ2ReA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tonynad@microsoft.com; 
x-originating-ip: [2001:4898:80e8:7::1dd]
x-microsoft-exchange-diagnostics: 1; BN3PR0301MB1233; 5:6OJxvCMRYMcxmCVuFFvj1+sDLNO5PE7/OTG1EqZtOU9DcA3zVD8PXGtRtlnSSNf8SbjYeEqUCpv5Rsz2lIDo48n/edXF35QpCPeRgAYqN62ztbJYqJJV/fg/CQGR1sW7/ZxpKD6Oi4n34bHvTDHg6Q==; 24:iHtvHMIExImZI0uJCjb+AnH7bXrnFtqu2cX2kEW13w+si3l6+8MvJfDdnxZrDYd3c/Nd++TIGzWmcqCMHhG23gkiUsEF/n7CmOqcMlbFaUU=; 20:/itw3slJx6HjNqwhQFY6CiroxZnq1xKxWIJK8IF0+MJn26igz1slfVUekSh0emQxZJyAQ53H6cuvlKCPE0RxJg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1233;
x-microsoft-antispam-prvs: <BN3PR0301MB1233E9F144EC76285AF476A1A6780@BN3PR0301MB1233.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(8121501046)(5005006)(3002001); SRVR:BN3PR0301MB1233;  BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1233; 
x-forefront-prvs: 067270ECAF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(199003)(24454002)(189002)(54164003)(51444003)(10090500001)(5001960100002)(561944003)(189998001)(93886004)(2900100001)(2656002)(54356999)(76176999)(50986999)(5003600100002)(230783001)(68736005)(74316001)(86612001)(77156002)(64706001)(5002640100001)(62966003)(2950100001)(86362001)(106356001)(10400500002)(105586002)(15975445007)(10290500002)(40100003)(101416001)(575784001)(5001770100001)(81156007)(5005710100001)(19580395003)(97736004)(5001860100001)(19580405001)(8990500004)(122556002)(99286002)(77096005)(76576001)(5001830100001)(102836002)(4001540100001)(46102003)(92566002)(33656002)(87936001)(106116001)(3826002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1233; H:BN3PR0301MB1234.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2015 19:33:23.8471 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB1233
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ywVPsYXFMbeWIDFRc2LZ0jL7UF8>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 19:33:29 -0000
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From nobody Tue Aug 18 13:57:57 2015
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736B31AC3AD for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 13:57:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level: 
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2EMEGNAKZ6f for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 13:57:52 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8271F1AC3B5 for <oauth@ietf.org>; Tue, 18 Aug 2015 13:57:46 -0700 (PDT)
Received: by igxp17 with SMTP id p17so90827193igx.1 for <oauth@ietf.org>; Tue, 18 Aug 2015 13:57:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=99iDpbTE2uXZzpSjHdL0eQFieLQJboA5Pg8VL3Za9EI=; b=G6yhjf3Gy+seBcbK+Kpxg6u0cCc2FBu7xcI1LZK5ziuJShjdYC04bvglKPKvxsotj9 0uci6QxERT37PMkXrmHkG5xX0gJSofsUy/+fLoBVb0uKXa1owRXLH5NNEGbMzDqvOeet Wi+MtNXQa/7e47aagWUpcaYTQ8an8DO12XqpI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=99iDpbTE2uXZzpSjHdL0eQFieLQJboA5Pg8VL3Za9EI=; b=MF3f+dA5tDk/6ARU////GLUljIbbgAemfLDc4qKKUus7XdCmT8545gN1QvS34ufusD AAuSmHtMWzerWiGn2hh7qQw7fCzbu5cOtT3qDinwE13F65F6e1Nw7M1DikmFAuRHITN/ 7+U4L+I+V65J43ZNIoSM0VeOZlI2vGBoM90UUULy/WgaM0nVxeYde7F8UXvfB2jwTI0+ i1+lLc/H/92TI4btp3AdyGU6UM3IICDYixTDofmsmp4neL621/NvAkPM2XKALGtpVtUG WSnAMCwJq8VF37unJYOivOjc5qCwyBusC9Y6LpcUiUSMbmRpq+ECSJ4xFbuXrhUSqmAC b+QA==
X-Gm-Message-State: ALoCoQnPeYzddEL03Q8M9xpkmSAMyJD7NdowXS121J8V0hyn1rE2Qh2ZOqztSB0MwAnXZd1PPv/a
X-Received: by 10.50.50.175 with SMTP id d15mr24561417igo.18.1439931465865; Tue, 18 Aug 2015 13:57:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Tue, 18 Aug 2015 13:57:16 -0700 (PDT)
In-Reply-To: <BN3PR0301MB12345C6A01491641142A932CA6780@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com> <DEDB6AE5-EEBD-438B-A088-F24FFEB0623A@ve7jtb.com> <CAHbuEH4-ANr4eTaZ0ATwiieYJyG8fwn3C_-HtUm3Q6bMhJ2ReA@mail.gmail.com> <BN3PR0301MB12345C6A01491641142A932CA6780@BN3PR0301MB1234.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 18 Aug 2015 14:57:16 -0600
Message-ID: <CA+k3eCR2+MEY9KWPRDOaPLhcLZ-_j_tLa3ZjSUHM+Ge2_cw5GQ@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=047d7b2e549c864117051d9c2b85
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/OrZuHznUmCw5OgIapSzZtLySaLo>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 20:57:56 -0000

--047d7b2e549c864117051d9c2b85
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Seems the consensus here is clearly in favor of keeping the "cnf" claim as
it is. I'll let the flattening suggestion go gentle into that good night.

On Tue, Aug 18, 2015 at 1:33 PM, Anthony Nadalin <tonynad@microsoft.com>
wrote:

> I would rather just keep the "cnf" claim rather than flatten the structure
> since we are already using the "cnf" in production with the XBOX One. We
> are also using multiple confirmation keys and using the "cnf" claim makes
> it easier to have multiple confirmation keys (by just defining a new claim
> to hold each confirmation key, using the same structure as "cnf").
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kathleen Moriarty
> Sent: Tuesday, August 11, 2015 3:00 PM
> To: John Bradley <ve7jtb@ve7jtb.com>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
>
> On Tue, Aug 11, 2015 at 5:30 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> > I think Brian also argued that flattening would save a registry, and
> > be easier to process in the default case.
> >
> > I don’t really buy the argument that having a cnf object makes it that
> > much harder to process.  I think it is stylistically better json to
> > keep the elements together so that they can be extended separately
> > from the main JWT claim space.
> >
> > Having two confirmation elements could be done flat but I think that
> > gets even more messy.
> >
> > I understand Brian's arguments, however prefer having a cnf object with
> > no array.
> >
> > I have to agree with his observation that we should keep away from
> > promoting multiple confirmation elements as it adds to complexity and
> > interoperability issues.
> > Better to make one work well and allow for an extension for those
> > cases that really need it.
> >
> > I think the SAML subject confirmation is too complex for most people
> > who use it to really understand all the combinations of options.
>
> Thanks to all for the additional discussion/explanation.  If others want
> to weigh in, please do so.
>
> Best regards,
> Kathleen
>
> >
> > John B.
> >
> >
> > On Aug 11, 2015, at 1:41 PM, Brian Campbell
> > <bcampbell@pingidentity.com>
> > wrote:
> >
> > I took Nat's "+1" as support for flattening things into individual
> > claims like "cjwe", "cjwk" and "ckid". Maybe that's just confirmation
> > bias on my part. But it'd be interesting to get Nat's actual opinion
> > as opposed to his assumed or implied opinion. Nat?
> >
> > It seems to me that it's really a question of aesthetics because the
> > arguments in favor of the structured claim approach that cite
> > flexibility or the ability to "carry more than one confirmation key or
> > key descriptor" are erroneous. Both approaches can carry more than one
> > as long as they are different types and both can achieve additional
> > flexibility by adding new names for things (all of which, I suspect,
> > will be very unlikely to happen anyway). My suggestion to flatten was
> > an attempt at simplification. And I do think it would simplify. But
> > that's only my opinion. If folks prefer the aesthetics and structure
> > of the "cnf" as currently defined and feel it's easier to comprehend,
> > I can live with that. All the rest of the justification, however, just
> > obscures things.
> >
> > To Kathleen's request, the thread index is
> > http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14854
> > and starts with
> > http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html.
> > The consensus therein seems to be to leave things as they are (though only
> > John, Mike and I participated and I was the minority opinion).
> >
> >
> >
> >
> >
> > On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones
> > <Michael.Jones@microsoft.com>
> > wrote:
> >>
> >> Brian's note contained two suggestions, which I'll address separately.
> >>
> >> The first was to have "cnf" contain an array of values rather than
> >> individual values.  But even he said "I'm not sure the extra
> >> complexity is worth it though. I've rarely, if ever, seen SAML
> >> assertions that make use of it."  I took Nat's +1 as an agreement
> >> that the complexity of array values isn't worth it, and shouldn't be
> >> introduced.  No one else has since spoken up for having the "cnf"
> >> claim contain array values, and Brian only mentioned it as a
> possibility but dismissed it as too complex.
> >>
> >> The second was to not have the "cnf" claim at all, but instead to
> >> flatten things so that the "cnf" elements would become individual
> >> claims, along the lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.
> >> This was discussed in the thread "[OAUTH-WG] JWT PoP Key Semantics
> >> WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)"
> >> - for instance, John Bradley's message
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html
> >> in which he stated that "flattening would be a bad direction".  Nat also
> >> implicitly endorsed keeping "cnf" in his WGLC review comments in
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html,
> >> in his comment "Since 'cnf' appears before 3.4, it may be better to bring
> >> 3.4 at the front."  He suggested changing the location of "cnf" in the
> >> document - not removing it, as Brian's flattening suggestion would have
> >> done.
> >>
> >> Tony Nadalin also earlier had spoken about the need to support use
> >> cases in which there would be multiple proof-of-possession keys.
> >> Among other places, he alluded to this in his note
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html
> >> in which he wrote "Is this proposal also
> >> limited to a single key for both asymmetric and symmetric?".  This is
> >> pertinent because as I wrote in the first thread mentioned at
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html,
> >> "Part of the reasoning for using a structured confirmation claim, rather
> >> than flattening the confirmation claim into the top-level JWT claims set,
> >> is that a JWT may carry more than one confirmation key or key descriptor" -
> >> per Tony's use cases.  John Bradley's note agreeing that flattening would
> >> be a bad direction was a response to that.
> >>
> >>                                 -- Mike
> >>
> >> -----Original Message-----
> >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> >> Sent: Tuesday, August 11, 2015 6:00 AM
> >> To: Mike Jones
> >> Cc: Brian Campbell; oauth
> >> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
> >>
> >> On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones
> >> <Michael.Jones@microsoft.com>
> >> wrote:
> >> > There didn’t seem to be support for having cnf contain array values.
> >> > Instead, as discussed in the thread “[OAUTH-WG] JWT PoP Key
> >> > Semantics WGLC followup 3 (was Re: confirmation model in
> >> > proof-of-possession-02)”, if different keys are being confirmed,
> >> > they can define additional claims other than “cnf” using the same
> >> > structure as “cnf” to represent those confirmations.  Indeed, those
> >> > other claims could be array-valued, if appropriate.  The reasons
> >> > for having a structured “cnf” claim, rather than a set of flattened
> >> > claim values, were also discussed in that thread.
> >>
> >> Can you send the link to that thread and the result if it differs
> >> from what Brian and Nat agree on?  I'd like to know that there is
> >> enough to determine consensus on this point.
> >>
> >> Thanks!
> >> Kathleen
> >> >
> >> >
> >> >
> >> >                                                             Thanks
> >> > again,
> >> >
> >> >                                                             -- Mike
> >> >
> >> >
> >> >
> >> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian
> >> > Campbell
> >> > Sent: Monday, March 23, 2015 9:07 AM
> >> > To: oauth
> >> > Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
> >> >
> >> >
> >> >
> >> > This is mostly about section 3.4 but also the whole draft.
> >> >
> >> >
> >> > If "cnf" is intended to be analogous to the SAML 2.0
> >> > SubjectConfirmation element, it should probably contain an array
> >> > value rather than an object value. SAML allows not just for
> >> > multiple methods of confirming but for multiple instances of the
> >> > same method. IIRC, only one confirmation needs to be confirmable.
> >> >
> >> > I'm not sure the extra complexity is worth it though. I've rarely,
> >> > if ever, seen SAML assertions that make use of it.
> >> >
> >> > If the intent is just to allow for different kinds of confirmation,
> >> > couldn't the structure be pared down and simplified and just have
> >> > individual claims for the different confirmation types? Like "cjwk"
> >> > and "ckid" or similar that have the jwk or kid value respectively
> >> > as the member value.
> >> >
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >>
> >>
> >>
> >> --
> >>
> >> Best regards,
> >> Kathleen
> >
> >
>
>
>
> --
>
> Best regards,
> Kathleen
>
>
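The structured-versus-flattened question the thread argues over, as an added example in Python (not code from the draft, the working group or any poster): a resource-server-side parser for the structured "cnf" claim beside one for Brian's flattened "cjwk"/"ckid" form, plus a second structured claim showing the extension path Tony and Mike describe. The member names "jwk", "jwe" and "kid" are the draft's; the claim name "cnf_enc", the kid values and the key material are constructed for the example.

```python
"""Structured "cnf" claim versus flattened confirmation claims.

Added example for this thread, not code from the draft or from any poster.
"jwk", "jwe" and "kid" are the draft's "cnf" members; "cjwk", "cjwe", "ckid"
are the flattened names Brian floated; "cnf_enc" and all key values are
constructed for this example.
"""
import json

# Confirmation methods the draft defines as members of the structured "cnf" object.
CNF_METHODS = ("jwk", "jwe", "kid")

# Brian's flattened alternative: one top-level claim per method (hypothetical names).
FLAT_CLAIMS = {"cjwk": "jwk", "cjwe": "jwe", "ckid": "kid"}


class ConfirmationError(ValueError):
    """The token carries no usable proof-of-possession confirmation."""


def confirmation_from_structured(claims, claim_name="cnf"):
    """Return {method: value} from a structured confirmation claim.

    The claim name is a parameter so the same parser serves a second claim
    that reuses the "cnf" layout, the extension path Tony and Mike describe
    for tokens confirming more than one key. An array value is rejected:
    the thread settled on an object, not an array.
    """
    cnf = claims.get(claim_name)
    if cnf is None:
        raise ConfirmationError(f"missing {claim_name!r} claim")
    if not isinstance(cnf, dict):
        raise ConfirmationError(f"{claim_name!r} must be a JSON object")
    methods = {m: cnf[m] for m in CNF_METHODS if m in cnf}
    if not methods:
        raise ConfirmationError(f"{claim_name!r} has no recognised confirmation method")
    return methods


def confirmation_from_flattened(claims):
    """Return {method: value} from flattened top-level claims.

    Both parsers yield the same shape, which is Brian's point: each form
    carries one descriptor per type, and two keys of the same type need a
    new name under either design.
    """
    methods = {FLAT_CLAIMS[c]: claims[c] for c in FLAT_CLAIMS if c in claims}
    if not methods:
        raise ConfirmationError("no flattened confirmation claim present")
    return methods


def all_confirmations(claims, structured_claims=("cnf",)):
    """Collect (claim name, methods) for every structured confirmation claim present."""
    return [(name, confirmation_from_structured(claims, name))
            for name in structured_claims if name in claims]


def select_presenter_key(methods, resolve_kid):
    """Choose the key the resource server will demand proof of possession for.

    Preferring an embedded public key over a key reference is this example's
    choice, not a rule from the draft. A "jwe" value is a symmetric key
    encrypted to the resource server and needs its private key, so a token
    offering only "jwe" is reported rather than decrypted here.
    """
    if "jwk" in methods:
        return "jwk", methods["jwk"]
    if "kid" in methods:
        key = resolve_kid(methods["kid"])
        if key is None:
            raise ConfirmationError(f"unknown kid {methods['kid']!r}")
        return "kid", key
    raise ConfirmationError("only a jwe confirmation is present; decryption not handled here")


# Constructed sample claim sets; coordinates and secrets are placeholders, not real keys.
EC_KEY = {"kty": "EC", "crv": "P-256", "x": "<x-coordinate>", "y": "<y-coordinate>"}
SHARED_KEYS = {"rs-shared-7": {"kty": "oct", "k": "<base64url-secret>"}}

STRUCTURED_TOKEN = {"iss": "https://as.example", "sub": "alice", "cnf": {"jwk": EC_KEY}}
FLATTENED_TOKEN = {"iss": "https://as.example", "sub": "alice",
                   "cjwk": EC_KEY, "ckid": "rs-shared-7"}
# Two keys via a second structured claim "cnf_enc" (name constructed for the example).
TWO_KEY_TOKEN = {"iss": "https://as.example", "sub": "alice",
                 "cnf": {"jwk": EC_KEY}, "cnf_enc": {"kid": "rs-shared-7"}}
ARRAY_TOKEN = {"iss": "https://as.example", "cnf": [{"jwk": EC_KEY}]}


def demo():
    """Run the sample tokens through the parsers and return a summary dict."""
    summary = {
        "structured": select_presenter_key(
            confirmation_from_structured(STRUCTURED_TOKEN), SHARED_KEYS.get)[0],
        "flattened": sorted(confirmation_from_flattened(FLATTENED_TOKEN)),
        "two_keys": [name for name, _ in all_confirmations(TWO_KEY_TOKEN, ("cnf", "cnf_enc"))],
    }
    try:
        confirmation_from_structured(ARRAY_TOKEN)
        summary["array"] = "accepted"
    except ConfirmationError as exc:
        summary["array"] = f"rejected: {exc}"
    return summary


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```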

--047d7b2e549c864117051d9c2b85
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Seems the consensus here is clearly in favor of keeping th=
e &quot;cnf&quot; claim as it is. I&#39;ll let the flattening suggestion go=
 gentle into that good night.<br><div class=3D"gmail_extra"><br><div class=
=3D"gmail_quote">On Tue, Aug 18, 2015 at 1:33 PM, Anthony Nadalin <span dir=
=3D"ltr">&lt;<a href=3D"mailto:tonynad@microsoft.com" target=3D"_blank">ton=
ynad@microsoft.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
I would rather just keep the &quot;cnf&quot; claim rather than flatten the =
structure since we are already using the &quot;cnf&quot; in production with=
 the XBOX One. We are also using multiple conformation keys=C2=A0 and using=
 the &quot;cnf&quot; claim makes it easier to have multiple confirmation ke=
ys (by just defining a new claim to hold each confirmation key, using the s=
ame structure as &quot;cnf&quot;).<br>
<span><br>
-----Original Message-----<br>
From: OAuth [mailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_bl=
ank">oauth-bounces@ietf.org</a>] On Behalf Of Kathleen Moriarty<br>
Sent: Tuesday, August 11, 2015 3:00 PM<br>
To: John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"=
>ve7jtb@ve7jtb.com</a>&gt;<br>
Cc: oauth &lt;<a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@iet=
f.org</a>&gt;<br>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02<br>
<br>
</span><div><div>On Tue, Aug 11, 2015 at 5:30 PM, John Bradley &lt;<a href=
=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; w=
rote:<br>
&gt; I think Brian also argued that flattening would save a registry, and<b=
r>
&gt; be easier to process in the default case.<br>
&gt;<br>
&gt; I don=E2=80=99t really by the argument that having a cnf object makes =
it that<br>
&gt; much harder to process.=C2=A0 I think it is stylistically better json =
to<br>
&gt; keep the elements together so that they can be extended separately<br>
&gt; from the main JWT claim space.<br>
&gt;<br>
&gt; Having two confirmation elements could be done flat but I think that<b=
r>
&gt; gets even more messy.<br>
&gt;<br>
&gt; I understand Brians arguments, however prefer having a cnf object with=
<br>
&gt; no array.<br>
&gt;<br>
&gt; I have to agree with his observation that we should keep away from<br>
&gt; promoting multiple confirmation elements as it adds to complexity and<=
br>
&gt; interoperability issues.<br>
&gt; Better to make one work well and allow for an extension for those<br>
&gt; cases that really need it.<br>
&gt;<br>
&gt; I think the SAML subject confirmation is too complex for most people<b=
r>
&gt; who use it to really understand all the combinations of options.<br>
<br>
Thanks to all for the additional discussion/explanation.=C2=A0 If others wa=
nt to weigh in, please do so.<br>
<br>
Best regards,<br>
Kathleen<br>
<br>
&gt;<br>
&gt; John B.<br>
&gt;<br>
&gt;<br>
&gt; On Aug 11, 2015, at 1:41 PM, Brian Campbell<br>
&gt; &lt;<a href=3D"mailto:bcampbell@pingidentity.com" target=3D"_blank">bc=
ampbell@pingidentity.com</a>&gt;<br>
&gt; wrote:<br>
&gt;<br>
&gt; I took Nat&#39;s &quot;+1&quot; as support for flattening things into =
individual<br>
&gt; claims like &quot;cjwe&quot;, &quot;cjwk&quot; and &quot;ckid&quot;. M=
aybe that&#39;s just confirmation<br>
&gt; bias on my part. But it&#39;d be interesting to get Nat&#39;s actual o=
pinion<br>
&gt; as apposed to his assumed or implied opinion. Nat?<br>
&gt;<br>
&gt; It seems to me that it&#39;s really a question of aesthetics because t=
he<br>
&gt; arguments in favor of the structured claim approach that cite<br>
&gt; flexibility or the ability to &quot;carry more than one conformation k=
ey or<br>
&gt; key descriptor&quot; are erroneous. Both approaches can carry more tha=
n one<br>
&gt; as long as they are different types and both can achieve additional<br=
>
&gt; flexibility by adding new names for things (all of which, I suspect,<b=
r>
&gt; will be very unlikely to happen anyway). My suggesting to flatten was<=
br>
&gt; an attempt at simplification. And I do think it would simplify. But<br=
>
&gt; that&#39;s only my opinion. If folks prefer the aesthetics and structu=
re<br>
&gt; of the &quot;cnf&quot; as currently defined and feel it&#39;s easier t=
o comprehend,<br>
&gt; I can live with that. All the rest of the justification, however, just=
 obscures things.<br>
&gt;<br>
&gt; To Kathleen&#39;s request, the thread index is<br>
</div></div>&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?=
url=3Dhttp%3a%2f%2fwww.ie" rel=3D"noreferrer" target=3D"_blank">https://na0=
1.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ie</a><br>
&gt; <a href=3D"http://tf.org" rel=3D"noreferrer" target=3D"_blank">tf.org<=
/a>%2fmail-archive%2fweb%2foauth%2fcurrent%2fthreads.html%2314854&amp;d<br>
&gt; ata=3D01%7c01%7ctonynad%<a href=3D"http://40microsoft.com" rel=3D"nore=
ferrer" target=3D"_blank">40microsoft.com</a>%7cc8935ea677b848a37dd308d2a29=
83c<br>
&gt; e7%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3Dq4MCqdNwwxQ2WqZ1=
CAWABG<br>
&gt; IdUlDENFM0NvQ4SYEUMDY%3d and starts with <a href=3D"https://na01.safel=
inks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ietf.org%2fmail-archive=
%2fweb%2foauth%2fcurrent%2fmsg14854.html.&amp;data=3D01%7c01%7ctonynad%40mi=
crosoft.com%7cc8935ea677b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd0=
11db47%7c1&amp;sdata=3DTGx59LZoSrJpLY0rrViJzO6KJnCTrqr%2bYy57NA9YH8E%3d" re=
l=3D"noreferrer" target=3D"_blank">https://na01.safelinks.protection.outloo=
k.com/?url=3Dhttp%3a%2f%2fwww.ietf.org%2fmail-archive%2fweb%2foauth%2fcurre=
nt%2fmsg14854.html.&amp;data=3D01%7c01%7ctonynad%40microsoft.com%7cc8935ea6=
77b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=
=3DTGx59LZoSrJpLY0rrViJzO6KJnCTrqr%2bYy57NA9YH8E%3d</a> The consensus there=
in seems to be to leave things as they are (though only John, Mike and I pa=
rticipated and I was the minority opinion).<br>
<span>&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones<br>
&gt; &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">M=
ichael.Jones@microsoft.com</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Brian&#39;s note contained two suggestions, which I&#39;ll address=
 separately.<br>
&gt;&gt;<br>
&gt;&gt; The first was to have &quot;cnf&quot; contain an array of values r=
ather than<br>
&gt;&gt; individual values.=C2=A0 But even he said &quot;I&#39;m not sure t=
he extra<br>
&gt;&gt; complexity is worth it though. I&#39;ve rarely, if ever, seen SAML=
<br>
&gt;&gt; assertions that make use of it.&quot;=C2=A0 I took Nat&#39;s +1 as=
 an agreement<br>
&gt;&gt; that the complexity of array values isn&#39;t worth it, and should=
n&#39;t be<br>
&gt;&gt; introduced.=C2=A0 No one else has since spoke up for having the &q=
uot;cnf&quot;<br>
&gt;&gt; claim contain array values, and Brian only mentioned it as a possi=
bility but dismissed it as too complex.<br>
&gt;&gt;<br>
&gt;&gt; The second was to not have the &quot;cnf&quot; claim at all, but i=
nstead to<br>
&gt;&gt; flatten things so that the &quot;cnf&quot; elements would become i=
ndividual<br>
&gt;&gt; claims, along the lines of &quot;cnf_jwk&quot;, &quot;cnf_jwe&quot=
;, &quot;cnf_kid&quot;, etc.<br>
&gt;&gt; This was discussed in the thread &quot; [OAUTH-WG] JWT PoP Key Sem=
antics WGLC followup 3 (was Re:<br>
&gt;&gt; confirmation model in proof-of-possession-02)&quot; - for instance=
, John<br>
&gt;&gt; Bradley&#39;s message<br>
</span>&gt;&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?u=
rl=3Dhttp%3a%2f%2fwww.i" rel=3D"noreferrer" target=3D"_blank">https://na01.=
safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.i</a><br>
&gt;&gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blank">et=
f.org</a>%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14859.html&amp;data=
=3D0<br>
&gt;&gt; 1%7c01%7ctonynad%<a href=3D"http://40microsoft.com" rel=3D"norefer=
rer" target=3D"_blank">40microsoft.com</a>%7cc8935ea677b848a37dd308d2a2983c=
e7%7<br>
&gt;&gt; c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DmVCW7aDWJwiUWjKY=
4XRik1hMJ<br>
&gt;&gt; gcxsZO85KRedzj%2bJkY%3d in which he stated that &quot;flattening w=
ould be<br>
<span>&gt;&gt; a bad direction&quot;.=C2=A0 Nat also implicitly endorsed ke=
eping &quot;cnf&quot; in his<br>
</span>&gt;&gt; WGLC review comments in <a href=3D"https://na01.safelinks.p=
rotection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ietf.org%2fmail-archive%2fweb=
%2foauth%2fcurrent%2fmsg14418.html%2c&amp;data=3D01%7c01%7ctonynad%40micros=
oft.com%7cc8935ea677b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd011db=
47%7c1&amp;sdata=3DfrSZx6RsuShqbRlNtdZRQ6RYWmoCmFaIw%2f3w1LG4sUE%3d" rel=3D=
"noreferrer" target=3D"_blank">https://na01.safelinks.protection.outlook.co=
m/?url=3Dhttp%3a%2f%2fwww.ietf.org%2fmail-archive%2fweb%2foauth%2fcurrent%2=
fmsg14418.html%2c&amp;data=3D01%7c01%7ctonynad%40microsoft.com%7cc8935ea677=
b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3Df=
rSZx6RsuShqbRlNtdZRQ6RYWmoCmFaIw%2f3w1LG4sUE%3d</a> in his comment &quot;Si=
nce &#39;cnf&#39; appears before 3.4, it may be better to bring 3.4 at the =
front.&quot;=C2=A0 He suggested changing the location of &quot;cnf&quot; in=
 the document - not removing it, as Brian&#39;s flattening suggestion would=
 have done.<br>
<span>&gt;&gt;<br>
&gt;&gt; Tony Nadalin also earlier had spoken about the need to support use=
<br>
&gt;&gt; cases in which there would be multiple proof-of-possession keys.<b=
r>
&gt;&gt; Among other places, he alluded to this in his note<br>
</span>&gt;&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?u=
rl=3Dhttp%3a%2f%2fwww.i" rel=3D"noreferrer" target=3D"_blank">https://na01.=
safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.i</a><br>
&gt;&gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blank">et=
f.org</a>%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14305.html&amp;data=
=3D0<br>
&gt;&gt; 1%7c01%7ctonynad%<a href=3D"http://40microsoft.com" rel=3D"norefer=
rer" target=3D"_blank">40microsoft.com</a>%7cc8935ea677b848a37dd308d2a2983c=
e7%7<br>
&gt;&gt; c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DPRG%2b7CdEEQ29m%=
2fTX9Ne9o<br>
&gt;&gt; Xmx2ZR41kWdd9AgBTXCdNo%3d in which he wrote &quot;Is this proposal=
 also<br>
<span>&gt;&gt; limited to a single key for both asymmetric and symmetric?&q=
uot;.=C2=A0 This is<br>
&gt;&gt; pertinent because as I wrote in the first thread mentioned at<br>
</span>&gt;&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?u=
rl=3Dhttp%3a%2f%2fwww.i" rel=3D"noreferrer" target=3D"_blank">https://na01.=
safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.i</a><br>
&gt;&gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blank">et=
f.org</a>%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14856.html%2c&amp;dat=
<br>
&gt;&gt; a=3D01%7c01%7ctonynad%<a href=3D"http://40microsoft.com" rel=3D"no=
referrer" target=3D"_blank">40microsoft.com</a>%7cc8935ea677b848a37dd308d2a=
2983ce7%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DKw6A%2f7tu91fpdG=
5oyD5sB%2b620Ps%2f6%2b42kc%2fiHzf720I%3d &quot;Part of the reasoning for us=
ing a structured confirmation claim, rather than flattening the confirmatio=
n claim into the top-level JWT claims set, is that a JWT may carry more tha=
n one conformation key or key descriptor&quot; - per Tony&#39;s use cases.=
=C2=A0 John Bradley&#39;s note agreeing that flattening would be a bad dire=
ction was a response to that.<br>
<div><div>&gt;&gt;<br>
&gt;&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-- Mike<br>
&gt;&gt;<br>
&gt;&gt; -----Original Message-----<br>
&gt;&gt; From: Kathleen Moriarty [mailto:<a href=3D"mailto:kathleen.moriart=
y.ietf@gmail.com" target=3D"_blank">kathleen.moriarty.ietf@gmail.com</a>]<b=
r>
&gt;&gt; Sent: Tuesday, August 11, 2015 6:00 AM<br>
&gt;&gt; To: Mike Jones<br>
&gt;&gt; Cc: Brian Campbell; oauth<br>
&gt;&gt; Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-=
02<br>
&gt;&gt;<br>
&gt;&gt; On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones<br>
&gt;&gt; &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blan=
k">Michael.Jones@microsoft.com</a>&gt;<br>
&gt;&gt; wrote:<br>
&gt;&gt; &gt; There didn=E2=80=99t seem to be support for having cnf contai=
n array values.<br>
&gt;&gt; &gt; Instead, as discussed in the thread =E2=80=9C[OAUTH-WG] JWT P=
oP Key<br>
&gt;&gt; &gt; Semantics WGLC followup 3 (was Re: confirmation model in<br>
&gt;&gt; &gt; proof-of-possession-02)=E2=80=9D, if different keys are being=
 confirmed,<br>
&gt;&gt; &gt; they can define additional claims other than =E2=80=9Ccnf=E2=
=80=9D using the same<br>
&gt;&gt; &gt; structure as =E2=80=9Ccnf=E2=80=9D to represent those confirm=
ations.=C2=A0 Indeed, those<br>
&gt;&gt; &gt; other claims could be array-valued, if appropriate.=C2=A0 The=
 reasons<br>
&gt;&gt; &gt; for having a structured =E2=80=9Ccnf=E2=80=9D claim, rather t=
han a set of flattened<br>
&gt;&gt; &gt; claim values, were also discussed in that thread.<br>
&gt;&gt;<br>
&gt;&gt; Can you send the link to that thread and the result if it differs<=
br>
&gt;&gt; from what Brian and Nat agree on?=C2=A0 I&#39;d like to know that =
there is<br>
&gt;&gt; enough to determine consensus on this point.<br>
&gt;&gt;<br>
&gt;&gt; Thanks!<br>
&gt;&gt; Kathleen<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0Thanks<br>
&gt;&gt; &gt; again,<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0-- Mike<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; From: OAuth [mailto:<a href=3D"mailto:oauth-bounces@ietf.org"=
 target=3D"_blank">oauth-bounces@ietf.org</a>] On Behalf Of Brian<br>
&gt;&gt; &gt; Campbell<br>
&gt;&gt; &gt; Sent: Monday, March 23, 2015 9:07 AM<br>
&gt;&gt; &gt; To: oauth<br>
&gt;&gt; &gt; Subject: [OAUTH-WG] confirmation model in proof-of-possession=
-02<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; This is mostly about section 3.4 but also the whole draft.<br=
>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; If &quot;cnf&quot; is intended to be analogous to the SAML 2.0<br>
&gt;&gt; &gt; SubjectConfirmation element, it should probably contain an ar=
ray<br>
&gt;&gt; &gt; value rather than an object value. SAML allows not just for<b=
r>
&gt;&gt; &gt; multiple methods of confirming but for multiple instances of =
the<br>
&gt;&gt; &gt; same method. IIRC, only one confirmation needs to be confirma=
ble.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; I&#39;m not sure the extra complexity is worth it though. I&#=
39;ve rarely,<br>
&gt;&gt; &gt; if ever, seen SAML assertions that make use of it.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; If the intent is just to allow for different kinds of confirm=
ation,<br>
&gt;&gt; &gt; couldn&#39;t the structure be pared down and simplified and j=
ust have<br>
&gt;&gt; &gt; individual claims for the different confirmation types? Like =
&quot;cjwk&quot;<br>
&gt;&gt; &gt; and &quot;ckid&quot; or similar that have the jwk or kid valu=
e respectively<br>
&gt;&gt; &gt; as the member value.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; _______________________________________________<br>
&gt;&gt; &gt; OAuth mailing list<br>
&gt;&gt; &gt; <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@iet=
f.org</a><br>
&gt;&gt; &gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?url=
=3Dhttps%3a%2f%2fww" rel=3D"noreferrer" target=3D"_blank">https://na01.safe=
links.protection.outlook.com/?url=3Dhttps%3a%2f%2fww</a><br>
&gt;&gt; &gt; w.i<br>
&gt;&gt; &gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blan=
k">etf.org</a>%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.Jo=
nes%4<br>
&gt;&gt; &gt; 0mi<br>
&gt;&gt; &gt; <a href=3D"http://crosoft.com" rel=3D"noreferrer" target=3D"_=
blank">crosoft.com</a>%7ca8e38b0ea0334d11e50008d2a24cc573%7c72f988bf86f141a=
f91<br>
&gt;&gt; &gt; ab2<br>
&gt;&gt; &gt; d7cd011db47%7c1&amp;sdata=3D9ukCTugBdbhTVriEoH3HdfMIloD%2fTHY=
Y%2bdPOpQSs7<br>
&gt;&gt; &gt; x4%<br>
&gt;&gt; &gt; 3d<br>
&gt;&gt; &gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; --<br>
&gt;&gt;<br>
&gt;&gt; Best regards,<br>
&gt;&gt; Kathleen<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>=
<br>
</div></div>&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?=
url=3Dhttps%3a%2f%2fwww.i" rel=3D"noreferrer" target=3D"_blank">https://na0=
1.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.i</a><br>
&gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blank">etf.or=
g</a>%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7ctonynad%40microsof<=
br>
&gt; <a href=3D"http://t.com" rel=3D"noreferrer" target=3D"_blank">t.com</a=
>%7cc8935ea677b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd01<br>
&gt; 1db47%7c1&amp;sdata=3D6c%2bLsXsh8p%2bNeBYzu%2bAFmrsklcjRUm30dlhEDNsUe2=
k%3d<br>
<span>&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; <a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>=
<br>
&gt; <a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%=
3a%2f%2fwww.i" rel=3D"noreferrer" target=3D"_blank">https://na01.safelinks.=
protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.i</a><br>
</span>&gt; <a href=3D"http://etf.org" rel=3D"noreferrer" target=3D"_blank"=
>etf.org</a>%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7ctonynad%40mi=
crosof<br>
&gt; <a href=3D"http://t.com" rel=3D"noreferrer" target=3D"_blank">t.com</a=
>%7cc8935ea677b848a37dd308d2a2983ce7%7c72f988bf86f141af91ab2d7cd01<br>
&gt; 1db47%7c1&amp;sdata=3D6c%2bLsXsh8p%2bNeBYzu%2bAFmrsklcjRUm30dlhEDNsUe2=
k%3d<br>
<span>&gt;<br>
<br>
<br>
<br>
--<br>
<br>
Best regards,<br>
Kathleen<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
</span><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp=
s%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth%0a&amp;data=3D01%7c01%7=
ctonynad%40microsoft.com%7cc8935ea677b848a37dd308d2a2983ce7%7c72f988bf86f14=
1af91ab2d7cd011db47%7c1&amp;sdata=3DDpcp3T39vgqceSiT1mB47ln4LFhfMlmoTMpG937=
Cn2c%3d" rel=3D"noreferrer" target=3D"_blank">https://na01.safelinks.protec=
tion.outlook.com/?url=3Dhttps%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2fo=
auth%0a&amp;data=3D01%7c01%7ctonynad%40microsoft.com%7cc8935ea677b848a37dd3=
08d2a2983ce7%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DDpcp3T39vgq=
ceSiT1mB47ln4LFhfMlmoTMpG937Cn2c%3d</a><br>
<div><div>_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</div></div></blockquote></div><br></div></div>

--047d7b2e549c864117051d9c2b85--


From nobody Tue Aug 18 19:26:46 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A82BF1AC3CD for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 19:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSirw2dV67A9 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 19:26:42 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3310E1AC3AD for <oauth@ietf.org>; Tue, 18 Aug 2015 19:26:42 -0700 (PDT)
Received: by oiey141 with SMTP id y141so7601322oie.1 for <oauth@ietf.org>; Tue, 18 Aug 2015 19:26:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=EwIwikqjF7X7bMnhTRmh4CrqXRf370fqbG4XWH7U4T4=; b=LVb4rH9n5BRsy/0pN4M1WbEz7VI+9Rhxg3aB6QUSNJ15+R+jBwvUMvkFfIwYhhXZWH t5QgAa6XCaoi4YBcZ9gPMmtA+0xtD+I9II2cRaNAkVDYsa9aTQUlycOFSB4UAJnxtVAl 0FthjKt5wr0tCIQA50hsqGv8CSkk5Im1o1FzxhAr0rL5yR/byE4pEtcllh3r8zfcTuM0 3ZI3oOgSR/uVc1eDBMGwwl5+K8rXllckKNi8hLKtRrSaBYd+y/rDGv0j7Gl+8EsSqYwE 8i0XIb66KogJKAjTV6zSuQyPPM3f69k4oVasOyc+avJRuRBT941x29jlhxggPuGdFeQE O8ww==
MIME-Version: 1.0
X-Received: by 10.202.240.215 with SMTP id o206mr8317597oih.94.1439951201510;  Tue, 18 Aug 2015 19:26:41 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 19:26:41 -0700 (PDT)
In-Reply-To: <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com>
References: <CA+k3eCSdWv9gZHbuoWUTofGMHyqDqMac-PMudEeHX4GfW-YZ_w@mail.gmail.com> <BY2PR03MB442BDC38D3DFF28F3E4BBBEF57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH4jnG4v3BMbGXzWYmTwCEKv-GygEKQZ4dByeoMgoDKorA@mail.gmail.com> <BY2PR03MB44261E2597EDFBB4E3D35C5F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRw0KwMqMoWo3aRn9nv01vR6-DY2icd=iduvu1N-aPvyg@mail.gmail.com>
Date: Wed, 19 Aug 2015 11:26:41 +0900
Message-ID: <CABzCy2DWSGwNR72xm1JA5rccy9=tVyEs9sgQy5tw-vfszaucHA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary=94eb2c09204edc2ae0051da0c35a
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/SAMzOwfY4ROxRl3VX2TSATGF2SE>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 02:26:45 -0000

--94eb2c09204edc2ae0051da0c35a
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Sorry for a tardy reply.
You are right. My +1 was for flattening.

Also, my comment around 3.4 was not an implicit endorsement for having
a structured cnf claim. I was merely pointing out that it is bad practice
to use a defined term before it is defined.

Nat

2015-08-12 1:41 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com>:

> I took Nat's "+1" as support for flattening things into individual claims
> like "cjwe", "cjwk" and "ckid". Maybe that's just confirmation bias on my
> part. But it'd be interesting to get Nat's actual opinion as opposed to h=
is
> assumed or implied opinion. Nat?
>
> It seems to me that it's really a question of aesthetics because the
> arguments in favor of the structured claim approach that cite flexibility
> or the ability to "carry more than one conformation key or key descriptor=
"
> are erroneous. Both approaches can carry more than one as long as they ar=
e
> different types and both can achieve additional flexibility by adding new
> names for things (all of which, I suspect, will be very unlikely to happe=
n
> anyway). My suggestion to flatten was an attempt at simplification. And I
> do think it would simplify. But that's only my opinion. If folks prefer t=
he
> aesthetics and structure of the "cnf" as currently defined and feel it's
> easier to comprehend, I can live with that. All the rest of the
> justification, however, just obscures things.
>
> To Kathleen's request, the thread index is
> http://www.ietf.org/mail-archive/web/oauth/current/threads.html#14854 and
> starts with
> http://www.ietf.org/mail-archive/web/oauth/current/msg14854.html. The
> consensus therein seems to be to leave things as they are (though only
> John, Mike and I participated and I was the minority opinion).
>
>
>
>
>
> On Tue, Aug 11, 2015 at 7:29 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>> Brian's note contained two suggestions, which I'll address separately.
>>
>> The first was to have "cnf" contain an array of values rather than
>> individual values.  But even he said "I'm not sure the extra complexity =
is
>> worth it though. I've rarely, if ever, seen SAML assertions that make us=
e
>> of it."  I took Nat's +1 as an agreement that the complexity of array
>> values isn't worth it, and shouldn't be introduced.  No one else has since
>> spoken up for having the "cnf" claim contain array values, and Brian only
>> mentioned it as a possibility but dismissed it as too complex.
>>
>> The second was to not have the "cnf" claim at all, but instead to flatte=
n
>> things so that the "cnf" elements would become individual claims, along =
the
>> lines of "cnf_jwk", "cnf_jwe", "cnf_kid", etc.  This was discussed in th=
e
>> thread " [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re:
>> confirmation model in proof-of-possession-02)" - for instance, John
>> Bradley's message
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14859.html in
>> which he stated that "flattening would be a bad direction".  Nat also
>> implicitly endorsed keeping "cnf" in his WGLC review comments in
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14418.html, in his
>> comment "Since 'cnf' appears before 3.4, it may be better to bring 3.4 a=
t
>> the front."  He suggested changing the location of "cnf" in the document=
 -
>> not removing it, as Brian's flattening suggestion would have done.
>>
>> Tony Nadalin also earlier had spoken about the need to support use cases
>> in which there would be multiple proof-of-possession keys.  Among other
>> places, he alluded to this in his note
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14305.html in
>> which he wrote "Is this proposal also limited to a single key for both
>> asymmetric and symmetric?".  This is pertinent because as I wrote in the
>> first thread mentioned at
>> http://www.ietf.org/mail-archive/web/oauth/current/msg14856.html, "Part
>> of the reasoning for using a structured confirmation claim, rather than
>> flattening the confirmation claim into the top-level JWT claims set, is
>> that a JWT may carry more than one conformation key or key descriptor" -
>> per Tony's use cases.  John Bradley's note agreeing that flattening woul=
d
>> be a bad direction was a response to that.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>> Sent: Tuesday, August 11, 2015 6:00 AM
>> To: Mike Jones
>> Cc: Brian Campbell; oauth
>> Subject: Re: [OAUTH-WG] confirmation model in proof-of-possession-02
>>
>> On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones <Michael.Jones@microsoft.co=
m>
>> wrote:
>> > There didn=E2=80=99t seem to be support for having cnf contain array v=
alues.
>> > Instead, as discussed in the thread =E2=80=9C[OAUTH-WG] JWT PoP Key Se=
mantics
>> > WGLC followup 3 (was Re: confirmation model in
>> > proof-of-possession-02)=E2=80=9D, if different keys are being confirme=
d, they
>> > can define additional claims other than =E2=80=9Ccnf=E2=80=9D using th=
e same structure
>> > as =E2=80=9Ccnf=E2=80=9D to represent those confirmations.  Indeed, th=
ose other claims
>> > could be array-valued, if appropriate.  The reasons for having a
>> > structured =E2=80=9Ccnf=E2=80=9D claim, rather than a set of flattened=
 claim values,
>> were also discussed in that thread.
>>
>> Can you send the link to that thread and the result if it differs from
>> what Brian and Nat agree on?  I'd like to know that there is enough to
>> determine consensus on this point.
>>
>> Thanks!
>> Kathleen
>> >
>> >
>> >
>> >                                                             Thanks
>> > again,
>> >
>> >                                                             -- Mike
>> >
>> >
>> >
>> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian
>> > Campbell
>> > Sent: Monday, March 23, 2015 9:07 AM
>> > To: oauth
>> > Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
>> >
>> >
>> >
>> > This is mostly about section 3.4 but also the whole draft.
>> >
>> >
>> > If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
>> > element, it should probably contain an array value rather than an
>> > object value. SAML allows not just for multiple methods of confirming
>> > but for multiple instances of the same method. IIRC, only one
>> > confirmation needs to be confirmable.
>> >
>> > I'm not sure the extra complexity is worth it though. I've rarely, if
>> > ever, seen SAML assertions that make use of it.
>> >
>> > If the intent is just to allow for different kinds of confirmation,
>> > couldn't the structure be pared down and simplified and just have
>> > individual claims for the different confirmation types? Like "cjwk"
>> > and "ckid" or similar that have the jwk or kid value respectively as
>> the member value.
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww=
.i
>> > etf.org%2fmailman%2flistinfo%2foauth&data=3D01%7c01%7cMichael.Jones%40=
mi
>> > crosoft.com%7ca8e38b0ea0334d11e50008d2a24cc573%7c72f988bf86f141af91ab2
>> > d7cd011db47%7c1&sdata=3D9ukCTugBdbhTVriEoH3HdfMIloD%2fTHYY%2bdPOpQSs7x=
4%
>> > 3d
>> >
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


--=20
Nat Sakimura (=3Dnat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--94eb2c09204edc2ae0051da0c35a--
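The two claim shapes argued over in this thread, as an added example that is not code from draft-ietf-oauth-proof-of-possession or from any participant. It models the structure the thread settles on: "cnf" is a single JSON object whose members name a confirmation method ("jwk", "jwe" or "kid"), never an array, and a token that must carry a second key adds a sibling claim with the same structure. Brian's flattened alternative ("cjwk", "ckid") is handled only by translating it into that structure. Assumed, and not from the thread: the sibling claim name "cnf_enc", the "c" prefix for flattened names, HMAC-SHA256 over a verifier-chosen nonce as the possession proof (the draft conveys the key; it does not define the proof exchange), and all sample keys and claims, which are constructed.

```python
"""Handling the "cnf" (confirmation) claim of a proof-of-possession JWT.

Added example; not code from draft-ietf-oauth-proof-of-possession or from
anyone on the list. "cnf" is one object, not an array; extra keys go in
sibling claims that reuse its structure. Sibling name "cnf_enc", the "c"
prefix for flattened names, and the HMAC-over-nonce proof are assumptions.
"""
import hashlib
import hmac
import secrets

CNF_METHODS = ("jwk", "jwe", "kid")   # members discussed in the thread
FLAT_PREFIX = "c"                      # assumed prefix: "cjwk", "cjwe", "ckid"


def parse_cnf(obj, claim_name="cnf"):
    """Return {method: value} for one confirmation object.

    An array is rejected: the thread dropped the SAML-style list of
    SubjectConfirmation elements in favour of a single object.
    """
    if not isinstance(obj, dict):
        raise ValueError(f"{claim_name} must be a JSON object, not {type(obj).__name__}")
    methods = {k: v for k, v in obj.items() if k in CNF_METHODS}
    if not methods:
        raise ValueError(f"{claim_name} names no known confirmation method")
    return methods


def confirmation_claims(claims, sibling_claims=("cnf_enc",)):
    """Collect "cnf" plus any sibling claims that reuse its structure.

    Returns {claim_name: {method: value}}: this is how a token carries more
    than one key without "cnf" itself becoming array-valued.
    """
    found = {name: parse_cnf(claims[name], name)
             for name in ("cnf", *sibling_claims) if name in claims}
    if "cnf" not in found:
        raise ValueError("token carries no cnf claim")
    return found


def unflatten(claims, prefix=FLAT_PREFIX):
    """Rewrite flattened confirmation claims ("cjwk", "ckid") into a "cnf" object.

    Lets a verifier written for the structured form accept the flattened
    shape proposed on the list; all other claims pass through untouched.
    """
    flat = {prefix + m: m for m in CNF_METHODS}
    cnf = {flat[k]: v for k, v in claims.items() if k in flat}
    out = {k: v for k, v in claims.items() if k not in flat}
    if cnf:
        out["cnf"] = cnf
    return out


def challenge():
    """Fresh verifier-chosen nonce so a captured proof cannot be replayed."""
    return secrets.token_bytes(16)


def make_proof(key, nonce):
    """Presenter side: prove possession of the shared key over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def verify_possession(claims, key_store, nonce, proof):
    """Verifier side for the symmetric "kid" method.

    The kid names a key the verifier already holds (a symmetric key is never
    sent in clear inside "jwk"); possession is confirmed by recomputing the
    HMAC. An asymmetric "jwk" member would be checked with a signature instead.
    """
    if "cnf" not in claims:
        return False
    kid = parse_cnf(claims["cnf"]).get("kid")
    if kid is None or kid not in key_store:
        return False
    expected = hmac.new(key_store[kid], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


# Constructed sample data for the example (not real key material).
SAMPLE_KEY = b"example-shared-secret-for-pop-key-1"
SAMPLE_KEY_STORE = {"pop-key-1": SAMPLE_KEY}
SAMPLE_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "joe",
    "cnf": {"kid": "pop-key-1"},
}
SAMPLE_FLATTENED = {"iss": "https://server.example.com", "sub": "joe", "ckid": "pop-key-1"}

if __name__ == "__main__":
    nonce = challenge()
    proof = make_proof(SAMPLE_KEY, nonce)
    print("structured:", verify_possession(SAMPLE_CLAIMS, SAMPLE_KEY_STORE, nonce, proof))
    print("flattened: ", verify_possession(unflatten(SAMPLE_FLATTENED), SAMPLE_KEY_STORE, nonce, proof))
```

The point Brian makes about both shapes being able to carry several keys of different types holds in this code too: unflatten() maps each flattened name to exactly one "cnf" member, and a second key of the same type needs a new claim name under either model. What the structured form buys the verifier is a single parse_cnf() routine reused for every sibling claim.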


From nobody Tue Aug 18 19:28:34 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
In-Reply-To: <FAC117A7-658D-4D36-A969-E5D29ECBF2CC@oracle.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com> <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com> <FAC117A7-658D-4D36-A969-E5D29ECBF2CC@oracle.com>
Date: Wed, 19 Aug 2015 11:28:30 +0900
Message-ID: <CABzCy2AFiSfsLGwhxsC7m=YUdCuW5Ec_aJaMuvJF6R1+WFd0fQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=001a114075c663d65c051da0ca36
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/o15lLDGsdJcQqGm91B02IPXD89U>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated

--001a114075c663d65c051da0ca36
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

+1

2015-08-15 4:20 GMT+09:00 Phil Hunt <phil.hunt@oracle.com>:

> +1
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Aug 14, 2015, at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> +1
>
> On Aug 14, 2015, at 3:03 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> +1 for "rba"
>
> On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com>
> wrote:
>
>> Fair point. RBA is a fairly common acronym for Risk-Based Authentication,
>> how about going with "rba"? Would align with existing "mfa", "mca"
>> definitions (while also saving 1 character and helping the ambiguity issue).
>>
>> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com
>> > wrote:
>>
>>> I hear you, but we’re trying to keep the values short for space reasons
>>> – just like other identifiers in JWTs.  Ultimately, the values aren’t
>>> meaningful without referring to the spec in the first place, so the place
>>> to beef up the meaning is in the description in the spec – not in the “amr”
>>> value.  If you’d like to suggest any edits in that regard, have at it!
>>>
>>>
>>>
>>>                                                             Thanks,
>>>
>>>                                                             -- Mike
>>>
>>>
>>>
>>> *From:* William Denniss [mailto:wdenniss@google.com]
>>> *Sent:* Friday, August 14, 2015 1:40 PM
>>> *To:* Mike Jones
>>> *Cc:* oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] “amr” Values spec updated
>>>
>>>
>>>
>>> Looking good, thanks for putting this together.
>>>
>>>
>>>
>>> I wonder if we should say "risk_based" rather than just "risk" to avoid
>>> ambiguity (i.e. that it's not a risky authentication method, rather, it was
>>> risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
>>> logical story.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:
>>>
>>> I’ve updated the Authentication Method Reference Values spec to
>>> incorporate feedback received from the OAuth working group.  Changes were:
>>>
>>> ·        Added the values “mca” (multiple-channel authentication), “risk”
>>> (risk-based authentication), and “user” (user presence test).
>>>
>>> ·        Added citations in the definitions of Windows integrated
>>> authentication, knowledge-based authentication, risk-based authentication,
>>> multiple-factor authentication, one-time password, and proof-of-possession.
>>>
>>> ·        Alphabetized the values.
>>>
>>> ·        Added Tony Nadalin as an author and added acknowledgements.
>>>
>>>
>>>
>>> The specification is available at:
>>>
>>> ·        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>>>
>>>
>>>
>>> An HTML formatted version is also available at:
>>>
>>> ·        http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>>>
>>>
>>>
>>>                                                             -- Mike
>>>
>>>
>>>
>>> P.S.  This note was also posted at http://self-issued.info/?p=1437
>>> and as @selfissued.
>>>
>>>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


--001a114075c663d65c051da0ca36--


From nobody Tue Aug 18 19:37:33 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
In-Reply-To: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com>
Date: Wed, 19 Aug 2015 11:37:29 +0900
Message-ID: <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Adam Lewis <adam.lewis@motorolasolutions.com>
Content-Type: multipart/alternative; boundary=001a11379ab8782cca051da0eaa1
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Tdq6jJNXRiup8JJBUK4fPX8WvuY>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance

--001a11379ab8782cca051da0eaa1
Content-Type: text/plain; charset=UTF-8

It is not directly, but Sender Constrained JWT for OAuth 2.0
( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
talks about a model that allows it.

In essence, it uses a structured access token that is sender constrained.
It has a claim "azp" which stands for authorised presenter.
To be used, the "client" has to present a proof that it is indeed the party
pointed to by "azp".

In your case, the native mobile app obtains the structured access token
with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
the mobile app cannot use it.
The mobile app then ships it to the RS.
The RS can now use it since the "azp" points to it.

In general, shipping a bearer token around is a bad idea.
If you want to do that, I think you should do so with a sender constrained
token.

Nat



2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:

> Hi,
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an access
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understand
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
> tx
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


--001a11379ab8782cca051da0eaa1--


From nobody Tue Aug 18 19:44:24 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Adam Lewis <adam.lewis@motorolasolutions.com>
Thread-Topic: [OAUTH-WG] RS as a client guidance
Thread-Index: AQHQ1SCcusHdwHLfSU6hr3g/5Q6eZJ4SpbqAgAAANJA=
Date: Wed, 19 Aug 2015 02:44:19 +0000
Message-ID: <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com>
In-Reply-To: <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.47.90.173]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:21qpz5vbX6WP363vpYD7AXmpDJ1cvKrPuVfZfMlblqETr+1KYWCwG7jj2tcmK9u2W1m9GzXGStwevTwuPUg//K186rakNYz2vfUudr8ti7RfkZjmzXsLV8JWqyiABVau/o9UBe+LNsX/CLZyJOV3vQ==; 24:4TA/jKXXkmrD/FHA2vHqsncxV9BIjcfd8sLW24lh5D0OJUpILeRDDteombNROcx5kPOc1gG92EXB92D8e8A55RQqY7i7itZl9GOAXW+aSfs=; 20:eujx60UNT+qREG7EihS3TNC5s8zobzelqZ+Cm0QzZfr5fsX1jsoRnYc9wyaBaxTknGSoXrH0BaC7GD95HwlsoA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-microsoft-antispam-prvs: <BY2PR03MB44264462DE4E84768AB103BF5670@BY2PR03MB442.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(8121501046)(3002001); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442; 
x-forefront-prvs: 0673F5BE31
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377424004)(377454003)(199003)(189002)(33656002)(19609705001)(105586002)(106356001)(2656002)(99286002)(106116001)(86612001)(19625215002)(19273905006)(50986999)(101416001)(74316001)(19580395003)(19580405001)(86362001)(10090500001)(46102003)(87936001)(19300405004)(15395725005)(19617315012)(5001960100002)(16236675004)(5001920100001)(76176999)(92566002)(5001860100001)(5003600100002)(102836002)(77096005)(40100003)(81156007)(5001770100001)(122556002)(97736004)(10400500002)(4001540100001)(76576001)(15975445007)(68736005)(2950100001)(62966003)(54356999)(77156002)(2900100001)(8990500004)(5002640100001)(5005710100001)(10290500002)(64706001)(189998001)(66066001)(5001830100001)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Aug 2015 02:44:19.4334 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/s6D1-fjsKM3p1rGFasPeQbwOIR4>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 02:44:23 -0000

--_000_BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670BY2PR03MB442namprd_--


From nobody Tue Aug 18 20:29:10 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 696F91AC428 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 20:29:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level: 
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htJR7enu_Y5C for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 20:29:04 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85B6C1A21A5 for <oauth@ietf.org>; Tue, 18 Aug 2015 20:29:04 -0700 (PDT)
Received: by oiev193 with SMTP id v193so112340864oie.3 for <oauth@ietf.org>; Tue, 18 Aug 2015 20:29:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/+Ux4qO8Dm7Ywbh/o8Uukdj5qv2Tz0UMiKzk0o68n00=; b=X42VaLQZNHClelg0zxZmJwDpdwVPCHV7IW6wQ5C5Jm6uPURFZdUBg5QHq4PMiYanBB BSB/uEvouUHZdPmrWptthMT1Z7OCKCr6cXCe6CVG+zdWIAM0ZfMrhzOvtYwvqxbMAofg 32eq9J4bRfkBnrQV/Yw4c7cp3NYvj9x/g8o2CNSmxoo57WDe9ObfxfSWSXaOBHE5hQBh 2b9NA/7mVj3inO8EzK2VYYwTLSJl166yXt7x+VGpwaZHwTTR0YK9K/HspFyYI4buNBuQ r6FLz/u2lwtKDgGWx36qumI14uyH/bcrQrc0JKIVTRCb8TO8O5M80LhSLFjI/O05z+ZR bJfA==
MIME-Version: 1.0
X-Received: by 10.202.243.215 with SMTP id r206mr7673902oih.106.1439954943876;  Tue, 18 Aug 2015 20:29:03 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 20:29:02 -0700 (PDT)
In-Reply-To: <BY2PR03MB4421D018D52956CF6575559F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com> <CABzCy2D4wh8Q0HBO+aWKj_TT5Mq0e-PQqWxEx+ipfqShstfRRw@mail.gmail.com> <BY2PR03MB4421D018D52956CF6575559F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 19 Aug 2015 12:29:02 +0900
Message-ID: <CABzCy2Anx3shrTus2f-t9J+uCQZ5Z4uW7z5ZZZDfe88wvVUoiQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=94eb2c095d80ec27d0051da1a2d0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/K8oUuodAlpwG82IlWjjRbV-0--M>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 03:29:08 -0000

--94eb2c095d80ec27d0051da1a2d0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks. I am working on your response now.

2015-08-11 14:24 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> I believe that I’ve now responded line-by-line to all the WGLC comments
> received.  If I missed any from any of you, please let me know.
>
>
>
> After discussion of my responses this week, unless disagreements arise,
> I’ll plan to publish -04 next week to incorporate the remaining resolutions
> that have been discussed and planned for the next draft, such as allowing
> symmetric keys in encrypted JWTs to be represented as simple JWKs in the
> “jwk” claim.
>
>
>
>                                                             Best wishes,
>
>                                                             -- Mike
>
>
>
> *From:* Mike Jones
> *Sent:* Thursday, July 30, 2015 7:49 PM
> *To:* 'Nat Sakimura'; oauth
> *Subject:* RE: [OAUTH-WG] Review Comments for
> draft-ietf-oauth-proof-of-possession-02
>
>
>
> I typically do respond to review comments line-by-line but ran out of time
> to do this before Prague.  (I was doing things like working with Brian on
> the Token Exchange deck, preparing my remarks to the COSE WG, etc.)  I’ll
> plan to do this sometime early next week, which is the soonest I’ll be able
> to get to it, given other things currently on my plate.
>
>
>
> FYI, I did read through all of your and other’s comments and applied most
> of them – for instance, off the top of my head, clarifying how “azp” could
> be used in identifying the presenter, eliminating the need to sniff the
> “jwk” value, and updating the title to be more evocative of what the
> specification actually achieves.
>
>
>
>                                                             Cheers,
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *On
> Behalf Of *Nat Sakimura
> *Sent:* Thursday, July 30, 2015 6:36 PM
> *To:* oauth
> *Subject:* Re: [OAUTH-WG] Review Comments for
> draft-ietf-oauth-proof-of-possession-02
>
>
>
> I cannot find any disposition of comment (DoC) to this review that the WG
> Chairs asked for.
>
> Nor do I see much of them reflected in -03.
>
>
>
> The process I would imagine is for the editors to
>
>
>
> 1) Provide the DoC [accept, discuss, reject (with reasons)],
>
> 2) Open up a series of discussions on discuss items and drive towards the
> (rough) consensus.
>
>
>
> Since the diff between -02 and -03 is small, much of the above comments
> still apply.
>
>
>
> Looking forward to seeing the DoC.
>
>
>
> Nat
>
>
>
> 2015-03-25 22:37 GMT+09:00 Nat Sakimura <sakimura@gmail.com>:
>
> Dear OAuthers:
>
>
>
> Here are my belated review comments on
> draft-ietf-oauth-proof-of-possession-02
>
>
>
> Below, [POPA] stands for
> https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01
>
>
>
> Abstract
>
> ============
>
> It is probably better to spell out that this document is describing the
> JWT format that can be used for sender constraint (5.2 of [POPA]) and key
> confirmation (5.3 of [POPA]). This will make it easier for the reader to
> understand what this document aims at.
>
>
>
> Accordingly, we should consider the title change to something like:
>
> JWT Sender Confirmation Token Syntax
>
>   OR
>
> borrowing from the financial concept which I believe is the origin of the
> concept of "bearer token",
>
> JWT Registered Token Syntax
>
> -- here, "Registered" means that either the sender constraint or key
> confirmation is registered within or in conjunction with the token.
>
>
>
> 1. Introduction
>
> ==============
>
> Consider referencing draft-ietf-oauth-pop-architecture.
>
> It will be clearer for the reader then, and the text will be shorter.
>
>
>
> 2. Terminology - Presenter
>
> ========================
>
> Sentence 1
>
> -------------------
>
> Not sure if the first sentence is accurately reflecting the intent.
>
> It excludes a rogue party that presents the token (and fails) from being a presenter.
>
> If so, it is fine, but using a more qualified term like "authorized
> presenter" may make it easier for the reader to parse.
>
>
>
> Otherwise revise the definition.
>
>
>
> Sentence 2
>
> -------------------
>
> "issuer or a party different from the issuer" is not constraining anything
> and is meaningless.
>
> There is easier to parse and more accurate text coming in the main text,
> too.
>
> Drop.
>
>
>
> 3. Proof-Of-Possession Representation
>
> ===============================
>
> Title
>
> ---------
>
> Perhaps "Sender Representation in JWT" is more reflective of the content.
>
>
>
> Para 2
>
> -------------
>
> The paragraph describes two ways of sender confirmation:
>
> (1) Sender Constraint
>
> (2) Key Confirmation
>
> It should refer to 5.2 and 5.3 of [POPA] for it, as well as align the
> terminology.
>
>
>
> Then, it goes on to describe (1) very briefly, in which it is just
> spelling out "iss" and "sub".
>
>
>
> I understand the use of sub in this section comes down from SAML but I
> feel that some separation between sub and presenter would be nice.
>
> For example, when I am presenting the token using an app that I installed
> on my iPhone, the presenter is that app and not me, while the sub still may
> be me. The app is the authorized presenter/party (azp) of the token. The
> JWT may well be about the sub but presented by some software component that
> should be independently identified.
>
>
> So my proposal is to create a new subsection on (1) for completeness,
> which is going to be a new 3.1, and to use a claim like "azp" instead of
> "sub" to identify the presenter. Less overload would cause less confusion
> later, IMHO.
>
>
>
> 3.1
>
> ======
>
> Title
>
> --------
>
> Perhaps "Confirmation Key Representation for an Asymmetric Key" is more
> reflective of the content.
>
>
>
> 3.2
>
> ========
>
> Title
>
> -----------
>
> Perhaps "Confirmation Key Representation for a Symmetric Key" is more
> reflective of the content.
>
>
>
> Last Para
>
> -----------------
>
> I feel a bit like needing to sniff into the content of jwk to find out
> what type it is may not be optimal, though I do not have a concrete proposal at
> this time.
>
>
>
> 3.3
>
> ======
>
> Title
>
> ---------
>
> Perhaps "Confirmation Key Representation by Key ID" is more reflective of
> the content.
>
>
>
> Para 1
>
> -----------
>
> There has been some discussion of using a thumbprint instead of a blob
> "kid".
>
> This is a valid option. If we are to overload the "kid" member for this
> purpose, we need to find a way to signal that it is a thumbprint.
>
> It may very well be better to define a separate member name then for the
> thumbprint. The title then changes from "-- by Key ID" to "-- by reference".
>
>
>
> Also, it is conceivable to use the combination of "kid" and "jku". This
> aspect is not spelled out here, but it appears that some magic happens for the
> key distribution.
>
>
>
> 3.4
>
> ========
>
> Since "cnf" appears before 3.4, it may be better to bring 3.4 to the
> front.
>
>
>
> 5.2.2
>
> =========
>
> Add "azp" and "jkt".
>
>
>
> o  Confirmation Method Value: "azp"
> o  Confirmation Method Description: Client ID of the Authorized Presenter
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
>
> o  Confirmation Method Value: "jkt"
> o  Confirmation Method Description: JWK Thumbprint of the Confirmation Key
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
>
> o  Confirmation Method Value: "jku"
> o  Confirmation Method Description: JWK URI of the Confirmation Key
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
>
>
> Privacy Consideration
>
> ========================
>
> It is missing a privacy consideration. It is not required per se, but since
> the Key Confirmation method with an ephemeral key can be less privacy intrusive
> compared to other sender confirmation methods, adding some text around it
> may be a good idea.
>
>
>
> Best,
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
>
>
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
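
Worked example, added by the editor and not taken from any message in this thread or from the draft: the JWK thumbprint computation that the proposed "jkt" confirmation method would carry (the procedure later published as RFC 7638), together with the dispatch a resource server can do on the "cnf" claim so that it never has to sniff the embedded "jwk" to learn the key type. Every function name and the EC key coordinates are constructed for this example; the "kid" and "jku" methods, which need a key lookup, are deliberately not modelled and are rejected rather than silently accepted.

```python
"""JWK thumbprint and "cnf" confirmation checking (added example).

Not code from draft-ietf-oauth-proof-of-possession or from anyone in this
thread. The thumbprint procedure is the one later published as RFC 7638;
the key material below is constructed sample data, not a real key.
"""
import base64
import hashlib
import json

# Members RFC 7638 feeds into the thumbprint, per key type. Optional members
# such as "kid", "alg" or "use" are deliberately excluded.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only:
    keys sorted lexicographically, no whitespace, base64url output."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        required = {m: jwk[m] for m in THUMBPRINT_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK is missing required member {exc}") from None
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def confirmation_matches(cnf: dict, presenter_jwk: dict) -> bool:
    """Compare the token's "cnf" claim with the public key the presenter has
    just proved possession of (the proof itself, e.g. a signature over a
    nonce, is out of scope here).

    Dispatching on the member that is present ("jwk" embeds the key, "jkt"
    carries only its thumbprint) means the RS never has to inspect the key
    type. "kid" and "jku" need a key lookup that is not modelled, so they
    are rejected rather than silently accepted.
    """
    if "jwk" in cnf:
        # Compare thumbprints so optional members on either side are ignored.
        return jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(presenter_jwk)
    if "jkt" in cnf:
        return cnf["jkt"] == jwk_thumbprint(presenter_jwk)
    raise ValueError("cnf carries no confirmation member this checker supports")


# Constructed sample EC P-256 public key: the coordinates are just 32-byte
# patterns, so this is not a usable key, only a correctly shaped JWK.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(0, 32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "sample-1",
    "use": "sig",
}


def demo() -> dict:
    """The checks an RS would run for one token; returns the outcomes."""
    presenter = {m: SAMPLE_JWK[m] for m in THUMBPRINT_MEMBERS["EC"]}
    other_key = dict(presenter, y=b64url(bytes(range(64, 96))))
    jkt = jwk_thumbprint(SAMPLE_JWK)
    return {
        "jwk_match": confirmation_matches({"jwk": SAMPLE_JWK}, presenter),
        "jkt_match": confirmation_matches({"jkt": jkt}, presenter),
        "jkt_mismatch": confirmation_matches({"jkt": jkt}, other_key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Comparing an embedded "jwk" by thumbprint rather than by dictionary equality is what makes the "kid", "alg" and "use" members on either side irrelevant to the decision, which is also why a bare "jkt" value loses nothing that matters for confirmation; the privacy point raised in the review (an ephemeral key per token) follows naturally, since only a hash of the key needs to appear in the JWT.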

--94eb2c095d80ec27d0051da1a2d0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks. I am working on your response now.=C2=A0</div><div=
 class=3D"gmail_extra"><br><div class=3D"gmail_quote">2015-08-11 14:24 GMT+=
09:00 Mike Jones <span dir=3D"ltr">&lt;<a href=3D"mailto:Michael.Jones@micr=
osoft.com" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;</span>:<br=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex">





<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">I believe that I=E2=80=99=
ve now responded line-by-line to all the WGLC comments received.=C2=A0 If I=
 missed any from any of you, please let me know.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">After discussion of my re=
sponses this week, unless disagreements arise, I=E2=80=99ll plan to publish=
 -04 next week to incorporate the remaining resolutions that have
 been discussed and planned for the next draft, such as allowing symmetric =
keys in encrypted JWTs to be represented as simple JWKs in the =E2=80=9Cjwk=
=E2=80=9D claim.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Best wishes,<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<div>
<div style=3D"border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Mike Jon=
es
<br>
<b>Sent:</b> Thursday, July 30, 2015 7:49 PM<br>
<b>To:</b> &#39;Nat Sakimura&#39;; oauth<br>
<b>Subject:</b> RE: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-o=
f-possession-02<u></u><u></u></span></p>
</div>
</div><span class=3D"">
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">I typically do respond to=
 review comments line-by-line but ran out of time to do this before Prague.=
=C2=A0 (I was doing things like working with Brian on the Token
 Exchange deck, preparing my remarks to the COSE WG, etc.)=C2=A0 I=E2=80=99=
ll plan to do this sometime early next week, which is the soonest I=E2=80=
=99ll be able to get to it, given other things currently on my plate.<u></u=
><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">FYI, I did read through a=
ll of your and other=E2=80=99s comments and applied most of them =E2=80=93 =
for instance, off the top of my head, clarifying how =E2=80=9Cazp=E2=80=9D =
could be used
 in identifying the presenter, eliminating the need to sniff the =E2=80=9Cj=
wk=E2=80=9D value, and updating the title to be more evocative of what the =
specification actually achieves.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Cheers,<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
</span><p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-famil=
y:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D=
"font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> O=
Auth [<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">mailto:oa=
uth-bounces@ietf.org</a>]
<b>On Behalf Of </b>Nat Sakimura<span class=3D""><br>
<b>Sent:</b> Thursday, July 30, 2015 6:36 PM<br>
<b>To:</b> oauth<br>
</span><b>Subject:</b> Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-=
proof-of-possession-02<u></u><u></u></span></p><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">I cannot find any disposition of comment (DoC) to th=
is review that the WG Chairs asked.=C2=A0<u></u><u></u></p>
<div>
<p class=3D"MsoNormal">Nor I see much of them reflected in -03.=C2=A0<u></u=
><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">The process I would imagine to be the editors to=C2=
=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">1) Provide the DoC [accept, discuss, reject (with re=
asons)],=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">2) Open up series of discussions on discuss items an=
d drive towards the (rough) consensus.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Since the diff between -02 and -03 is small, much of=
 the above comments still applies.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Looking forward to see the DoC.=C2=A0<u></u><u></u><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Nat<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">2015-03-25 22:37 GMT+09:00 Nat Sakimura &lt;<a href=
=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;=
:<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">Dear OAuthers:=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<p class=3D"MsoNormal">Here is my belated review comments on=C2=A0<span lan=
g=3D"EN" style=3D"font-family:&quot;\0000ff2d\0000ff33  \0000ff300b40b70c30=
af&quot;,&quot;serif&quot;">draft-ietf-oauth-proof-of-possession-02</span><=
br clear=3D"all">
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Below, [POPA] stands for <a href=3D"https://na01.saf=
elinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools.ietf.org%2fhtml%2f=
draft-ietf-oauth-pop-architecture-01&amp;data=3D01%7c01%7cMichael.Jones%40m=
icrosoft.com%7c8e3a1c80800044afea6408d299487914%7c72f988bf86f141af91ab2d7cd=
011db47%7c1&amp;sdata=3DaAlUfVrPuS6gZpFdW89pHCw2DWrRcftagluPdgF3XzQ%3d" tar=
get=3D"_blank">
https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01</a><u></u>=
<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Abstract<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<u></u><u></u></=
p>
</div>
<div>
<p class=3D"MsoNormal">It is probably better to spell out that this documen=
t is describing the JWT format that can be used for sender constraint (5.2 =
of [POPA]) and key confirmation (5.3 of [POPA]). This will make it easier f=
or the reader to understand what this
 document aims at.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Accordingly, we should consider the title change to =
something like:=C2=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">JWT Sender Confirmation Token Syntax=C2=A0<u></u><u>=
</u></p>
</div>
<div>
<p class=3D"MsoNormal">=C2=A0 OR<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">borrowing from the financial concept which I believe=
 is the origin of the concept of &quot;bearer token&quot;,=C2=A0<u></u><u><=
/u></p>
</div>
<div>
<p class=3D"MsoNormal">JWT Registered Token Syntax<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">-- here, &quot;Registered&quot; mean that either the=
 sender constraint or key confirmation is registered within or in conjuncti=
on with the token.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">1. Introduction<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<u></u><u>=
</u></p>
</div>
<div>
<p class=3D"MsoNormal">Consider referencing draft-ietf-oauth-pop-architectu=
re.=C2=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br><div class=
=3D"gmail_signature">Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<=
br><a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimu=
ra.org/</a><br>@_nat_en</div></div>
</div>

--94eb2c095d80ec27d0051da1a2d0--


From nobody Tue Aug 18 21:00:30 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4416C1A8A6B for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:00:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCcw3Q6v6wUc for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:00:22 -0700 (PDT)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 939921A8989 for <oauth@ietf.org>; Tue, 18 Aug 2015 21:00:22 -0700 (PDT)
Received: by obbhe7 with SMTP id he7so158789657obb.0 for <oauth@ietf.org>; Tue, 18 Aug 2015 21:00:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GFb+Wxr4wLCeSyrrVNNjbXzAhMpoVw3sSupYMsrk6/o=; b=ZGVArii+qgfFdKp9DxdRFVGVr7BHIl+VG+0tWoqro180AtMeEa7G7Usln57dB0NFs/ n1RVdFiqtp3237T0hwl3EQF6Qnj9xaROykiq+sZHJrCivBig5m0ry+VQ3AHg8FHbvv68 Mpd750+ewFNnqBtiRcvOGcPlArbRLJRI+GusiDe13NwxuYfzA9+Kbe9GhiSGc3O0Bh3V ZEPFH/r8oiyEsl/B1TeDBlJ7Q5g3XhJ8srXHFPLR2BVjOWpGOaTwInMkfC/5RbAHxtjY tSIMtr2Pzlk0AhUg4562mG5qWfE49YIJ9p9muIvj8rmICU+cUiFo6Z8sViK4Wi5cw8Hi 68eg==
MIME-Version: 1.0
X-Received: by 10.60.142.234 with SMTP id rz10mr8794524oeb.4.1439956821058; Tue, 18 Aug 2015 21:00:21 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 21:00:19 -0700 (PDT)
In-Reply-To: <BY2PR03MB44209EC64A7DCD857F52D22F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com> <BY2PR03MB44209EC64A7DCD857F52D22F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 19 Aug 2015 13:00:19 +0900
Message-ID: <CABzCy2AkYccxz6LSTi19zZB9V8LUoBJ6rBugf0T2n=3n9gBjSQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=047d7b41c0d0cfae2c051da2126f
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lbjwUJK5rC6vdZ_kjm8FjiNLrtk>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 04:00:28 -0000

--047d7b41c0d0cfae2c051da2126f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Inline:

2015-08-11 14:12 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> Replies inline…
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Wednesday, March 25, 2015 6:38 AM
> *To:* oauth
> *Subject:* [OAUTH-WG] Review Comments for
> draft-ietf-oauth-proof-of-possession-02
>
>
>
> Dear OAuthers:
>
>
>
> Here are my belated review comments on
> draft-ietf-oauth-proof-of-possession-02
>
>
>
> Below, [POPA] stands for
> https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01
>
>
>
> Abstract
>
> ============
>
> It is probably better to spell out that this document is describing the
> JWT format that can be used for sender constraint (5.2 of [POPA]) and key
> confirmation (5.3 of [POPA]). This will make it easier for the reader to
> understand what this document aims at.
>
>
>
> It does not seem to me that the “Sender Constraint” concept described in
> 5.3 of [POPA] is the same
>

5.2 I guess, not 5.3.


> thing as identifying a proof-of-possession key within a JWT, which is the
> purpose of this specification.  In this specification, the issuer makes a
> statement that the presenter can confirm possession of a key.  I don’t know
> how that would map into a “Sender Constraint”.  For one thing, which party
> are you considering to be the “Sender”?  Accordingly, I left the abstract
> unchanged.
>

OK. Since the draft was titled "Proof of Possession Semantics for JSON
Web Tokens (JWTs)", I pointed out that it should not only talk about 5.3
of [POPA] but also 5.2. However, now that you have changed the title to "Proof
of Possession *KEY* Semantics for JSON Web Tokens (JWTs)", this issue
is resolved. It would be nice to state that it is talking about 5.3 of
[POPA] in the introduction though.


>
>
> Accordingly, we should consider the title change to something like:
>
> JWT Sender Confirmation Token Syntax
>
>   OR
>
> borrowing from the financial concept which I believe is the origin of the
> concept of "bearer token",
>
> JWT Registered Token Syntax
>
> -- here, "Registered" mean that either the sender constraint or key
> confirmation is registered within or in conjunction with the token.
>
>
>
> I changed the title in -03 to “Proof-of-Possession Key Semantics for JSON
> Web Tokens (JWTs)” to make it clear this draft is about PoP key semantics
> for JWTs – not the proof-of-possession mechanism itself.  I’ve already
> responded to the “Sender Constraint” suggestion above.  Per my earlier
> response, I don’t believe that “Registered Token” is standard terminology,
> and so would confuse more than it would clarify.
>

Now that you have clarified that this document is only about 5.3 of [POPA],
the title in -03 is appropriate.

NOTE: "Registered *" is a very well established term in the financial industry,
describing a kind of "token" that needs to be presented to exercise the right
assigned to it,
e.g., Registered Security, Registered Share Certificate, etc.


>
> 1. Introduction
>
> ==============
>
> Consider referencing draft-ietf-oauth-pop-architecture.
>
> It will be clearer for the reader then, and the text will be shorter.
>
>
>
> Again, I suspect you’re asking me to reference this draft for the “Sender
> Constraint” terminology, which is both vaguely defined in [POPA], and
> doesn’t match what this specification does.  Therefore, I did not do this
> here, although other appropriate references to [POPA] are included.
>

It would be nice to point out that this document is talking about the model
presented in 5.3 of [POPA].
My suggestion: Insert ", *as described in section 5.3 of [POPA]"* before
the end of the Para 1.

   This specification defines how to express a declaration in a JSON Web
   Token (JWT) [JWT] that the presenter of the JWT possesses a
   particular key and that the recipient can cryptographically confirm
   proof-of-possession of the key by the presenter.  This property is
   also sometimes described as the presenter being a holder-of-key,
   *as described in section 5.3 of [POPA]. *


>
> 2. Terminology - Presenter
>
> ========================
>
> Sentence 1
>
> -------------------
>
> Not sure if the first sentence is accurately reflecting the intent.
>
> It excludes a rogue party presenting the token (and failing) from the presenter.
>
> If so, it is fine, but using a more qualified term like "authorized
> presenter" may make it easier
>
> for the reader to parse.
>
>
>
> Otherwise revise the definition.
>
>
>
> I believe the “Presenter” definition accurately matches its usage in this
> specification.  While this is related to a different discussion, I’m not
> aware of a definition for “Authorized Presenter” that could be referenced
> that would add further clarity beyond the existing definition.  (Note that
> the OpenID Connect “azp” claim is for an “Authorized Party” to which the
> token was issued – not an “Authorized Presenter”.  Also, note that the
> usage of “azp” in
> http://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-04 is
> inconsistent with its definition in OpenID Connect, and so should probably
> be revised to use the “Authorized Party” terminology or removed, as it does
> not identify an “Authorized Presenter” in the way that I think you are
> using the term.)
>
>
>

It is not a good practice to define such a generic word as "presenter".
Since you have used "presenter" as the party that holds the key,
we have lost the word for the rogue party that presents the token
without the key.

Also, the current definition includes the issuer in the presenter.
The issuer is not typically a party that is supposed to present the token to
the resource,
so the term seems especially weird.



> Sentence 2
>
> -------------------
>
> "issuer or a party different from the issuer" is not constraining anything
> and is meaningless.
>
> There is easier-to-parse and more accurate text coming in the main text,
> too.
>
> Drop.
>
>
>
> The phrase expresses the intentional **lack of constraint**, by stating
> that the presenter might be the issuer or might be a party different from
> the issuer.  Too many times in the past people thought the two were the
> same party (and indeed, this error occurred in several places in -02),
> therefore, I believe that expressing this non-constraint adds value.  If
> you want to suggest alternative wording to express this non-constraint, I’d
> be glad to consider it.
>

What is the most usual case? Is presenter usually the issuer?
I do not think so.
So, if we really want to express the lack of constraint, then something
like this would be better:

The presenter is usually distinct from the issuer, but the issuer can be a
presenter as well.

Also, I have to point out that the character of this sentence is more
like a note to the definition and not the definition itself.


>
>
> 3. Proof-Of-Possession Representation
>
> ==============================
>
> Title
>
> ---------
>
> Perhaps "Sender Representation in JWT" is more reflective of the content.
>
>
>
> This was changed to “Representations for Proof-of-Possession Keys” in -03
> to clarify that it is the PoP key being represented, not the
> proof-of-possession itself.
>

OK.


>
>
> Para 2
>
> -------------
>
> The paragraph describes two ways of sender confirmation:
>
> (1) Sender Constraint
>
> (2) Key Confirmation
>
> It should refer to 5.2 and 5.3 of [POPA] for it, as well as align the
> terminology.
>
>
>
> As described above, the “Sender Constraint” terminology in [POPA] does not
> match what this specification does.
>

The title change clarified the situation so now it is ok.


>
> Then, it goes on to describe (1) very briefly, in which it is just
> spelling out "iss" and "sub".
>
>
>
> I understand the use of sub in this section comes down from SAML but I
> feel that some separation between sub and presenter would be nice.
>
> For example, when I am presenting the token using an app that I installed
> on my iPhone, the presenter is that app and not me, while the sub still may
> be me. The app is the authorized presenter/party (azp) of the token. The
> JWT may well be about the sub but presented by some software component that
> should be independently identified.
>
>
> So my proposal is to create a new subsection on (1) for the completeness,
> which is going to be a new 3.1, and to use a claim like "azp" instead of
> "sub" to identify the presenter. Less overload would cause less confusion
> later, IMHO.
>
>
>
> Per your request,
> https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-3
> was revised to include a description of the use of the “azp” claim as a
> choice that applications can employ to identify the presenter, if
> appropriate.
>

Thank you.


>
>
> 3.1
>
> ======
>
> Title
>
> --------
>
> Perhaps "Confirmation Key Representation for an Asymmetric Key" is more
> reflective of the content.
>
>
>
> This was changed to “Representation for an Asymmetric Proof-of-Possession
> Key”.
>

Thanks.


>
>
> 3.2
>
> ========
>
> Title
>
> -----------
>
> Perhaps "Confirmation Key Representation for a Symmetric Key" is more
> reflective of the content.
>
>
>
> This was changed to “Representation for an Encrypted Symmetric
> Proof-of-Possession Key”.
>

Thanks.


>
>
> Last Para
>
> -----------------
>
> I feel that needing to sniff into the content of jwk to find out what type
> it is may not be optimal, though I do not have a concrete proposal at this
> time.
>
>
>
> The “jwe” member was introduced in -03 to eliminate the need for this
> sniffing.
>

Thanks.


>
>
> 3.3
>
> ======
>
> Title
>
> ---------
>
> Perhaps "Confirmation Key Representation by Key ID" is more reflective of
> the content.
>
>
>
> This was changed to “Representation of a Key ID for a Proof-of-Possession
> Key”.
>

Thanks.


>
>
> Para 1
>
> -----------
>
> There has been some discussion of using thumbprint instead of a blob
> "kid".
>
> This is a valid option. If we are to overload the "kid" member for this
> purpose, we need to find a way to signal that it is a thumbprint.
>
> It may very well be better to define a separate member name then for the
> thumbprint. The title then changes from "-- by Key ID" to "-- by reference".
>
>
>
> For the same reasons that the “jkt” definition was removed from
> draft-ietf-jose-jwk-thumbprint, it’s not clear that it’s needed here.
> Applications are free to define that the “kid” is to contain a key
> thumbprint using a particular hash function.
>

OK. So you mean that it should be specified in the application layer. That
is acceptable, but then mentioning it in the text would be nice.


>
>
> Also, it is conceivable to use the combination of "kid" and "jku". This
> aspect is not spelled out here, but it appears that some magic happens for the
> key distribution.
>
>
>
> You’re right that if “kid” is used, unless the key is also transmitted in
> the “cnf” claim, distribution of the key is out of scope of the
> specification.  I can imagine methods using “jku” but it seems like we
> should discuss this more before normatively specifying it at this time.
>

Looking forward to it.


>
>
> 3.4
>
> ========
>
> Since "cnf" appears before 3.4, it may be better to bring 3.4 at the
> front.
>
>
>
> Agreed.  Sorry I missed doing this in -03.  I’ll plan to do this in -04.
>

Looking forward to it.
Note that this is not an endorsement for structured cnf; rather,
it was just an editorial point that I raised.


>
>
> 5.2.2
>
> =========
>
> Add "azp" and "jkt".
>
>
>
> o  Confirmation Method Value: "azp"
> o  Confirmation Method Description: Client ID of the Authorized Presenter
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
> Having a Client ID doesn’t identify a proof-of-possession key, so this
> request seems to be out of place relative to the purpose of this
> specification.
>

Indeed. If the title were as it was before the change, it would have been, but
now that the title and the scope are smaller, it is out of scope, I think.


>
>
> o  Confirmation Method Value: "jkt"
> o  Confirmation Method Description: JWK Thumbprint of the Confirmation Key
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
> As discussed earlier, “kid” can already be used to hold a key thumbprint
> value.
>

OK.

>
>
> o  Confirmation Method Value: "jku"
> o  Confirmation Method Description: JWK URI of the Confirmation Key
> o  Change Controller: IESG
> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
>
>
> We should have a discussion focused specifically on this proposed
> addition.  I can see the value of it, but would like to get input from more
> working group members.  What do people think?  (If this discussion doesn’t
> happen based on this response, we should probably start a separate thread
> on this topic.)
>

OK.


>
>
> Privacy Consideration
>
> ========================
>
> It is missing privacy consideration. It is not required per se, but since
> Key Confirmation method with ephemeral key can be less privacy intrusive
> compared to other sender confirmation methods, so adding some text around it
> may be a good idea.
>
>
>
> Can you supply some specific proposed text for -04?
>

When do you expect -04?
Depending on it, I may be able to.


>
>
> Best,
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
>
> Thanks again for your useful review comments!
>
>
>
>                                                             -- Mike
>
>
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
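The two representations argued over above (the PoP key embedded in "cnf" versus referenced through a "kid" that an application defines to hold an RFC 7638 thumbprint), as an added Python example that is not part of this thread, the draft, or any working-group code. It assumes the RFC 7638 thumbprint construction (SHA-256 over the canonical JSON of the required JWK members), a constructed sample EC key, and placeholder issuer and subject values; the proof-of-possession signature check itself is out of its scope.

```python
# Added example (not from the thread, the draft, or any OAuth WG code):
# issuing a JWT "cnf" claim that names a proof-of-possession key either by
# embedding it or by its RFC 7638 JWK thumbprint, and the recipient-side
# check that the key the presenter proves possession of matches what the
# issuer bound to the token.
import base64
import hashlib
import hmac
import json

# RFC 7638 Section 3.2: the members that enter the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# Sample P-256 public key (constructed sample coordinates; the thumbprint
# logic does not depend on them being a valid curve point).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only, so optional members such as "kid" or "alg" and the order
    the members were written in do not change the result."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = _THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    # Lexicographic member order, no whitespace, UTF-8: the canonical form.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def issue_pop_claims(iss: str, sub: str, pop_jwk: dict, embed_key: bool) -> dict:
    """Issuer side: the JWT payload for a holder-of-key token.  With
    embed_key=True the public key travels in "cnf.jwk"; otherwise "cnf.kid"
    carries the RFC 7638 thumbprint, the application-layer convention the
    thread discusses for the "kid" member (the member itself signals no type)."""
    if embed_key:
        cnf = {"jwk": pop_jwk}
    else:
        cnf = {"kid": jwk_thumbprint(pop_jwk)}
    return {"iss": iss, "sub": sub, "cnf": cnf}


def confirm_key_matches(claims: dict, presented_jwk: dict) -> bool:
    """Recipient side: does the key the presenter used match the key the
    issuer bound to the token?  This is the identity check only; verifying
    the presenter's signature or MAC with that key is a separate step.
    Every malformed input yields False so the caller rejects the token."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    try:
        presented = jwk_thumbprint(presented_jwk)
        if "jwk" in cnf:
            # Compare thumbprints rather than dicts so member order or extra
            # members in either copy of the key do not matter.
            expected = jwk_thumbprint(cnf["jwk"])
        elif isinstance(cnf.get("kid"), str):
            expected = cnf["kid"]
        else:
            return False  # no confirmation method we understand
    except (ValueError, AttributeError, TypeError):
        return False
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    claims = issue_pop_claims("https://as.example", "alice", SAMPLE_EC_JWK, embed_key=False)
    print(json.dumps(claims, indent=2))
    print("key matches:", confirm_key_matches(claims, SAMPLE_EC_JWK))
```

With the thumbprint form the recipient still has to obtain the public key from somewhere (the presenter's proof message, a "jku" document, or local configuration), which is the distribution gap the thread leaves open; with the embedded form the token itself is the distribution channel and only the identity comparison remains.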

--047d7b41c0d0cfae2c051da2126f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Inline:=C2=A0<div class=3D"gmail_extra"><br><div class=3D"=
gmail_quote">2015-08-11 14:12 GMT+09:00 Mike Jones <span dir=3D"ltr">&lt;<a=
 href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jone=
s@microsoft.com</a>&gt;</span>:<br><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">Replies inline=E2=80=A6<u=
></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> OAuth [m=
ailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bou=
nces@ietf.org</a>]
<b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Wednesday, March 25, 2015 6:38 AM<br>
<b>To:</b> oauth<br>
<b>Subject:</b> [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-po=
ssession-02<u></u><u></u></span></p>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div><span class=3D"">
<div>
<p class=3D"MsoNormal">Dear OAuthers:=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<p class=3D"MsoNormal">Here is my belated review comments on=C2=A0<span lan=
g=3D"EN" style=3D"font-family:&quot;\0000ff2d\0000ff33  \0000ff300b40b70c30=
af&quot;,&quot;serif&quot;">draft-ietf-oauth-proof-of-possession-02</span><=
br clear=3D"all">
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Below, [POPA] stands for <a href=3D"https://tools.ie=
tf.org/html/draft-ietf-oauth-pop-architecture-01" target=3D"_blank">
https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01</a><u></u>=
<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Abstract<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<u></u><u></u></=
p>
</div>
<div>
<p class=3D"MsoNormal">It is probably better to spell out that this documen=
t is describing the JWT format that can be used for sender constraint (5.2 =
of [POPA]) and key confirmation (5.3 of [POPA]). This will make it easier f=
or the reader to understand what this
 document aims at.=C2=A0<u></u><u></u></p>
</div>
</span><div>
<p class=3D"MsoNormal"><span style=3D"color:#1f497d"><u></u>=C2=A0<u></u></=
span></p>
> It does not seem to me that the "Sender Constraint" concept described in
> 5.3 of [POPA] is the same

5.2 I guess, not 5.3.

> thing as identifying a proof-of-possession key within a JWT, which is the
> purpose of this specification.  In this specification, the issuer makes a
> statement that the presenter can confirm possession of a key.  I don't
> know how that would map into a "Sender Constraint".  For one thing, which
> party are you considering to be the "Sender"?  Accordingly, I left the
> abstract unchanged.

OK. Since the draft was titled "Proof of Possession Semantics for JSON Web
Tokens (JWTs)", I pointed out that it should not only talk about 5.3 of
[POPA] but also 5.2. However, now that you have changed the title to "Proof
of Possession KEY Semantics for JSON Web Tokens (JWTs)", this issue is
resolved. It would be nice to state that it is talking about 5.3 of [POPA]
in the introduction though.

>> Accordingly, we should consider the title change to something like:
>>
>> JWT Sender Confirmation Token Syntax
>>
>>   OR
>>
>> borrowing from the financial concept which I believe is the origin of the
>> concept of "bearer token",
>>
>> JWT Registered Token Syntax
>>
>> -- here, "Registered" means that either the sender constraint or key
>> confirmation is registered within or in conjunction with the token.
>
> I changed the title in -03 to "Proof-of-Possession Key Semantics for JSON
> Web Tokens (JWTs)" to make it clear this draft is about PoP key semantics
> for JWTs – not the proof-of-possession mechanism itself.  I've already
> responded to the "Sender Constraint" suggestion above.  Per my earlier
> response, I don't believe that "Registered Token" is standard terminology,
> and so would confuse more than it would clarify.

Now that you have clarified that this document is only about 5.3 of [POPA],
the title in -03 is appropriate.

NOTE: "Registered *" is a very well established term in the financial
industry, describing a kind of "token" that needs to be presented to
exercise the right assigned to it, e.g., Registered Security, Registered
Share Certificate, etc.

>> 1. Introduction
>> ==============
>>
>> Consider referencing draft-ietf-oauth-pop-architecture.
>> It will be clearer for the reader then, and the text will be shorter.
>
> Again, I suspect you're asking me to reference this draft for the "Sender
> Constraint" terminology, which is both vaguely defined in [POPA], and
> doesn't match what this specification does.  Therefore, I did not do this
> here, although other appropriate references to [POPA] are included.

It would be nice to point out that this document is talking about the model
presented in 5.3 of [POPA].
My suggestion: Insert ", as described in section 5.3 of [POPA]" before the
end of Para 1.

   This specification defines how to express a declaration in a JSON Web
   Token (JWT) [JWT] that the presenter of the JWT possesses a
   particular key and that the recipient can cryptographically confirm
   proof-of-possession of the key by the presenter.  This property is
   also sometimes described as the presenter being a holder-of-key,
   as described in section 5.3 of [POPA].

>> 2. Terminology - Presenter
>> =========================
>>
>> Sentence 1
>> -------------------
>>
>> Not sure if the first sentence is accurately reflecting the intent.
>> It excludes a rogue party presenting the token (and failing) from
>> "presenter".
>> If so, it is fine, but using a more qualified term like "authorized
>> presenter" may make it easier for the reader to parse.
>>
>> Otherwise revise the definition.
>
> I believe the "Presenter" definition accurately matches its usage in this
> specification.  While this is related to a different discussion, I'm not
> aware of a definition for "Authorized Presenter" that could be referenced
> that would add further clarity beyond the existing definition.  (Note that
> the OpenID Connect "azp" claim is for an "Authorized Party" to which the
> token was issued – not an "Authorized Presenter".  Also, note that the
> usage of "azp" in
> http://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-04 is
> inconsistent with its definition in OpenID Connect, and so should probably
> be revised to use the "Authorized Party" terminology or removed, as it
> does not identify an "Authorized Presenter" in the way that I think you
> are using the term.)

It is not a good practice to define such a generic word like "presenter".
Since you have used "presenter" as the party that holds the key, we have
lost the word for the rogue party that presents the token without the key.

Also, the current definition includes the issuer in the presenter. The
issuer is not typically a party that is supposed to present the token to
the resource, so the term seems to be especially weird.

>> Sentence 2
>> -------------------
>>
>> "issuer or a party different from the issuer" is not constraining
>> anything and is meaningless.
>> There is easier-to-parse and more accurate text coming in the main text,
>> too.
>>
>> Drop.
>
> The phrase expresses the intentional *lack of constraint*, by stating
> that the presenter might be the issuer or might be a party different from
> the issuer.  Too many times in the past people thought the two were the
> same party (and indeed, this error occurred in several places in -02),
> therefore, I believe that expressing this non-constraint adds value.  If
> you want to suggest alternative wording to express this non-constraint,
> I'd be glad to consider it.

What is the most usual case? Is the presenter usually the issuer?
I do not think so.
So, if we really want to express the lack of constraint, then something
like this would be better:

The presenter is usually distinct from the issuer, but the issuer can be a
presenter as well.

Also, I have to point out that the character of this sentence is more like
a note to the definition and not the definition itself.

>> 3. Proof-Of-Possession Representation
>> ==============================
>>
>> Title
>> ---------
>>
>> Perhaps "Sender Representation in JWT" is more reflective of the content.
>
> This was changed to "Representations for Proof-of-Possession Keys" in -03
> to clarify that it is the PoP key being represented, not the
> proof-of-possession itself.

OK.

>> Para 2
>> -------------
>>
>> The paragraph describes two ways of sender confirmation:
>> (1) Sender Constraint
>> (2) Key Confirmation
>> It should refer to 5.2 and 5.3 of [POPA] for it, as well as align the
>> terminology.
>
> As described above, the "Sender Constraint" terminology in [POPA] does not
> match what this specification does.

The title change clarified the situation so now it is ok.

>> Then, it goes on to describe (1) very briefly, in which it is just
>> spelling out "iss" and "sub".
>>
>> I understand the use of sub in this section comes down from SAML but I
>> feel that some separation between sub and presenter would be nice.
>>
>> For example, when I am presenting the token using an app that I installed
>> on my iPhone, the presenter is that app and not me, while the sub still
>> may be me. The app is the authorized presenter/party (azp) of the token.
>> The JWT may well be about the sub but presented by some software
>> component that should be independently identified.
>>
>> So my proposal is to create a new subsection on (1) for completeness,
>> which is going to be a new 3.1, and to use a claim like "azp" instead of
>> "sub" to identify the presenter. Less overload would cause less confusion
>> later, IMHO.
>
> Per your request,
> https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-3
> was revised to include a description of the use of the "azp" claim as a
> choice that applications can employ to identify the presenter, if
> appropriate.

Thank you.

>> 3.1
>> ======
>>
>> Title
>> --------
>>
>> Perhaps "Confirmation Key Representation for an Asymmetric Key" is more
>> reflective of the content.
>
> This was changed to "Representation for an Asymmetric Proof-of-Possession
> Key".

Thanks.

>> 3.2
>> ========
>>
>> Title
>> -----------
>>
>> Perhaps "Confirmation Key Representation for a Symmetric Key" is more
>> reflective of the content.
>
> This was changed to "Representation for an Encrypted Symmetric
> Proof-of-Possession Key".

Thanks.

>> Last Para
>> -----------------
>>
>> I feel a bit like needing to sniff into the content of jwk to find out
>> what type may not be optimal, though I do not have a concrete proposal at
>> this time.
>
> The "jwe" member was introduced in -03 to eliminate the need for this
> sniffing.

Thanks.

>> 3.3
>> ======
>>
>> Title
>> ---------
>>
>> Perhaps "Confirmation Key Representation by Key ID" is more reflective of
>> the content.
>
> This was changed to "Representation of a Key ID for a Proof-of-Possession
> Key".

Thanks.

>> Para 1
>> -----------
>>
>> There has been some discussion of using a thumbprint instead of a blob
>> "kid".
>> This is a valid option. If we are to overload the "kid" member for this
>> purpose, we need to find a way to signal that it is a thumbprint.
>> It may very well be better to define a separate member name then for the
>> thumbprint. The title then changes from "-- by Key ID" to "-- by
>> reference".
>
> For the same reasons that the "jkt" definition was removed from
> draft-ietf-jose-jwk-thumbprint, it's not clear that it's needed here.
> Applications are free to define that the "kid" is to contain a key
> thumbprint using a particular hash function.

OK. So you mean that it should be specified in the application layer. That
is acceptable, but then mentioning it in the text would be nice.

>> Also, it is conceivable to use the combination of "kid" and "jku". This
>> aspect is not spelled out here but it appears that some magic happens for
>> the key distribution.
>
> You're right that if "kid" is used, unless the key is also transmitted in
> the "cnf" claim, distribution of the key is out of scope of the
> specification.  I can imagine methods using "jku" but it seems like we
> should discuss this more before normatively specifying it at this time.

Looking forward to it.

>> 3.4
>> ========
>>
>> Since "cnf" appears before 3.4, it may be better to bring 3.4 to the
>> front.
>
> Agreed.  Sorry I missed doing this in -03.  I'll plan to do this in -04.

Looking forward to it.
Note that this is not an endorsement for structured cnf, but rather, it was
just an editorial point that I raised.

>> 5.2.2
>> =========
>>
>> Add "azp" and "jkt".
>>
>> o  Confirmation Method Value: "azp"
>> o  Confirmation Method Description: Client ID of the Authorized Presenter
>> o  Change Controller: IESG
>> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
> Having a Client ID doesn't identify a proof-of-possession key, so this
> request seems to be out of place relative to the purpose of this
> specification.

Indeed. If the title were as it was before the change, it would have been,
but now that the title and the scope are narrower, it is out of scope, I
think.

>> o  Confirmation Method Value: "jkt"
>> o  Confirmation Method Description: JWK Thumbprint of the Confirmation Key
>> o  Change Controller: IESG
>> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
> As discussed earlier, "kid" can already be used to hold a key thumbprint
> value.

OK.

>> o  Confirmation Method Value: "jku"
>> o  Confirmation Method Description: JWK URI of the Confirmation Key
>> o  Change Controller: IESG
>> o  Specification Document(s): Section [TBD] of [[ this document ]]
>
> We should have a discussion focused specifically on this proposed
> addition.  I can see the value of it, but would like to get input from
> more working group members.  What do people think?  (If this discussion
> doesn't happen based on this response, we should probably start a
> separate thread on this topic.)

OK.

>> Privacy Consideration
>> =========================
>>
>> It is missing a privacy consideration. It is not required per se, but
>> since the Key Confirmation method with an ephemeral key can be less
>> privacy-intrusive than other sender confirmation methods, adding some
>> text around it may be a good idea.
>
> Can you supply some specific proposed text for -04?

When do you expect -04?
Depending on it, I may be able to.

>> Best,
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>
> Thanks again for your useful review comments!
>
>                               -- Mike

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--047d7b41c0d0cfae2c051da2126f--


From nobody Tue Aug 18 21:03:59 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA2E1A88F5 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level: 
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtKyibTVm9PJ for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:03:55 -0700 (PDT)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87A051A1BB1 for <oauth@ietf.org>; Tue, 18 Aug 2015 21:03:55 -0700 (PDT)
Received: by obbhe7 with SMTP id he7so158841757obb.0 for <oauth@ietf.org>; Tue, 18 Aug 2015 21:03:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Flxjy/LzjSf3BgYsGYnzI0ORRMyBJgtRSLEs2i7X6jg=; b=idT+J6+hVNf5h+T1BpAFdv5zaHEAEw1y+R05GXu2R7l91lJ9OvkfvRaOqiT2gf8Xqu vufP/vrZImnS/Kj5kKJd+EV70lL4a8i8bACQbznjG4+E9pCg/l7GxbWeLoFxaV3NILFZ g/N+45z+Ias/NM4P1uU5q0P4oZ83W2RhLQc85uzZhpLMu0UXnZcGReq5RiMK+rC3kmng L52yTYtuW2BnStLMG6+jnRh4gwzuTFOSot9mSDFoxF5Py4V2mWuX/cYeF0KKaq8xBjNN ltb2ywlt/iyGDrTyh9m5vHHJJv/icA5i7zxiXod0mePFNguREjGeP7rfkXMYgkfHmhlW S1lQ==
MIME-Version: 1.0
X-Received: by 10.60.74.2 with SMTP id p2mr8694353oev.57.1439957035006; Tue, 18 Aug 2015 21:03:55 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 21:03:54 -0700 (PDT)
In-Reply-To: <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 19 Aug 2015 13:03:54 +0900
Message-ID: <CABzCy2BUZjRqru3rj1dGorDo52L+Sz9Jc0p4+w2M0fKQqOunJQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11360288904146051da21ff7
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yrW3nS-5gPS16ZMbAsBbXaaPlMo>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 04:03:58 -0000

--001a11360288904146051da21ff7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I have dug into why it ended up like that. The approved text per
tickets #712 and #830 was:

azp
   OPTIONAL. Authorized Presenters.
   This member identifies OAuth 2.0 Client(s) and potentially
   other parties authorized to use this ID Token as an assertion
   of the identity of the ID Token's subject at the ID Token's audiences.
   If present, it MUST contain the client_id or other identifiers for
   all Authorized Presenters.
   The issuer is not to be listed as an Authorized Presenter.
   This Claim is only needed when the party requesting the ID Token
   is not the same as the sole audience of the ID Token.
   It MAY be included even when the Authorized Presenter is the same
   as the sole audience.
   Authorized Presenter values should be verified by the participants,
   however the mechanisms for validating azp values are beyond the
   scope of this specification.
   In the general case, the azp value is an array of
   case sensitive strings, each containing a StringOrURI value.
   In the special case when the ID Token has one authorized presenter,
   the azp value MAY be a single case sensitive string containing a
   StringOrURI value.


It got changed to the one that Mike cited without any ticket. It is a
mystery.

Nat


2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> Just as a point of clarification, the definition of the “azp” claim is not
> “authorised presenter”.  At least as defined by OpenID Connect, its
> definition is:
>
>
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was issued.
> If present, it MUST contain the OAuth 2.0 Client ID of this party. This
> Claim is only needed when the ID Token has a single audience value and that
> audience is different than the authorized party. It MAY be included even
> when the authorized party is the same as the sole audience. The azp value
> is a case sensitive string containing a StringOrURI value.
>
>
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html in the IANA “JSON
> Web Token Claims” registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml.
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Tuesday, August 18, 2015 7:37 PM
> *To:* Adam Lewis
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> It is not directly, but *Sender Constrained JWT for OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
>
> talks about a model that allows it.
>
>
>
> In essence, it uses a structured access token that is sender constrained.
>
> It has a claim "azp" which stands for authorised presenter.
>
> To be used, the "client" has to present a proof that it is indeed the
> party pointed by "azp".
>
>
>
> In your case, the native mobile app obtains the structured access token
>
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
>
> the mobile app cannot use it.
>
> The mobile app then ships it to the RS.
>
> The RS can now use it since the "azp" points to it.
>
>
>
> In general, shipping a bearer token around is a bad idea.
>
> If you want to do that, I think you should do so with a sender constrained
> token.
>
>
>
> Nat
>
>
>
>
>
>
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
>
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an access
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
>
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understand
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
>
>
> tx
>
> adam
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
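As an added illustration of the check Nat describes (example code written for this archive, not code from draft-sakimura-oauth-rjwtprof or from any of the posters): a resource endpoint that accepts a structured token only from the party named in its azp claim, accepting both the single-string form of OpenID Connect Core and the array form of the ticket text quoted above, so that a token issued with "azp":"the_RS" is usable by the RS but not by the mobile app that forwarded it. The HS256-signed token layout, the signing key, the party and endpoint names other than the_RS, and the claim values are constructed; how the resource establishes the presenter's identity (the sender-constraint proof) is left to the deployment and is not modelled here.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the authorization server's signing key.
AS_HMAC_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = AS_HMAC_KEY) -> str:
    """Demo AS: issue a compact JWS (HS256) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = AS_HMAC_KEY) -> dict:
    """Check the JWS signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def authorized_presenters(claims: dict) -> set:
    """Normalise azp to a set: Connect Core makes it a single StringOrURI,
    the ticket text quoted in the thread allowed an array, so accept both."""
    azp = claims.get("azp")
    if azp is None:
        return set()
    if isinstance(azp, str):
        return {azp}
    if isinstance(azp, list) and all(isinstance(v, str) for v in azp):
        return set(azp)
    raise ValueError("azp must be a string or an array of strings")


def accept_at_resource(token: str, presenter_id: str, this_resource: str,
                       now: float) -> bool:
    """Resource-side decision: may `presenter_id` use `token` here at time `now`?

    `presenter_id` is assumed to have been established already by whatever
    sender-constraint proof the deployment uses; the proof itself is not modelled.
    """
    try:
        claims = verify_token(token)
        presenters = authorized_presenters(claims)
    except ValueError:
        return False
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    aud = {aud} if isinstance(aud, str) else set(aud or [])
    if this_resource not in aud:
        return False
    if not presenters:
        # No azp: a plain bearer token, usable by whoever holds it. That is
        # exactly the property that makes forwarding bearer tokens risky.
        return True
    return presenter_id in presenters


def forwarding_scenario() -> dict:
    """Adam's case: the app obtains the token and ships it to the RS, which then
    calls the OP's UserInfo endpoint. Names, clock and claims are constructed."""
    now = 1_440_000_000
    userinfo = "https://op.example/userinfo"
    token = mint_token({"aud": [userinfo], "azp": "the_RS", "exp": now + 600})
    # An app that rewrites azp to itself but cannot re-sign the token.
    header, _, sig = token.split(".")
    forged_body = mint_token({"aud": [userinfo], "azp": "mobile_app",
                              "exp": now + 600}).split(".")[1]
    forged = f"{header}.{forged_body}.{sig}"
    return {
        "app_presents": accept_at_resource(token, "mobile_app", userinfo, now),
        "rs_presents": accept_at_resource(token, "the_RS", userinfo, now),
        "rs_wrong_aud": accept_at_resource(token, "the_RS", "https://other.example", now),
        "forged_azp": accept_at_resource(forged, "mobile_app", userinfo, now),
    }
```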

--001a11360288904146051da21ff7--


From nobody Tue Aug 18 21:59:54 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 241E71ACCDE for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QZQjVqERgQpg for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 21:59:48 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0739.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:739]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F5391ACCEA for <oauth@ietf.org>; Tue, 18 Aug 2015 21:59:47 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.231.11; Wed, 19 Aug 2015 04:59:30 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Wed, 19 Aug 2015 04:59:29 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] RS as a client guidance
Thread-Index: AQHQ1SCcusHdwHLfSU6hr3g/5Q6eZJ4SpbqAgAAANJCAABfxAIAACQyw
Date: Wed, 19 Aug 2015 04:59:28 +0000
Message-ID: <BY2PR03MB44228AE5B9CB1EC9E318ACEF5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2BUZjRqru3rj1dGorDo52L+Sz9Jc0p4+w2M0fKQqOunJQ@mail.gmail.com>
In-Reply-To: <CABzCy2BUZjRqru3rj1dGorDo52L+Sz9Jc0p4+w2M0fKQqOunJQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.47.90.173]
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB44228AE5B9CB1EC9E318ACEF5670BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Aug 2015 04:59:29.1882 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Hpw1HfSQydqdNaC2ovAFPFum5os>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 04:59:52 -0000

--_000_BY2PR03MB44228AE5B9CB1EC9E318ACEF5670BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB44228AE5B9CB1EC9E318ACEF5670BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BY2PR03MB44228AE5B9CB1EC9E318ACEF5670BY2PR03MB442namprd_--


From nobody Tue Aug 18 23:13:04 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D5CD1ACD27 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 23:13:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_AFS0D5VDQf for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 23:12:58 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C7B71ACD22 for <oauth@ietf.org>; Tue, 18 Aug 2015 23:12:58 -0700 (PDT)
Received: by oiew67 with SMTP id w67so95638698oie.2 for <oauth@ietf.org>; Tue, 18 Aug 2015 23:12:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zUEGG4Fx62QY8+fg1qGnZDj8L2xFLA/HhhB9hwHZcS4=; b=sWgoMHfwblGIRt7qb/4vYa/Wu0oFr8SZDA+bVPUZMGaMqePiKmXcGihh2dFNc15PVF BhR4BHJSDJE65vKXJQvLgadArbwCnZIesf/+glcjEZdfywHvhLlbzzue/BRvLMmqaAp3 OQ6jhOBpCRMDP9LpU287bHcskATKM+Gk1+3ttSmR/bqUTLE/dcPlNbJpkah78DXI9DFk r0F9vgL7ArMCZiaj4mGqeEgdOCYKUNr+QZ/vN/54M26FThf7Qg8w3G8Ee3w+qV34vYpw 4MuuZAz/fuNsiNP+ACfKFf5xjnWWLirHwr84pdM94jhtt5sU2C4IOPTVIHtmkMh3MtPq 7l1Q==
MIME-Version: 1.0
X-Received: by 10.202.44.195 with SMTP id s186mr8812400ois.53.1439964776892; Tue, 18 Aug 2015 23:12:56 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 23:12:56 -0700 (PDT)
In-Reply-To: <BY2PR03MB44228AE5B9CB1EC9E318ACEF5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2BUZjRqru3rj1dGorDo52L+Sz9Jc0p4+w2M0fKQqOunJQ@mail.gmail.com> <BY2PR03MB44228AE5B9CB1EC9E318ACEF5670@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 19 Aug 2015 15:12:56 +0900
Message-ID: <CABzCy2Cno0AO+i-Jw2cp2HLaGrTCt6OC6XtwuyE1uHZwuCDNTQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11379ab804227e051da3ed17
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/pszXoH_cwjvHQHEEOsPOqD2W0rI>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 06:13:03 -0000

--001a11379ab804227e051da3ed17
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Sorry OAuth folks: I have mistakenly Cc:'ed all. This is OpenID Connect ID
Token stuff and not pertinent to the OAuth WG per se, nor to this discussion, which
was about the access token. I should have removed the list from Cc:.

I will respond more stuff directly related to the original thread
subsequently.

2015-08-19 13:59 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> The =E2=80=9Cazp=E2=80=9D description was changed after the in-person Ope=
nID Connect
> working group meeting at Google on 6-May-13, in which we agreed that =E2=
=80=9Cazp=E2=80=9D
> would be used to represent the issued-to information, and that the claim
> would be named =E2=80=9CAuthorized Party=E2=80=9D.  See the meeting notes=
 at
> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130506/00=
3466.html,
> including attachment
> http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130508/6d=
9b0ac0/attachment-0005.jpg,
> which documents that we decided to represent issued-to information with
> =E2=80=9Cazp=E2=80=9D and attachment
> http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130508/6d=
9b0ac0/attachment-0006.jpg,
> which documents that the =E2=80=9Cazp=E2=80=9D claim is to represent an =
=E2=80=9CAuthorized
> Party=E2=80=9D.  We also decided to make =E2=80=9Cazp=E2=80=9D single-val=
ued there, where it had
> previously been multi-valued.
>
>
>
> Breno de Medeiros and Naveen Agarwal of Google were at the meeting, and i=
n
> fact, were behind many of these changes, which is significant, since they
> were the inventors of this functionality.  They concurred with and
> participated developing these resolutions previously open issues about th=
e
> meanings of =E2=80=9Caud=E2=80=9D and =E2=80=9Cazp=E2=80=9D.  Afterwards,=
 the meeting notes were sent to
> the working group mailing list for review there and no objections were
> raised.
>
>
>
> There=E2=80=99s no mystery.
>
>
>
> Furthermore, all of this text went through both the 45 day Implementer=E2=
=80=99s
> Draft 2 public review period announced at
> http://openid.net/2013/06/07/review-of-proposed-openid-connect-implemente=
rs-drafts/
> and the 60 day Final Specification public review period announced at
> http://openid.net/2013/12/20/review-of-proposed-final-openid-connect-spec=
ifications-and-implementers-drafts/,
> and no objections were raised during those reviews either.  People seemed
> happy with the resolution arrived at during the working group meeting.
>
>
>
> So in conclusion, it would probably be less confusing to all concerned if
> you were to stop referring to =E2=80=9Cazp=E2=80=9D as =E2=80=9Cauthorize=
d presenter=E2=80=9D or ascribing
> those semantics to it (whatever those may be).  Sometime before
> Implementer=E2=80=99s Draft 2 of OpenID Connect that terminology was used=
, but the
> working group changed that and the meaning of =E2=80=9Cazp=E2=80=9D by co=
nsensus in May
> 2013 and it=E2=80=99s been that way ever since.  Trying to overload =E2=
=80=9Cazp=E2=80=9D with a
> different meaning than what=E2=80=99s in the standard seems counterproduc=
tive,
> which is why I wrote my original note of clarification.
>
>
>
> Thanks for taking this into account.
>
>
>
>                                                             Best wishes,
>
>                                                             -- Mike
>
>
>
> *From:* Nat Sakimura [mailto:sakimura@gmail.com]
> *Sent:* Tuesday, August 18, 2015 9:04 PM
> *To:* Mike Jones
> *Cc:* Adam Lewis; OAuth WG
>
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> I have dug into it why it ended up like that. The approved text per the
> ticket #712 and #830 was:
>
>
>
> azp
>
>    OPTIONAL. Authorized Presenters.
>
>    This member identifies OAuth 2.0 Client(s) and potentially
>
>    other parties authorized to use this ID Token as an assertion
>
>    of the identity of the ID Token's subject at the ID Token's audiences.
>
>    If present, it MUST contain the client_id or other identifiers for
>
>    all Authorized Presenters.
>
>    The issuer is not to be listed as an Authorized Presenter.
>
>    This Claim is only needed when the party requesting the ID Token
>
>    is not the same as the sole audience of the ID Token.
>
>    It MAY be included even when the Authorized Presenter is the same
>
>    as the sole audience.
>
>    Authorized Presenter values should be verified by the participants,
>
>    however the mechanisms for validating azp values are beyond the scope =
of this specification.
>
>    In the general case,  the azp value is an array of
>
>    case sensitive strings, each containing a StringOrURI value.
>
>    In the special case when the ID Token has one authorized presenter,
>
>    the azp value MAY be a single  case sensitive string containing a Stri=
ngOrURI value.
>
>
>
> It got changed to the one that Mike sited without any ticket. It is a
> mystery.
>
>
>
> Nat
>
>
>
>
>
> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>
> Just as a point of clarification, the definition of the =E2=80=9Cazp=E2=
=80=9D claim is not
> =E2=80=9Cauthorised presenter=E2=80=9D.  At least as defined by OpenID Co=
nnect, its
> definition is:
>
>
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was issued.
> If present, it MUST contain the OAuth 2.0 Client ID of this party. This
> Claim is only needed when the ID Token has a single audience value and th=
at
> audience is different than the authorized party. It MAY be included even
> when the authorized party is the same as the sole audience. The azp value
> is a case sensitive string containing a StringOrURI value.
>
>
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fopenid=
.net%2fspecs%2fopenid-connect-core-1_0.html&data=3D01%7c01%7cMichael.Jones%=
40microsoft.com%7c718a77de87a54312a76b08d2a84b33cc%7c72f988bf86f141af91ab2d=
7cd011db47%7c1&sdata=3Drak35YM4lwq191Sbx0G9feviUU2ltCxhDS3auYuA6ew%3d>
> in the IANA =E2=80=9CJSON Web Token Claims=E2=80=9D registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ia=
na.org%2fassignments%2fjwt%2fjwt.xhtml&data=3D01%7c01%7cMichael.Jones%40mic=
rosoft.com%7c718a77de87a54312a76b08d2a84b33cc%7c72f988bf86f141af91ab2d7cd01=
1db47%7c1&sdata=3DrvGHkfj1Iie4BTStOyqzF6zfUESvID3JR3%2bkKQZel7w%3d>
> .
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Tuesday, August 18, 2015 7:37 PM
> *To:* Adam Lewis
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> It is not directly, but *Sender Constrained JWT for OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools=
.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=3D01%7c01%7cMichae=
l.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&sdata=3DDhL9%2bp5Ml32P6%2fdaAQHHkho1yCsbq2W0M4WNrwgo=
1zo%3d>
> )
>
> talks about a model that allows it.
>
>
>
> In essence, it uses a structured access token that is sender constrained.
>
> It as a claim "azp" which stands for authorised presenter.
>
> To be used, the "client" has to present a proof that it is indeed the
> party pointed by "azp".
>
>
>
> In your case, the native mobile app obtains the structured access token
>
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
>
> the mobile app cannot use it.
>
> The mobile app then ships it to the RS.
>
> The RS can now use it since the "azp" points to it.
>
>
>
> In general, shipping a bearer token around is a bad idea.
>
> If you want to do that, I think you should do so with a sender constraine=
d
> token.
>
>
>
> Nat
>
>
>
>
>
>
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
>
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an acces=
s
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
>
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understan=
d
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
>
>
> tx
>
> adam
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.i=
etf.org%2fmailman%2flistinfo%2foauth&data=3D01%7c01%7cMichael.Jones%40micro=
soft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011d=
b47%7c1&sdata=3DeM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9ufZ7qgk%3d>
>
>
>
>
>
> --
>
> Nat Sakimura (=3Dnat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sa=
kimura.org%2f&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd494659=
4ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3D2x5%2f9=
bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d>
> @_nat_en
>
>
>
>
>
> --
>
> Nat Sakimura (=3Dnat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sa=
kimura.org%2f&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c718a77de87a5=
4312a76b08d2a84b33cc%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3DYF1hbON=
1WremXC%2blR0N43pDiBVr%2fjhBbAieEDtKkv1E%3d>
> @_nat_en
>



--=20
Nat Sakimura (=3Dnat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
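The example below is added to this archive page; it is not code from the thread, from OpenID Connect Core, or from draft-sakimura-oauth-rjwtprof-05. It models the arrangement Nat describes above (the "azp" claim names the only party allowed to present the structured access token, and the resource accepts the token only with proof that the presenter is that party), walks through Adam's scenario (the mobile app obtains the token, ships it to the RS, and only the RS can present it to the UserInfo endpoint), and adds the aud/azp check that OpenID Connect Core 3.1.3.7 gives clients for the ID Token "azp" definition Mike quotes. The HS256 signing, the per-party secrets registered at the resource, the HMAC-over-(token, nonce) proof of presentation, and every key, name and URL are my assumptions for the example, not the draft's mechanism.

```python
"""Added example: a toy sender-constrained access token in which "azp" names
the only party allowed to present it, plus the aud/azp check OpenID Connect
Core 3.1.3.7 gives clients for ID Tokens.  Assumptions (mine, not the
draft's): HS256 JWTs signed by the AS with a key the resource shares, a
per-party secret registered at the resource, proof = HMAC(secret, token.nonce).
All keys, names and URLs are constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://op.example"                     # constructed
USERINFO = ISSUER + "/userinfo"                   # the resource being called
AS_SIGNING_KEY = b"constructed-as-signing-key"    # constructed
PARTY_SECRETS = {                                 # registered presenters (constructed)
    "mobile_app": b"constructed-secret-of-mobile-app",
    "the_RS": b"constructed-secret-of-the-RS",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, aud, azp, now, ttl=300):
    """AS side: structured access token whose azp names the authorized presenter."""
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "azp": azp,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def presentation_proof(token, presenter_secret, nonce):
    """Presenter side: ties this token to this request with the presenter's
    secret; a party that merely holds the token (a bearer) cannot compute it."""
    return hmac.new(presenter_secret, f"{token}.{nonce}".encode(), hashlib.sha256).hexdigest()

def verify_presented_token(token, proof, nonce, expected_aud, now):
    """Resource side.  Returns (accepted, reason, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        return False, "unexpected_alg", None      # pin the algorithm; never trust "alg"
    expected_sig = hmac.new(AS_SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        return False, "bad_signature", None
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong_issuer_or_audience", claims
    if now >= claims.get("exp", 0):
        return False, "expired", claims
    secret = PARTY_SECRETS.get(claims.get("azp"))  # sender constraint: who may present it
    if secret is None:
        return False, "unknown_azp", claims
    if not hmac.compare_digest(presentation_proof(token, secret, nonce), proof):
        return False, "presenter_is_not_azp", claims
    return True, "ok", claims

def check_id_token_audience(claims, my_client_id):
    """Client side, ID Token: client_id must be in aud; with several audiences
    azp must be present; when azp is present it must equal this client_id."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    azp = claims.get("azp")
    if my_client_id not in auds:
        return False, "client_id_not_in_aud"
    if len(auds) > 1 and azp is None:
        return False, "multiple_aud_without_azp"
    if azp is not None and azp != my_client_id:
        return False, "azp_is_not_this_client"
    return True, "ok"

def run_scenario(now=1_440_000_000):
    """Adam's case: the app obtains a token that only the RS may present."""
    token = issue_token("alice", USERINFO, "the_RS", now)
    nonce = secrets.token_hex(16)                 # per-request challenge from the resource
    results = {}
    proof = presentation_proof(token, PARTY_SECRETS["mobile_app"], nonce)  # app tries itself
    results["mobile_app"] = verify_presented_token(token, proof, nonce, USERINFO, now)[:2]
    proof = presentation_proof(token, PARTY_SECRETS["the_RS"], nonce)      # RS presents it
    results["the_RS"] = verify_presented_token(token, proof, nonce, USERINFO, now)[:2]
    results["thief"] = verify_presented_token(token, "00" * 32, nonce, USERINFO, now)[:2]
    results["late_replay"] = verify_presented_token(token, proof, nonce, USERINFO, now + 600)[:2]
    return results

if __name__ == "__main__":
    for who, outcome in run_scenario().items():
        print(f"{who:12s} -> {outcome}")
```

Running the script shows the four outcomes of the scenario: the mobile app and a party that captured the token in transit are both refused as "presenter_is_not_azp", the RS is accepted, and a late replay by the RS is refused as "expired". Two caveats on the simplification: because the proof is symmetric, the resource that checks it could also forge it, so a real deployment binds a public key (or its thumbprint) into the token, as the later RFC 7800 "cnf" claim does, so that the resource can verify but not impersonate; and the nonce must be fresh per request and is best extended to cover the HTTP method and URI, otherwise a proof captured once can be replayed against the same resource until the token expires.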

--001a11379ab804227e051da3ed17--


From nobody Tue Aug 18 23:17:54 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8FC21ACD33 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 23:17:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level: 
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VAgO6208Jy21 for <oauth@ietfa.amsl.com>; Tue, 18 Aug 2015 23:17:50 -0700 (PDT)
Received: from mail-ob0-x22d.google.com (mail-ob0-x22d.google.com [IPv6:2607:f8b0:4003:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EAFA1ACD32 for <oauth@ietf.org>; Tue, 18 Aug 2015 23:17:50 -0700 (PDT)
Received: by obkg7 with SMTP id g7so29560343obk.3 for <oauth@ietf.org>; Tue, 18 Aug 2015 23:17:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7z1fNNw/l7KFaa8hCFY98lm6OO2E4MMzVJ89qERAixI=; b=uGS/iYf6SK3fywdhgeADiKVdstf+es2Hq2iX+f4xR2/F4OQODLQbUGzjYfIiGbqekH 2MYJb/aDuiInKoS5VHv/CZLSeiTRWOokw3tkn9m8trXc7KBaTWRjEGR+1OhGQa0zOyPd vnT+7QUURnfGB1HHFmRu+67fvjKyRpgn0jjEiIfa55hLNIFphi3DgTrzfN4g/dKiZu5c MBtazTGJvgXasqERGZnV58mcBLlPlUbV8XxuMm92//RWO6YHMeHaRYBTcUyFQsngMBeM lcWTxamS5LcaLQsycntjgh67szKMtm0lMD/q5iMMqbaXgf8YHfPH5u7ilPKAfP5Cq1UU uyRg==
MIME-Version: 1.0
X-Received: by 10.182.236.102 with SMTP id ut6mr9598042obc.75.1439965069619; Tue, 18 Aug 2015 23:17:49 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Tue, 18 Aug 2015 23:17:49 -0700 (PDT)
In-Reply-To: <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Wed, 19 Aug 2015 15:17:49 +0900
Message-ID: <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11c3124e76bcdc051da3fed3
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/UOluRVYuCw2fSUkZRJTohZG7tak>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 06:17:53 -0000

--001a11c3124e76bcdc051da3fed3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So, Mike,

Authorized Presenter is a defined term in Sender Constrained JWT for OAuth
2.0
( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ). It is
used in the context of OAuth 2.0 Access Token, not a claim in ID Token of
OpenID Connect.

Nat

2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> Just as a point of clarification, the definition of the “azp” claim is not
> “authorised presenter”.  At least as defined by OpenID Connect, its
> definition is:
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was issued.
> If present, it MUST contain the OAuth 2.0 Client ID of this party. This
> Claim is only needed when the ID Token has a single audience value and that
> audience is different than the authorized party. It MAY be included even
> when the authorized party is the same as the sole audience. The azp value
> is a case sensitive string containing a StringOrURI value.
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html in the IANA “JSON
> Web Token Claims” registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml.
>
>                                                             -- Mike
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Tuesday, August 18, 2015 7:37 PM
> *To:* Adam Lewis
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
> It is not directly, but *Sender Constrained JWT for OAuth 2.0*
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
> talks about a model that allows it.
>
> In essence, it uses a structured access token that is sender constrained.
> It has a claim "azp" which stands for authorised presenter.
> To be used, the "client" has to present a proof that it is indeed the
> party pointed to by "azp".
>
> In your case, the native mobile app obtains the structured access token
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
> the mobile app cannot use it.
> The mobile app then ships it to the RS.
> The RS can now use it since the "azp" points to it.
>
> In general, shipping a bearer token around is a bad idea.
> If you want to do that, I think you should do so with a sender constrained
> token.
>
> Nat
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an access
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understand
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
> tx
>
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--001a11c3124e76bcdc051da3fed3--
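
The check Nat describes above, a structured access token whose "azp" claim names the only party allowed to present it, placed next to Adam's plain bearer case, as an added example that is not part of the thread and not code from draft-sakimura-oauth-rjwtprof-05. The HS256 signing key, the audience identifier, the party names the_RS and mobile_app, and the nonce-based HMAC proof of possession are all constructed stand-ins; the draft's own proof mechanism is not reproduced here, only the shape of the decision a UserInfo-style verifier has to make.

```python
"""Added example (not from the thread or the draft): a verifier that treats a
JWT access token as bearer when it has no "azp" claim and as sender
constrained when it does, requiring the presenter to prove it is "azp"."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

AS_KEY = b"constructed-as-signing-key"              # AS <-> verifier key (constructed)
VERIFIER_ID = "https://op.example/userinfo"         # our audience identifier (constructed)
PARTY_KEYS = {                                       # proof keys per party (constructed)
    "the_RS": b"constructed-rs-proof-key",
    "mobile_app": b"constructed-app-proof-key",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = AS_KEY) -> str:
    """Mint an HS256 JWT in compact serialisation, as the AS would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, key: bytes = AS_KEY, now: Optional[float] = None) -> dict:
    """Check structure, alg, signature, expiry and audience; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # the token never chooses the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if aud != VERIFIER_ID and not (isinstance(aud, list) and VERIFIER_ID in aud):
        raise ValueError("token not intended for this audience")
    return claims


def make_proof(party: str, nonce: str) -> str:
    """Toy proof of possession: the party MACs the verifier's nonce with its own key."""
    return b64url(hmac.new(PARTY_KEYS[party], nonce.encode(), hashlib.sha256).digest())


def accept_presentation(token: str, presenter: str, nonce: str,
                        proof: Optional[str], now: Optional[float] = None) -> dict:
    """No "azp": bearer semantics, whoever holds the token may use it.
    "azp" present: only the named party may use it, and it must prove that."""
    claims = verify_token(token, now=now)
    azp = claims.get("azp")
    if azp is None:
        return claims
    if presenter != azp:
        raise PermissionError(f"token constrained to {azp!r}, presented by {presenter!r}")
    if azp not in PARTY_KEYS or proof is None:
        raise PermissionError("no proof of possession for azp")
    if not hmac.compare_digest(make_proof(azp, nonce).encode(), proof.encode()):
        raise PermissionError("proof of possession failed")
    return claims


def demo() -> dict:
    """Replay the thread's scenario; returns the verdict for each presentation."""
    now = 1_700_000_000
    base = {"iss": "https://as.example", "sub": "user-1", "aud": VERIFIER_ID, "exp": now + 300}
    bearer = mint_token(base)                            # Adam's case: plain bearer token
    constrained = mint_token({**base, "azp": "the_RS"})  # Nat's case: azp names the RS
    nonce = secrets.token_urlsafe(16)                    # verifier-chosen, per request
    verdicts = {}
    for label, tok, who, proof in [
        ("bearer/app", bearer, "mobile_app", None),
        ("bearer/rs", bearer, "the_RS", None),
        ("azp/app", constrained, "mobile_app", make_proof("mobile_app", nonce)),
        ("azp/rs-noproof", constrained, "the_RS", None),
        ("azp/rs", constrained, "the_RS", make_proof("the_RS", nonce)),
    ]:
        try:
            accept_presentation(tok, who, nonce, proof, now=now)
            verdicts[label] = "accepted"
        except (PermissionError, ValueError) as err:
            verdicts[label] = f"rejected: {err}"
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16} {verdict}")
```

Running demo() shows the two halves of the thread side by side: the bearer token is accepted from whichever party hands it over, which is exactly why shipping it from the app to the RS is the risk Adam asks about, while the "azp"-constrained token is refused when the app presents it, refused when the RS presents it without a proof, and accepted only when the RS proves possession of the key registered for "the_RS". The verifier also pins the algorithm and checks "aud" before looking at "azp", so a token minted for another audience or signed with another key never reaches the presenter check. As Mike's quoted definition notes, the OpenID Connect "azp" is an ID Token claim with different semantics; this verifier applies the access-token meaning Nat describes and does not mix the two.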


From nobody Wed Aug 19 11:05:15 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299071A1A83 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 11:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.611
X-Spam-Level: 
X-Spam-Status: No, score=-0.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOUgvv6INUu2 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 11:05:10 -0700 (PDT)
Received: from mail-qg0-f43.google.com (mail-qg0-f43.google.com [209.85.192.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBBB61A876C for <oauth@ietf.org>; Wed, 19 Aug 2015 11:05:09 -0700 (PDT)
Received: by qgj62 with SMTP id 62so10433005qgj.2 for <oauth@ietf.org>; Wed, 19 Aug 2015 11:05:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=qcp7v5lZdgmcN/z0BR2yXLBapCtil5pPr9nWiUhsayo=; b=iiZgb8R6fXYeVylKQhuiAWZFIsFEsiMDRIoIWYzZz3xRw8FPWEnhK7tmPYUNWW8Odn JFdMgNhpWusQuPHbNm5bgl4+DaaOKYa9md9siQCtAwq70+jpi4jQ6JySiBOW4NdcpopV 7dKu4kPZpsii1Vg/kEO3ztIFSFUMJ1qxWEdnNXeRbcPjlUz4Aap3Z8WUXL0jXolfY+5O mwLoqYNE83vUWo441gROpAbDkVG9x7NDQmatPCyp6Ccqy2dtPIUfXLnCk0aXj2jXAqG4 XwfJfbyhlWUCrVLUUcgzymuh+YoYBt688BnJuOs4sb6Mf1WWUbTdxd3OC+2UPU2qbSfe XWaA==
X-Gm-Message-State: ALoCoQkGaMcJ1IVNaFyA2RhO1EFsuhslqYfL072kQgJY1tYf3nFCROtut6t7q65Bsvjuugf82Oip
X-Received: by 10.140.94.194 with SMTP id g60mr25195997qge.72.1440007508860; Wed, 19 Aug 2015 11:05:08 -0700 (PDT)
Received: from [192.168.1.40] (181-163-26-65.baf.movistar.cl. [181.163.26.65]) by smtp.gmail.com with ESMTPSA id 42sm759542qgf.42.2015.08.19.11.05.05 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Aug 2015 11:05:07 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_73B7426E-33D9-4C57-A2EC-51637434925E"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com>
Date: Wed, 19 Aug 2015 15:05:00 -0300
Message-Id: <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/jsoVnYlAkZaabu32VNCurnWXYhg>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 18:05:14 -0000

--Apple-Mail=_73B7426E-33D9-4C57-A2EC-51637434925E
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_D2FABFC1-612F-4C55-AD92-CD3A7F3B531D"


--Apple-Mail=_D2FABFC1-612F-4C55-AD92-CD3A7F3B531D
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Having two azp claims with slightly different definitions is not a good
way to go; both access tokens and id_tokens are JWT.
For better or worse the claim was defined for bearer tokens where it was
only the identity of the requester that was able to be confirmed by the
token endpoint.
It supported a simple use case where a refresh token is used by client A
to use as an assertion at AS B.
In the simplest 3 party case the requester of the token and the
presenter of the token are the same.  However in some situations they
are not the same.
The important thing was to allow the “aud” recipient of the token to be
able to differentiate a token that it requested from a token that a 3rd
party requested and presented to it.

The “azp” should probably be left as it is and not tied to proof of
possession/binding the token to the presenter.
There was a lot of debate and back and forth on azp at the time; the
main reason to include it was to warn normal Connect clients that a JWT
containing that azp claim needs to have its value be them or someone
they know and trust that can request assertions for them.  That was
because we knew that tokens containing that claim exist in the wild
using that claim.

> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should
> probably be using a different claim to reduce the confusion.

John B.


> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> So, Mike,
>
> Authorized Presenter is a defined term in Sender Constrained JWT for
> OAuth 2.0 ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ).
> It is used in the context of OAuth 2.0 Access Token, not a claim in ID
> Token of OpenID Connect.
>
> Nat
>
> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
> Just as a point of clarification, the definition of the “azp” claim is
> not “authorised presenter”.  At least as defined by OpenID Connect, its
> definition is:
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was
> issued. If present, it MUST contain the OAuth 2.0 Client ID of this
> party. This Claim is only needed when the ID Token has a single audience
> value and that audience is different than the authorized party. It MAY
> be included even when the authorized party is the same as the sole
> audience. The azp value is a case sensitive string containing a
> StringOrURI value.
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html in the IANA “JSON
> Web Token Claims” registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml.
>
>                                                             -- Mike
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
> Sent: Tuesday, August 18, 2015 7:37 PM
> To: Adam Lewis
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] RS as a client guidance
>
> It is not directly, but Sender Constrained JWT for OAuth 2.0
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
> talks about a model that allows it.
>
> In essence, it uses a structured access token that is sender
> constrained.
> It has a claim "azp" which stands for authorised presenter.
> To be used, the "client" has to present a proof that it is indeed the
> party pointed to by "azp".
>
> In your case, the native mobile app obtains the structured access
> token with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
> the mobile app cannot use it.
> The mobile app then ships it to the RS.
> The RS can now use it since the "azp" points to it.
>
> In general, shipping a bearer token around is a bad idea.
> If you want to do that, I think you should do so with a sender
> constrained token.
>
> Nat
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
> Are there any drafts that discuss the notion of an RS acting as a
> client? I'm considering the use case whereby a native mobile app obtains
> an access token and sends it to the RS, and then the RS uses it to
> access the UserInfo endpoint on an OP.
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to
> understand the security implications of this, read on any thoughts given
> to this, or to know if it's an otherwise accepted practice.
>
> tx
>
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_D2FABFC1-612F-4C55-AD92-CD3A7F3B531D--

--Apple-Mail=_73B7426E-33D9-4C57-A2EC-51637434925E
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_73B7426E-33D9-4C57-A2EC-51637434925E--


From nobody Wed Aug 19 11:38:08 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] RS as a client guidance
Thread-Index: AQHQ1SCcusHdwHLfSU6hr3g/5Q6eZJ4SpbqAgAAANJCAAD1bgIAAxZYAgAAIVrA=
Date: Wed, 19 Aug 2015 18:37:41 +0000
Message-ID: <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com>
In-Reply-To: <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4428F2D1134837B21A592D9F5670BY2PR03MB442namprd_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/rVzwv8UxFVpZN3c8NvSkAFT8gZ0>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-List-Received-Date: Wed, 19 Aug 2015 18:38:06 -0000

--_000_BY2PR03MB4428F2D1134837B21A592D9F5670BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4428F2D1134837B21A592D9F5670BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4428F2D1134837B21A592D9F5670BY2PR03MB442namprd_--


From nobody Wed Aug 19 17:30:05 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Ja9N1orj6bIszKzW8YhEBGzwMtHw1ecmgLvDq+EI6ek=; b=V+AfpFkLN1CmTT2gQ/g62hTlmjOq9/vlPHutHyYpeTGf0g0w/Qgs+F9r/LTGX64tSh PhhXwSOBZeG0jW79e+OtXxavsGjyw6asOLUiaXVD+blnLsTwuJKQR+XGp4RkePHQUZI2 ugpxCa8GC9g5E1f8TbuhbL6ktHHjsazUVE+KuGu8pXPqa1axaEDbKJxK++6SjnHlig7N +EqfFG35W1JgmhaDONwVd1JQQpynn306NRFbFytzyr87Rx7I2PVcHeIKC54tAv7bw3bv Kq1CVeqcoFdoSADEuHNwlXCexxYT0nZaUc8Cqnde5F7RbBSzN9S+I0bEjcNMLaafe22p g4Xg==
MIME-Version: 1.0
X-Received: by 10.202.240.215 with SMTP id o206mr255677oih.94.1440030599656; Wed, 19 Aug 2015 17:29:59 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Wed, 19 Aug 2015 17:29:59 -0700 (PDT)
In-Reply-To: <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Thu, 20 Aug 2015 09:29:59 +0900
Message-ID: <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=94eb2c09204e5bbb38051db340d9
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HojWHkq5DlxLPUxh8-BtQQ_4LlA>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-List-Received-Date: Thu, 20 Aug 2015 00:30:04 -0000

--94eb2c09204e5bbb38051db340d9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Well, the abstract meaning is the same, but the practical implications and
interpretation can vary within the boundaries depending on the context.

A jku is a URI of a cryptographical key, which can be a uri of a signing
key or encryption key depending on the context. Similarly the azp in an ID
Token and an Access Token can share the same abstract concept while the
concrete meaning in that particular concept can vary.

On Thursday, 20 August 2015, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Let me second John’s point that we shouldn’t have two different
> definitions for “azp”.  As I wrote in my friendly review of
> draft-sakimura-oauth-rjwtprof-04 at
> http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html, the
> claim “azp” has already been registered by OpenID Connect Core at
> http://www.iana.org/assignments/jwt/jwt.xhtml and so cannot be
> re-registered.  Given that I believe the intended semantics are the same,
> please cite the existing definition in rjwtprof, rather than repeating it
> or revising it.
>
>
>
>                                                             Thanks,
>
>                                                             -- Mike
>
>
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Wednesday, August 19, 2015 11:05 AM
> *To:* Nat Sakimura
> *Cc:* Mike Jones; OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> Having two azp claims with slightly different definitions is not a good
> way to go,  both access tokens and id_tokens are JWT.
>
> For better or worse the claim was defined for bearer tokens where it was
> only the identity of the requester that was able to be confirmed by the
> token endpoint.
>
> It supported a simple use case where a refresh token is used by client A
> to use as an assertion at AS B.
>
> In the simplest 3 party case the requester of the token and the presenter
> of the token are the same.  However in some situations they are not the
> same.
>
> The important thing was to allow the “aud” recipient of the token to be
> able to differentiate a token that it requested from a token that a 3rd
> party requested and presented to it.
>
>
>
> The “azp” should probably be left as it is and not tied to proof of
> possession/ binding the token to the presenter.
>
> There was a lot of debate and back and forth on azp at the time, the main
> reason to include it was to warn normal Connect clients that JWT containing
> that azp claim need to have its value be them or someone they know and
> trust that can request assertions for them.  That was because we knew that
> token containing that claim exist in the wild using that claim.
>
>
>
> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should
> probably be using a different claim to reduce the confusion.
>
>
>
> John B.
>
>
>
>
>
> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>
>
> So, Mike,
>
>
>
> Authorized Presenter is a defined term in *Sender Constrained JWT for
> OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ). It is
> used in the context of OAuth 2.0 Access Token, not a claim in ID Token of
> OpenID Connect.
>
>
>
> Nat
>
>
>
> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>
> Just as a point of clarification, the definition of the “azp” claim is not
> “authorised presenter”.  At least as defined by OpenID Connect, its
> definition is:
>
>
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was issued.
> If present, it MUST contain the OAuth 2.0 Client ID of this party. This
> Claim is only needed when the ID Token has a single audience value and that
> audience is different than the authorized party. It MAY be included even
> when the authorized party is the same as the sole audience. The azp value
> is a case sensitive string containing a StringOrURI value.
>
>
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html in the IANA “JSON
> Web Token Claims” registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml.
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Tuesday, August 18, 2015 7:37 PM
> *To:* Adam Lewis
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> It is not directly, but *Sender Constrained JWT for OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
>
> talks about a model that allows it.
>
>
>
> In essence, it uses a structured access token that is sender constrained.
>
> It as a claim "azp" which stands for authorised presenter.
>
> To be used, the "client" has to present a proof that it is indeed the
> party pointed by "azp".
>
>
>
> In your case, the native mobile app obtains the structured access token
>
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
>
> the mobile app cannot use it.
>
> The mobile app then ships it to the RS.
>
> The RS can now use it since the "azp" points to it.
>
>
>
> In general, shipping a bearer token around is a bad idea.
>
> If you want to do that, I think you should do so with a sender constrained
> token.
>
>
>
> Nat
>
>
>
>
>
>
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
>
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an access
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
>
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understand
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
>
>
> tx
>
> adam
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
>
>
>
> --
>
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
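The thread turns on two checks that are easy to conflate. The first is the OpenID Connect Core rule Mike quotes for ID Tokens: "aud" must contain the client's client_id, and when "azp" is present it must be that client_id, which is how an "aud" recipient tells a token it requested from one a third party requested (John's point). The second is the sender-constrained access token model Nat describes, where only the party named in "azp" may present the token and must prove it is that party. The Python below is an added example written for this page, not code from OpenID Connect, from draft-sakimura-oauth-rjwtprof or from any of the posters. The HMAC-over-nonce proof and the CLIENT_SECRETS table are constructed stand-ins for whatever client authentication a deployment actually uses, not the draft's binding mechanism, and all claim values are constructed sample data.

```python
"""Audience ("aud") and authorized-party ("azp") checks for JWT claims.

Added example for this thread; not code from OpenID Connect, from
draft-sakimura-oauth-rjwtprof or from any of the posters.

check_id_token_audience() follows the aud/azp steps of ID Token validation
in OpenID Connect Core 1.0 (section 3.1.3.7, steps 3-5).

presenter_may_use() models the sender-constrained scenario in the thread:
an access token carrying "azp":"the_RS" is usable by the RS but not by the
mobile app that fetched it.  The proof of identity (HMAC over a verifier
nonce with a secret registered out of band) is a constructed stand-in for
real client authentication, not the draft's mechanism.
"""
import hashlib
import hmac

# Constructed registry of presenter secrets (assumption, not from any spec).
CLIENT_SECRETS = {
    "mobile_app": b"constructed-secret-mobile-app",
    "the_RS": b"constructed-secret-the-rs",
}

# Constructed sample access token claims for Nat's scenario.
ACCESS_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "aud": "https://op.example/userinfo",
    "azp": "the_RS",
    "exp": 1440034199,
}


def check_id_token_audience(claims, client_id):
    """Return (ok, reason) for the aud/azp part of ID Token validation."""
    aud = claims.get("aud")
    if aud is None:
        return False, "aud claim missing"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return False, "aud does not contain this client_id"
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        return False, "multiple audiences but no azp claim"
    if azp is not None and azp != client_id:
        # Issued to another party: this recipient is a secondary audience
        # and was not the requester (the distinction John describes).
        return False, "azp names another party: %r" % azp
    return True, "ok"


def make_proof(presenter_id, nonce):
    """Constructed proof of identity: HMAC-SHA256 of the verifier's nonce."""
    return hmac.new(CLIENT_SECRETS[presenter_id], nonce, hashlib.sha256).hexdigest()


def presenter_may_use(claims, presenter_id, nonce, proof):
    """Accept a sender-constrained access token only from the azp party.

    Returns (ok, reason).  A token without azp is a plain bearer token and
    is refused here, because this verifier only accepts tokens bound to a
    presenter (the thread's advice against shipping bearer tokens around).
    """
    azp = claims.get("azp")
    if azp is None:
        return False, "no azp claim: token is not sender-constrained"
    secret = CLIENT_SECRETS.get(presenter_id)
    if secret is None:
        return False, "unknown presenter %r" % presenter_id
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof):
        return False, "presenter failed to prove it is %r" % presenter_id
    if azp != presenter_id:
        return False, "token is constrained to %r, not %r" % (azp, presenter_id)
    return True, "ok"


def run_scenario():
    """Walk through Nat's scenario; returns the verifier's two decisions."""
    nonce = b"constructed-verifier-nonce"
    app_ok, _ = presenter_may_use(
        ACCESS_TOKEN_CLAIMS, "mobile_app", nonce, make_proof("mobile_app", nonce))
    rs_ok, _ = presenter_may_use(
        ACCESS_TOKEN_CLAIMS, "the_RS", nonce, make_proof("the_RS", nonce))
    return {"mobile_app": app_ok, "the_RS": rs_ok}


if __name__ == "__main__":
    print(run_scenario())  # {'mobile_app': False, 'the_RS': True}
```

In the scenario walk-through the mobile app proves its own identity correctly but is still refused, because the token's "azp" names the RS; the RS, proving it is "the_RS", is accepted. Swapping the two checks' order would not change the outcome, but checking the proof before the azp comparison keeps the error messages from leaking which party the token was issued to until the caller has authenticated.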

--94eb2c09204e5bbb38051db340d9--


From nobody Wed Aug 19 17:35:34 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EE141A86E4 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.611
X-Spam-Level: 
X-Spam-Status: No, score=-0.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTrbWSoNMKVY for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:35:29 -0700 (PDT)
Received: from mail-qg0-f48.google.com (mail-qg0-f48.google.com [209.85.192.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20E551A1A92 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:35:29 -0700 (PDT)
Received: by qgeb6 with SMTP id b6so17961022qge.3 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:35:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=Zk45/jkTYVsgn0PlLJfbShIm2HbLO1sLNJ9jUTLqOr4=; b=JHG6pOwPhq4xiVoeFMfKcdsNO+JaVEpGrROR4liKfwOa21OBvMld+MALehjpnDtwEQ k7xQKtx3Tjrs7VXi3xUp5Q6EIdM2lqjZsdtibNWRyMYgYsMgUQI2ZQwtrq7cTFR5/mxv OmstZQ74dB7eAGXFtA4NbJjPTN1BD9UhII+hDg1tGYnQ2zubitIdFGCedV9PcqnzPsMd LpBfI5NFlqamhmDmvwKkGzYKHR9IFkgwjPND4AOA25w9tuNZHgaEJZ3QundDncO4CuyE lPWXgL68rnzcu9ggO6lv1rT14zoPg6VtrnVKrVgoOXZtNbppeTCNHJX42ssZKrPch7Fd jojw==
X-Gm-Message-State: ALoCoQmz0yz6W5gh6aJGBb+O/W4G+WBzhlyh0HQMPitBdoQaJOMStUl2HjCfI35SKX0cYJa0d88C
X-Received: by 10.140.89.10 with SMTP id u10mr556758qgd.15.1440030928159; Wed, 19 Aug 2015 17:35:28 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.69.11]) by smtp.gmail.com with ESMTPSA id f194sm1353572qka.49.2015.08.19.17.35.26 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Aug 2015 17:35:27 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_72126BEA-1547-41CB-89AE-ECD7F7EF90EE"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com>
Date: Wed, 19 Aug 2015 21:35:22 -0300
Message-Id: <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/j-Qwy8UQkFxLJBw_kSekd4cYV8E>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:35:33 -0000

--Apple-Mail=_72126BEA-1547-41CB-89AE-ECD7F7EF90EE
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_165F3E5C-2087-4FD1-98AF-72F100130444"


--Apple-Mail=_165F3E5C-2087-4FD1-98AF-72F100130444
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

It could, but I remain to be convinced that would be a good idea.   "azp" came from an existing Google claim, I am not attached to the name.

John B.
> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> Well, the abstract meaning is the same, but the practical implications and interpretation can vary within the boundaries depending on the context.
> 
> A jku is a URI of a cryptographical key, which can be a uri of a signing key or encryption key depending on the context. Similarly the azp in an ID Token and an Access Token can share the same abstract concept while the concrete meaning in that particular concept can vary.
> 
> On Thursday, August 20, 2015, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Let me second John's point that we shouldn't have two different definitions for "azp".  As I wrote in my friendly review of draft-sakimura-oauth-rjwtprof-04 at http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html, the claim "azp" has already been registered by OpenID Connect Core at http://www.iana.org/assignments/jwt/jwt.xhtml and so cannot be re-registered.  Given that I believe the intended semantics are the same, please cite the existing definition in rjwtprof, rather than repeating it or revising it.
> 
>                                                             Thanks,
>                                                             -- Mike
> 
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Wednesday, August 19, 2015 11:05 AM
> To: Nat Sakimura
> Cc: Mike Jones; OAuth WG
> Subject: Re: [OAUTH-WG] RS as a client guidance
> 
> Having two azp claims with slightly different definitions is not a good way to go, both access tokens and id_tokens are JWT.
> 
> For better or worse the claim was defined for bearer tokens where it was only the identity of the requester that was able to be confirmed by the token endpoint.
> 
> It supported a simple use case where a refresh token is used by client A to use as an assertion at AS B.
> 
> In the simplest 3 party case the requester of the token and the presenter of the token are the same.  However in some situations they are not the same.
> 
> The important thing was to allow the "aud" recipient of the token to be able to differentiate a token that it requested from a token that a 3rd party requested and presented to it.
> 
> The "azp" should probably be left as it is and not tied to proof of possession/ binding the token to the presenter.
> 
> There was a lot of debate and back and forth on azp at the time, the main reason to include it was to warn normal Connect clients that JWT containing that azp claim need to have its value be them or someone they know and trust that can request assertions for them.  That was because we knew that token containing that claim exist in the wild using that claim.
> 
> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should probably be using a different claim to reduce the confusion.
> 
> John B.
> 
> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> So, Mike,
> 
> Authorized Presenter is a defined term in Sender Constrained JWT for OAuth 2.0
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ). It is used in the context of OAuth 2.0 Access Token, not a claim in ID Token of OpenID Connect.
> 
> Nat
> 
> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
> 
> Just as a point of clarification, the definition of the "azp" claim is not "authorised presenter".  At least as defined by OpenID Connect, its definition is:
> 
> azp
> 
> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
> 
> A reference to this definition is registered by OpenID Connect Core http://openid.net/specs/openid-connect-core-1_0.html in the IANA "JSON Web Token Claims" registry at http://www.iana.org/assignments/jwt/jwt.xhtml.
> 
>                                                             -- Mike
> 
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
> Sent: Tuesday, August 18, 2015 7:37 PM
> To: Adam Lewis
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] RS as a client guidance
> 
> It is not directly, but Sender Constrained JWT for OAuth 2.0
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
> talks about a model that allows it.
> 
> In essence, it uses a structured access token that is sender constrained.
> It has a claim "azp" which stands for authorised presenter.
> To be used, the "client" has to present a proof that it is indeed the party pointed by "azp".
> 
> In your case, the native mobile app obtains the structured access token
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
> the mobile app cannot use it.
> The mobile app then ships it to the RS.
> The RS can now use it since the "azp" points to it.
> 
> In general, shipping a bearer token around is a bad idea.
> If you want to do that, I think you should do so with a sender constrained token.
> 
> Nat
> 
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
> 
> Hi,
> 
> Are there any drafts that discuss the notion of an RS acting as a client? I'm considering the use case whereby a native mobile app obtains an access token and sends it to the RS, and then the RS uses it to access the UserInfo endpoint on an OP.
> 
> It's a bearer token so no reason it wouldn't work, but obviously it is meant to be presented by the client and not the RS.  Curious to understand the security implications of this, read on any thoughts given to this, or to know if it's an otherwise accepted practice.
> 
> tx
> 
> adam
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> 
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> 


--Apple-Mail=_165F3E5C-2087-4FD1-98AF-72F100130444--

--Apple-Mail=_72126BEA-1547-41CB-89AE-ECD7F7EF90EE--
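The two uses of "azp" argued over in the thread above, as an added example that is not code from the thread, from OpenID Connect Core, or from draft-sakimura-oauth-rjwtprof: an OpenID Connect client checking an ID Token's azp against the definition Mike quotes and John's rule that the value must be the client itself or a party it trusts, and a receiving endpoint applying Nat's sender-constrained model to Adam's RS-as-client scenario, beside a plain bearer token for comparison. The proof-of-possession mechanism (an HMAC over the token id and a nonce with a per-client secret), the party names and the CLIENT_KEYS registry are assumptions of this example; the draft's actual binding mechanism is not described on this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample parties for Adam Lewis's scenario (not from the thread).
MOBILE_APP = "mobile-app-client"
THE_RS = "the_RS"                            # the RS that will act as a client
OP_USERINFO = "https://op.example/userinfo"  # audience of the access token

# Assumption of this example: the OP holds a registered secret per client,
# and proof of possession is an HMAC over the token id and a fresh nonce.
CLIENT_KEYS = {
    MOBILE_APP: b"constructed-secret-for-mobile-app",
    THE_RS: b"constructed-secret-for-the-rs",
}


def _audiences(claims):
    """aud may be a single StringOrURI or an array of them."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_id_token_azp(claims, client_id, trusted_requesters=()):
    """OpenID Connect client side: apply the OIDC Core definition of azp
    quoted in the thread plus John Bradley's rule that a token carrying
    azp must name this client or a party it trusts to request tokens
    for it.  Returns (accepted, reason)."""
    if client_id not in _audiences(claims):
        return False, "client_id is not among the aud values"
    azp = claims.get("azp")
    if azp is None:
        return True, "no azp: token was issued to the sole audience"
    if not isinstance(azp, str):
        return False, "azp must be a case-sensitive StringOrURI"
    if azp == client_id:
        return True, "azp is this client"
    if azp in trusted_requesters:
        return True, "azp is a requester this client trusts"
    return False, "azp names a party this client does not know"


def make_presenter_proof(token, presenter_id, nonce):
    """Hypothetical proof that the presenter is the party named in azp:
    HMAC-SHA256 over the token id and the endpoint's nonce, keyed with
    the presenter's registered secret."""
    msg = f"{token['jti']}|{nonce}".encode()
    return hmac.new(CLIENT_KEYS[presenter_id], msg, hashlib.sha256).hexdigest()


def accept_access_token(token, resource_id, presenter_id, nonce, proof=None):
    """Receiving endpoint side (the OP's UserInfo endpoint in the scenario).
    A bearer token (no azp) is honoured for whoever presents it; a
    sender-constrained token is honoured only for the party named in azp,
    and only if that party proves it holds the matching secret."""
    if resource_id not in _audiences(token):
        return False, "token is not intended for this resource"
    azp = token.get("azp")
    if azp is None:
        return True, "bearer token: accepted from any holder"
    if azp != presenter_id:
        return False, f"{presenter_id!r} is not the authorized presenter {azp!r}"
    if presenter_id not in CLIENT_KEYS:
        return False, "unknown presenter"
    expected = make_presenter_proof(token, presenter_id, nonce)
    if proof is None or not hmac.compare_digest(proof, expected):
        return False, "presenter did not prove it is the azp party"
    return True, "sender-constrained token accepted from its authorized presenter"


def run_scenario():
    """Adam's use case end to end, in Nat's model and with a plain bearer
    token for comparison.  Returns the accepted/rejected outcome per step."""
    nonce = secrets.token_hex(8)   # fresh challenge from the receiving endpoint
    constrained = {"jti": "tok-1", "aud": OP_USERINFO, "sub": "user-42", "azp": THE_RS}
    bearer = {"jti": "tok-2", "aud": OP_USERINFO, "sub": "user-42"}
    app_proof = make_presenter_proof(constrained, MOBILE_APP, nonce)
    rs_proof = make_presenter_proof(constrained, THE_RS, nonce)
    return {
        # The app cannot use the constrained token itself: azp does not point to it.
        "app_uses_constrained": accept_access_token(constrained, OP_USERINFO, MOBILE_APP, nonce, app_proof)[0],
        # Claiming to be the RS does not help without the RS's secret.
        "app_poses_as_rs": accept_access_token(constrained, OP_USERINFO, THE_RS, nonce, app_proof)[0],
        # After the app ships the token to the RS, the RS can use it: azp points to it.
        "rs_uses_constrained": accept_access_token(constrained, OP_USERINFO, THE_RS, nonce, rs_proof)[0],
        # A shipped bearer token works for the RS ...
        "rs_uses_bearer": accept_access_token(bearer, OP_USERINFO, THE_RS, nonce)[0],
        # ... and equally for anyone else who gets hold of it.
        "anyone_uses_bearer": accept_access_token(bearer, OP_USERINFO, "some-other-holder", nonce)[0],
    }


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:22s} {'accepted' if ok else 'rejected'}")
```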


From nobody Wed Aug 19 17:40:20 2015
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7051A8A8A for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsuSaIxCUkmE for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45CA71A8A7E for <oauth@ietf.org>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
X-AuditID: 12074424-f79b46d000001e7f-dd-55d521eca3d3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 3A.86.07807.CE125D55; Wed, 19 Aug 2015 20:40:12 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t7K0eBUk032372; Wed, 19 Aug 2015 20:40:12 -0400
Received: from [192.168.128.56] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7K0e6Cd025146 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2015 20:40:11 -0400
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <55D521DF.30306@mit.edu>
Date: Wed, 19 Aug 2015 20:39:59 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------030102080400080103090108"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/juW4Q43BvvG4Dxn8HQHA8zWhsNw>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:40:19 -0000

This is a multi-part message in MIME format.
--------------030102080400080103090108
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Just want to clear up some history: "azp" did not come from any existing 
claims from Google or otherwise. I very clearly recall proposing that we 
name it "prn" for "presenter", and Mike told me not to be evil[1] 
because we had just changed "prn" (for "principal") in the ID token to 
"sub" in order to match the more generic JWT. John suggested "a-zed-p" 
in the same discussion. As such, it clearly was "authorized presenter" 
in the first take, then it got widened/shifted a little bit in the final 
definition for reasons I never quite followed (nor cared much about at 
the time).

  -- Justin

[1] Being told "don't be evil" by a Microsoft employee remains one of my 
proudest achievements.

On 8/19/2015 8:35 PM, John Bradley wrote:
> It could, but I remain to be convinced that would be a good idea.   
> â€œazpâ€ came from a existing Google claim, I am not attached to the name.
>
> John B.
>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com 
>> <mailto:sakimura@gmail.com>> wrote:
>>
>> Well, the abstract meaning is the same, but the practical 
>> implications and interpretation can vary within the 
>> boundaries depending on the context.
>>
>> A jku is a URI of a cryptographical key, which can be a uri of a 
>> signing key or encryption key depending on the context. Similarly the 
>> azp in an ID Token and an Access Token can share the same abstract 
>> concept while the concrete meaning in that particular concept can vary.
>>
>> 2015å¹´8æœˆ20æ—¥æœ¨æ›œæ—¥ã€Mike Jones<Michael.Jones@microsoft.com 
>> <mailto:Michael.Jones@microsoft.com>> ã•ã‚“ã¯æ›¸ãã¾ã—ãŸ:
>>
>>     Let me second Johnâ€™s point that we shouldnâ€™t have two different
>>     definitions for â€œazpâ€.  As I wrote in my friendly review of
>>     draft-sakimura-oauth-rjwtprof-04 at
>>     http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html,
>>     the claim â€œazpâ€ has already been registered by OpenID Connect
>>     Core at http://www.iana.org/assignments/jwt/jwt.xhtml and so
>>     cannot be re-registered.  Given that I believe the intended
>>     semantics are the same, please cite the existing definition in
>>     rjwtprof, rather than repeating it or revising it.
>>
>>     Thanks,
>>
>>     -- Mike
>>
>>     *From:*John Bradley [mailto:ve7jtb@ve7jtb.com
>>     <javascript:_e(%7B%7D,'cvml','ve7jtb@ve7jtb.com');>]
>>     *Sent:* Wednesday, August 19, 2015 11:05 AM
>>     *To:* Nat Sakimura
>>     *Cc:* Mike Jones; OAuth WG
>>     *Subject:* Re: [OAUTH-WG] RS as a client guidance
>>
>>     Having two azp claims with slightly different definitions is not
>>     a good way to go,  both access tokens and id_tokens are JWT.
>>
>>     For better or worse the claim was defined for bearer tokens where
>>     it was only the identity of the requester that was able to be
>>     confirmed by the token endpoint.
>>
>>     It supported a simple use case where a refresh token is used by
>>     client A to use as an assertion at AS B.
>>
>>     In the simplest 3 party sase the requester of the token and the
>>     presenter of the token are the same.  However in some situations
>>     they are not the same.
>>
>>     The important thing was to allow the â€œaudâ€ recipient of the token
>>     to be able to differentiate a token that it requested from a a
>>     token that a 3rd party requested and presented to it.
>>
>>     The â€œazpâ€ should probably be left as it is and not tied to proof
>>     of possession/ binding the token to the presenter.
>>
>>     There was a lot of debate and back and forth on azp at the time,
>>     the main reason to include it was to warn normal Connect clients
>>     that JWT containing that azp claim need to have itâ€™s value be
>>     them or someone they know and trust that can request assertions
>>     for them.  That was because we knew that token containing that
>>     claim exist in the wild using that claim.
>>
>>         https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should
>>         probably be using a different claim to reduce the confusion.
>>
>>     John B.
>>
>>         On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>         So, Mike,
>>
>>         Authorized Presenter is a defined term in *_Sender
>>         Constrained JWT for OAuth 2.0_*
>>
>>         (
>>         https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ).
>>         It is used in the context of OAuth 2.0 Access Token, not a
>>         claim in ID Token of OpenID Connect.
>>
>>         Nat
>>
>>         2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>>
>>         Just as a point of clarification, the definition of the “azp”
>>         claim is not “authorised presenter”.  At least as defined by
>>         OpenID Connect, its definition is:
>>
>>         azp
>>
>>         OPTIONAL. Authorized party - the party to which the ID Token
>>         was issued. If present, it MUST contain the OAuth 2.0 Client
>>         ID of this party. This Claim is only needed when the ID Token
>>         has a single audience value and that audience is different
>>         than the authorized party. It MAY be included even when the
>>         authorized party is the same as the sole audience. The
>>         azp value is a case sensitive string containing a StringOrURI
>>         value.
>>
>>         A reference to this definition is registered by OpenID
>>         Connect Core
>>         http://openid.net/specs/openid-connect-core-1_0.html in the
>>         IANA “JSON Web Token Claims” registry at
>>         http://www.iana.org/assignments/jwt/jwt.xhtml.
>>
>>         -- Mike
>>
>>         *From:*OAuth [mailto:oauth-bounces@ietf.org] *On
>>         Behalf Of *Nat Sakimura
>>         *Sent:* Tuesday, August 18, 2015 7:37 PM
>>         *To:* Adam Lewis
>>         *Cc:* OAuth WG
>>         *Subject:* Re: [OAUTH-WG] RS as a client guidance
>>
>>         It is not directly, but *_Sender Constrained JWT for OAuth 2.0_*
>>
>>         ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
>>
>>         talks about a model that allows it.
>>
>>         In essence, it uses a structured access token that is sender
>>         constrained.
>>
>>         It has a claim "azp" which stands for authorised presenter.
>>
>>         To be used, the "client" has to present a proof that it is
>>         indeed the party pointed by "azp".
>>
>>         In your case, the native mobile app obtains the structured
>>         access token
>>
>>         with "azp":"the_RS". Since "azp" is not pointing to the
>>         mobile app,
>>
>>         the mobile app cannot use it.
>>
>>         The mobile app then ships it to the RS.
>>
>>         The RS can now use it since the "azp" points to it.
>>
>>         In general, shipping a bearer token around is a bad idea.
>>
>>         If you want to do that, I think you should do so with a
>>         sender constrained token.
>>
>>         Nat
>>
>>         2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>>
>>         Hi,
>>
>>         Are there any drafts that discuss the notion of an RS acting
>>         as a client? I'm considering the use case whereby a native
>>         mobile app obtains an access token and sends it to the RS,
>>         and then the RS uses it to access the UserInfo endpoint on an
>>         OP.
>>
>>         It's a bearer token so no reason it wouldn't work, but
>>         obviously it is meant to be presented by the client and not
>>         the RS.  Curious to understand the security implications of
>>         this, read on any thoughts given to this, or to know if it's
>>         an otherwise accepted practice.
>>
>>         tx
>>
>>         adam
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>         -- 
>>
>>         Nat Sakimura (=nat)
>>
>>         Chairman, OpenID Foundation
>>         http://nat.sakimura.org/
>>         @_nat_en
>>
>>
>>
>>
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
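The two readings of "azp" argued over in this thread, worked through as recipient-side validation logic. This is an added example, not code from OpenID Connect Core, from draft-sakimura-oauth-rjwtprof, or from any poster; the party names (the_RS, mobile_app, client_A, client_B, op.example) and the way the presenter's proven identity is passed in are constructed assumptions.

```python
"""Two readings of the "azp" claim, as a validator at the token recipient.

check_id_token_azp: the OpenID Connect reading (bearer ID Token at a Connect
    client). If "azp" is present it must name the client itself or a party the
    client trusts to request tokens on its behalf; this is what lets the
    audience tell a token it requested from one a third party requested.
check_sender_constrained_azp: the rjwtprof reading Nat describes (structured,
    sender-constrained access token at a resource). The presenter must prove
    it is the party named by "azp"; a bearer presentation is refused.

Claims arrive as dicts whose signature has already been verified. The
presenter's proven identity (for example from mutual TLS) arrives as a string;
how that proof is carried is an assumption of this example, not of the thread.
"""
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class Verdict:
    accepted: bool
    reason: str
    requested_by_third_party: bool = False  # "azp" names someone other than the audience


def audiences(aud: Union[str, list, None]) -> list:
    """JWT "aud" is a StringOrURI or an array of them; normalise to a list."""
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_id_token_azp(claims: dict, client_id: str,
                       trusted_requesters: frozenset = frozenset()) -> Verdict:
    """OpenID Connect reading, evaluated at the Connect client that is the audience."""
    if client_id not in audiences(claims.get("aud")):
        return Verdict(False, "aud does not include this client")
    azp = claims.get("azp")
    if azp is None:
        # azp is only needed when the sole audience differs from the authorized
        # party, so its absence means the audience itself requested the token.
        return Verdict(True, "token requested by this client")
    if azp == client_id:
        return Verdict(True, "azp names this client")
    if azp in trusted_requesters:
        return Verdict(True, f"requested on our behalf by trusted party {azp}",
                       requested_by_third_party=True)
    return Verdict(False, f"azp {azp!r} is neither this client nor a trusted requester",
                   requested_by_third_party=True)


def check_sender_constrained_azp(claims: dict, resource_id: str,
                                 presenter: Optional[str]) -> Verdict:
    """rjwtprof reading, evaluated at the resource that is the audience.

    presenter is the identity the presenting party has proven, or None when
    the token was simply handed over as a bearer token with no proof.
    """
    if resource_id not in audiences(claims.get("aud")):
        return Verdict(False, "aud does not include this resource")
    azp = claims.get("azp")
    if azp is None:
        # Assumption of this example: a token meant to be sender constrained
        # must say who may present it, otherwise there is nothing to bind to.
        return Verdict(False, "sender-constrained token carries no azp")
    if presenter is None:
        return Verdict(False, "no proof of presenter identity; bearer use refused")
    if presenter != azp:
        return Verdict(False, f"presenter {presenter!r} is not the authorized presenter {azp!r}")
    return Verdict(True, f"presenter proved it is {azp}")


def demo() -> dict:
    """Constructed scenario from the thread: a mobile app obtains a token for
    the RS; only the RS can use it at the OP's UserInfo endpoint. A second,
    constructed ID Token shows the Connect-client reading."""
    userinfo = "https://op.example/userinfo"  # constructed resource identifier
    access_token = {"iss": "https://op.example", "aud": userinfo,
                    "azp": "the_RS", "sub": "alice"}
    id_token = {"iss": "https://op.example", "aud": "client_A",
                "azp": "client_B", "sub": "alice"}
    return {
        "app_presents": check_sender_constrained_azp(access_token, userinfo, "mobile_app").accepted,
        "rs_presents": check_sender_constrained_azp(access_token, userinfo, "the_RS").accepted,
        "bearer_presents": check_sender_constrained_azp(access_token, userinfo, None).accepted,
        "trusted_third_party": check_id_token_azp(id_token, "client_A",
                                                  frozenset({"client_B"})).accepted,
        "unknown_third_party": check_id_token_azp(id_token, "client_A").accepted,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```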


--------------030102080400080103090108
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Just want to clear up some history: "azp" did not come from any
    existing claims from Google or otherwise. I very clearly recall
    proposing that we name it "prn" for "presenter", and Mike told me
    not to be evil[1] because we had just changed "prn" (for
    "principal") in the ID token to "sub" in order to match the more
    generic JWT. John suggested "a-zed-p" in the same discussion. As
    such, it clearly was "authorized presenter" in the first take, then
    it got widened/shifted a little bit in the final definition for
    reasons I never quite followed (nor cared much about at the time).<br>
    <br>
    -- Justin<br>
    <br>
    [1] Being told "don't be evil" by a Microsoft employee remains one
    of my proudest achievements.<br>
    <br>
    <div class="moz-cite-prefix">On 8/19/2015 8:35 PM, John Bradley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      It could, but I remain to be convinced that would be a good idea.
      “azp” came from an existing Google claim, I am not attached to
      the name.
      <div class=""><br class="">
      </div>
      <div class="">John B.<br class="">
        <div>
          <blockquote type="cite" class="">
            <div class="">On Aug 19, 2015, at 9:29 PM, Nat Sakimura &lt;<a
                moz-do-not-send="true" href="mailto:sakimura@gmail.com"
                class=""><a class="moz-txt-link-abbreviated" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a></a>&gt; wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">Well, the abstract meaning is the same, but
              the practical implications and interpretation can vary
              within the boundaries depending on the context.
              <div class=""><br class="">
              </div>
              <div class="">A jku is a URI of a cryptographical key,
                which can be a uri of a signing key or encryption key
                depending on the context. Similarly the azp in an ID
                Token and an Access Token can share the same abstract
                concept while the concrete meaning in that particular
                concept can vary.<br class="">
                <br class="">
                On Thursday, August 20, 2015, Mike Jones &lt;<a moz-do-not-send="true"
                  href="mailto:Michael.Jones@microsoft.com" class="">Michael.Jones@microsoft.com</a>&gt;
                wrote:<br class="">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div link="blue" vlink="purple" class="" lang="EN-US">
                    <div class="">
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">Let me second John’s point that we
                          shouldn’t have two different definitions for
                          “azp”.  As I wrote in my friendly review of
                          draft-sakimura-oauth-rjwtprof-04 at <a
                            moz-do-not-send="true"
                            href="http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html"
                            target="_blank" class=""><a class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html">http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html</a></a>,
                        </span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">the claim “azp” has already been
                          registered by OpenID Connect Core at
                          <a moz-do-not-send="true"
                            href="http://www.iana.org/assignments/jwt/jwt.xhtml"
                            target="_blank" class="">http://www.iana.org/assignments/jwt/jwt.xhtml</a>
                          and so cannot be re-registered.  Given that I
                          believe the intended semantics are the same,
                          please cite the existing definition in
                        </span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">rjwtprof</span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">, rather than repeating it or
                          revising it.</span></p>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">&nbsp;</span></p>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">Thanks,</span></p>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">-- Mike</span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class=""></span></p>
                      <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                          class="">&nbsp;</span></p>
                      <div class="">
                        <div style="border:none;border-top:solid #b5c4df
                          1.0pt;padding:3.0pt 0in 0in 0in" class="">
                          <p class="MsoNormal"><b class=""><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"
                                class="">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"
                              class=""> John Bradley [mailto:<a
                                moz-do-not-send="true"
                                href="mailto:ve7jtb@ve7jtb.com"
                                target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a></a>]
                              <br class="">
                              <b class="">Sent:</b> Wednesday, August
                              19, 2015 11:05 AM<br class="">
                              <b class="">To:</b> Nat Sakimura<br
                                class="">
                              <b class="">Cc:</b> Mike Jones; OAuth WG<br
                                class="">
                              <b class="">Subject:</b> Re: [OAUTH-WG] RS
                              as a client guidance</span></p>
                        </div>
                      </div>
                      <p class="MsoNormal">&nbsp;</p>
                      <p class="MsoNormal">Having two azp claims with
                        slightly different definitions is not a good way
                        to go, both access tokens and id_tokens are
                        JWT.</p>
                      <div class="">
                        <p class="MsoNormal">For better or worse the
                          claim was defined for bearer tokens where it
                          was only the identity of the requester that
                          was able to be confirmed by the token
                          endpoint.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">It supported a simple use
                          case where a refresh token is used by client A
                          to use as an assertion at AS B.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">In the simplest 3 party
                          case the requester of the token and the
                          presenter of the token are the same.  However
                          in some situations they are not the same.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">The important thing was to
                          allow the “aud” recipient of the token to be
                          able to differentiate a token that it
                          requested from a token that a 3rd party
                          requested and presented to it.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">&nbsp;</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">The “azp” should probably
                          be left as it is and not tied to proof of
                          possession/ binding the token to the
                          presenter.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">There was a lot of debate
                          and back and forth on azp at the time, the
                          main reason to include it was to warn normal
                          Connect clients that JWT containing that azp
                          claim need to have its value be them or
                          someone they know and trust that can request
                          assertions for them.  That was because we knew
                          that token containing that claim exist in the
                          wild using that claim.</p>
                      </div>
                      <div class="">
                        <p class="MsoNormal">&nbsp;</p>
                      </div>
                      <div class="">
                        <blockquote
                          style="margin-top:5.0pt;margin-bottom:5.0pt"
                          class="">
                          <div class="">
                            <div class="">
                              <p class="MsoNormal"><span
                                  style="font-size:10.5pt" class=""><a
                                    moz-do-not-send="true"
                                    href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05"
                                    target="_blank" class=""><a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a></a> should
                                  probably be using a different claim to
                                  reduce the confusion.</span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div class="">
                          <p class="MsoNormal">&nbsp;</p>
                        </div>
                        <p class="MsoNormal">John B.</p>
                        <div class="">
                          <p class="MsoNormal">&nbsp;</p>
                        </div>
                        <div class="">
                          <p class="MsoNormal">&nbsp;</p>
                          <div class="">
                            <blockquote
                              style="margin-top:5.0pt;margin-bottom:5.0pt"
                              class="">
                              <div class="">
                                <p class="MsoNormal">On Aug 19, 2015, at
                                  3:17 AM, Nat Sakimura &lt;<a
                                    moz-do-not-send="true"
                                    href="mailto:sakimura@gmail.com"
                                    target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a></a>&gt;
                                  wrote:</p>
                              </div>
                              <p class="MsoNormal">&nbsp;</p>
                              <div class="">
                                <div class="">
                                  <p class="MsoNormal">So, Mike,</p>
                                  <div class="">
                                    <p class="MsoNormal">&nbsp;</p>
                                  </div>
                                  <div class="">
                                    <p class="MsoNormal">Authorized
                                      Presenter is a defined term in <b
                                        class=""><u class="">Sender
                                          Constrained JWT for OAuth 2.0</u></b></p>
                                  </div>
                                  <div class="">
                                    <p class="MsoNormal"><span
                                        style="font-size:10.5pt"
                                        class="">( <a
                                          moz-do-not-send="true"
                                          href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05"
                                          target="_blank" class=""><a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a></a> ).
                                        It is used in the context of
                                        OAuth 2.0 Access Token, not a
                                        claim in ID Token of OpenID
                                        Connect.</span></p>
                                  </div>
                                  <div class="">
                                    <p class="MsoNormal"><span
                                        style="font-size:10.5pt"
                                        class="">&nbsp;</span></p>
                                  </div>
                                  <div class="">
                                    <p class="MsoNormal"><span
                                        style="font-size:10.5pt"
                                        class="">Nat</span></p>
                                  </div>
                                </div>
                                <div class="">
                                  <p class="MsoNormal">&nbsp;</p>
                                  <div class="">
                                    <p class="MsoNormal">2015-08-19
                                      11:44 GMT+09:00 Mike Jones &lt;<a
                                        moz-do-not-send="true"
                                        href="mailto:Michael.Jones@microsoft.com"
                                        target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a></a>&gt;:</p>
                                    <div class="">
                                      <div class="">
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">Just as a point of
                                            clarification, the
                                            definition of the “azp”
                                            claim is not “</span>authorised
                                          presenter<span
 style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">”.  At least as
                                            defined by OpenID Connect,
                                            its definition is:</span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">&nbsp;</span></p>
                                        <p class="MsoNormal"><span
                                            style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;"
                                            class="" lang="EN">azp</span></p>
                                        <p class="MsoNormal"
                                          style="margin-left:.5in">
                                          <span
                                            style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;"
                                            class="" lang="EN">OPTIONAL.
                                            Authorized party - the party
                                            to which the ID Token was
                                            issued. If present, it MUST
                                            contain the OAuth 2.0 Client
                                            ID of this party. This Claim
                                            is only needed when the ID
                                            Token has a single audience
                                            value and that audience is
                                            different than the
                                            authorized party. It MAY be
                                            included even when the
                                            authorized party is the same
                                            as the sole audience. The
                                          </span><span
                                            style="font-family:&quot;Courier
                                            New&quot;;color:#003366"
                                            class="" lang="EN">azp</span><span
style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;" class=""
                                            lang="EN"> value is a case
                                            sensitive string containing
                                            a StringOrURI value.
                                          </span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">&nbsp;</span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">A reference to this
                                            definition is registered by
                                            OpenID Connect Core
                                            <a moz-do-not-send="true"
                                              href="http://openid.net/specs/openid-connect-core-1_0.html"
                                              target="_blank" class="">http://openid.net/specs/openid-connect-core-1_0.html</a>
                                            in the IANA “<a
                                              moz-do-not-send="true"
                                              name="14f4740ad86636a6_14f43d7ce3c1c74b_claims"
                                              class=""></a>JSON Web
                                            Token Claims” registry at
                                            <a moz-do-not-send="true"
                                              href="http://www.iana.org/assignments/jwt/jwt.xhtml"
                                              target="_blank" class="">http://www.iana.org/assignments/jwt/jwt.xhtml</a>.</span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">&nbsp;</span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">-- Mike</span></p>
                                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"
                                            class="">&nbsp;</span></p>
                                        <p class="MsoNormal"><b class=""><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"
                                              class="">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"
                                            class=""> OAuth [mailto:<a
                                              moz-do-not-send="true"
                                              href="mailto:oauth-bounces@ietf.org"
                                              target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a></a>]
                                            <b class="">On Behalf Of </b>Nat
                                            Sakimura<br class="">
                                            <b class="">Sent:</b>
                                            Tuesday, August 18, 2015
                                            7:37 PM<br class="">
                                            <b class="">To:</b> Adam
                                            Lewis<br class="">
                                            <b class="">Cc:</b> OAuth WG<br
                                              class="">
                                            <b class="">Subject:</b> Re:
                                            [OAUTH-WG] RS as a client
                                            guidance</span></p>
                                        <div class="">
                                          <div class="">
                                            <p class="MsoNormal">&nbsp;</p>
                                            <div class="">
                                              <p class="MsoNormal">It is
                                                not directly, but <b
                                                  class=""><u class="">Sender
                                                    Constrained JWT for
                                                    OAuth 2.0</u></b></p>
                                              <div class="">
                                                <p class="MsoNormal">(
                                                  <a
                                                    moz-do-not-send="true"
 href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05"
                                                    target="_blank"
                                                    class="">
<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a></a> )</p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">talks
                                                  about a model that
                                                  allows it.</p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">&nbsp;</p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">In
                                                  essence, it uses a
                                                  structured access
                                                  token that is sender
                                                  constrained.</p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">It
                                                  has a claim "azp" which
                                                  stands for authorised
                                                  presenter.</p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">To
                                                  be used, the "client"
                                                  has to present a proof
                                                  that it is indeed the
                                                  party pointed by
                                                  "azp".Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">In
                                                  your case, the native
                                                  mobile app obtains the
                                                  structured access
                                                  tokenÂ </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">with
                                                  "azp":"the_RS". Since
                                                  "azp" is not pointing
                                                  to the mobile app,Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">the
                                                  mobile app cannot use
                                                  it.Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">The
                                                  mobile app then ships
                                                  it to the RS.Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">The
                                                  RS can now use it
                                                  since the "azp" points
                                                  to it.Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">In
                                                  general, shipping a
                                                  bearer token around is
                                                  a bad idea.Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">If
                                                  you want to do that, I
                                                  think you should do so
                                                  with a sender
                                                  constrained token.Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">Â </p>
                                              </div>
                                              <div class="">
                                                <p class="MsoNormal">Nat</p>
                                              </div>
                                              <div class="">
                                                <div class="">
                                                  <p class="MsoNormal">Â </p>
                                                </div>
                                                <div class="">
                                                  <p class="MsoNormal">Â </p>
                                                </div>
                                              </div>
                                            </div>
                                            <div class="">
                                              <p class="MsoNormal">Â </p>
                                              <div class="">
                                                <p class="MsoNormal">2015-08-13
                                                  2:01 GMT+09:00 Adam
                                                  Lewis &lt;<a
                                                    moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','adam.lewis@motorolasolutions.com');"
                                                    target="_blank"
                                                    class=""><a class="moz-txt-link-abbreviated" href="mailto:adam.lewis@motorolasolutions.com">adam.lewis@motorolasolutions.com</a></a>&gt;:</p>
                                                <div class="">
                                                  <p class="MsoNormal">Hi,</p>
                                                  <div class="">
                                                    <p class="MsoNormal">Â </p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal">Are
                                                      there any drafts
                                                      that discuss the
                                                      notion of an RS
                                                      acting as a
                                                      client? I'm
                                                      considering the
                                                      use case whereby a
                                                      native mobile app
                                                      obtains an access
                                                      token and sends it
                                                      to the RS, and
                                                      then the RS uses
                                                      it to access the
                                                      UserInfo endpoint
                                                      on an OP. Â </p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal">Â </p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal">It's
                                                      a bearer token so
                                                      no reason it
                                                      wouldn't work, but
                                                      obviously it is
                                                      meant to be
                                                      presented by the
                                                      client and not the
                                                      RS.Â  Curious to
                                                      understand the
                                                      security
                                                      implications of
                                                      this, read on any
                                                      thoughts given to
                                                      this, or to know
                                                      if it's an
                                                      otherwise accepted
                                                      practice.</p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal">Â </p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal">tx</p>
                                                  </div>
                                                  <div class="">
                                                    <p class="MsoNormal"><span
style="color:#888888" class="">adam</span></p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal"
                                                  style="margin-bottom:12.0pt"><br
                                                    class="">
_______________________________________________<br class="">
                                                  OAuth mailing list<br
                                                    class="">
                                                  <a
                                                    moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');" target="_blank"
                                                    class=""><a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a></a><br
                                                    class="">
                                                  <a
                                                    moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=eM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9ufZ7qgk%3d"
                                                    target="_blank"
                                                    class=""><a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></a></p>
                                              </div>
                                              <p class="MsoNormal"><br
                                                  class="">
                                                <br class="" clear="all">
                                              </p>
                                              <div class="">
                                                <p class="MsoNormal">Â </p>
                                              </div>
                                              <p class="MsoNormal">--
                                              </p>
                                              <div class="">
                                                <p class="MsoNormal">Nat
                                                  Sakimura (=nat)</p>
                                                <div class="">
                                                  <p class="MsoNormal">Chairman,
                                                    OpenID Foundation<br
                                                      class="">
                                                    <a
                                                      moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=2x5%2f9bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d"
                                                      target="_blank"
                                                      class=""><a class="moz-txt-link-freetext" href="http://nat.sakimura.org/">http://nat.sakimura.org/</a></a><br
                                                      class="">
                                                    @_nat_en</p>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <p class="MsoNormal"><br class="">
                                    <br class="" clear="all">
                                  </p>
                                  <div class="">
                                    <p class="MsoNormal">Â </p>
                                  </div>
                                  <p class="MsoNormal">-- </p>
                                  <div class="">
                                    <p class="MsoNormal">Nat Sakimura
                                      (=nat)</p>
                                    <div class="">
                                      <p class="MsoNormal">Chairman,
                                        OpenID Foundation<br class="">
                                        <a moz-do-not-send="true"
                                          href="http://nat.sakimura.org/"
                                          target="_blank" class="">http://nat.sakimura.org/</a><br
                                          class="">
                                        @_nat_en</p>
                                    </div>
                                  </div>
                                </div>
                                <p class="MsoNormal">_______________________________________________<br
                                    class="">
                                  OAuth mailing list<br class="">
                                  <a moz-do-not-send="true"
                                    href="javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');"
                                    target="_blank" class="">OAuth@ietf.org</a><br
                                    class="">
                                  <a moz-do-not-send="true"
                                    href="https://www.ietf.org/mailman/listinfo/oauth"
                                    target="_blank" class="">https://www.ietf.org/mailman/listinfo/oauth</a></p>
                              </div>
                            </blockquote>
                          </div>
                          <p class="MsoNormal">Â </p>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br class="">
              <br class="">
              -- <br class="">
              Nat Sakimura (=nat)
              <div class="">Chairman, OpenID Foundation<br class="">
                <a moz-do-not-send="true"
                  href="http://nat.sakimura.org/" target="_blank"
                  class="">http://nat.sakimura.org/</a><br class="">
                @_nat_en</div>
              <br class="">
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------030102080400080103090108--
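The model Nat describes above (a structured access token whose "azp" claim names the only party allowed to present it, so the mobile app that received it with "azp":"the_RS" cannot use it but the RS can), worked as an added example that is not code from this thread or from draft-sakimura-oauth-rjwtprof. It assumes HS256-signed compact JWTs, a key shared between the AS and the recipient, and a presenter identity the recipient has already authenticated out of band; all three are assumptions made here, and the plain bearer case is included to show what the "azp" check adds.

```python
"""Recipient-side check of the "authorized presenter" model from the thread.

Added example, not code from the thread or from draft-sakimura-oauth-rjwtprof.
Constructed assumptions: HS256-signed compact JWTs, a key shared between the
AS and the recipient, and a presenter_id that the recipient has already
authenticated out of band (for example via mutual TLS). How the presenter
proves its identity is therefore outside this snippet.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Toy AS: mint a compact HS256 JWT carrying `claims`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def authorize_presentation(token: str, presenter_id: str, audience: str,
                           key: bytes, now=None):
    """Decide whether `presenter_id` may use `token` at `audience`.

    Returns (accepted, reason). With an "azp" claim the token is sender
    constrained: only the party named in "azp" may present it. Without one it
    is a plain bearer token and any holder is accepted.
    """
    try:
        claims = verify_signature(token, key)
    except ValueError as exc:
        return False, str(exc)
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False, "recipient is not in aud"
    azp = claims.get("azp")
    if azp is None:
        # The "shipping a bearer token around" case from the thread: the
        # recipient cannot tell who the legitimate holder is.
        return True, "bearer token, presenter not checked"
    if presenter_id != azp:
        return False, f"presenter {presenter_id!r} is not the authorized presenter {azp!r}"
    return True, "presenter matches azp"


# Constructed sample values for the scenario in the thread.
KEY = b"constructed-shared-secret"
AUDIENCE = "https://op.example/userinfo"
EXP = 2_000_000_000  # well in the future

SENDER_CONSTRAINED = issue_token(
    {"iss": "https://as.example", "aud": AUDIENCE, "azp": "the_RS", "exp": EXP}, KEY)
PLAIN_BEARER = issue_token(
    {"iss": "https://as.example", "aud": AUDIENCE, "exp": EXP}, KEY)

if __name__ == "__main__":
    for presenter in ("mobile_app", "the_RS"):
        print(presenter, "sender-constrained:",
              authorize_presentation(SENDER_CONSTRAINED, presenter, AUDIENCE, KEY))
        print(presenter, "plain bearer:",
              authorize_presentation(PLAIN_BEARER, presenter, AUDIENCE, KEY))
```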


From nobody Wed Aug 19 17:41:23 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 606AD1A8A94 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:41:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nkk1WK2xDo0x for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:41:18 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0719.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::719]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB621A8A90 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:41:18 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.231.11; Thu, 20 Aug 2015 00:41:00 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Thu, 20 Aug 2015 00:41:00 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
Thread-Index: AQHQ2jOTWaLNLadkjU2DITHnPVooS54UDQaQ
Date: Thu, 20 Aug 2015 00:41:00 +0000
Message-ID: <BY2PR03MB4424D9473EB965A3E6153ADF5660@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com> <BY2PR03MB44209EC64A7DCD857F52D22F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2AkYccxz6LSTi19zZB9V8LUoBJ6rBugf0T2n=3n9gBjSQ@mail.gmail.com>
In-Reply-To: <CABzCy2AkYccxz6LSTi19zZB9V8LUoBJ6rBugf0T2n=3n9gBjSQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8::33c]
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4424D9473EB965A3E6153ADF5660BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2015 00:41:00.1130 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hhYMPAqPFCaZOoGckkf31IUo_2g>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:41:21 -0000

--_000_BY2PR03MB4424D9473EB965A3E6153ADF5660BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4424D9473EB965A3E6153ADF5660BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4424D9473EB965A3E6153ADF5660BY2PR03MB442namprd_--


From nobody Wed Aug 19 17:50:11 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AC8C1A8A97 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kSAViKtCDQ4V for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:50:04 -0700 (PDT)
Received: from mail-qk0-f174.google.com (mail-qk0-f174.google.com [209.85.220.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05F1B1A8A98 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:50:03 -0700 (PDT)
Received: by qkch123 with SMTP id h123so3209732qkc.0 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:50:03 -0700 (PDT)
X-Received: by 10.55.49.67 with SMTP id x64mr700594qkx.24.1440031802998; Wed, 19 Aug 2015 17:50:02 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.69.11]) by smtp.gmail.com with ESMTPSA id a50sm1376801qga.39.2015.08.19.17.50.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Aug 2015 17:50:02 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_074A7763-FE77-41F7-9A11-220586A4D916"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <55D521DF.30306@mit.edu>
Date: Wed, 19 Aug 2015 21:49:55 -0300
Message-Id: <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4gUQeUQycGmJyYl7cmPn3Sng0dQ>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:50:09 -0000

--Apple-Mail=_074A7763-FE77-41F7-9A11-220586A4D916
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_889AC7E2-E402-48D3-B4BA-DBF8CBA6166C"


--Apple-Mail=_889AC7E2-E402-48D3-B4BA-DBF8CBA6166C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Ah yes,  Now I recall that we had Google change the claim once to azp =
and then discussed changing it again once we decided that azp was not =
the necessarily the presenter presenter.  That was what we decided was =
too cruel getting them to change the name again for something that they =
then had released in production.   That caused us to re-acrom =E2=80=9Cazp=
=E2=80=9D. =20

John B.

> On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu> wrote:
>=20
> Just want to clear up some history: "azp" did not come from any =
existing claims from Google or otherwise. I very clearly recall =
proposing that we name it "prn" for "presenter", and Mike told me not to =
be evil[1] because we had just changed "prn" (for "principal") in the ID =
token to "sub" in order to match the more generic JWT. John suggested =
"a-zed-p" in the same discussion. As such, it clearly was "authorized =
presenter" in the first take, then it got widened/shifted a little bit =
in the final definition for reasons I never quite followed (nor cared =
much about at the time).
>=20
>  -- Justin
>=20
> [1] Being told "don't be evil" by a Microsoft employee remains one of =
my proudest achievements.
>=20
> On 8/19/2015 8:35 PM, John Bradley wrote:
>> It could, but I remain to be convinced that would be a good idea.   =
=E2=80=9Cazp=E2=80=9D came from a existing Google claim, I am not =
attached to the name.
>>=20
>> John B.
>>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura < =
<mailto:sakimura@gmail.com>sakimura@gmail.com =
<mailto:sakimura@gmail.com>> wrote:
>>>=20
>>> Well, the abstract meaning is the same, but the practical =
implications and interpretation can vary within the boundaries depending =
on the context.=20
>>>=20
>>> A jku is a URI of a cryptographical key, which can be a uri of a =
signing key or encryption key depending on the context. Similarly the =
azp in an ID Token and an Access Token can share the same abstract =
concept while the concrete meaning in that particular concept can vary.=20=

>>>=20
>>> 2015=E5=B9=B48=E6=9C=8820=E6=97=A5=E6=9C=A8=E6=9B=9C=E6=97=A5=E3=80=81=
Mike Jones<Michael.Jones@microsoft.com =
<mailto:Michael.Jones@microsoft.com>> =E3=81=95=E3=82=93=E3=81=AF=E6=9B=B8=
=E3=81=8D=E3=81=BE=E3=81=97=E3=81=9F:
>>> Let me second John=E2=80=99s point that we shouldn=E2=80=99t have =
two different definitions for =E2=80=9Cazp=E2=80=9D.  As I wrote in my =
friendly review of draft-sakimura-oauth-rjwtprof-04 at  =
<http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html>http://w=
ww.ietf.org/mail-archive/web/oauth/current/msg14679.html =
<http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html>, the =
claim =E2=80=9Cazp=E2=80=9D has already been registered by OpenID =
Connect Core at http://www.iana.org/assignments/jwt/jwt.xhtml =
<http://www.iana.org/assignments/jwt/jwt.xhtml> and so cannot be =
re-registered.  Given that I believe the intended semantics are the =
same, please cite the existing definition in rjwtprof, rather than =
repeating it or revising it.
>>>=20
>>> =20
>>>                                                             Thanks,
>>>=20
>>> -- Mike
>>>
>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>> Sent: Wednesday, August 19, 2015 11:05 AM
>>> To: Nat Sakimura
>>> Cc: Mike Jones; OAuth WG
>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>>
>>> Having two azp claims with slightly different definitions is not a good way to go; both access tokens and id_tokens are JWT.
>>>
>>> For better or worse the claim was defined for bearer tokens, where it was only the identity of the requester that was able to be confirmed by the token endpoint.
>>>
>>> It supported a simple use case where a refresh token is used by client A as an assertion at AS B.
>>>
>>> In the simplest 3-party case the requester of the token and the presenter of the token are the same. However, in some situations they are not the same.
>>>
>>> The important thing was to allow the “aud” recipient of the token to be able to differentiate a token that it requested from a token that a 3rd party requested and presented to it.
>>>
>>> The “azp” should probably be left as it is and not tied to proof of possession / binding the token to the presenter.
>>>
>>> There was a lot of debate and back and forth on azp at the time. The main reason to include it was to warn normal Connect clients that a JWT containing that azp claim needs to have its value be them or someone they know and trust that can request assertions for them. That was because we knew that tokens containing that claim exist in the wild.
>>>
>>> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should probably be using a different claim to reduce the confusion.
>>>
>>> John B.
>>>
>>> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>
>>> So, Mike,
>>>
>>> Authorized Presenter is a defined term in Sender Constrained JWT for OAuth 2.0 (https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05). It is used in the context of the OAuth 2.0 Access Token, not as a claim in the ID Token of OpenID Connect.
>>>
>>> Nat
>>>
>>> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>>>
>>> Just as a point of clarification, the definition of the “azp” claim is not “authorised presenter”. At least as defined by OpenID Connect, its definition is:
>>>
>>> azp
>>>
>>> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
>>>
>>> A reference to this definition is registered by OpenID Connect Core (http://openid.net/specs/openid-connect-core-1_0.html) in the IANA “JSON Web Token Claims” registry at http://www.iana.org/assignments/jwt/jwt.xhtml.
>>>
>>> -- Mike
>>>
>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
>>> Sent: Tuesday, August 18, 2015 7:37 PM
>>> To: Adam Lewis
>>> Cc: OAuth WG
>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>>
>>> It is not directly, but Sender Constrained JWT for OAuth 2.0 (https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05) talks about a model that allows it.
>>>
>>> In essence, it uses a structured access token that is sender constrained.
>>>
>>> It has a claim "azp" which stands for authorised presenter.
>>>
>>> To be used, the "client" has to present a proof that it is indeed the party pointed to by "azp".
>>>
>>> In your case, the native mobile app obtains the structured access token with "azp":"the_RS". Since "azp" is not pointing to the mobile app, the mobile app cannot use it.
>>>
>>> The mobile app then ships it to the RS.
>>>
>>> The RS can now use it since the "azp" points to it.
>>>
>>> In general, shipping a bearer token around is a bad idea.
>>>
>>> If you want to do that, I think you should do so with a sender constrained token.
>>>
>>> Nat
>>>
>>> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>>>
>>> Hi,
>>>
>>> Are there any drafts that discuss the notion of an RS acting as a client? I'm considering the use case whereby a native mobile app obtains an access token and sends it to the RS, and then the RS uses it to access the UserInfo endpoint on an OP.
>>>
>>> It's a bearer token so no reason it wouldn't work, but obviously it is meant to be presented by the client and not the RS. Curious to understand the security implications of this, read up on any thoughts given to this, or to know if it's an otherwise accepted practice.
>>>
>>> tx
>>>
>>> adam
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>
>
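A worked example of the two readings of azp argued over in the thread above, added here and not taken from the draft, from OpenID Connect or from any of the posters: a Connect client deciding from `aud` and `azp` whether an ID Token was issued to it or was requested by a third party and presented to it (John's point), and the recipient of a sender-constrained access token (the UserInfo endpoint in Adam's scenario) accepting it only from the party named in `azp` once that party has proved who it is (Nat's mobile-app / the_RS walk-through). The client identifiers, claim sets and the `proved_identity` flag are constructed; signature, issuer and lifetime checks are assumed to have already passed.

```python
"""azp / aud policy checks over a decoded JWT claim set.

Added example for this thread, not code from the draft, OpenID Connect or any
of the posters.  It assumes the JWT signature, issuer and lifetime were already
verified and that `claims` is the decoded payload as a dict.  All identifiers
and claim sets below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    azp: Optional[str] = None  # the azp value the check saw, if any


def audiences(claims: dict) -> list[str]:
    """Normalise `aud`, which a JWT may carry as one string or a list of them."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or a list of strings")


def check_id_token_recipient(claims: dict, my_client_id: str,
                             trusted_requesters: frozenset[str] = frozenset()) -> Decision:
    """Connect-client view (John's point in the thread).

    A recipient named in `aud` must tell a token it requested itself (no azp, or
    azp naming it) from one a third party requested and then presented to it
    (azp naming someone else).  The latter passes only when that party is one
    the recipient knows and trusts to request assertions on its behalf.
    """
    auds = audiences(claims)
    if my_client_id not in auds:
        return Decision(False, "recipient is not in aud")
    azp = claims.get("azp")
    if azp is None:
        if len(auds) > 1:
            # Several audiences and no azp: cannot tell whom it was issued to.
            return Decision(False, "multiple audiences but no azp")
        return Decision(True, "sole audience and no azp: issued to me")
    if not isinstance(azp, str):
        return Decision(False, "azp must be a StringOrURI, i.e. a string")
    if azp == my_client_id:
        return Decision(True, "azp names me: issued to me", azp)
    if azp in trusted_requesters:
        return Decision(True, "azp is a trusted requester acting for me", azp)
    return Decision(False, "azp is neither me nor a trusted requester", azp)


def check_sender_constrained_presenter(claims: dict, presenter_id: str,
                                       proved_identity: bool) -> Decision:
    """Recipient view of Nat's sender-constrained model.

    The access token names its authorised presenter in azp and whoever presents
    it must prove it is that party.  A token with "azp":"the_RS" is therefore
    useless to the mobile app that received it from the AS, and usable by the
    RS once the RS has authenticated as the_RS.  `proved_identity` stands for
    the outcome of that proof (hypothetical flag; how the proof is made is out
    of scope here).
    """
    azp = claims.get("azp")
    if not isinstance(azp, str):
        return Decision(False, "sender-constrained token must carry a string azp")
    if azp != presenter_id:
        return Decision(False, "presenter is not the authorised presenter", azp)
    if not proved_identity:
        return Decision(False, "presenter matches azp but proved nothing", azp)
    return Decision(True, "presenter proved it is the authorised presenter", azp)


# Constructed sample claim sets (payloads only; headers and signatures omitted).
ID_TOKEN_DIRECT = {"iss": "https://op.example", "sub": "alice", "aud": "rp-app"}
ID_TOKEN_VIA_PARTNER = {"iss": "https://op.example", "sub": "alice",
                        "aud": ["rp-app", "partner-app"], "azp": "partner-app"}
ACCESS_TOKEN_FOR_RS = {"iss": "https://op.example", "sub": "alice",
                       "aud": "https://op.example/userinfo", "azp": "the_RS"}

if __name__ == "__main__":
    print(check_id_token_recipient(ID_TOKEN_DIRECT, "rp-app"))
    print(check_id_token_recipient(ID_TOKEN_VIA_PARTNER, "rp-app"))
    print(check_id_token_recipient(ID_TOKEN_VIA_PARTNER, "rp-app", frozenset({"partner-app"})))
    print(check_sender_constrained_presenter(ACCESS_TOKEN_FOR_RS, "mobile-app", True))
    print(check_sender_constrained_presenter(ACCESS_TOKEN_FOR_RS, "the_RS", True))
```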


Ah yes, now I recall that we had Google change the claim once to azp and then discussed changing it again once we decided that azp was not necessarily the presenter. That was what we decided was too cruel: getting them to change the name again for something that they had then released in production. That caused us to re-acronym “azp”.

John B.

> On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu> wrote:
>
> Just want to clear up some history: "azp" did not come from any existing claims from Google or otherwise. I very clearly recall proposing that we name it "prn" for "presenter", and Mike told me not to be evil[1] because we had just changed "prn" (for "principal") in the ID token to "sub" in order to match the more generic JWT. John suggested "a-zed-p" in the same discussion. As such, it clearly was "authorized presenter" in the first take, then it got widened/shifted a little bit in the final definition for reasons I never quite followed (nor cared much about at the time).
>
> -- Justin
>
> [1] Being told "don't be evil" by a Microsoft employee remains one of my proudest achievements.
>
>> On 8/19/2015 8:35 PM, John Bradley wrote:
>>
>> It could, but I remain to be convinced that would be a good idea. “azp” came from an existing Google claim; I am not attached to the name.
>>
>> John B.
>>
>>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>
>>> Well, the abstract meaning is the same, but the practical implications and interpretation can vary within the boundaries depending on the context.
>>>
>>> A jku is a URI of a cryptographic key, which can be a URI of a signing key or encryption key depending on the context. Similarly the azp in an ID Token and an Access Token can share the same abstract concept while the concrete meaning in that particular context can vary.
>>>
>>> On Thursday, August 20, 2015, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>
>>> Let me second John’s point that we shouldn’t have two different definitions for “azp”. As I wrote in my friendly review of draft-sakimura-oauth-rjwtprof-04 at http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html, the claim “azp” has already been registered by OpenID Connect Core at http://www.iana.org/assignments/jwt/jwt.xhtml and so cannot be re-registered. Given that I believe the intended semantics are the same, please cite the existing definition in rjwtprof, rather than repeating it or revising it.
>>>
>>> Thanks,
>>> -- Mike
>>>
                                              <div class=3D""><p =
class=3D"MsoNormal">In
                                                  general, shipping a
                                                  bearer token around is
                                                  a bad idea.&nbsp;</p>
                                              </div>
                                              <div class=3D""><p =
class=3D"MsoNormal">If
                                                  you want to do that, I
                                                  think you should do so
                                                  with a sender
                                                  constrained =
token.&nbsp;</p>
                                              </div>
                                              <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                              </div>
                                              <div class=3D""><p =
class=3D"MsoNormal">Nat</p>
                                              </div>
                                              <div class=3D"">
                                                <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                                </div>
                                                <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                                </div>
                                              </div>
                                            </div>
                                            <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                              <div class=3D""><p =
class=3D"MsoNormal">2015-08-13
                                                  2:01 GMT+09:00 Adam
                                                  Lewis &lt;<a =
moz-do-not-send=3D"true" =
href=3D"javascript:_e(%7B%7D,'cvml','adam.lewis@motorolasolutions.com');" =
target=3D"_blank" class=3D""></a><a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:adam.lewis@motorolasolutions.com">adam.lewis@motorolasoluti=
ons.com</a>&gt;:</p>
                                                <div class=3D""><p =
class=3D"MsoNormal">Hi,</p>
                                                  <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                                  </div>
                                                  <div class=3D""><p =
class=3D"MsoNormal">Are
                                                      there any drafts
                                                      that discuss the
                                                      notion of an RS
                                                      acting as a
                                                      client? I'm
                                                      considering the
                                                      use case whereby a
                                                      native mobile app
                                                      obtains an access
                                                      token and sends it
                                                      to the RS, and
                                                      then the RS uses
                                                      it to access the
                                                      UserInfo endpoint
                                                      on an OP. =
&nbsp;</p>
                                                  </div>
                                                  <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                                  </div>
                                                  <div class=3D""><p =
class=3D"MsoNormal">It's
                                                      a bearer token so
                                                      no reason it
                                                      wouldn't work, but
                                                      obviously it is
                                                      meant to be
                                                      presented by the
                                                      client and not the
                                                      RS.&nbsp; Curious =
to
                                                      understand the
                                                      security
                                                      implications of
                                                      this, read on any
                                                      thoughts given to
                                                      this, or to know
                                                      if it's an
                                                      otherwise accepted
                                                      practice.</p>
                                                  </div>
                                                  <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                                  </div>
                                                  <div class=3D""><p =
class=3D"MsoNormal">tx</p>
                                                  </div>
                                                  <div class=3D""><p =
class=3D"MsoNormal"><span style=3D"color:#888888" =
class=3D"">adam</span></p>
                                                  </div>
                                                </div><p =
class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br class=3D"">
_______________________________________________<br class=3D"">
                                                  OAuth mailing list<br =
class=3D"">
                                                  <a =
moz-do-not-send=3D"true" =
href=3D"javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');" target=3D"_blank" =
class=3D""></a><a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br class=3D"">
                                                  <a =
moz-do-not-send=3D"true" =
href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2=
fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.Jo=
nes%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3DeM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9uf=
Z7qgk%3d" target=3D"_blank" class=3D""></a><a =
class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a></p>
                                              </div><p =
class=3D"MsoNormal"><br class=3D"">
                                                <br class=3D"" =
clear=3D"all">
                                              </p>
                                              <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                              </div><p =
class=3D"MsoNormal">--
                                              </p>
                                              <div class=3D""><p =
class=3D"MsoNormal">Nat
                                                  Sakimura (=3Dnat)</p>
                                                <div class=3D""><p =
class=3D"MsoNormal">Chairman,
                                                    OpenID Foundation<br =
class=3D"">
                                                    <a =
moz-do-not-send=3D"true" =
href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2f=
nat.sakimura.org%2f&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7cd=
ac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp=
;sdata=3D2x5%2f9bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d" =
target=3D"_blank" class=3D""></a><a class=3D"moz-txt-link-freetext" =
href=3D"http://nat.sakimura.org/">http://nat.sakimura.org/</a><br =
class=3D"">
                                                    @_nat_en</p>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div><p class=3D"MsoNormal"><br =
class=3D"">
                                    <br class=3D"" clear=3D"all">
                                  </p>
                                  <div class=3D""><div =
class=3D"">&nbsp;<br class=3D"webkit-block-placeholder"></div>
                                  </div><p class=3D"MsoNormal">-- </p>
                                  <div class=3D""><p =
class=3D"MsoNormal">Nat Sakimura
                                      (=3Dnat)</p>
                                    <div class=3D""><p =
class=3D"MsoNormal">Chairman,
                                        OpenID Foundation<br class=3D"">
                                        <a moz-do-not-send=3D"true" =
href=3D"http://nat.sakimura.org/" target=3D"_blank" =
class=3D"">http://nat.sakimura.org/</a><br class=3D"">
                                        @_nat_en</p>
                                    </div>
                                  </div>
                                </div><p =
class=3D"MsoNormal">_______________________________________________<br =
class=3D"">
                                  OAuth mailing list<br class=3D"">
                                  <a moz-do-not-send=3D"true" =
href=3D"javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
                                  <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a></p>
                              </div>
                            </blockquote>
                          </div><div class=3D"">&nbsp;<br =
class=3D"webkit-block-placeholder"></div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br class=3D"">
              <br class=3D"">
              -- <br class=3D"">
              Nat Sakimura (=3Dnat)
              <div class=3D"">Chairman, OpenID Foundation<br class=3D"">
                <a moz-do-not-send=3D"true" =
href=3D"http://nat.sakimura.org/" target=3D"_blank" =
class=3D"">http://nat.sakimura.org/</a><br class=3D"">
                @_nat_en</div>
              <br class=3D"">
            </div>
          </blockquote>
        </div>
        <br class=3D"">
      </div>
      <br class=3D"">
      <fieldset class=3D"mimeAttachmentHeader"></fieldset>
      <br class=3D"">
      <pre wrap=3D"" =
class=3D"">_______________________________________________
OAuth mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br class=3D"">
  </div>

</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_889AC7E2-E402-48D3-B4BA-DBF8CBA6166C--

--Apple-Mail=_074A7763-FE77-41F7-9A11-220586A4D916
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINPDCCBjQw
ggQcoAMCAQICASAwDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0
Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAn
BgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NVoX
DTE3MTAyNDIxMDI1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSsw
KQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFy
dENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+
fcxtDYZ36Z6GH0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke
/s5g9hJHryZ2acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHk
sw56HzElVIoYSZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHH
tOkzUreG//CsFnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCAa0w
ggGpMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSuVYNv7DHKufcd
+q9rMfPIHeOsuzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBmBggrBgEFBQcBAQRa
MFgwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAtBggrBgEFBQcwAoYh
aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6AloCOGIWh0dHA6
Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j
b20vc2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysGAQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0
dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cu
c3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwDQYJKoZIhvcNAQEFBQADggIBADqpJw3I07QW
ke9plNBpxUxcffc7nUrIQpJHDci91DFG7fVhHRkMZ1J+BKg5UNUxIFJ2Z9B90Micc/NXcs7kPBRd
n6XGO/vPc87Y6R+cWS9Nc9+fp3Enmsm94OxOwI9wn8qnr/6o3mD4noP9JphwUPTXwHovjavRnhUQ
HLfo/i2NG0XXgTHXS2Xm0kVUozXqpYpAdumMiB/vezj1QHQJDmUdPYMcp+reg9901zkyT3fDW/iv
JVv6pWtkh6Pw2ytZT7mvg7YhX3V50Nv860cV11mocUVcqBLv0gcT+HBDYtbuvexNftwNQKD5193A
7zN4vG7CTYkXxytSjKuXrpEatEiFPxWgb84nVj25SU5q/r1Xhwby6mLhkbaXslkVtwEWT3Van49r
KjlK4XrUKYYWtnfzq6aSak5u0Vpxd1rY79tWhD3EdCvOhNz/QplNa+VkIsrcp7+8ZhP1l1b2U6Ma
xIVteuVMD3X0vziIwr7jxYae9FZjbxlpUemqXjcC0QaFfN7qI0JsQMALL7iGRBg7K0CoOBzECdD3
fuZil5kU/LP9cr1BK31U0Uy651bFnAMMMkqhAChIbn0ei72VnbpSsrrSdF0BAGYQ8vyHae5aCg+H
75dVCV33K6FuxZrf09yTz+Vx/PkdRUYkXmZz/OTfyJXsUOUXrym6KvI2rYpccSk5MIIHADCCBeig
AwIBAgICSAcwDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENv
bSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYD
VQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTAeFw0x
NDAzMjQyMzU2MjNaFw0xNjAzMjUwOTM5MzFaMIGfMRkwFwYDVQQNExBxekYwMVhZQ1pNTDM4N2hE
MQswCQYDVQQGEwJDTDEiMCAGA1UECBMZTWV0cm9wb2xpdGFuYSBkZSBTYW50aWFnbzEWMBQGA1UE
BxMNSXNsYSBkZSBNYWlwbzEVMBMGA1UEAxMMSm9obiBCcmFkbGV5MSIwIAYJKoZIhvcNAQkBFhNq
YnJhZGxleUBpY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTL0o4QG
WC+jnmYa7xEjcBTAeIOt7ILy40qsnJHNedVaTH0EU5yHzoaEOGHuOuwJUz/C7r2TvXpJ/Ud4w6VO
HdOUGnnKUiH5MV/kIysZ7DpN5D1f+yEast00oKsEbf/D6flzfex2JFV9rT7AQ+FQaTdf3S9K7gM2
F5kODFg805BMYTGT+haw9VOMXju5s93VEjUQcnGrLy0RtoN76GM6ItxqNnEt/Ln+2GNq8JvPyUKe
JsAxfIlTyqIbw32VlusKXL4+jmgFi+LY6bsfg3VHLvy58QsQnCwHg15uARvy5X6owyGcG7xHwNml
fNWtBZ3DHNPh37HC9lmAy4iqw4PvNwIDAQABo4IDVTCCA1EwCQYDVR0TBAIwADALBgNVHQ8EBAMC
BLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBSUDb6BlJD7FIYgWj1w
4z+GsOXs7zAfBgNVHSMEGDAWgBSuVYNv7DHKufcd+q9rMfPIHeOsuzCBmQYDVR0RBIGRMIGOgRNq
YnJhZGxleUBpY2xvdWQuY29tgRNqYnJhZGxleUBpY2xvdWQuY29tgRdqb2huLmJyYWRsZXlAd2lu
Z2FhLmNvbYERdmU3anRiQHZlN2p0Yi5jb22BD2picmFkbGV5QG1lLmNvbYEQamJyYWRsZXlAbWFj
LmNvbYETamJyYWRsZXlAd2luZ2FhLmNvbTCCAUwGA1UdIASCAUMwggE/MIIBOwYLKwYBBAGBtTcB
AgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3
BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgEBGoG+
VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMiBWYWxp
ZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5jZSBv
bmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9mIHRoZSByZWx5aW5n
IHBhcnR5IG9ibGlnYXRpb25zLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3Ns
LmNvbS9jcnR1Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8v
b2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6
Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50LmNhLmNydDAjBgNVHRIE
HDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBALscEldbrgeF
B1WC/hMdYxFT4Lc8ALtErgJryRozTdeMlzpsncIKyy8M54HhxQAMOqFe2HR+R9H7WeIzmkV95yJn
JY3bd4bxnnemhLrDyi1VlNjEjkK5kgegI8JavahFXl4FwJHHv8TOh71Wf3fiy0Do7d7TQmVDRrzt
1k/2w4CXKweQ2mdFw7fskiYoPGEK7pFiicGMFBzLiKRm61CqojS4IYShiP0nCZZWPwNJYs5lstxD
SSMaD+KccZVxkL7X2Qj9PJ+PCAQ6dMhvwTXrdcnrE7fI8PhFvHWrERjg7yIu1WI4Fgviy0u7437v
WzufSnfqMwbfz20fucO0chYq+tkxggNsMIIDaAIBATCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNV
BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp
Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xp
ZW50IENBAgJIBzAJBgUrDgMCGgUAoIIBrTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0xNTA4MjAwMDQ5NTZaMCMGCSqGSIb3DQEJBDEWBBQGxz95jrv0ugOW41ZwByRw
8iYYdjCBpAYJKwYBBAGCNxAEMYGWMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRD
b20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYG
A1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAkgH
MIGmBgsqhkiG9w0BCRACCzGBlqCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29t
IEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgJIBzAN
BgkqhkiG9w0BAQEFAASCAQCDWgZc7dhD5Us0FxdKD/TtSO5UHmYqLWHVHxggLFU90qskoomGrfOE
Klh0wYDmDO1FnOjUlX3HPmfuNPY5knu8mEO2PxlUYfC9lXuXRZp6W480RwRGi7k6NDrDau8UTT9E
sMVGt2nmXTt+Ej0kEgJSVCFp8Q71jwq9TbscIWY5UFqKOTyhb9h0epgNOKVLMkVM+zfPx+I2lY0/
Ca+qYNvmCEVkizroWg4juWtoaGKLJaA0E/4ffL2echX5zzp8qkjQOdFw2cCvb9upxRK/IMtbLaIb
UX+3CFmecFG+mQYXtKtsXkYu3dBdS8PFE3aVIngm3g/YObxEpClbBld2Qd/8AAAAAAAA
--Apple-Mail=_074A7763-FE77-41F7-9A11-220586A4D916--
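Added example (not from the thread, and not the mechanism of draft-sakimura-oauth-rjwtprof): a toy model of the sender-constrained token Nat describes above, contrasted with plain bearer checking. The AS signs a structured token whose "azp" names the resource server; the verifier (standing in for the UserInfo endpoint in Adam's scenario) demands a proof bound to a fresh nonce that only the key registered under "azp" can produce. The HMAC-based proof, the presenter key registry and every name and key value are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample keys (assumptions for this example). In a real deployment
# the AS signing key and each presenter's proof key are provisioned out of band.
AS_SIGNING_KEY = b"constructed-authorization-server-signing-key"
PRESENTER_KEYS = {
    "the_RS": b"constructed-key-held-only-by-the-resource-server",
    "mobile_app": b"constructed-key-held-only-by-the-mobile-app",
}


def _mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 stands in for whatever signature/proof scheme a deployment uses."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(sub: str, azp: str, scope: str, lifetime: int = 300) -> dict:
    """Authorization server issues a structured token; 'azp' names the party
    that is allowed to present it (here the resource server, not the app)."""
    claims = {"sub": sub, "azp": azp, "scope": scope,
              "exp": int(time.time()) + lifetime}
    payload = json.dumps(claims, sort_keys=True)
    return {"payload": payload, "sig": _mac(AS_SIGNING_KEY, payload.encode())}


def make_proof(token: dict, presenter: str, nonce: str) -> str:
    """The presenter binds the token and the verifier's fresh nonce with its own
    key. Only the party whose key is registered under the token's 'azp' can
    produce a proof the verifier will accept."""
    return _mac(PRESENTER_KEYS[presenter], f"{token['sig']}|{nonce}".encode())


def verify_bearer(token: dict) -> bool:
    """Bearer semantics: a valid, unexpired token is accepted from anyone who
    holds it. This is the property that makes shipping it around risky."""
    payload = token["payload"].encode()
    if not hmac.compare_digest(_mac(AS_SIGNING_KEY, payload), token["sig"]):
        return False
    return json.loads(payload)["exp"] > time.time()


def verify_sender_constrained(token: dict, proof: str, nonce: str) -> bool:
    """Sender-constrained semantics: the token must be valid AND the presenter
    must prove, for this nonce, that it is the party named by 'azp'."""
    if not verify_bearer(token):
        return False
    azp = json.loads(token["payload"])["azp"]
    key = PRESENTER_KEYS.get(azp)
    if key is None:
        return False  # unknown presenter identifier: nobody can prove it
    expected = _mac(key, f"{token['sig']}|{nonce}".encode())
    return hmac.compare_digest(expected, proof)


def walkthrough() -> dict:
    """Replays the scenario from the thread: the app obtains a token with
    azp=the_RS, cannot use it itself, forwards it, and the RS can use it."""
    token = issue_token(sub="alice", azp="the_RS", scope="openid profile")
    nonce = secrets.token_hex(8)  # challenge issued by the UserInfo endpoint
    return {
        "bearer_accepted_from_app": verify_bearer(token),
        "app_presenting_as_itself": verify_sender_constrained(
            token, make_proof(token, "mobile_app", nonce), nonce),
        "rs_presenting": verify_sender_constrained(
            token, make_proof(token, "the_RS", nonce), nonce),
        "rs_proof_replayed_under_new_nonce": verify_sender_constrained(
            token, make_proof(token, "the_RS", nonce), secrets.token_hex(8)),
    }


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check}: {result}")
```

Running it shows the two properties the thread contrasts: under bearer rules the token works for whoever holds it (the app, or anything that lifted it from the app), while under the sender-constrained rules the app's own proof is rejected, the RS's proof is accepted, and a captured proof is useless once the verifier picks a new nonce.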


From nobody Wed Aug 19 17:52:36 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC641A8A9C for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Level: 
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtXRxSgOmvKP for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:52:30 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0124.outbound.protection.outlook.com [207.46.100.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 896161A8A97 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=vClfvQ29XoBWZGXd5YJU7xwq/oprmnLGQDqZDsVjoFE=; b=DhFFueljCSqZkV69XlNDFx1AhMxR49vZguxeBidYuIkiH7sG9eWintsXGxa36ejKKw/p33xNhS9KSa05FNmHGWUNERw999uzjd4w8W6fYvxAKI2MOwCFLtE2h4LJmnB+Ape8DEOJRqo4yJMp5Zpq/26PHjlbvB+WtpNm8oWf26k=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.231.11; Thu, 20 Aug 2015 00:52:28 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0231.011; Thu, 20 Aug 2015 00:52:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] RS as a client guidance
Thread-Index: AQHQ1SCcusHdwHLfSU6hr3g/5Q6eZJ4SpbqAgAAANJCAAD1bgIAAxZYAgAAIVrCAAGM6gIAAAYEAgAABSoCAAALHgIAAAElw
Date: Thu, 20 Aug 2015 00:52:28 +0000
Message-ID: <BY2PR03MB4429242167D842299D4A8C1F5660@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu> <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com>
In-Reply-To: <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8::7b8]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:VINzzjWuu1H7GNGaGLljaRSchBUT20T54kBjziHsKnoioCwLFGSSpfliDe/ZIwpOBMMIQTrVstpOR1m5gOXk1l/l73zog3dUQ/bnx8iI4KXL7zQ8xFMN/sIDugP+AADrZIpITIuf5Yiz1+xRW2SStw==; 24:0FvNIIvpioG7L6dh+UbK51qkTOiC2U1jJTGhCC0UBDQl4LJdsA0ymoIuQ+uC94gFc/x84N7fSAbBgdkRFGJawfjPLcu1HZ5/Q380q7d4LCw=; 20:mH8f5x7IotKvCr4SMlViaiuR/34zUDl7Wf+2jm7q3eX79oeQU0wCsK6XwBXTTQt/Uoq3dtJ21W9JrWV8PkmGPQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-microsoft-antispam-prvs: <BY2PR03MB44234E4B24CAB18CFF23137F5660@BY2PR03MB442.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(8121501046)(5005006)(3002001); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442; 
x-forefront-prvs: 0674DC6DD3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(189002)(24454002)(164054003)(479174004)(377424004)(377454003)(4001540100001)(189998001)(10400500002)(5890100001)(62966003)(68736005)(15975445007)(76576001)(93886004)(10290500002)(76176999)(2171001)(5001860100001)(5003600100002)(102836002)(81156007)(40100003)(77096005)(122556002)(5005710100001)(5001770100001)(5001830100001)(5001960100002)(64706001)(8990500004)(77156002)(54356999)(2950100001)(5002640100001)(2900100001)(87936001)(106116001)(2656002)(106356001)(99286002)(97736004)(16236675004)(105586002)(92566002)(86612001)(19609705001)(33656002)(15395725005)(46102003)(50986999)(19617315012)(19300405004)(10090500001)(19273905006)(74316001)(19625215002)(86362001)(19580405001)(101416001)(19580395003)(5007970100001)(3826002)(563064011)(9078065003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4429242167D842299D4A8C1F5660BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2015 00:52:28.4569 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3vDefSye2anBSwW9g-N06rDmQaA>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:52:35 -0000

--_000_BY2PR03MB4429242167D842299D4A8C1F5660BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_BY2PR03MB4429242167D842299D4A8C1F5660BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4429242167D842299D4A8C1F5660BY2PR03MB442namprd_--


From nobody Wed Aug 19 18:01:31 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C951B1A8A97 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level: 
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGWRM4ka80Nn for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:01:26 -0700 (PDT)
Received: from mail-ob0-x22a.google.com (mail-ob0-x22a.google.com [IPv6:2607:f8b0:4003:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB4A1A1A69 for <oauth@ietf.org>; Wed, 19 Aug 2015 18:01:26 -0700 (PDT)
Received: by obkg7 with SMTP id g7so19572665obk.3 for <oauth@ietf.org>; Wed, 19 Aug 2015 18:01:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qCYzk29l3+NyUIKVfE1wu1DehRV1GfFrF4IT+vlSdUM=; b=n1nI++dmViegVIqyS7uWUS2a5vUrx/eqa9ovasei04iPtKjXnBanIaGZdJ0aEdYiAd GIJBD0f1khagEtrvkqJ0wFbQpRuIJ173OYoDemEo8z3Gxy7F+k0Yvs7UPSBqs8xc3psT 9kYVAFF1mosWW/bof3UMXqVw4VF//Qwc+uZboDnRsx6SZT0BVbrcQTSko/AB5eLnWjyK KsP3oeFGa4k1ft9hH+qtTNrRlM0IY1lO3sfirDqd7nJ29zoKZ9bmI3uvcjxJw2MUAc0H 9RNNXL/RKkn+zXP10aaAZSsgihcrDvSrJ+eJkZ6ToF15siOTlz+6olsD3eomZ0lC1ujx 5IPQ==
MIME-Version: 1.0
X-Received: by 10.182.158.231 with SMTP id wx7mr327852obb.53.1440032485782; Wed, 19 Aug 2015 18:01:25 -0700 (PDT)
Received: by 10.182.202.99 with HTTP; Wed, 19 Aug 2015 18:01:25 -0700 (PDT)
In-Reply-To: <BY2PR03MB4429242167D842299D4A8C1F5660@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu> <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com> <BY2PR03MB4429242167D842299D4A8C1F5660@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Thu, 20 Aug 2015 10:01:25 +0900
Message-ID: <CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e013d0a4cc7bbdc051db3b03b
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HkZR11dQCO-5VX-CLOJv9AI791w>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 01:01:31 -0000

--089e013d0a4cc7bbdc051db3b03b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

And while we are at the history, my original draft idea (on my blog) on
Aug. 3, 2012 had "nau" -- named authorized user.
So, three of us came up with a similar idea independently with more or less
the same idea, and it was unified to azp -- authorized presenter.

The name change to authorized party took later to expand the meaning of it.

>From what I see, authorized presenter is a subset of authorized party.


2015-08-20 9:52 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:

> Just to complete the history, I believe the original Google deployed claim
> name for this purpose was “cid” (Client ID) – a name that seemed ripe with
> ambiguity.
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Wednesday, August 19, 2015 5:50 PM
> *To:* Justin Richer
>
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> Ah yes,  Now I recall that we had Google change the claim once to azp and
> then discussed changing it again once we decided that azp was not the
> necessarily the presenter presenter.  That was what we decided was too
> cruel getting them to change the name again for something that they then
> had released in production.   That caused us to re-acrom “azp”.
>
>
>
> John B.
>
>
>
> On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu> wrote:
>
>
>
> Just want to clear up some history: "azp" did not come from any existing
> claims from Google or otherwise. I very clearly recall proposing that we
> name it "prn" for "presenter", and Mike told me not to be evil[1] because
> we had just changed "prn" (for "principal") in the ID token to "sub" in
> order to match the more generic JWT. John suggested "a-zed-p" in the same
> discussion. As such, it clearly was "authorized presenter" in the first
> take, then it got widened/shifted a little bit in the final definition fo=
r
> reasons I never quite followed (nor cared much about at the time).
>
>  -- Justin
>
> [1] Being told "don't be evil" by a Microsoft employee remains one of my
> proudest achievements.
>
> On 8/19/2015 8:35 PM, John Bradley wrote:
>
> It could, but I remain to be convinced that would be a good idea.   =E2=
=80=9Cazp=E2=80=9D
> came from a existing Google claim, I am not attached to the name.
>
>
>
> John B.
>
> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>
>
> Well, the abstract meaning is the same, but the practical implications an=
d
> interpretation can vary within the boundaries depending on the context.
>
>
>
> A jku is a URI of a cryptographical key, which can be a uri of a signing
> key or encryption key depending on the context. Similarly the azp in an I=
D
> Token and an Access Token can share the same abstract concept while the
> concrete meaning in that particular concept can vary.
>
> 2015=E5=B9=B48=E6=9C=8820=E6=97=A5=E6=9C=A8=E6=9B=9C=E6=97=A5=E3=80=81Mik=
e Jones<Michael.Jones@microsoft.com> =E3=81=95=E3=82=93=E3=81=AF=E6=9B=B8=
=E3=81=8D=E3=81=BE=E3=81=97=E3=81=9F:
>
> Let me second John=E2=80=99s point that we shouldn=E2=80=99t have two dif=
ferent
> definitions for =E2=80=9Cazp=E2=80=9D.  As I wrote in my friendly review =
of
> draft-sakimura-oauth-rjwtprof-04 at
> http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ie=
tf.org%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14679.html&data=3D01%7c0=
1%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f9=
88bf86f141af91ab2d7cd011db47%7c1&sdata=3D3TbSJzfONy8nvH1hDcjGQPmdeen39IJDHk=
1R99tD7BE%3d>,
> the claim =E2=80=9Cazp=E2=80=9D has already been registered by OpenID Con=
nect Core at
> http://www.iana.org/assignments/jwt/jwt.xhtml
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ia=
na.org%2fassignments%2fjwt%2fjwt.xhtml&data=3D01%7c01%7cMichael.Jones%40mic=
rosoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd01=
1db47%7c1&sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQNsWHYzo%3d>
> and so cannot be re-registered.  Given that I believe the intended
> semantics are the same, please cite the existing definition in rjwtprof,
> rather than repeating it or revising it.
>
>
>
>                                                             Thanks,
>
>                                                             -- Mike
>
>
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Wednesday, August 19, 2015 11:05 AM
> *To:* Nat Sakimura
> *Cc:* Mike Jones; OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> Having two azp claims with slightly different definitions is not a good
> way to go,  both access tokens and id_tokens are JWT.
>
> For better or worse the claim was defined for bearer tokens where it was
> only the identity of the requester that was able to be confirmed by the
> token endpoint.
>
> It supported a simple use case where a refresh token is used by client A
> to use as an assertion at AS B.
>
> In the simplest 3 party sase the requester of the token and the presenter
> of the token are the same.  However in some situations they are not the
> same.
>
> The important thing was to allow the =E2=80=9Caud=E2=80=9D recipient of t=
he token to be
> able to differentiate a token that it requested from a a token that a 3rd
> party requested and presented to it.
>
>
>
> The =E2=80=9Cazp=E2=80=9D should probably be left as it is and not tied t=
o proof of
> possession/ binding the token to the presenter.
>
> There was a lot of debate and back and forth on azp at the time, the main
> reason to include it was to warn normal Connect clients that JWT containi=
ng
> that azp claim need to have it=E2=80=99s value be them or someone they kn=
ow and
> trust that can request assertions for them.  That was because we knew tha=
t
> token containing that claim exist in the wild using that claim.
>
>
>
> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools=
.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=3D01%7c01%7cMichae=
l.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73S=
A%3d> should
> probably be using a different claim to reduce the confusion.
>
>
>
> John B.
>
>
>
>
>
> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>
>
> So, Mike,
>
>
>
> Authorized Presenter is a defined term in *Sender Constrained JWT for
> OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools=
.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=3D01%7c01%7cMichae=
l.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73S=
A%3d> ).
> It is used in the context of OAuth 2.0 Access Token, not a claim in ID
> Token of OpenID Connect.
>
>
>
> Nat
>
>
>
> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>
> Just as a point of clarification, the definition of the =E2=80=9Cazp=E2=
=80=9D claim is not
> =E2=80=9Cauthorised presenter=E2=80=9D.  At least as defined by OpenID Co=
nnect, its
> definition is:
>
>
>
> azp
>
> OPTIONAL. Authorized party - the party to which the ID Token was issued.
> If present, it MUST contain the OAuth 2.0 Client ID of this party. This
> Claim is only needed when the ID Token has a single audience value and th=
at
> audience is different than the authorized party. It MAY be included even
> when the authorized party is the same as the sole audience. The azp value
> is a case sensitive string containing a StringOrURI value.
>
>
>
> A reference to this definition is registered by OpenID Connect Core
> http://openid.net/specs/openid-connect-core-1_0.html
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fopenid=
.net%2fspecs%2fopenid-connect-core-1_0.html&data=3D01%7c01%7cMichael.Jones%=
40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d=
7cd011db47%7c1&sdata=3D3e6US9sxQoQVejthrxO%2fo%2bvdltE%2fBUj1NUSMBk6vOS0%3d=
>
> in the IANA =E2=80=9CJSON Web Token Claims=E2=80=9D registry at
> http://www.iana.org/assignments/jwt/jwt.xhtml
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ia=
na.org%2fassignments%2fjwt%2fjwt.xhtml&data=3D01%7c01%7cMichael.Jones%40mic=
rosoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd01=
1db47%7c1&sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQNsWHYzo%3d>
> .
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Nat Sakimura
> *Sent:* Tuesday, August 18, 2015 7:37 PM
> *To:* Adam Lewis
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>
>
> It is not directly, but *Sender Constrained JWT for OAuth 2.0*
>
> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools=
.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=3D01%7c01%7cMichae=
l.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73S=
A%3d>
> )
>
> talks about a model that allows it.
>
>
>
> In essence, it uses a structured access token that is sender constrained.
>
> It as a claim "azp" which stands for authorised presenter.
>
> To be used, the "client" has to present a proof that it is indeed the
> party pointed by "azp".
>
>
>
> In your case, the native mobile app obtains the structured access token
>
> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
>
> the mobile app cannot use it.
>
> The mobile app then ships it to the RS.
>
> The RS can now use it since the "azp" points to it.
>
>
>
> In general, shipping a bearer token around is a bad idea.
>
> If you want to do that, I think you should do so with a sender constraine=
d
> token.
>
>
>
> Nat
>
>
>
>
>
>
>
> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>
> Hi,
>
>
>
> Are there any drafts that discuss the notion of an RS acting as a client?
> I'm considering the use case whereby a native mobile app obtains an acces=
s
> token and sends it to the RS, and then the RS uses it to access the
> UserInfo endpoint on an OP.
>
>
>
> It's a bearer token so no reason it wouldn't work, but obviously it is
> meant to be presented by the client and not the RS.  Curious to understan=
d
> the security implications of this, read on any thoughts given to this, or
> to know if it's an otherwise accepted practice.
>
>
>
> tx
>
> adam
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.i=
etf.org%2fmailman%2flistinfo%2foauth&data=3D01%7c01%7cMichael.Jones%40micro=
soft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011d=
b47%7c1&sdata=3DLjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d>
>
>
>
>
>
> --
>
> Nat Sakimura (=3Dnat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sa=
kimura.org%2f&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da9132=
4dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3DHNVIwuD=
JAOWxfWyduzov8RK%2fZKG17xQnYZVFWv94oqY%3d>
> @_nat_en
>
>
>
>
>
> --
>
> Nat Sakimura (=3Dnat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sa=
kimura.org%2f&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da9132=
4dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3DHNVIwuD=
JAOWxfWyduzov8RK%2fZKG17xQnYZVFWv94oqY%3d>
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.i=
etf.org%2fmailman%2flistinfo%2foauth&data=3D01%7c01%7cMichael.Jones%40micro=
soft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011d=
b47%7c1&sdata=3DLjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d>
>
>
>
>
>
> --
> Nat Sakimura (=3Dnat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sa=
kimura.org%2f&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da9132=
4dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3DHNVIwuD=
JAOWxfWyduzov8RK%2fZKG17xQnYZVFWv94oqY%3d>
> @_nat_en
>
>
>
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth <https://na01.safelinks.prote=
ction.outlook.com/?url=3Dhttps%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2f=
oauth&data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd95709=
08d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3DLjPpTGV4iGtx1SQ=
Kfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d>
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


--=20
Nat Sakimura (=3Dnat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
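The two checks the thread turns on, as an added example that is not code from the thread, from OpenID Connect Core or from draft-sakimura-oauth-rjwtprof: the Connect-client rule John describes (an "azp" value must be the client itself or a requester it trusts) and the sender-constrained decision Nat sketches, where the "aud" recipient only honours a token carrying "azp" when the authenticated presenter is that party. It assumes HS256 JWTs under a constructed shared secret, constructed identifiers ("the_RS", "mobile_app", an example UserInfo URL), and that the presenter's identity arrives from an authenticated channel (for example the client authentication the endpoint already performs), which stands in for the draft's proof-of-possession step.

```python
"""Validation of the "azp" (authorized party) claim as discussed in the thread.

Added illustration; not code from the thread, from OpenID Connect Core, or
from draft-sakimura-oauth-rjwtprof.  Assumptions: tokens are HS256 JWTs under
a constructed shared secret, and presenter_id is an identity already
authenticated by the channel, standing in for the draft's proof-of-possession.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by the AS and the token recipient.
AS_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = AS_SECRET) -> str:
    """Issue a compact HS256 JWT carrying the given claims (the AS's job)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = AS_SECRET) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None


def azp_acceptable_to_client(claims: dict, client_id: str,
                             trusted_requesters: frozenset = frozenset()) -> bool:
    """Connect-client rule from the thread: if "azp" is present, its value must
    be this client itself or a party the client knows and trusts to request
    tokens on its behalf.  A token without "azp" passes this check."""
    azp = claims.get("azp")
    return azp is None or azp == client_id or azp in trusted_requesters


def recipient_accepts(token: str, recipient_id: str, presenter_id: str) -> bool:
    """Decision of the "aud" recipient (e.g. the OP's UserInfo endpoint).

    The token must name this recipient in "aud".  If it carries "azp", the
    authenticated presenter must be that party, so a token minted with
    "azp":"the_RS" is rejected when the mobile app presents it and accepted
    when the RS does.  Without "azp" it is a plain bearer token: any presenter
    is accepted, which is the exposure the thread warns about.
    """
    claims = verify_jwt(token)
    if claims is None:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if recipient_id not in audiences:
        return False
    azp = claims.get("azp")
    return azp is None or presenter_id == azp


if __name__ == "__main__":
    USERINFO = "https://op.example/userinfo"   # constructed identifier
    token = mint_jwt({"iss": "https://op.example", "sub": "alice",
                      "aud": USERINFO, "azp": "the_RS"})
    print("mobile app presents:", recipient_accepts(token, USERINFO, "mobile_app"))
    print("RS presents:", recipient_accepts(token, USERINFO, "the_RS"))
```

The recipient check deliberately treats an absent "azp" as a bearer token, so the difference between the two branches is the whole point of Nat's argument: only the presence of "azp" plus an authenticated presenter lets the UserInfo endpoint tell a token the RS requested from one the mobile app merely forwarded.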

--089e013d0a4cc7bbdc051db3b03b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">And while we are at the history, my original draft idea (o=
n my blog) on Aug. 3, 2012 had &quot;nau&quot; -- named authorized user.=C2=
=A0<div>So, three of us came up with a similar idea independently with more=
 or less the same idea, and it was unified to azp -- authorized presenter.=
=C2=A0</div><div><br></div><div>The name change to authorized party took la=
ter to expand the meaning of it.=C2=A0</div><div><br></div><div>From what I=
 see, authorized presenter is a subset of authorized party.=C2=A0</div><div=
><br></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">=
2015-08-20 9:52 GMT+09:00 Mike Jones <span dir=3D"ltr">&lt;<a href=3D"mailt=
o:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.co=
m</a>&gt;</span>:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 =
0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">Just to complete the hist=
ory, I believe the original Google deployed claim name for this purpose was=
 =E2=80=9Ccid=E2=80=9D (Client ID) =E2=80=93 a name that seemed ripe with a=
mbiguity.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<div>
<div style=3D"border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> OAuth [m=
ailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bou=
nces@ietf.org</a>]
<b>On Behalf Of </b>John Bradley<br>
<b>Sent:</b> Wednesday, August 19, 2015 5:50 PM<br>
<b>To:</b> Justin Richer</span></p><div><div class=3D"h5"><br>
<b>Cc:</b> OAuth WG<br>
<b>Subject:</b> Re: [OAUTH-WG] RS as a client guidance<u></u><u></u></div><=
/div><p></p>
</div>
</div><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<p class=3D"MsoNormal">Ah yes, =C2=A0Now I recall that we had Google change=
 the claim once to azp and then discussed changing it again once we decided=
 that azp was not the necessarily the presenter presenter.=C2=A0 That was w=
hat we decided was too cruel getting them to
 change the name again for something that they then had released in product=
ion. =C2=A0 That caused us to re-acrom =E2=80=9Cazp=E2=80=9D. =C2=A0<u></u>=
<u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">John B.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal">On Aug 19, 2015, at 9:39 PM, Justin Richer &lt;<a hr=
ef=3D"mailto:jricher@mit.edu" target=3D"_blank">jricher@mit.edu</a>&gt; wro=
te:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">Just want to clear up=
 some history: &quot;azp&quot; did not come from any existing claims from G=
oogle or otherwise. I very clearly recall proposing that we name it &quot;p=
rn&quot; for &quot;presenter&quot;, and Mike told me not to be evil[1]
 because we had just changed &quot;prn&quot; (for &quot;principal&quot;) in=
 the ID token to &quot;sub&quot; in order to match the more generic JWT. Jo=
hn suggested &quot;a-zed-p&quot; in the same discussion. As such, it clearl=
y was &quot;authorized presenter&quot; in the first take, then it got widen=
ed/shifted
 a little bit in the final definition for reasons I never quite followed (n=
or cared much about at the time).<br>
<br>
=C2=A0-- Justin<br>
<br>
[1] Being told &quot;don&#39;t be evil&quot; by a Microsoft employee remain=
s one of my proudest achievements.<u></u><u></u></p>
<div>
<p class=3D"MsoNormal">On 8/19/2015 8:35 PM, John Bradley wrote:<u></u><u><=
/u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal">It could, but I remain to be convinced that would be=
 a good idea. =C2=A0 =E2=80=9Cazp=E2=80=9D came from a existing Google clai=
m, I am not attached to the name.
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">John B.<u></u><u></u></p>
<div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal">On Aug 19, 2015, at 9:29 PM, Nat Sakimura &lt;<a hre=
f=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt=
; wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">Well, the abstract meaning is the same, but the prac=
tical implications and interpretation can vary within the boundaries=C2=A0d=
epending on the context.=C2=A0
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">A jku is a URI of a cryptographical key, which=C2=A0=
can be a uri of a signing key or encryption key depending on the context. S=
imilarly the azp in an=C2=A0ID Token and an Access Token can share the same=
 abstract concept while the concrete meaning
 in that particular concept can vary.=C2=A0<br>
<br>
2015<span style=3D"font-family:&quot;MS Mincho&quot;">=E5=B9=B4</span>8<spa=
n style=3D"font-family:&quot;MS Mincho&quot;">=E6=9C=88</span>20<span style=
=3D"font-family:&quot;MS Mincho&quot;">=E6=97=A5=E6=9C=A8=E6=9B=9C=E6=97=A5=
=E3=80=81</span>Mike Jones&lt;<a href=3D"mailto:Michael.Jones@microsoft.com=
" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;
<span style=3D"font-family:&quot;MS Mincho&quot;">=E3=81=95=E3=82=93=E3=81=
=AF=E6=9B=B8=E3=81=8D=E3=81=BE=E3=81=97=E3=81=9F</span>:<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">Let me second John=E2=80=
=99s point that we shouldn=E2=80=99t have two different definitions for =E2=
=80=9Cazp=E2=80=9D.=C2=A0 As I wrote
 in my friendly review of draft-sakimura-oauth-rjwtprof-04 at <a href=3D"ht=
tps://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ietf.or=
g%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14679.html&amp;data=3D01%7c01=
%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f98=
8bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3D3TbSJzfONy8nvH1hDcjGQPmdeen39IJ=
DHk1R99tD7BE%3d" target=3D"_blank">
http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html</a>, the c=
laim =E2=80=9Cazp=E2=80=9D has already been registered by OpenID Connect Co=
re at
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%=
2fwww.iana.org%2fassignments%2fjwt%2fjwt.xhtml&amp;data=3D01%7c01%7cMichael=
.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141a=
f91ab2d7cd011db47%7c1&amp;sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQN=
sWHYzo%3d" target=3D"_blank">
http://www.iana.org/assignments/jwt/jwt.xhtml</a> and so cannot be re-regis=
tered.=C2=A0 Given that I believe the intended semantics are the same, plea=
se cite the existing definition in rjwtprof, rather than repeating it or re=
vising it.</span><u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0</span><u></u><u></=
u></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thanks,</span><u></u><u></u></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike</span><u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0</span><u></u><u></=
u></p>
</div>
<div>
<div style=3D"border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> John Bra=
dley [mailto:<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@=
ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, August 19, 2015 11:05 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Mike Jones; OAuth WG<br>
<b>Subject:</b> Re: [OAUTH-WG] RS as a client guidance</span><u></u><u></u>=
</p>
</div>
</div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
<p class=3D"MsoNormal">Having two azp claims with slightly different defini=
tions is not a good way to go, =C2=A0both access tokens and id_tokens are J=
WT. =C2=A0=C2=A0<u></u><u></u></p>
<div>
<p class=3D"MsoNormal">For better or worse the claim was defined for bearer=
 tokens where it was only the identity of the requester that was able to be=
 confirmed by the token endpoint.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">It supported a simple use case where a refresh token=
 is used by client A to use as an assertion at AS B. =C2=A0<u></u><u></u></=
p>
</div>
<div>
<p class=3D"MsoNormal">In the simplest 3 party sase the requester of the to=
ken and the presenter of the token are the same.=C2=A0 However in some situ=
ations they are not the same.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">The important thing was to allow the =E2=80=9Caud=E2=
=80=9D recipient of the token to be able to differentiate a token that it r=
equested from a a token that a 3rd party requested and presented to
 it.<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">The =E2=80=9Cazp=E2=80=9D should probably be left as=
 it is and not tied to proof of possession/ binding the token to the presen=
ter. =C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">There was a lot of debate and back and forth on azp =
at the time, the main reason to include it was to warn normal Connect clien=
ts that JWT containing that azp claim need to have
 it=E2=80=99s value be them or someone they know and trust that can request=
 assertions for them.=C2=A0 That was because we knew that token containing =
that claim exist in the wild using that claim.<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
<div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.5pt"><a href=3D"https://=
na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools.ietf.org%2=
fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=3D01%7c01%7cMichael.Jones=
%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2=
d7cd011db47%7c1&amp;sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73SA%3=
d" target=3D"_blank">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtp=
rof-05</a>=C2=A0should
 probably be using a different claim to reduce the confusion.</span><u></u>=
<u></u></p>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
<p class=3D"MsoNormal">John B.<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
<div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal">On Aug 19, 2015, at 3:17 AM, Nat Sakimura &lt;<a hre=
f=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt=
; wrote:<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">So, Mike,=C2=A0<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">Authorized Presenter is a defined term in=C2=A0<b><u=
>Sender Constrained JWT for OAuth 2.0</u></b><u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.5pt">(=C2=A0<a href=3D"h=
ttps://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftools.iet=
f.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=3D01%7c01%7cMichae=
l.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&amp;sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVO=
v73SA%3d" target=3D"_blank">https://tools.ietf.org/html/draft-sakimura-oaut=
h-rjwtprof-05</a>=C2=A0).
 It is used in the context of OAuth 2.0 Access Token, not a claim in ID Tok=
en of OpenID Connect.=C2=A0</span><u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.5pt">=C2=A0</span><u></u=
><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.5pt">Nat</span><u></u><u=
></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">2015-08-19 11:44 GMT+09:00 Mike Jones &lt;<a href=3D=
"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@micros=
oft.com</a>&gt;:<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">Just as a point of clarif=
ication, the definition of the =E2=80=9Cazp=E2=80=9D claim is not =E2=80=9C=
</span>authorised presenter<span style=3D"font-size:11.0pt;font-family:&quo=
t;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">=E2=80=9D.=C2=A0
 At least as defined by OpenID Connect, its definition is:</span><u></u><u>=
</u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0</span><u></u><u></=
u></p>
</div>
<p class=3D"MsoNormal"><span lang=3D"EN" style=3D"font-family:&quot;Verdana=
&quot;,&quot;sans-serif&quot;">azp</span><u></u><u></u></p>
<p class=3D"MsoNormal" style=3D"margin-left:.5in">
<span lang=3D"EN" style=3D"font-family:&quot;Verdana&quot;,&quot;sans-serif=
&quot;">OPTIONAL. Authorized party - the party to which the ID Token was is=
sued. If present, it MUST contain the OAuth 2.0 Client ID of this party. Th=
is Claim is only needed when the ID Token has a single audience
 value and that audience is different than the authorized party. It MAY be =
included even when the authorized party is the same as the sole audience. T=
he
</span><span lang=3D"EN" style=3D"font-family:&quot;Courier New ;color:#003=
366&quot;,&quot;serif&quot;">azp</span><span lang=3D"EN" style=3D"font-fami=
ly:&quot;Verdana&quot;,&quot;sans-serif&quot;"> value is a case sensitive s=
tring containing a StringOrURI value.
</span><u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0</span><u></u><u></=
u></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">A reference to this defin=
ition is registered by OpenID Connect Core
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%=
2fopenid.net%2fspecs%2fopenid-connect-core-1_0.html&amp;data=3D01%7c01%7cMi=
chael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86=
f141af91ab2d7cd011db47%7c1&amp;sdata=3D3e6US9sxQoQVejthrxO%2fo%2bvdltE%2fBU=
j1NUSMBk6vOS0%3d" target=3D"_blank">
http://openid.net/specs/openid-connect-core-1_0.html</a> in the IANA =E2=80=
=9C<a name=3D"14f4897faa902e69_14f4740ad86636a6_14f43d7ce3c1c74b_claims"></=
a>JSON Web Token Claims=E2=80=9D registry at
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%=
2fwww.iana.org%2fassignments%2fjwt%2fjwt.xhtml&amp;data=3D01%7c01%7cMichael=
.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141a=
f91ab2d7cd011db47%7c1&amp;sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQN=
sWHYzo%3d" target=3D"_blank">
http://www.iana.org/assignments/jwt/jwt.xhtml</a>.</span><u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0</span><u></u><u></=
u></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike</span><u></u><u></u></p>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal">_______________________________________________<br>
OAuth mailing list<br>
<a>OAuth@ietf.org</a><br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f=
%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3DLjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvM=
lw%3d" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><u>=
</u><u></u></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<br>
<u></u><u></u></p>
</blockquote>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div></div></div>
</div>

<br></blockquote></div><br><br clear=3D"all"><div><br></div>-- <br><div cla=
ss=3D"gmail_signature">Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundatio=
n<br><a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.saki=
mura.org/</a><br>@_nat_en</div></div>
</div>

--089e013d0a4cc7bbdc051db3b03b--


From nobody Wed Aug 19 18:29:55 2015
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4461A1BE0 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:29:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3fo5QD5O2N0e for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:29:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1991A09CF for <oauth@ietf.org>; Wed, 19 Aug 2015 18:29:48 -0700 (PDT)
X-AuditID: 12074422-f79d26d0000026d6-75-55d52d8a24a1
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 8F.56.09942.A8D25D55; Wed, 19 Aug 2015 21:29:46 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t7K1TjkY014202; Wed, 19 Aug 2015 21:29:46 -0400
Received: from [192.168.128.56] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7K1Thuh003957 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2015 21:29:44 -0400
To: Nat Sakimura <sakimura@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu> <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com> <BY2PR03MB4429242167D842299D4A8C1F5660@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <55D52D80.6030403@mit.edu>
Date: Wed, 19 Aug 2015 21:29:36 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------030201040705000308020605"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/BR8Nu-dV_SgXyY2qhOmMX0kCliE>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 01:29:54 -0000

This is a multi-part message in MIME format.
--------------030201040705000308020605
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

I read it that way as well.
  -- Justin

On 8/19/2015 9:01 PM, Nat Sakimura wrote:
> And while we are at the history, my original draft idea (on my blog) 
> on Aug. 3, 2012 had "nau" -- named authorized user.
> So, three of us came up with a similar idea independently with more or 
> less the same idea, and it was unified to azp -- authorized presenter.
>
> The name change to authorized party took later to expand the meaning 
> of it.
>
> From what I see, authorized presenter is a subset of authorized party.
>
>
> 2015-08-20 9:52 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com 
> <mailto:Michael.Jones@microsoft.com>>:
>
>     Just to complete the history, I believe the original Google
>     deployed claim name for this purpose was “cid” (Client ID) – a
>     name that seemed ripe with ambiguity.
>
>     *From:*OAuth [mailto:oauth-bounces@ietf.org
>     <mailto:oauth-bounces@ietf.org>] *On Behalf Of *John Bradley
>     *Sent:* Wednesday, August 19, 2015 5:50 PM
>     *To:* Justin Richer
>
>
>     *Cc:* OAuth WG
>     *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>     Ah yes,  Now I recall that we had Google change the claim once to
>     azp and then discussed changing it again once we decided that azp
>     was not necessarily the presenter.  That was what we
>     decided was too cruel getting them to change the name again for
>     something that they then had released in production.   That caused
>     us to re-acrom “azp”.
>
>     John B.
>
>         On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu
>         <mailto:jricher@mit.edu>> wrote:
>
>         Just want to clear up some history: "azp" did not come from
>         any existing claims from Google or otherwise. I very clearly
>         recall proposing that we name it "prn" for "presenter", and
>         Mike told me not to be evil[1] because we had just changed
>         "prn" (for "principal") in the ID token to "sub" in order to
>         match the more generic JWT. John suggested "a-zed-p" in the
>         same discussion. As such, it clearly was "authorized
>         presenter" in the first take, then it got widened/shifted a
>         little bit in the final definition for reasons I never quite
>         followed (nor cared much about at the time).
>
>          -- Justin
>
>         [1] Being told "don't be evil" by a Microsoft employee remains
>         one of my proudest achievements.
>
>         On 8/19/2015 8:35 PM, John Bradley wrote:
>
>             It could, but I remain to be convinced that would be a
>             good idea.   “azp” came from an existing Google claim, I am
>             not attached to the name.
>
>             John B.
>
>                 On Aug 19, 2015, at 9:29 PM, Nat Sakimura
>                 <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>
>                 Well, the abstract meaning is the same, but the
>                 practical implications and interpretation can vary
>                 within the boundaries depending on the context.
>
>                 A jku is a URI of a cryptographical key, which can be
>                 a uri of a signing key or encryption key depending on
>                 the context. Similarly the azp in an ID Token and an
>                 Access Token can share the same abstract concept while
>                 the concrete meaning in that particular concept can vary.
>
>                 On Thursday, August 20, 2015, Mike
>                 Jones <Michael.Jones@microsoft.com
>                 <mailto:Michael.Jones@microsoft.com>> wrote:
>
>                 Let me second John’s point that we shouldn’t have two
>                 different definitions for “azp”.  As I wrote in my
>                 friendly review of draft-sakimura-oauth-rjwtprof-04 at
>                 http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html,
>                 the claim “azp” has already been registered by OpenID
>                 Connect Core at
>                 http://www.iana.org/assignments/jwt/jwt.xhtml
>                 and so cannot be re-registered.  Given that I believe
>                 the intended semantics are the same, please cite the
>                 existing definition in rjwtprof, rather than repeating
>                 it or revising it.
>
>                 Thanks,
>
>                 -- Mike
>
>                 *From:*John Bradley [mailto:ve7jtb@ve7jtb.com
>                 <mailto:ve7jtb@ve7jtb.com>]
>                 *Sent:* Wednesday, August 19, 2015 11:05 AM
>                 *To:* Nat Sakimura
>                 *Cc:* Mike Jones; OAuth WG
>                 *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>                 Having two azp claims with slightly different
>                 definitions is not a good way to go,  both access
>                 tokens and id_tokens are JWT.
>
>                 For better or worse the claim was defined for bearer
>                 tokens where it was only the identity of the requester
>                 that was able to be confirmed by the token endpoint.
>
>                 It supported a simple use case where a refresh token
>                 is used by client A to use as an assertion at AS B.
>
>                 In the simplest 3 party case the requester of the
>                 token and the presenter of the token are the same.
>                 However in some situations they are not the same.
>
>                 The important thing was to allow the “aud” recipient
>                 of the token to be able to differentiate a token that
>                 it requested from a token that a 3rd party requested
>                 and presented to it.
>
>                 The “azp” should probably be left as it is and not
>                 tied to proof of possession/ binding the token to the
>                 presenter.
>
>                 There was a lot of debate and back and forth on azp at
>                 the time, the main reason to include it was to warn
>                 normal Connect clients that JWT containing that azp
>                 claim need to have its value be them or someone they
>                 know and trust that can request assertions for them.
>                 That was because we knew that token containing that
>                 claim exist in the wild using that claim.
>
>                     https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should
>                     probably be using a different claim to reduce the
>                     confusion.
>
>                 John B.
>
>                     On Aug 19, 2015, at 3:17 AM, Nat Sakimura
>                     <sakimura@gmail.com <mailto:sakimura@gmail.com>>
>                     wrote:
>
>                     So, Mike,
>
>                     Authorized Presenter is a defined term in *_Sender
>                     Constrained JWT for OAuth 2.0_*
>
>                     ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ).
>                     It is used in the context of OAuth 2.0 Access
>                     Token, not a claim in ID Token of OpenID Connect.
>
>                     Nat
>
>                     2015-08-19 11:44 GMT+09:00 Mike Jones
>                     <Michael.Jones@microsoft.com
>                     <mailto:Michael.Jones@microsoft.com>>:
>
>                     Just as a point of clarification, the definition
>                     of the “azp” claim is not “authorised presenter”.
>                     At least as defined by OpenID Connect, its
>                     definition is:
>
>                     azp
>
>                     OPTIONAL. Authorized party - the party to which
>                     the ID Token was issued. If present, it MUST
>                     contain the OAuth 2.0 Client ID of this party.
>                     This Claim is only needed when the ID Token has a
>                     single audience value and that audience is
>                     different than the authorized party. It MAY be
>                     included even when the authorized party is the
>                     same as the sole audience. The azp value is a case
>                     sensitive string containing a StringOrURI value.
>
>                     A reference to this definition is registered by
>                     OpenID Connect Core
>                     http://openid.net/specs/openid-connect-core-1_0.html
>                     in the IANA “JSON Web Token Claims” registry at
>                     http://www.iana.org/assignments/jwt/jwt.xhtml.
>
>                     -- Mike
>
>                     *From:*OAuth [mailto:oauth-bounces@ietf.org
>                     <mailto:oauth-bounces@ietf.org>] *On Behalf Of
>                     *Nat Sakimura
>                     *Sent:* Tuesday, August 18, 2015 7:37 PM
>                     *To:* Adam Lewis
>                     *Cc:* OAuth WG
>                     *Subject:* Re: [OAUTH-WG] RS as a client guidance
>
>                     It is not directly, but *_Sender Constrained JWT
>                     for OAuth 2.0_*
>
>                     ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
>
>                     talks about a model that allows it.
>
>                     In essence, it uses a structured access token that
>                     is sender constrained.
>
>                     It has a claim "azp" which stands for authorised
>                     presenter.
>
>                     To be used, the "client" has to present a proof
>                     that it is indeed the party pointed by "azp".
>
>                     In your case, the native mobile app obtains the
>                     structured access token
>
>                     with "azp":"the_RS". Since "azp" is not pointing
>                     to the mobile app,
>
>                     the mobile app cannot use it.
>
>                     The mobile app then ships it to the RS.
>
>                     The RS can now use it since the "azp" points to it.
>
>                     In general, shipping a bearer token around is a
>                     bad idea.
>
>                     If you want to do that, I think you should do so
>                     with a sender constrained token.
>
>                     Nat
>
>                     2015-08-13 2:01 GMT+09:00 Adam Lewis
>                     <adam.lewis@motorolasolutions.com
>                     <mailto:adam.lewis@motorolasolutions.com>>:
>
>                     Hi,
>
>                     Are there any drafts that discuss the notion of an
>                     RS acting as a client? I'm considering the use
>                     case whereby a native mobile app obtains an access
>                     token and sends it to the RS, and then the RS uses
>                     it to access the UserInfo endpoint on an OP.
>
>                     It's a bearer token so no reason it wouldn't work,
>                     but obviously it is meant to be presented by the
>                     client and not the RS. Curious to understand the
>                     security implications of this, read on any
>                     thoughts given to this, or to know if it's an
>                     otherwise accepted practice.
>
>                     tx
>
>                     adam
>
>
>                     _______________________________________________
>                     OAuth mailing list
>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>                     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>                     -- 
>
>                     Nat Sakimura (=nat)
>
>                     Chairman, OpenID Foundation
>                     http://nat.sakimura.org/
>                     @_nat_en
>
>
>
>
>
>
>
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
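As an added example (not code from this thread, nor from draft-sakimura-oauth-rjwtprof-05), the check Nat describes written from the receiving endpoint's side: the UserInfo endpoint accepts the token only when the party that has proved its identity is the one named in "azp", so the mobile app that merely holds the token is refused while "the_RS" is accepted; the ID Token reading of "azp" that John and Mike discuss is covered by a second, RP-side check. The HS256 key, the endpoint and client identifiers, and the way the presenter's identity reaches the endpoint (a presenter_id already authenticated by the transport or proof layer) are assumptions, since the draft's proof mechanism is not described on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only; "the_RS" is the name used in Nat's mail.
AS_KEY = b"constructed-example-key-not-a-real-secret"
USERINFO = "https://op.example/userinfo"   # the OP endpoint the RS calls in Adam's use case
RS_ID = "the_RS"
APP_ID = "native_mobile_app"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, key):
    """Issue a compact HS256 JWT; stands in for the AS minting the structured token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, ("%s.%s" % (header, payload)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def verify_hs256(token, key):
    """Return the claims if the signature checks; the algorithm is pinned, 'alg' is not trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (header, payload)).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def userinfo_accepts(token, presenter_id, now=None, key=AS_KEY, my_id=USERINFO):
    """Receiving-endpoint decision for a sender-constrained token.

    presenter_id is the identity the presenter has already proved to this endpoint
    (assumed to be supplied by the transport or proof layer; None means no proof).
    Returns (accepted, reason).
    """
    try:
        claims = verify_hs256(token, key)
    except ValueError as err:
        return False, str(err)
    if now is None:
        now = int(time.time())
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if my_id not in aud:
        return False, "this endpoint is not in aud"
    azp = claims.get("azp")
    if azp is None:
        # No azp means a plain bearer token: anyone holding it could present it.
        return False, "no azp: bearer token not accepted here"
    if presenter_id is None:
        return False, "presenter gave no proof of identity"
    if azp != presenter_id:
        # The mobile app holds the token, but azp points at the RS, so it is refused.
        return False, "azp names %s but presenter is %s" % (azp, presenter_id)
    return True, "ok"


def rp_accepts_id_token_azp(claims, my_client_id, trusted_requesters=()):
    """ID Token side of the same claim, as John describes it: an azp value must be
    the RP itself or a party the RP trusts to request tokens on its behalf."""
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if my_client_id not in aud:
        return False
    azp = claims.get("azp")
    if azp is None:
        return len(aud) == 1   # without azp the RP must be the sole audience
    return azp == my_client_id or azp in trusted_requesters


def demo():
    """Adam's scenario: the app obtains a token with azp=the_RS and forwards it to the RS."""
    token = mint_hs256({"iss": "https://op.example", "sub": "user-123",
                        "aud": USERINFO, "azp": RS_ID, "exp": 2000000000}, AS_KEY)
    # A token signed with a key the OP does not know, carrying azp=the app itself.
    forged = mint_hs256({"aud": USERINFO, "azp": APP_ID, "exp": 2000000000}, b"not-the-as-key")
    now = 1900000000
    return {
        "app_presents": userinfo_accepts(token, APP_ID, now),
        "rs_presents": userinfo_accepts(token, RS_ID, now),
        "no_proof": userinfo_accepts(token, None, now),
        "forged": userinfo_accepts(forged, APP_ID, now),
    }
```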


--------------030201040705000308020605
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <blockquote
cite="mid:CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2015-08-20 9:52 GMT+09:00 Mike Jones <span
            dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div link="blue" vlink="purple" lang="EN-US">
              <div>
                <div>
                  <div class="h5">
                    <p class="MsoNormal">&nbsp;</p>
                    <p class="MsoNormal">Ah yes, now I recall that we
                      had Google change the claim once to azp and then
                      discussed changing it again once we decided that
                      azp was not necessarily the presenter. That was
                      what we decided was too cruel: getting them to
                      change the name again for something that they
                      had then released in production. That caused us
                      to re-acronym “azp”.</p>
                    <div>
                      <p class="MsoNormal">&nbsp;</p>
                    </div>
                    <div>
                      <p class="MsoNormal">John B.</p>
                    </div>
                    <div>
                      <p class="MsoNormal">&nbsp;</p>
                      <div>
                        <blockquote
                          style="margin-top:5.0pt;margin-bottom:5.0pt">
                          <div>
                            <p class="MsoNormal">On Aug 19, 2015, at
                              9:39 PM, Justin Richer &lt;<a
                                moz-do-not-send="true"
                                href="mailto:jricher@mit.edu"
                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jricher@mit.edu">jricher@mit.edu</a></a>&gt;
                              wrote:</p>
                          </div>
                          <p class="MsoNormal">&nbsp;</p>
                          <div>
                            <div>
                              <p class="MsoNormal"
                                style="margin-bottom:12.0pt">Just want
                                to clear up some history: "azp" did not
                                come from any existing claims from
                                Google or otherwise. I very clearly
                                recall proposing that we name it "prn"
                                for "presenter", and Mike told me not to
                                be evil[1] because we had just changed
                                "prn" (for "principal") in the ID token
                                to "sub" in order to match the more
                                generic JWT. John suggested "a-zed-p" in
                                the same discussion. As such, it clearly
                                was "authorized presenter" in the first
                                take, then it got widened/shifted a
                                little bit in the final definition for
                                reasons I never quite followed (nor
                                cared much about at the time).<br>
                                <br>
                                -- Justin<br>
                                <br>
                                [1] Being told "don't be evil" by a
                                Microsoft employee remains one of my
                                proudest achievements.</p>
                              <div>
                                <p class="MsoNormal">On 8/19/2015 8:35
                                  PM, John Bradley wrote:</p>
                              </div>
                              <blockquote
                                style="margin-top:5.0pt;margin-bottom:5.0pt">
                                <p class="MsoNormal">It could, but I
                                  remain to be convinced that would be a
                                  good idea. “azp” came from an
                                  existing Google claim; I am not
                                  attached to the name.
                                </p>
                                <div>
                                  <p class="MsoNormal">&nbsp;</p>
                                </div>
                                <div>
                                  <p class="MsoNormal">John B.</p>
                                  <div>
                                    <blockquote
                                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                                      <div>
                                        <p class="MsoNormal">On Aug 19,
                                          2015, at 9:29 PM, Nat Sakimura
                                          &lt;<a moz-do-not-send="true"
href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>&gt;
                                          wrote:</p>
                                      </div>
                                      <p class="MsoNormal">&nbsp;</p>
                                      <div>
                                        <p class="MsoNormal">Well, the
                                          abstract meaning is the same,
                                          but the practical implications
                                          and interpretation can vary
                                          within the
                                          boundaries depending on the
                                          context.
                                        </p>
                                        <div>
                                          <p class="MsoNormal">&nbsp;</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">A jku is
                                            a URI of a cryptographic
                                            key, which can be a URI of a
                                            signing key or encryption
                                            key depending on the
                                            context. Similarly the azp
                                            in an ID Token and an Access
                                            Token can share the same
                                            abstract concept while the
                                            concrete meaning in that
                                            particular concept can
                                            vary.<br>
                                            <br>
                                            On Thursday, August 20, 2015, Mike
                                            Jones &lt;<a
                                              moz-do-not-send="true"
                                              href="mailto:Michael.Jones@microsoft.com"
                                              target="_blank">Michael.Jones@microsoft.com</a>&gt;
                                            wrote:</p>
                                          <div>
                                            <div>
                                              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Let
                                                  me second John’s point
                                                  that we shouldn’t have
                                                  two different
                                                  definitions for
                                                  “azp”. As I wrote in
                                                  my friendly review of
                                                  draft-sakimura-oauth-rjwtprof-04
                                                  at <a
                                                    moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.ietf.org%2fmail-archive%2fweb%2foauth%2fcurrent%2fmsg14679.html&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3TbSJzfONy8nvH1hDcjGQPmdeen39IJDHk1R99tD7BE%3d"
                                                    target="_blank">
<a class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html">http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html</a></a>,
                                                  the claim “azp” has
                                                  already been
                                                  registered by OpenID
                                                  Connect Core at
                                                  <a
                                                    moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.iana.org%2fassignments%2fjwt%2fjwt.xhtml&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=kijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQNsWHYzo%3d"
                                                    target="_blank">
<a class="moz-txt-link-freetext" href="http://www.iana.org/assignments/jwt/jwt.xhtml">http://www.iana.org/assignments/jwt/jwt.xhtml</a></a> and so cannot be
                                                  re-registered. Given
                                                  that I believe the
                                                  intended semantics are
                                                  the same, please cite
                                                  the existing
                                                  definition in
                                                  rjwtprof, rather than
                                                  repeating it or
                                                  revising it.</span></p>
                                              <div>
                                                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                                              </div>
                                              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">
                                                  Thanks,</span></p>
                                              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">
                                                  -- Mike</span></p>
                                              <div>
                                                <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                                              </div>
                                              <div>
                                                <div
                                                  style="border:none;border-top:solid
                                                  #b5c4df
                                                  1.0pt;padding:3.0pt
                                                  0in 0in 0in">
                                                  <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                                                      John Bradley
                                                      [mailto:<a
                                                        moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a></a>]
                                                      <br>
                                                      <b>Sent:</b>
                                                      Wednesday, August
                                                      19, 2015 11:05 AM<br>
                                                      <b>To:</b> Nat
                                                      Sakimura<br>
                                                      <b>Cc:</b> Mike
                                                      Jones; OAuth WG<br>
                                                      <b>Subject:</b>
                                                      Re: [OAUTH-WG] RS
                                                      as a client
                                                      guidance</span></p>
                                                </div>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">&nbsp;</p>
                                              </div>
                                              <p class="MsoNormal">Having
                                                two azp claims with
                                                slightly different
                                                definitions is not a
                                                good way to go; both
                                                access tokens and
                                                id_tokens are JWTs.</p>
                                              <div>
                                                <p class="MsoNormal">For
                                                  better or worse the
                                                  claim was defined for
                                                  bearer tokens where it
                                                  was only the identity
                                                  of the requester that
                                                  was able to be
                                                  confirmed by the token
                                                  endpoint.</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">It
                                                  supported a simple use
                                                  case where a refresh
                                                  token is used by
                                                  client A to use as an
                                                  assertion at AS B.</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">In
                                                  the simplest 3-party
                                                  case the requester of
                                                  the token and the
                                                  presenter of the token
                                                  are the same. However,
                                                  in some situations
                                                  they are not the
                                                  same.</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">The
                                                  important thing was to
                                                  allow the “aud”
                                                  recipient of the token
                                                  to be able to
                                                  differentiate a token
                                                  that it requested from
                                                  a token that a 3rd
                                                  party requested and
                                                  presented to it.</p>
                                              </div>
                                              <div>
                                                <div>
                                                  <p class="MsoNormal">&nbsp;</p>
                                                </div>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">The
                                                  “azp” should probably
                                                  be left as it is and
                                                  not tied to proof of
                                                  possession / binding
                                                  the token to the
                                                  presenter.</p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">There
                                                  was a lot of debate
                                                  and back and forth on
                                                  azp at the time; the
                                                  main reason to include
                                                  it was to warn normal
                                                  Connect clients that a
                                                  JWT containing that
                                                  azp claim needs to have
                                                  its value be them or
                                                  someone they know and
                                                  trust that can request
                                                  assertions for them.
                                                  That was because we
                                                  knew that tokens
                                                  containing that claim
                                                  exist in the wild
                                                  using that claim.</p>
                                              </div>
                                              <div>
                                                <div>
                                                  <p class="MsoNormal">&nbsp;</p>
                                                </div>
                                              </div>
                                              <div>
                                                <blockquote
                                                  style="margin-top:5.0pt;margin-bottom:5.0pt">
                                                  <div>
                                                    <div>
                                                      <p
                                                        class="MsoNormal"><span
style="font-size:10.5pt"><a moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=VTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73SA%3d"
target="_blank">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a> should

                                                          probably be
                                                          using a
                                                          different
                                                          claim to
                                                          reduce the
                                                          confusion.</span></p>
                                                    </div>
                                                  </div>
                                                </blockquote>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">&nbsp;</p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal">John
                                                  B.</p>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">&nbsp;</p>
                                                  </div>
                                                </div>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">&nbsp;</p>
                                                  </div>
                                                  <div>
                                                    <blockquote
                                                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                                                      <div>
                                                        <p
                                                          class="MsoNormal">On
                                                          Aug 19, 2015,
                                                          at 3:17 AM,
                                                          Nat Sakimura
                                                          &lt;<a
                                                          moz-do-not-send="true"
href="mailto:sakimura@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a></a>&gt;
                                                          wrote:</p>
                                                      </div>
                                                      <div>
                                                        <p
                                                          class="MsoNormal">&nbsp;</p>
                                                      </div>
                                                      <div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">So,
                                                          Mike,</p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">Authorized
                                                          Presenter is a
                                                          defined term
                                                          in <b><u>Sender
                                                          Constrained
                                                          JWT for OAuth
                                                          2.0</u></b></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:10.5pt">(<a moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=VTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73SA%3d"
target="_blank">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a>).

                                                          It is used in
                                                          the context of
                                                          OAuth 2.0
                                                          Access Token,
                                                          not a claim in
                                                          ID Token of
                                                          OpenID
                                                          Connect.</span></p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:10.5pt">&nbsp;</span></p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:10.5pt">Nat</span></p>
                                                          </div>
                                                        </div>
                                                        <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">2015-08-19
                                                          11:44
                                                          GMT+09:00 Mike
                                                          Jones &lt;<a
                                                          moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a></a>&gt;:</p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Just
                                                          as a point of
                                                          clarification,
                                                          the definition
                                                          of the “azp”
                                                          claim is not “</span>authorised
                                                          presenter<span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">”.

                                                          At least as
                                                          defined by
                                                          OpenID
                                                          Connect, its
                                                          definition is:</span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;" lang="EN">azp</span></p>
                                                          <p
                                                          class="MsoNormal"
style="margin-left:.5in">
                                                          <span
                                                          style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;"
                                                          lang="EN">OPTIONAL.
                                                          Authorized
                                                          party - the
                                                          party to which
                                                          the ID Token
                                                          was issued. If
                                                          present, it
                                                          MUST contain
                                                          the OAuth 2.0
                                                          Client ID of
                                                          this party.
                                                          This Claim is
                                                          only needed
                                                          when the ID
                                                          Token has a
                                                          single
                                                          audience value
                                                          and that
                                                          audience is
                                                          different than
                                                          the authorized
                                                          party. It MAY
                                                          be included
                                                          even when the
                                                          authorized
                                                          party is the
                                                          same as the
                                                          sole audience.
                                                          The
                                                          </span><span
                                                          style="font-family:&quot;Courier
                                                          New
                                                          ;color:#003366&quot;,&quot;serif&quot;"
                                                          lang="EN">azp</span><span
style="font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;" lang="EN">
                                                          value is a
                                                          case sensitive
                                                          string
                                                          containing a
                                                          StringOrURI
                                                          value.
                                                          </span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Â </span></p>
                                                          </div>
                                                          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">A reference to this definition is registered by OpenID Connect Core <a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-connect-core-1_0.html">http://openid.net/specs/openid-connect-core-1_0.html</a> in the IANA “<a moz-do-not-send="true" name="14f4897faa902e69_14f4740ad86636a6_14f43d7ce3c1c74b_claims"></a>JSON Web Token Claims” registry at <a class="moz-txt-link-freetext" href="http://www.iana.org/assignments/jwt/jwt.xhtml">http://www.iana.org/assignments/jwt/jwt.xhtml</a>.</span></p>
                                                          <div>
                                                          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                                                          </div>
                                                          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-- Mike</span></p>
                                                          <div>
                                                          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                                                          </div>
                                                          <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> OAuth [mailto:<a class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a>] <b>On Behalf Of </b>Nat Sakimura<br>
                                                          <b>Sent:</b> Tuesday, August 18, 2015 7:37 PM<br>
                                                          <b>To:</b> Adam Lewis<br>
                                                          <b>Cc:</b> OAuth WG<br>
                                                          <b>Subject:</b> Re: [OAUTH-WG] RS as a client guidance</span></p>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">It is not directly, but <b><u>Sender Constrained JWT for OAuth 2.0</u></b></p>
                                                          <div>
                                                          <p class="MsoNormal">( <a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05">https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a> )</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">talks about a model that allows it.</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">In essence, it uses a structured access token that is sender constrained.</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">It has a claim "azp" which stands for authorised presenter.</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">To be used, the "client" has to present a proof that it is indeed the party pointed to by "azp".</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">In your case, the native mobile app obtains the structured access token</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">with "azp":"the_RS". Since "azp" is not pointing to the mobile app,</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">the mobile app cannot use it.</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">The mobile app then ships it to the RS.</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">The RS can now use it since the "azp" points to it.</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">In general, shipping a bearer token around is a bad idea.</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">If you want to do that, I think you should do so with a sender constrained token.</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">Nat</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">2015-08-13 2:01 GMT+09:00 Adam Lewis &lt;<a class="moz-txt-link-abbreviated" href="mailto:adam.lewis@motorolasolutions.com">adam.lewis@motorolasolutions.com</a>&gt;:</p>
                                                          <div>
                                                          <p class="MsoNormal">Hi,</p>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">Are there any drafts that discuss the notion of an RS acting as a client? I'm considering the use case whereby a native mobile app obtains an access token and sends it to the RS, and then the RS uses it to access the UserInfo endpoint on an OP.</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">It's a bearer token so no reason it wouldn't work, but obviously it is meant to be presented by the client and not the RS. Curious to understand the security implications of this, read on any thoughts given to this, or to know if it's an otherwise accepted practice.</p>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal">tx</p>
                                                          </div>
                                                          <div>
                                                          <p class="MsoNormal"><span style="color:#888888">adam</span></p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                                                          _______________________________________________<br>
                                                          OAuth mailing list<br>
                                                          <a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                                                          <a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></p>
                                                          </div>
                                                          <p class="MsoNormal"><br>
                                                          <br clear="all">
                                                          </p>
                                                          <div>
                                                          <div>
                                                          <p class="MsoNormal">&nbsp;</p>
                                                          </div>
                                                          </div>
                                                          <p class="MsoNormal">-- </p>
                                                          <div>
                                                          <p class="MsoNormal">Nat Sakimura (=nat)</p>
                                                          <div>
                                                          <p class="MsoNormal">Chairman, OpenID Foundation<br>
                                                          <a class="moz-txt-link-freetext" href="http://nat.sakimura.org/">http://nat.sakimura.org/</a><br>
                                                          @_nat_en</p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </div>
                                                        <p
                                                          class="MsoNormal">_______________________________________________<br>
                                                          OAuth mailing
                                                          list<br>
                                                          <a
                                                          moz-do-not-send="true"><a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a></a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=LjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d"
target="_blank"><a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></a></p>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">&nbsp;</p>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                        <p class="MsoNormal"><br>
                                          <br>
                                          -- <br>
                                          Nat Sakimura (=nat) </p>
                                        <div>
                                          <p class="MsoNormal">Chairman,
                                            OpenID Foundation<br>
                                            <a moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=HNVIwuDJAOWxfWyduzov8RK%2fZKG17xQnYZVFWv94oqY%3d"
                                              target="_blank">http://nat.sakimura.org/</a><br>
                                            @_nat_en</p>
                                        </div>
                                        <p class="MsoNormal">&nbsp;</p>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <p class="MsoNormal">&nbsp;</p>
                                </div>
                                <p class="MsoNormal"><br>
                                  <br>
                                  <br>
                                </p>
                                <pre>_______________________________________________</pre>
                                <pre>OAuth mailing list</pre>
                                <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a></pre>
                                <pre><a moz-do-not-send="true" href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=LjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a></pre>
                              </blockquote>
                              <p class="MsoNormal">&nbsp;</p>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <p class="MsoNormal">&nbsp;</p>
                    </div>
                  </div>
                </div>
              </div>
            </div>
            <br>
            _______________________________________________<br>
            OAuth mailing list<br>
            <a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
            <a moz-do-not-send="true"
              href="https://www.ietf.org/mailman/listinfo/oauth"
              rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">Nat Sakimura (=nat)
          <div>Chairman, OpenID Foundation<br>
            <a moz-do-not-send="true" href="http://nat.sakimura.org/"
              target="_blank">http://nat.sakimura.org/</a><br>
            @_nat_en</div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>

--------------030201040705000308020605--


From nobody Wed Aug 19 18:56:23 2015
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FB431A8AED for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.009
X-Spam-Level: 
X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZtdtpiyqI0Hn for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 18:56:14 -0700 (PDT)
Received: from out4133-50.mail.aliyun.com (out4133-50.mail.aliyun.com [42.120.133.50]) by ietfa.amsl.com (Postfix) with ESMTP id 9C01C1A8AC8 for <oauth@ietf.org>; Wed, 19 Aug 2015 18:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1440035770; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=aW6e2o/oyhz8BnOxMtWl4BnzazmXHHyPqGVPdkWLPk4=; b=bD7+JIRJIALv4H73qx44bEACl6g/qWrvP9CES7dEmVXq2rbz44xnqnT1pTm4vUMVDvmHDrtQsjn0seMQASFrN8Wg/gWXVSdsNzIEGwsEytcJUHSzjlTZcB+dCmHF1BS9aMag+apLK9vnQ15Uki9dc/fNMi/2HtoYjPnnCBEHCRs=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R131e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03302; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=3; SR=0; 
Received: from 10.1.159.139(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.74.187) by smtp.aliyun-inc.com(127.0.0.1); Thu, 20 Aug 2015 09:56:05 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Thu, 20 Aug 2015 09:56:00 +0800
From: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>
To: Nat Sakimura <sakimura@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>
Message-ID: <D1FB5455.1691D%kepeng.lkp@alibaba-inc.com>
Thread-Topic: [OAUTH-WG] RS as a client guidance
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu> <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com> <BY2PR03MB4429242167D842299D4A8C1F5660@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com>
In-Reply-To: <CABzCy2BBupNPeQ0oCG+jsC_p0boaf_se_okrdComNf+OHanRiw@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3522909365_20073344"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Y3GijLrKljqf7vTk3ee34pkMvS4>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 01:56:22 -0000


--B_3522909365_20073344
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

> From what I see, authorized presenter is a subset of authorized party.

That is also my understanding.

Kind Regards
Kepeng

From:  Nat Sakimura <sakimura@gmail.com>
Date:  Thursday, 20 August, 2015 9:01 am
To:  Mike Jones <Michael.Jones@microsoft.com>
Cc:  OAuth WG <oauth@ietf.org>
Subject:  Re: [OAUTH-WG] RS as a client guidance

And while we are at the history, my original draft idea (on my blog) on Aug.
3, 2012 had "nau" -- named authorized user.
So, three of us came up with a similar idea independently with more or less
the same idea, and it was unified to azp -- authorized presenter.

The name change to authorized party came later to expand the meaning of it.

From what I see, authorized presenter is a subset of authorized party.


2015-08-20 9:52 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
> Just to complete the history, I believe the original Google deployed claim
> name for this purpose was "cid" (Client ID) – a name that seemed ripe with
> ambiguity.
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Wednesday, August 19, 2015 5:50 PM
> To: Justin Richer
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] RS as a client guidance
>
> Ah yes, now I recall that we had Google change the claim once to azp and
> then discussed changing it again once we decided that azp was not
> necessarily the presenter. That was what we decided was too cruel: getting
> them to change the name again for something that they then had released in
> production. That caused us to re-acrom "azp".
>
> John B.
>
>>
>> On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> Just want to clear up some history: "azp" did not come from any existing
>> claims from Google or otherwise. I very clearly recall proposing that we
>> name it "prn" for "presenter", and Mike told me not to be evil[1] because
>> we had just changed "prn" (for "principal") in the ID token to "sub" in
>> order to match the more generic JWT. John suggested "a-zed-p" in the same
>> discussion. As such, it clearly was "authorized presenter" in the first
>> take, then it got widened/shifted a little bit in the final definition for
>> reasons I never quite followed (nor cared much about at the time).
>>
>>  -- Justin
>>
>> [1] Being told "don't be evil" by a Microsoft employee remains one of my
>> proudest achievements.
>>
>> On 8/19/2015 8:35 PM, John Bradley wrote:
>>> It could, but I remain to be convinced that would be a good idea. "azp"
>>> came from an existing Google claim; I am not attached to the name.
>>>
>>> John B.
>>>>
>>>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>
>>>> Well, the abstract meaning is the same, but the practical implications
>>>> and interpretation can vary within the boundaries depending on the
>>>> context.
>>>>
>>>> A jku is a URI of a cryptographic key, which can be a URI of a signing
>>>> key or encryption key depending on the context. Similarly the azp in an
>>>> ID Token and an Access Token can share the same abstract concept while
>>>> the concrete meaning in that particular concept can vary.
>>>>
>>>> On Thursday, 20 August 2015, Mike Jones <Michael.Jones@microsoft.com>
>>>> wrote:
>>>>
>>>> Let me second John's point that we shouldn't have two different
>>>> definitions for "azp". As I wrote in my friendly review of
>>>> draft-sakimura-oauth-rjwtprof-04 at
>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html ,
>>>> the claim "azp" has already been registered by OpenID Connect Core
>>>> at http://www.iana.org/assignments/jwt/jwt.xhtml and so cannot be
>>>> re-registered. Given that I believe the intended semantics are the
>>>> same, please cite the existing definition in rjwtprof, rather than
>>>> repeating it or revising it.
>>>>
>>>>                                                             Thanks,
>>>>                                                             -- Mike
>>>>
>>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>>> Sent: Wednesday, August 19, 2015 11:05 AM
>>>> To: Nat Sakimura
>>>> Cc: Mike Jones; OAuth WG
>>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>>>
>>>> Having two azp claims with slightly different definitions is not a good
>>>> way to go; both access tokens and id_tokens are JWT.
>>>>
>>>> For better or worse the claim was defined for bearer tokens where it was
>>>> only the identity of the requester that was able to be confirmed by the
>>>> token endpoint.
>>>>
>>>> It supported a simple use case where a refresh token is used by client A
>>>> to use as an assertion at AS B.
>>>>
>>>> In the simplest 3 party case the requester of the token and the
>>>> presenter of the token are the same. However in some situations they
>>>> are not the same.
>>>>
>>>> The important thing was to allow the "aud" recipient of the token to be
>>>> able to differentiate a token that it requested from a token that a 3rd
>>>> party requested and presented to it.
>>>>
>>>> The "azp" should probably be left as it is and not tied to proof of
>>>> possession/binding the token to the presenter.
>>>>
>>>> There was a lot of debate and back and forth on azp at the time; the
>>>> main reason to include it was to warn normal Connect clients that a JWT
>>>> containing that azp claim needs to have its value be them or someone
>>>> they know and trust that can request assertions for them. That was
>>>> because we knew that tokens containing that claim exist in the wild
>>>> using that claim.
>>>>
>>>>>
>>>>> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
>>>>> should probably be using a different claim to reduce the confusion.
>>>>
>>>> John B.
>>>>
>>>>>
>>>>> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>>
>>>>> So, Mike,
>>>>>
>>>>> Authorized Presenter is a defined term in Sender Constrained JWT for
>>>>> OAuth 2.0
>>>>> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ). It is
>>>>> used in the context of OAuth 2.0 Access Token, not a claim in ID Token
>>>>> of OpenID Connect.
>>>>>
>>>>> Nat
>>>>>
>>>>> 2015-08-19 11:44 GMT+09:00 Mike Jones <Michael.Jones@microsoft.com>:
>>>>>
>>>>> Just as a point of clarification, the definition of the "azp" claim is
>>>>> not "authorised presenter". At least as defined by OpenID Connect, its
>>>>> definition is:
>>>>>
>>>>> azp
>>>>> OPTIONAL. Authorized party - the party to which the ID Token was
>>>>> issued. If present, it MUST contain the OAuth 2.0 Client ID of this
>>>>> party. This Claim is only needed when the ID Token has a single
>>>>> audience value and that audience is different than the authorized
>>>>> party. It MAY be included even when the authorized party is the same as
>>>>> the sole audience. The azp value is a case sensitive string containing
>>>>> a StringOrURI value.
>>>>>
>>>>> A reference to this definition is registered by OpenID Connect Core
>>>>> http://openid.net/specs/openid-connect-core-1_0.html
>>>>> in the IANA "JSON Web Token Claims" registry at
>>>>> http://www.iana.org/assignments/jwt/jwt.xhtml .
>>>>>
>>>>>                                                             -- Mike
>>>>>
>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
>>>>> Sent: Tuesday, August 18, 2015 7:37 PM
>>>>> To: Adam Lewis
>>>>> Cc: OAuth WG
>>>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>>>>
>>>>> It is not directly, but Sender Constrained JWT for OAuth 2.0
>>>>> ( https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 )
>>>>> talks about a model that allows it.
>>>>>
>>>>> In essence, it uses a structured access token that is sender
>>>>> constrained.
>>>>> It has a claim "azp" which stands for authorised presenter.
>>>>> To be used, the "client" has to present a proof that it is indeed the
>>>>> party pointed to by "azp".
>>>>>
>>>>> In your case, the native mobile app obtains the structured access token
>>>>> with "azp":"the_RS". Since "azp" is not pointing to the mobile app,
>>>>> the mobile app cannot use it.
>>>>> The mobile app then ships it to the RS.
>>>>> The RS can now use it since the "azp" points to it.
>>>>>
>>>>> In general, shipping a bearer token around is a bad idea.
>>>>> If you want to do that, I think you should do so with a sender
>>>>> constrained token.
>>>>>
>>>>> Nat
>>>>>
>>>>> 2015-08-13 2:01 GMT+09:00 Adam Lewis <adam.lewis@motorolasolutions.com>:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Are there any drafts that discuss the notion of an RS acting as a
>>>>> client? I'm considering the use case whereby a native mobile app
>>>>> obtains an access token and sends it to the RS, and then the RS uses it
>>>>> to access the UserInfo endpoint on an OP.
>>>>>
>>>>> It's a bearer token so no reason it wouldn't work, but obviously it is
>>>>> meant to be presented by the client and not the RS. Curious to
>>>>> understand the security implications of this, read on any thoughts
>>>>> given to this, or to know if it's an otherwise accepted practice.
>>>>>
>>>>> tx
>>>>> adam
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________ OAuth mailing list
OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
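Added example for the two "azp" readings discussed in this thread. It is not code from the thread, from OpenID Connect Core or from draft-sakimura-oauth-rjwtprof. The first function applies the ID Token aud/azp rules Mike quotes; the second plays the verifier (the OP's UserInfo endpoint) in Nat's flow, where the mobile app obtains a sender-constrained access token with "azp":"the_RS", cannot use it itself, and hands it to the RS. Assumptions: HS256 with a constructed shared secret instead of an asymmetric key, a "cnf"/"kid" claim (in the style of RFC 7800) to name the key the token is bound to, and an HMAC-over-nonce proof of possession; the draft defines its own proof mechanism, and the names op.example, mobile-app and rs-key-1 are invented for the example ("the_RS" is Nat's).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets: the issuer's HS256 key and the presenter keys the
# verifier knows by "kid".  Real deployments would use asymmetric keys.
ISSUER_SECRET = b"constructed-issuer-secret"
PRESENTER_KEYS = {"rs-key-1": b"constructed-rs-key"}
USERINFO_AUD = "https://op.example/userinfo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT, enough to carry the claims discussed in the thread."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the claims after checking the HS256 signature and exp."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def id_token_audience_ok(claims: dict, client_id: str) -> bool:
    """OpenID Connect Core's aud/azp rules for an ID Token, as quoted above:
    aud must list this client; with several audiences an azp claim must be
    present; and if azp is present it must equal this client's client_id."""
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False
    if len(aud) > 1 and "azp" not in claims:
        return False
    return claims.get("azp", client_id) == client_id


def presenter_proof(kid: str, nonce: str) -> str:
    """Hypothetical proof of possession: HMAC over the verifier's nonce with
    the key bound to the token.  Not the mechanism defined by the draft."""
    return _b64url(hmac.new(PRESENTER_KEYS[kid], nonce.encode(), hashlib.sha256).digest())


def userinfo_accepts(token: str, presenter: str, nonce: str, proof: str) -> bool:
    """Verifier side of a sender-constrained access token: the presenter must be
    the party named in azp and must prove possession of the bound key."""
    try:
        claims = verify_jwt(token, ISSUER_SECRET)
    except ValueError:
        return False
    if claims.get("aud") != USERINFO_AUD:
        return False
    if claims.get("azp") != presenter:  # token was not issued for this presenter
        return False
    kid = claims.get("cnf", {}).get("kid")  # cnf/kid as in RFC 7800 (assumption)
    if kid not in PRESENTER_KEYS:
        return False
    return hmac.compare_digest(presenter_proof(kid, nonce), proof)


def demo() -> dict:
    """Nat's flow: the mobile app obtains a token with azp = the RS, cannot use
    it itself, and hands it to the RS, which can."""
    token = sign_jwt({
        "iss": "https://op.example", "sub": "user-42", "aud": USERINFO_AUD,
        "azp": "the_RS", "cnf": {"kid": "rs-key-1"},
        "exp": int(time.time()) + 300,
    }, ISSUER_SECRET)
    nonce = "constructed-nonce-1"  # would be chosen fresh by the verifier
    good = presenter_proof("rs-key-1", nonce)
    return {
        "mobile_app": userinfo_accepts(token, "mobile-app", nonce, good),  # azp is not the app
        "rs": userinfo_accepts(token, "the_RS", nonce, good),  # azp is the RS and it holds the key
        "thief": userinfo_accepts(token, "the_RS", nonce, "stolen-bearer"),  # token alone is not enough
    }


if __name__ == "__main__":
    print(demo())
```

The third case in demo() is the point of Nat's "shipping a bearer token around is a bad idea": whoever captures the token in transit between the app and the RS can present it under the RS's name, but without the bound key the proof fails and the verifier rejects it.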


--B_3522909365_20073344
Content-type: text/html;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

<html><head></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size:=
 14px; font-family: =E5=AE=8B=E4=BD=93, sans-serif;"><div><div>&gt; From what I see, aut=
horized presenter is a subset of authorized party.&nbsp;</div></div><div><br=
></div><div>That is also my understanding.</div><div><br></div><div>Kind Reg=
ards</div><div>Kepeng</div><div><br></div><span id=3D"OLK_SRC_BODY_SECTION"><d=
iv style=3D"font-family:Calibri; font-size:11pt; text-align:left; color:black;=
 BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; =
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER=
-RIGHT: medium none; PADDING-TOP: 3pt"><span style=3D"font-weight:bold">=E5=8F=91=E4=BB=B6=
=E4=BA=BA: </span> Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com">sakimura@g=
mail.com</a>&gt;<br><span style=3D"font-weight:bold">=E6=97=A5=E6=9C=9F: </span> Thursday,=
 20 August, 2015 9:01 am<br><span style=3D"font-weight:bold">=E8=87=B3: </span> Mike=
 Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com">Michael.Jones@micros=
oft.com</a>&gt;<br><span style=3D"font-weight:bold">=E6=8A=84=E9=80=81: </span> OAuth WG &=
lt;<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;<br><span style=3D"fo=
nt-weight:bold">=E4=B8=BB=E9=A2=98: </span> Re: [OAUTH-WG] RS as a client guidance<br></=
div><div><br></div><div dir=3D"ltr">And while we are at the history, my origin=
al draft idea (on my blog) on Aug. 3, 2012 had "nau" -- named authorized use=
r.&nbsp;<div>So, three of us came up with a similar idea independently with =
more or less the same idea, and it was unified to azp -- authorized presente=
r.&nbsp;</div><div><br></div><div>The name change to authorized party took l=
ater to expand the meaning of it.&nbsp;</div><div><br></div><div>From what I=
 see, authorized presenter is a subset of authorized party.&nbsp;</div><div>=
<br></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">2015-0=
8-20 9:52 GMT+09:00 Mike Jones <span dir=3D"ltr">&lt;<a href=3D"mailto:Michael.J=
ones@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;</spa=
n>:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:=
1px #ccc solid;padding-left:1ex"><div lang=3D"EN-US" link=3D"blue" vlink=3D"purple=
"><div><p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-family: Calib=
ri, sans-serif; color: rgb(31, 73, 125);">Just to complete the history, I be=
lieve the original Google deployed claim name for this purpose was &#8220;ci=
d&#8221; (Client ID) &#8211; a name that seemed ripe with ambiguity.<u></u><=
u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-fam=
ily: Calibri, sans-serif; color: rgb(31, 73, 125);"><u></u>&nbsp;<u></u></sp=
an></p><div><div style=3D"border:none;border-top:solid #b5c4df 1.0pt;padding:3=
.0pt 0in 0in 0in"><p class=3D"MsoNormal"><b><span style=3D"font-size: 10pt; font=
-family: Tahoma, sans-serif;">From:</span></b><span style=3D"font-size: 10pt; =
font-family: Tahoma, sans-serif;"> OAuth [mailto:<a href=3D"mailto:oauth-bounc=
es@ietf.org" target=3D"_blank">oauth-bounces@ietf.org</a>]
<b>On Behalf Of </b>John Bradley<br><b>Sent:</b> Wednesday, August 19, 2015=
 5:50 PM<br><b>To:</b> Justin Richer</span></p><div><div class=3D"h5"><br><b>C=
c:</b> OAuth WG<br><b>Subject:</b> Re: [OAUTH-WG] RS as a client guidance<u>=
</u><u></u></div></div><p></p></div></div><div><div class=3D"h5"><p class=3D"Mso=
Normal"><u></u>&nbsp;<u></u></p><p class=3D"MsoNormal">Ah yes, &nbsp;Now I rec=
all that we had Google change the claim once to azp and then discussed chang=
ing it again once we decided that azp was not the necessarily the presenter =
presenter.&nbsp; That was what we decided was too cruel getting them to
 change the name again for something that they then had released in product=
ion. &nbsp; That caused us to re-acrom &#8220;azp&#8221;. &nbsp;<u></u><u></=
u></p><div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p></div><div><p class=3D=
"MsoNormal">John B.<u></u><u></u></p></div><div><p class=3D"MsoNormal"><u></u>=
&nbsp;<u></u></p><div><blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0p=
t"><div><p class=3D"MsoNormal">On Aug 19, 2015, at 9:39 PM, Justin Richer &lt;=
<a href=3D"mailto:jricher@mit.edu" target=3D"_blank">jricher@mit.edu</a>&gt; wro=
te:<u></u><u></u></p></div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p><div=
><div><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">Just want to clear u=
p some history: "azp" did not come from any existing claims from Google or o=
therwise. I very clearly recall proposing that we name it "prn" for "present=
er", and Mike told me not to be evil[1]
 because we had just changed "prn" (for "principal") in the ID token to "su=
b" in order to match the more generic JWT. John suggested "a-zed-p" in the s=
ame discussion. As such, it clearly was "authorized presenter" in the first =
take, then it got widened/shifted
 a little bit in the final definition for reasons I never quite followed (n=
or cared much about at the time).<br><br>
&nbsp;-- Justin<br><br>
[1] Being told "don't be evil" by a Microsoft employee remains one of my pr=
oudest achievements.<u></u><u></u></p><div><p class=3D"MsoNormal">On 8/19/2015=
 8:35 PM, John Bradley wrote:<u></u><u></u></p></div><blockquote style=3D"marg=
in-top:5.0pt;margin-bottom:5.0pt"><p class=3D"MsoNormal">It could, but I remai=
n to be convinced that would be a good idea. &nbsp; &#8220;azp&#8221; came f=
rom a existing Google claim, I am not attached to the name.
<u></u><u></u></p><div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p></div><=
div><p class=3D"MsoNormal">John B.<u></u><u></u></p><div><blockquote style=3D"ma=
rgin-top:5.0pt;margin-bottom:5.0pt"><div><p class=3D"MsoNormal">On Aug 19, 201=
5, at 9:29 PM, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com" target=3D"=
_blank">sakimura@gmail.com</a>&gt; wrote:<u></u><u></u></p></div><p class=3D"M=
soNormal"><u></u>&nbsp;<u></u></p><div><p class=3D"MsoNormal">Well, the abstra=
ct meaning is the same, but the practical implications and interpretation ca=
n vary within the boundaries&nbsp;depending on the context.&nbsp;
<u></u><u></u></p><div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p></div><=
div><p class=3D"MsoNormal">A jku is a URI of a cryptographical key, which&nbsp=
;can be a uri of a signing key or encryption key depending on the context. S=
imilarly the azp in an&nbsp;ID Token and an Access Token can share the same =
abstract concept while the concrete meaning
 in that particular concept can vary.&nbsp;<br><br>
2015<span style=3D"font-family: '=EF=BC=AD=EF=BC=B3 =E6=98=8E=E6=9C=9D', 'MS Mincho';">=E5=B9=B4</span>8<sp=
an style=3D"font-family: '=EF=BC=AD=EF=BC=B3 =E6=98=8E=E6=9C=9D', 'MS Mincho';">=E6=9C=88</span>20<span styl=
e=3D"font-family: '=EF=BC=AD=EF=BC=B3 =E6=98=8E=E6=9C=9D', 'MS Mincho';">=E6=97=A5=E6=9C=A8=E6=9B=9C=E6=97=A5=E3=80=81</span>Mike Jo=
nes&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.=
Jones@microsoft.com</a>&gt;
<span style=3D"font-family: '=EF=BC=AD=EF=BC=B3 =E6=98=8E=E6=9C=9D', 'MS Mincho';">=E3=81=95=E3=82=93=E3=81=AF=E6=9B=B8=E3=81=8D=E3=81=BE=
=E3=81=97=E3=81=9F</span>:<u></u><u></u></p><div><div><p class=3D"MsoNormal"><span style=3D"=
font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"=
>Let me second John&#8217;s point that we shouldn&#8217;t have two different=
 definitions for &#8220;azp&#8221;.&nbsp; As I wrote
 in my friendly review of draft-sakimura-oauth-rjwtprof-04 at <a href=3D"http=
s://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fwww.ietf.org%2fm=
ail-archive%2fweb%2foauth%2fcurrent%2fmsg14679.html&amp;data=3D01%7c01%7cMicha=
el.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141=
af91ab2d7cd011db47%7c1&amp;sdata=3D3TbSJzfONy8nvH1hDcjGQPmdeen39IJDHk1R99tD7BE=
%3d" target=3D"_blank">
http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html</a>, the c=
laim &#8220;azp&#8221; has already been registered by OpenID Connect Core at=

<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fww=
w.iana.org%2fassignments%2fjwt%2fjwt.xhtml&amp;data=3D01%7c01%7cMichael.Jones%=
40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7=
cd011db47%7c1&amp;sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQNsWHYzo%3d" =
target=3D"_blank">
http://www.iana.org/assignments/jwt/jwt.xhtml</a> and so cannot be re-regis=
tered.&nbsp; Given that I believe the intended semantics are the same, pleas=
e cite the existing definition in rjwtprof, rather than repeating it or revi=
sing it.</span><u></u><u></u></p><div><p class=3D"MsoNormal"><span style=3D"font=
-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">&nb=
sp;</span><u></u><u></u></p></div><p class=3D"MsoNormal"><span style=3D"font-siz=
e: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks,</span><u></u><u></u></p>=
<p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-family: Calibri, san=
s-serif; color: rgb(31, 73, 125);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; -- Mike</span><u></u><u></u></p><div><p class=3D"MsoNormal"><span st=
yle=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 1=
25);">&nbsp;</span><u></u><u></u></p></div><div><div style=3D"border:none;bord=
er-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class=3D"MsoNormal"><=
b><span style=3D"font-size: 10pt; font-family: Tahoma, sans-serif;">From:</spa=
n></b><span style=3D"font-size: 10pt; font-family: Tahoma, sans-serif;"> John =
Bradley [mailto:<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve=
7jtb.com</a>]
<br><b>Sent:</b> Wednesday, August 19, 2015 11:05 AM<br><b>To:</b> Nat Saki=
mura<br><b>Cc:</b> Mike Jones; OAuth WG<br><b>Subject:</b> Re: [OAUTH-WG] RS=
 as a client guidance</span><u></u><u></u></p></div></div><div><p class=3D"Mso=
Normal">&nbsp;<u></u><u></u></p></div><p class=3D"MsoNormal">Having two azp cl=
aims with slightly different definitions is not a good way to go, &nbsp;both=
 access tokens and id_tokens are JWT. &nbsp;&nbsp;<u></u><u></u></p><div><p =
class=3D"MsoNormal">For better or worse the claim was defined for bearer token=
s where it was only the identity of the requester that was able to be confir=
med by the token endpoint.<u></u><u></u></p></div><div><p class=3D"MsoNormal">=
It supported a simple use case where a refresh token is used by client A to =
use as an assertion at AS B. &nbsp;<u></u><u></u></p></div><div><p class=3D"Ms=
oNormal">In the simplest 3 party sase the requester of the token and the pre=
senter of the token are the same.&nbsp; However in some situations they are =
not the same.&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNormal">The imp=
ortant thing was to allow the &#8220;aud&#8221; recipient of the token to be=
 able to differentiate a token that it requested from a a token that a 3rd p=
arty requested and presented to
 it.<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u>=
</u></p></div></div><div><p class=3D"MsoNormal">The &#8220;azp&#8221; should p=
robably be left as it is and not tied to proof of possession/ binding the to=
ken to the presenter. &nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNormal=
">There was a lot of debate and back and forth on azp at the time, the main =
reason to include it was to warn normal Connect clients that JWT containing =
that azp claim need to have
 it&#8217;s value be them or someone they know and trust that can request a=
ssertions for them.&nbsp; That was because we knew that token containing tha=
t claim exist in the wild using that claim.<u></u><u></u></p></div><div><div=
><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div><div><blockquote s=
tyle=3D"margin-top:5.0pt;margin-bottom:5.0pt"><div><div><p class=3D"MsoNormal"><=
span style=3D"font-size:10.5pt"><a href=3D"https://na01.safelinks.protection.out=
look.com/?url=3Dhttps%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjw=
tprof-05&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9=
570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DVTIpHaqCd%=
2fmxrEfxKD8i5h5AzeWV5rsZC05oVOv73SA%3d" target=3D"_blank">https://tools.ietf.o=
rg/html/draft-sakimura-oauth-rjwtprof-05</a>&nbsp;should
 probably be using a different claim to reduce the confusion.</span><u></u>=
<u></u></p></div></div></blockquote><div><div><p class=3D"MsoNormal">&nbsp;<u>=
</u><u></u></p></div></div><p class=3D"MsoNormal">John B.<u></u><u></u></p><di=
v><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div><div><div><p=
 class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div><div><blockquote style=3D"mar=
gin-top:5.0pt;margin-bottom:5.0pt"><div><p class=3D"MsoNormal">On Aug 19, 2015=
, at 3:17 AM, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com" target=3D"_=
blank">sakimura@gmail.com</a>&gt; wrote:<u></u><u></u></p></div><div><p clas=
s=3D"MsoNormal">&nbsp;<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">S=
o, Mike,&nbsp;<u></u><u></u></p><div><div><p class=3D"MsoNormal">&nbsp;<u></u>=
<u></u></p></div></div><div><p class=3D"MsoNormal">Authorized Presenter is a d=
efined term in&nbsp;<b><u>Sender Constrained JWT for OAuth 2.0</u></b><u></u=
><u></u></p></div><div><p class=3D"MsoNormal"><span style=3D"font-size:10.5pt">(=
&nbsp;<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2=
f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=3D01%7c0=
1%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f98=
8bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZ=
C05oVOv73SA%3d" target=3D"_blank">https://tools.ietf.org/html/draft-sakimura-o=
auth-rjwtprof-05</a>&nbsp;).
 It is used in the context of OAuth 2.0 Access Token, not a claim in ID Tok=
en of OpenID Connect.&nbsp;</span><u></u><u></u></p></div><div><div><p class=
=3D"MsoNormal"><span style=3D"font-size:10.5pt">&nbsp;</span><u></u><u></u></p><=
/div></div><div><p class=3D"MsoNormal"><span style=3D"font-size:10.5pt">Nat</spa=
n><u></u><u></u></p></div></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u>=
<u></u></p></div><div><p class=3D"MsoNormal">2015-08-19 11:44 GMT+09:00 Mike J=
ones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michae=
l.Jones@microsoft.com</a>&gt;:<u></u><u></u></p><div><div><p class=3D"MsoNorma=
l"><span style=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: rg=
b(31, 73, 125);">Just as a point of clarification, the definition of the &#8=
220;azp&#8221; claim is not &#8220;</span>authorised presenter<span style=3D"f=
ont-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">=
&#8221;.&nbsp;
 At least as defined by OpenID Connect, its definition is:</span><u></u><u>=
</u></p><div><p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-family:=
 Calibri, sans-serif; color: rgb(31, 73, 125);">&nbsp;</span><u></u><u></u><=
/p></div><p class=3D"MsoNormal"><span lang=3D"EN" style=3D"font-family: Verdana, s=
ans-serif;">azp</span><u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-l=
eft:.5in"><span lang=3D"EN" style=3D"font-family: Verdana, sans-serif;">OPTIONAL=
. Authorized party - the party to which the ID Token was issued. If present,=
 it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only n=
eeded when the ID Token has a single audience
 value and that audience is different than the authorized party. It MAY be =
included even when the authorized party is the same as the sole audience. Th=
e
</span><span lang=3D"EN" style=3D"font-family:&quot;Courier New ;color:#003366&=
quot;,&quot;serif&quot;">azp</span><span lang=3D"EN" style=3D"font-family: Verda=
na, sans-serif;"> value is a case sensitive string containing a StringOrURI =
value.
</span><u></u><u></u></p><div><p class=3D"MsoNormal"><span style=3D"font-size: =
11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">&nbsp;</sp=
an><u></u><u></u></p></div><p class=3D"MsoNormal"><span style=3D"font-size: 11pt=
; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">A reference to=
 this definition is registered by OpenID Connect Core
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fop=
enid.net%2fspecs%2fopenid-connect-core-1_0.html&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91=
ab2d7cd011db47%7c1&amp;sdata=3D3e6US9sxQoQVejthrxO%2fo%2bvdltE%2fBUj1NUSMBk6vO=
S0%3d" target=3D"_blank">
http://openid.net/specs/openid-connect-core-1_0.html</a> in the IANA &#8220=
;<a name=3D"14f4897faa902e69_14f4740ad86636a6_14f43d7ce3c1c74b_claims"></a>JSO=
N Web Token Claims&#8221; registry at
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fww=
w.iana.org%2fassignments%2fjwt%2fjwt.xhtml&amp;data=3D01%7c01%7cMichael.Jones%=
40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7=
cd011db47%7c1&amp;sdata=3DkijVXFcn2du2Ha5xvX%2bTgwohVGOl%2fxmryplQNsWHYzo%3d" =
target=3D"_blank">
http://www.iana.org/assignments/jwt/jwt.xhtml</a>.</span><u></u><u></u></p>=
<div><p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-family: Calibri=
, sans-serif; color: rgb(31, 73, 125);">&nbsp;</span><u></u><u></u></p></div=
><p class=3D"MsoNormal"><span style=3D"font-size: 11pt; font-family: Calibri, sa=
ns-serif; color: rgb(31, 73, 125);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp; -- Mike</span><u></u><u></u></p><div><p class=3D"MsoNormal"><span s=
tyle=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, =
125);">&nbsp;</span><u></u><u></u></p></div><p class=3D"MsoNormal"><b><span st=
yle=3D"font-size: 10pt; font-family: Tahoma, sans-serif;">From:</span></b><spa=
n style=3D"font-size: 10pt; font-family: Tahoma, sans-serif;"> OAuth [mailto:<=
a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.or=
g</a>]
<b>On Behalf Of </b>Nat Sakimura<br><b>Sent:</b> Tuesday, August 18, 2015 7=
:37 PM<br><b>To:</b> Adam Lewis<br><b>Cc:</b> OAuth WG<br><b>Subject:</b> Re=
: [OAUTH-WG] RS as a client guidance</span><u></u><u></u></p><div><div><div>=
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNormal"=
>It is not directly, but&nbsp;<b><u>Sender Constrained JWT for OAuth 2.0</u>=
</b><u></u><u></u></p><div><p class=3D"MsoNormal">(
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f%2ft=
ools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&amp;data=3D01%7c01%7cM=
ichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86=
f141af91ab2d7cd011db47%7c1&amp;sdata=3DVTIpHaqCd%2fmxrEfxKD8i5h5AzeWV5rsZC05oV=
Ov73SA%3d" target=3D"_blank">
https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05</a> )<u></u><u=
></u></p></div><div><p class=3D"MsoNormal">talks about a model that allows it.=
&nbsp;<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u=
></u></p></div></div><div><p class=3D"MsoNormal">In essence, it uses a structu=
red access token that is sender constrained.&nbsp;<u></u><u></u></p></div><d=
iv><p class=3D"MsoNormal">It as a claim "azp" which stands for authorised pres=
enter.&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNormal">To be used, th=
e "client" has to present a proof that it is indeed the party pointed by "az=
p".&nbsp;<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u=
><u></u></p></div></div><div><p class=3D"MsoNormal">In your case, the native m=
obile app obtains the structured access token&nbsp;<u></u><u></u></p></div><=
div><p class=3D"MsoNormal">with "azp":"the_RS". Since "azp" is not pointing to=
 the mobile app,&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNormal">the =
mobile app cannot use it.&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoNor=
mal">The mobile app then ships it to the RS.&nbsp;<u></u><u></u></p></div><d=
iv><p class=3D"MsoNormal">The RS can now use it since the "azp" points to it.&=
nbsp;<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u>=
</u></p></div></div><div><p class=3D"MsoNormal">In general, shipping a bearer =
token around is a bad idea.&nbsp;<u></u><u></u></p></div><div><p class=3D"MsoN=
ormal">If you want to do that, I think you should do so with a sender constr=
ained token.&nbsp;<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nb=
sp;<u></u><u></u></p></div></div><div><p class=3D"MsoNormal">Nat<u></u><u></u>=
</p></div><div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div>=
</div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div></d=
iv></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div><div><=
p class=3D"MsoNormal">2015-08-13 2:01 GMT+09:00 Adam Lewis &lt;<a href=3D"mailto=
:adam.lewis@motorolasolutions.com" target=3D"_blank">adam.lewis@motorolasoluti=
ons.com</a>&gt;:<u></u><u></u></p><div><p class=3D"MsoNormal">Hi,<u></u><u></u=
></p><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div><div=
><p class=3D"MsoNormal">Are there any drafts that discuss the notion of an RS =
acting as a client? I'm considering the use case whereby a native mobile app=
 obtains an access token and sends it to the RS,
 and then the RS uses it to access the UserInfo endpoint on an OP. &nbsp;<u=
></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p=
></div></div><div><p class=3D"MsoNormal">It's a bearer token so no reason it w=
ouldn't work, but obviously it is meant to be presented by the client and no=
t the RS.&nbsp; Curious to understand the security implications of this,
 read on any thoughts given to this, or to know if it's an otherwise accept=
ed practice.<u></u><u></u></p></div><div><div><p class=3D"MsoNormal">&nbsp;<u>=
</u><u></u></p></div></div><div><p class=3D"MsoNormal">tx<u></u><u></u></p></d=
iv><div><p class=3D"MsoNormal"><span style=3D"color:#888888">adam</span><u></u><=
u></u></p></div></div><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>=

_______________________________________________<br>
OAuth mailing list<br><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth=
@ietf.org</a><br><a href=3D"https://na01.safelinks.protection.outlook.com/?url=
=3Dhttps%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7c=
Michael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf8=
6f141af91ab2d7cd011db47%7c1&amp;sdata=3DLjPpTGV4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1=
BCqvMlw%3d" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><=
u></u><u></u></p></div><p class=3D"MsoNormal"><br><br clear=3D"all"><u></u><u></=
u></p><div><div><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div><p =
class=3D"MsoNormal">--
<u></u><u></u></p><div><p class=3D"MsoNormal">Nat Sakimura (=3Dnat)<u></u><u></=
u></p><div><p class=3D"MsoNormal">Chairman, OpenID Foundation<br><a href=3D"http=
s://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sakimura.org=
%2f&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd957090=
8d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DHNVIwuDJAOWxfWy=
duzov8RK%2fZKG17xQnYZVFWv94oqY%3d" target=3D"_blank">http://nat.sakimura.org/<=
/a><br>
@_nat_en<u></u><u></u></p></div></div></div></div></div></div></div></div><=
p class=3D"MsoNormal"><br><br clear=3D"all"><u></u><u></u></p><div><div><p class=
=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div><p class=3D"MsoNormal">--
<u></u><u></u></p><div><p class=3D"MsoNormal">Nat Sakimura (=3Dnat)<u></u><u></=
u></p><div><p class=3D"MsoNormal">Chairman, OpenID Foundation<br><a href=3D"http=
s://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fnat.sakimura.org=
%2f&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd957090=
8d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DHNVIwuDJAOWxfWy=
duzov8RK%2fZKG17xQnYZVFWv94oqY%3d" target=3D"_blank">http://nat.sakimura.org/<=
/a><br>
@_nat_en<u></u><u></u></p></div></div></div><p class=3D"MsoNormal">__________=
_____________________________________<br>
OAuth mailing list<br><a>OAuth@ietf.org</a><br><a href=3D"https://na01.safeli=
nks.protection.outlook.com/?url=3Dhttps%3a%2f%2fwww.ietf.org%2fmailman%2flisti=
nfo%2foauth&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324=
dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DLjPpTGV=
4iGtx1SQKfz%2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d" target=3D"_blank">https://www.ietf.=
org/mailman/listinfo/oauth</a><u></u><u></u></p></div></blockquote></div><di=
v><p class=3D"MsoNormal">&nbsp;<u></u><u></u></p></div></div></div></div></div=
></div><p class=3D"MsoNormal"><br><br>
-- <br>
Nat Sakimura (=3Dnat) <u></u><u></u></p><div><p class=3D"MsoNormal">Chairman, O=
penID Foundation<br><a href=3D"https://na01.safelinks.protection.outlook.com/?=
url=3Dhttp%3a%2f%2fnat.sakimura.org%2f&amp;data=3D01%7c01%7cMichael.Jones%40micr=
osoft.com%7c8fc7f0da91324dd9570908d2a8f94fc1%7c72f988bf86f141af91ab2d7cd011d=
b47%7c1&amp;sdata=3DHNVIwuDJAOWxfWyduzov8RK%2fZKG17xQnYZVFWv94oqY%3d" target=3D"=
_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p></div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></=
p></div></blockquote></div><p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p></di=
v><p class=3D"MsoNormal"><br><br><br><u></u><u></u></p><pre>__________________=
_____________________________<u></u><u></u></pre><pre>OAuth mailing list<u><=
/u><u></u></pre><pre><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@i=
etf.org</a><u></u><u></u></pre><pre><a href=3D"https://na01.safelinks.protecti=
on.outlook.com/?url=3Dhttps%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&=
amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c8fc7f0da91324dd9570908d2a=
8f94fc1%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DLjPpTGV4iGtx1SQKfz%=
2bsYv3ZdxEqyoTXrCd1BCqvMlw%3d" target=3D"_blank">https://www.ietf.org/mailman/=
listinfo/oauth</a><u></u><u></u></pre></blockquote><p class=3D"MsoNormal"><u><=
/u>&nbsp;<u></u></p></div></div></blockquote></div><p class=3D"MsoNormal"><u><=
/u>&nbsp;<u></u></p></div></div></div></div></div><br>______________________=
_________________________<br>
OAuth mailing list<br><a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br=
><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" targ=
et=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br><br></blockqu=
ote></div><br><br clear=3D"all"><div><br></div>-- <br><div class=3D"gmail_signat=
ure">Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://=
nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_en<=
/div></div></div>
_______________________________________________
OAuth mailing list
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</span></body></html>

--B_3522909365_20073344--
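The thread above turns on how a recipient should treat the "azp" claim: Mike quotes the Connect definition (the party to which the token was issued, holding its client_id, only needed when a single audience differs from the authorized party), John explains that the original purpose was to let the "aud" recipient tell a token it requested from one a third party requested and presented, and that the value must be the recipient itself or a party it knows and trusts, and Nat uses it to name the authorized presenter of a sender-constrained access token. The following is an added example, not code from any message in this thread nor from OpenID Connect Core or draft-sakimura-oauth-rjwtprof; it shows a recipient-side check that applies exactly that policy after verifying the token's signature. All identifiers (op.example, app.example, rs.example, userinfo.example) and the shared HS256 demo secret are constructed for the demo. It does not model the proof that the presenter really is the "azp" party; that sender-constraint check sits on top of what is shown here.

```python
"""Recipient-side check of "aud" and "azp" in a presented JWT.

Constructed example: the issuer side (mint_jwt) and the recipient side
(verify_jwt, accept_presented_token) share a demo HS256 secret. Every
identifier below (op.example, rs.example, ...) is made up for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-shared-secret-not-for-production"  # constructed, demo only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issuer side: produce an HS256 compact JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Recipient side: check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the recipient decides what it accepts, not the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def accept_presented_token(token, my_id, trusted_requesters, now=None, secret=DEMO_SECRET):
    """Decide whether `my_id` should accept a token presented to it.

    Policy, following the thread's reading of the Connect "azp" definition:
      * "aud" must name this recipient;
      * an absent "azp" means the token was requested by its audience;
      * a present "azp" must be this recipient or a party it knows and
        trusts to request tokens on its behalf.
    Proof that the presenter really is the "azp" party (sender
    constraint) is a separate check and is not modelled here.
    Returns (accepted, reason).
    """
    try:
        claims = verify_jwt(token, secret)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "rejected: token expired"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_id not in audiences:
        return False, "rejected: aud does not name this recipient"
    azp = claims.get("azp")
    if azp is None:
        return True, "accepted: no azp, so the audience itself requested the token"
    if not isinstance(azp, str):
        return False, "rejected: azp must be a StringOrURI"
    if azp == my_id:
        return True, "accepted: azp is this recipient"
    if azp in trusted_requesters:
        return True, f"accepted: azp {azp} is a trusted requester"
    return False, f"rejected: azp {azp} is neither this recipient nor trusted"


def run_demo(now=1_440_000_000):
    """Walk through the thread's scenarios with constructed tokens; returns the verdicts."""
    exp = now + 600
    # Token the mobile app obtained for itself (aud = the app, no azp).
    app_token = mint_jwt({"iss": "op.example", "aud": "app.example", "exp": exp})
    # Token issued with the RS as authorized presenter; audience is the OP's UserInfo.
    rs_token = mint_jwt({"iss": "op.example", "aud": "userinfo.example", "azp": "rs.example", "exp": exp})
    # Same shape, but azp names a party UserInfo has never heard of.
    unknown_token = mint_jwt({"iss": "op.example", "aud": "userinfo.example", "azp": "other.example", "exp": exp})
    # Tamper test vector: payload replaced while the old signature is kept.
    h, _, s = rs_token.split(".")
    forged = f"{h}.{b64url(json.dumps({'aud': 'userinfo.example', 'azp': 'other.example', 'exp': exp}).encode())}.{s}"
    return {
        "app presents own token to app": accept_presented_token(app_token, "app.example", set(), now),
        "app forwards its token to the RS": accept_presented_token(app_token, "rs.example", set(), now),
        "RS presents azp=rs token to UserInfo": accept_presented_token(rs_token, "userinfo.example", {"rs.example"}, now),
        "unknown azp at UserInfo": accept_presented_token(unknown_token, "userinfo.example", {"rs.example"}, now),
        "tampered payload": accept_presented_token(forged, "userinfo.example", {"rs.example"}, now),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in run_demo().items():
        print(f"{scenario:40s} -> {ok} ({why})")
```

The "app forwards its token to the RS" case is Adam's original question in bearer form: the RS is not in "aud", so a recipient that checks audience rejects it outright, which is why Nat points to a sender-constrained token whose "azp" names the RS instead. The trusted_requesters set is the recipient's own configuration of parties it allows to request tokens on its behalf; it is deliberately a separate input rather than something read from the token.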




From nobody Thu Aug 20 06:39:48 2015
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87F711ACE67 for <oauth@ietfa.amsl.com>; Thu, 20 Aug 2015 06:39:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2zcggqcM67b for <oauth@ietfa.amsl.com>; Thu, 20 Aug 2015 06:39:39 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FCE71ACE6C for <oauth@ietf.org>; Thu, 20 Aug 2015 06:39:39 -0700 (PDT)
Received: by oiew67 with SMTP id w67so22697653oie.2 for <oauth@ietf.org>; Thu, 20 Aug 2015 06:39:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=a3f3O3KuG8jDawTGHOeFArBHMOgAsIs/LoOrqDq8GtE=; b=QwzW6vZtIkzNYsfbQIWomPwZCErSlKUt4S6bgoxnyz5Wv3NzzFv4zwuQlxnV43z4Ns 7QwtAOhxtyzbdAavm1en6+nrg7Zd6Zsi8zD2Vz3KS2lT59VCypb5ODtttPTJOwKEOfYB 0f1Zx7g5zOfuJYf01BSEdq/ieR+qWr13iWqaukCjxGmqoyhAq4Jd8n3/W2vGW95WNrUS ngAKbFWeXbMkvQmeDUAOwh/0uMFTAPmuUhfLwJJ2VCV0O5xOUzkvAJrhvNlpH7rFHhe0 z2a+YqexJHhl7pCBnxQ9f5se5eF4QMPRfyCPfiWRrJtsLPmzu7QIP4y0Rg/rGCu4O09K 9Ogw==
MIME-Version: 1.0
X-Received: by 10.202.230.70 with SMTP id d67mr2671180oih.14.1440077978653; Thu, 20 Aug 2015 06:39:38 -0700 (PDT)
Received: by 10.182.96.66 with HTTP; Thu, 20 Aug 2015 06:39:38 -0700 (PDT)
In-Reply-To: <BY2PR03MB4424D9473EB965A3E6153ADF5660@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABzCy2CRdmH35z5b=oL4sE9qJd=t_xCcg=Fds_orrgtYL2KeNw@mail.gmail.com> <BY2PR03MB44209EC64A7DCD857F52D22F57F0@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2AkYccxz6LSTi19zZB9V8LUoBJ6rBugf0T2n=3n9gBjSQ@mail.gmail.com> <BY2PR03MB4424D9473EB965A3E6153ADF5660@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Thu, 20 Aug 2015 22:39:38 +0900
Message-ID: <CABzCy2De_LMo4nOjvOWaVz6CcW7+qtJvn0i9X_ZtZ4P6XfD=Zw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a114075c65dde21051dbe48ce
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1F2svZNx3j6Mq1rCmjwffYWEL48>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 13:39:47 -0000

--001a114075c65dde21051dbe48ce
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Sorry, I'm completely sold out till then...
I could do it over the weekend.

On Thursday, August 20, 2015, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Privacy Consideration
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> It is missing privacy consideration. It is not required per se, but since
> Key Confirmation method with ephemeral key can be less privacy intrusive
> compared to other sender confirmation method so adding some text around i=
t
> may be a good idea.
>
>
>
> Can you supply some specific proposed text for -04?
>
>
>
> When do you expect -04?
>
> Depending on it, I may be able to.
>
>
>
> I expect to work on this on my Friday morning =E2=80=93 1.5 days from now=
.
>
>
>
>                                                                 Best
> wishes,
>
>                                                                 -- Mike
>
>
>


--=20
Nat Sakimura (=3Dnat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--001a114075c65dde21051dbe48ce--


From flowersinthesand@gmail.com  Thu Aug 20 07:15:42 2015
Date: Thu, 20 Aug 2015 23:15:40 +0900
Message-ID: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/cUQH2TSgFCK3bD35Wy9RmfxsWSk>
Subject: [OAUTH-WG] Is it allow to add custom attribute to access token response?


Hi,

I would like to add a custom property representing the account that just
authenticated to the access token response, for the sake of convenience, like
a login request's response. Then, an exchange of request and response will
look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}


However http://tools.ietf.org/html/rfc6749#section-5.1 says that

> The client MUST ignore unrecognized value names in the response.

Does it mean that I shouldn't add such a property, 'account'? Though I saw the
Instagram API adds such a custom property to the access token response for the
same purpose at https://instagram.com/developer/authentication/ (please search
for 'snoopdogg' to see that token response). If it's not allowed or
desirable, how should I add such information to the access token response?

BTW, I have some questions on usage of JSON web token with OAuth. Can I
post them here? If not, where should I do that?

Thanks,

-- Donghawn



From nobody Fri Aug 21 09:25:12 2015
Date: Fri, 21 Aug 2015 16:25:07 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: Donghwan Kim <flowersinthesand@gmail.com>,  "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <1321929189.8689226.1440174307997.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/KgS2kIvU3EMNsUfgBAMFRIek--4>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?


You can do your own extension in your own app, just don't expect anyone else
to use it. Not understanding why you want this though, because you already had
a username in the request so the client should know.

Take a look at the Token Introspection stuff, it might solve this for you a
different way if I am guessing right on what you're trying to do.


     On Friday, August 21, 2015 8:43 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:


 Hi,

I would like to add a custom property representing the account that just
authenticated to the access token response, for the sake of convenience, like
a login request's response. Then, an exchange of request and response will
look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}

However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> The client MUST ignore unrecognized value names in the response.
Does it mean that I shouldn't add such a property, 'account'? Though I saw the
Instagram API adds such a custom property to the access token response for the
same purpose at https://instagram.com/developer/authentication/ (please search
for 'snoopdogg' to see that token response). If it's not allowed or desirable,
how should I add such information to the access token response?
BTW, I have some questions on usage of JSON web token with OAuth. Can I post
them here? If not, where should I do that?
Thanks,

-- Donghawn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



From nobody Fri Aug 21 09:34:35 2015
In-Reply-To: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Aug 2015 09:34:12 -0700
Message-ID: <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/27xrS0vYeW1zK9c91TDIcz9sE3g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?


You can add additional parameters.

"The client MUST ignore unrecognized value names in the response" is there
so that other clients who don't understand your parameters will ignore
them. That line basically enables the behavior you wanted (if it said the
client must *error* on unrecognized values, that would be a problem).

It would be best if you tried to name your params to be hardened against
collision with any future extensions to OAuth/OpenID Connect (e.g., adding
a vendor prefix).

On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthesand@gmail.com>
wrote:

> Hi,
>
> I would like to add a custom property representing the account that just
> authenticated to the access token response, for the sake of convenience, like
> a login request's response. Then, an exchange of request and response will
> look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such a property, 'account'? Though I saw the
> Instagram API adds such a custom property to the access token response for the
> same purpose at https://instagram.com/developer/authentication/ (please search
> for 'snoopdogg' to see that token response). If it's not allowed or
> desirable, how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>



From nobody Fri Aug 21 09:35:59 2015
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
Date: Fri, 21 Aug 2015 13:35:48 -0300
Message-Id: <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RydCjnhAXMQYDPfErZOKlEA1Pu8>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?


Requests to the token endpoint are URL form encoded, not JSON as in your
example.

The use of the password credentials grant was to allow migration from
HTTP basic, but it is not recommended for privacy and security reasons.

OpenID Connect is a better way to authenticate users.

However, assuming you have a closed system and don't care about
interoperability between clients and the Token endpoint, you could just
add that parameter to your AS and the world will not end.

If you want to have interoperable clients then you should register the
new element in the IANA registry, Sec 11.2 of the spec.

   Parameter name:
      The name requested (e.g., "username").

   Parameter usage location:
      token response.

   Change controller:
      For Standards Track RFCs, state "IETF".  For others, give the name
      of the responsible party.  Other details (e.g., postal address,
      email address, home page URI) may also be included.

You need to have a specification to do that.

I don't see this as a good idea, but that is how you would do it.

Regards
John B.


> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> 
> Hi,
> 
> I would like to add a custom property representing the account that just
> authenticated to the access token response, for the sake of convenience, like
> a login request's response. Then, an exchange of request and response will
> look like this:
> 
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
> 
> {"grant_type":"password","username":"${username}","password":"${password}"}
> 
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
> 
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
> 
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> 
> > The client MUST ignore unrecognized value names in the response.
> 
> Does it mean that I shouldn't add such a property, 'account'? Though I saw the
> Instagram API adds such a custom property to the access token response for the
> same purpose at https://instagram.com/developer/authentication/ (please search
> for 'snoopdogg' to see that token response). If it's not allowed or
> desirable, how should I add such information to the access token response?
> 
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
> 
> Thanks,
> 
> -- Donghawn
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_F0296538-3024-4797-8488-636E3E71983D--

--Apple-Mail=_8B02DE96-6F6B-49EB-A77A-229430E72280--


From nobody Fri Aug 21 09:38:41 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8B901AC42D for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML9xL-tyP8Lw for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:38:37 -0700 (PDT)
Received: from mail-qk0-f180.google.com (mail-qk0-f180.google.com [209.85.220.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E7E31AC41B for <oauth@ietf.org>; Fri, 21 Aug 2015 09:38:37 -0700 (PDT)
Received: by qkfh127 with SMTP id h127so34517365qkf.1 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:38:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=VvZXbcht9eHZbSkUdLUYOnCiqgY/L2HpZVI7p8I31No=; b=Suv6W++EsmbHvOwP898N0TsMxSIw1rxL1ERC8P7YI1IGsldnX+Q+7FbuF1AeLlLKJm dYAkm8UKEXFqBJtUf787PG7UMY0GAipPvnvgZQ8UpEA2nWsg1pEAj2zuZxsoObeFLZ7C rW7IqpRRcEE1fmjiu3T/Xtix7uVI0i6zCLoJyL0EYIC+7AhVdBpB7GdmgXPhpqEE7QvW v9M/VU5v8wwutYsKyXBHvRJPtxtxVa7VJj0Muhc403lu3an8SVrVCD4KBxdBWt9vi50q IO+HlsnqCxiYM77S2bx5RoGbtSx7tTe23G+yzmKNHPARZ7c+oRBGf2DLMnSfp442R8bU W7cQ==
X-Gm-Message-State: ALoCoQkKYKfOEnwN8R5ZEnDmA0c9IrjA16QBRvxL1szfuBv1JPTCDknMv9dV5/HOfdSCYFnaPv/e
X-Received: by 10.55.31.225 with SMTP id n94mr19593273qkh.17.1440175116631; Fri, 21 Aug 2015 09:38:36 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.146.234]) by smtp.gmail.com with ESMTPSA id 42sm4672457qgf.42.2015.08.21.09.38.34 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Aug 2015 09:38:35 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_35EE3080-7EA3-4CDC-938B-C070A9182B65"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
Date: Fri, 21 Aug 2015 13:38:33 -0300
Message-Id: <3AAE1F6E-1440-4086-8D31-911AFBC4310A@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/pk7XQDrrivBk4vPVnhvM0lkk3fk>
Cc: Donghwan Kim <flowersinthesand@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 16:38:40 -0000

--Apple-Mail=_35EE3080-7EA3-4CDC-938B-C070A9182B65
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_4FEC95F3-4381-4388-A523-90DF6DA5D683"


--Apple-Mail=_4FEC95F3-4381-4388-A523-90DF6DA5D683
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Yes, going the unregistered route it is probably best to use a name in your namespace, e.g. “com.example:username”.


> On Aug 21, 2015, at 1:34 PM, William Denniss <wdenniss@google.com> wrote:
>
> You can add additional parameters.
>
> "The client MUST ignore unrecognized value names in the response" is there so that other clients who don't understand your parameters will ignore them. That line basically enables the behavior you wanted (if it said the client must *error* on unrecognized values, that would be a problem).
>
> It would be best if you tried to name your params to be hardened against collision with any future extensions to OAuth/OpenID Connect (e.g., adding a vendor prefix).
>
> On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> Hi,
>
> I would like to add a custom property representing the account who just authenticated to the access token response for the sake of convenience, like a login request's response. Then, an exchange of request and response will look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such a property, 'account'? Though, I saw the Instagram API adds such a custom property to the access token response for the same purpose, from https://instagram.com/developer/authentication/ (Please find 'snoopdogg' to see that token response.) If it's not allowed or desirable, how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_4FEC95F3-4381-4388-A523-90DF6DA5D683--

--Apple-Mail=_35EE3080-7EA3-4CDC-938B-C070A9182B65--
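The corrections made in this thread, as an added example that is none of the participants' code: the password-grant request is form-encoded, which John Bradley notes the token endpoint requires instead of JSON; the client-side parser keeps the RFC 6749 section 5.1 members and ignores unrecognized names, as William Denniss describes; and the account name is carried under the namespaced parameter "com.example:username" that John suggests. The "com.example:" prefix, the helper names and every request and response value are assumptions constructed for the example.

```python
"""Added example (not code from the thread): a token request sent
form-encoded rather than JSON (RFC 6749 section 4.3.2), a response parser
that keeps the section 5.1 members and ignores the rest, and an account
name carried under an assumed vendor prefix "com.example:"."""
import json
from urllib.parse import parse_qs, urlencode

# Member names RFC 6749 section 5.1 defines for a successful token response.
STANDARD_RESPONSE_NAMES = frozenset(
    {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
)
# Vendor namespace assumed for this example (the style John Bradley suggests).
VENDOR_PREFIX = "com.example:"


class TokenResponseError(ValueError):
    """A token response that violates RFC 6749 section 5.1."""


def build_password_grant_body(username, password, scope=None):
    """Client side: form-encode a resource owner password credentials grant.

    The token endpoint consumes application/x-www-form-urlencoded bodies,
    so the JSON body in the original question would not be understood.
    """
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return urlencode(fields)


def parse_token_request(content_type, body):
    """Authorization-server side: accept only a form-encoded password grant."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        raise ValueError("token requests must be application/x-www-form-urlencoded")
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if fields.get("grant_type") != "password":
        raise ValueError("unsupported grant_type")
    if not fields.get("username") or not fields.get("password"):
        raise ValueError("username and password are required")
    return fields


def build_token_response(access_token, username, expires_in=3600):
    """Authorization-server side: section 5.1 response plus a namespaced member.

    Returns (headers, body). The account name travels as "com.example:username"
    so it cannot collide with a future registered parameter; the Cache-Control
    and Pragma headers section 5.1 requires keep the token out of caches.
    """
    headers = {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    body = json.dumps({
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": expires_in,
        VENDOR_PREFIX + "username": username,
    })
    return headers, body


def parse_token_response(body):
    """Client side: validate a token response and drop unrecognised members.

    Unrecognised names are ignored, as section 5.1 requires, so an unprefixed
    extension such as "account" is silently lost. Members under our own vendor
    prefix come back in "extensions"; dropped names are listed in "ignored".
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")
    for required in ("access_token", "token_type"):
        if not isinstance(data.get(required), str) or not data[required]:
            raise TokenResponseError(f"missing required member {required!r}")
    if data["token_type"].lower() != "bearer":
        raise TokenResponseError(f"unsupported token_type {data['token_type']!r}")
    result = {name: data[name] for name in STANDARD_RESPONSE_NAMES if name in data}
    result["extensions"] = {
        name[len(VENDOR_PREFIX):]: value
        for name, value in data.items() if name.startswith(VENDOR_PREFIX)
    }
    result["ignored"] = sorted(
        name for name in data
        if name not in STANDARD_RESPONSE_NAMES and not name.startswith(VENDOR_PREFIX)
    )
    return result
```

Feeding the thread's original response (with an unprefixed "account" member) through parse_token_response shows the point of the RFC text: the member is dropped without error, which is why a namespaced name is the only way such data reliably reaches a client that knows to look for it.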


From nobody Fri Aug 21 09:41:33 2015
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D30C61AC417 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.209
X-Spam-Level: 
X-Spam-Status: No, score=-2.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50qJmf5KlitV for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:41:29 -0700 (PDT)
Received: from nm7.bullet.mail.bf1.yahoo.com (nm7.bullet.mail.bf1.yahoo.com [98.139.212.166]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31EF61AC410 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:41:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1440175288; bh=0o/tpc6clAkpwsCf0knFI56dWFmSR61IbKoQdnLfgY4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=MZKqLX8EBNKCWttazHBU3ERKnbVJL2X4t3mepei4Qz9+tbutZp8ebbqQjoUNZC11qAA19D+E4fuhRxUo1x87wKk+BN5+y2c2iSDZaM1Ik8RJUe6Lm8m668bPB2v9aML4I3tjxHb+bYBWR25dE28J1/fQw0q6gz0TeCEQL7f7OPe58j2hfj5DthS40FcmZERGy00bejyNZtU8HRlLyOYdRSOHpU5P7vgLyO0ky4QPlOOxUOwe0wd+MWO95FwYMU1Zpauso3O/M9PMWoWzFeaCvJNNpwpwJ/2nv9yWzNd5wHdnTIaZxmXHQ1wO7H/y1Qk2mXuO52vHd2mZFqstjRupaQ==
Received: from [98.139.214.32] by nm7.bullet.mail.bf1.yahoo.com with NNFMP; 21 Aug 2015 16:41:28 -0000
Received: from [98.139.212.217] by tm15.bullet.mail.bf1.yahoo.com with NNFMP;  21 Aug 2015 16:41:28 -0000
Received: from [127.0.0.1] by omp1026.mail.bf1.yahoo.com with NNFMP; 21 Aug 2015 16:41:28 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 331288.13212.bm@omp1026.mail.bf1.yahoo.com
X-YMail-OSG: ULvofRsVM1mc9EwHor.YMCPylWvAhAI0hgWxjWYCnZxKlxyEXMGEoyczMqq2hty Cj71z3hkFJk69N.RFBKc8S_Hn5m.CTyp7mPAGV61xWraHYO86k0zpf.qa1C9Xg43TQM0wRGPU78e 1j_F15KnIJfxaLXzOdAfKUWjR3TSAEWJu5xYkOPaCJeJruE3zEGD7wOM4iIUaQYly2.rdXFEM06A TnjrJ26OZULj3nDYoMS7hI1VT0HKdSkdBwmG_YNtlXqeuFNaNkRQO1pOI_kJaSF0Leja3SEVm_mE EVlf3s8r1d5SaqNmle8ioxXA.bBl0MWSM4o.9GxAq7WV3SH2RDhDCVaufsd13h_ZP4f0KgzoyKI9 rS9gJBj9qxFSMUNBDIvFcGjBIWeMgoM9aWYPYaeoT5Caaaer3xBkdf.dcQKxjlsSuILrb_P6kCyK 3r9fCjqCAmSRV_TUZ_vXDoUoQm2yVc3oRCLmrguJ5uAoEHz6NvWpUJhIHP7StIUicauMnwGuuRCF ry_IMU7t9xA--
Received: by 76.13.26.107; Fri, 21 Aug 2015 16:41:27 +0000 
Date: Fri, 21 Aug 2015 16:41:21 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>, William Denniss <wdenniss@google.com>
Message-ID: <40935351.8157372.1440175281185.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <3AAE1F6E-1440-4086-8D31-911AFBC4310A@ve7jtb.com>
References: <3AAE1F6E-1440-4086-8D31-911AFBC4310A@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_8157371_734855184.1440175281174"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gqCjDzt5kqFEbS1NUMitHUG82Eg>
Cc: Donghwan Kim <flowersinthesand@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 16:41:32 -0000

------=_Part_8157371_734855184.1440175281174
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

And as John said, if you are doing user authentication, use OpenID instead.


On Friday, August 21, 2015 9:38 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:


Yes, going the unregistered route it is probably best to use a name in your namespace, e.g. “com.example:username”.


On Aug 21, 2015, at 1:34 PM, William Denniss <wdenniss@google.com> wrote:
You can add additional parameters.
"The client MUST ignore unrecognized value names in the response" is there so that other clients who don't understand your parameters will ignore them. That line basically enables the behavior you wanted (if it said the client must *error* on unrecognized values, that would be a problem).

It would be best if you tried to name your params to be hardened against collision with any future extensions to OAuth/OpenID Connect (e.g., adding a vendor prefix).
On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:

Hi,

I would like to add a custom property representing the account who just authenticated to the access token response for the sake of convenience, like a login request's response. Then, an exchange of request and response will look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json
{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}

However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> The client MUST ignore unrecognized value names in the response.
Does it mean that I shouldn't add such a property, 'account'? Though, I saw the Instagram API adds such a custom property to the access token response for the same purpose, from https://instagram.com/developer/authentication/ (Please find 'snoopdogg' to see that token response.) If it's not allowed or desirable, how should I add such information to the access token response?
BTW, I have some questions on usage of JSON web token with OAuth. Can I post them here? If not, where should I do that?
Thanks,

-- Donghawn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





  
------=_Part_8157371_734855184.1440175281174--


From nobody Fri Aug 21 09:42:34 2015
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 589411AC41F for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:42:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level: 
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lI21PkVCz0N4 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:42:30 -0700 (PDT)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 705B41AC418 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:42:30 -0700 (PDT)
Received: by ykbi184 with SMTP id i184so75870723ykb.2 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:42:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=EJcx5ec6RbNiTsXnBYKdTjVhP6JHwm1ZR92n+7RcHdI=; b=RKSLKdHKS+nE2KuyeUGe16t8iG7Hj/Jypx4Ow0sLNtI/rv3aqKjYKepU82OKMrmbVh xfs1so17EO0yCzDXIdZIUu2yUKBqahSDa3FPBtmFQV+RDgcKEV+JdivBGCy/y+vXAYmn kMzh+kI4aLy7gCuxCAzlhi+SXzVMmgToWUxoVbz0zsmhB90R7tLvflYNPOyMS0skF/7/ M4t5OjuHS28EunoS45k6wSA0t8SSt0S4Wt9AYtO8JTP6LXh41iceYJ43daI/1qh5D+4m FdYHOu7/spw9Uj/OlkXJAg4uyCvi0Cp/RXyaL7VJjdqLJFPKfqVvgHy+bAWUp4rgbKj2 +qyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=EJcx5ec6RbNiTsXnBYKdTjVhP6JHwm1ZR92n+7RcHdI=; b=m/+YJ00l0Z53X/0Wic0RlEVnrSQAR1yjpOuzcvBjvuQdpaNPTB6U6fk3LZAmmzVyHI EHhpHldaIL/NHFD4PboMRezryflfdOCQGvhVzgmwR/pbkwnOqyriEQp17EBZfvtpsxyL FoidDqzb37n1ZXAHQaoe1Z3tI3Z2gJ2BwDZkj6Qm0aiR83zuAod82Lxc0H4veGQYAmAm ++A6rn7sE0PfCyf+F1MgFNwW1ETbUGDAu3PJ+jW/SSi0ckgGD4NmXY8mUEd+pYdrKxsy CUP9E3XXSwlaX0+NgKzYJbGcsmwpP865iAoEj/BIPjBm21KvD+Gf8wgfa0swVaMqTCOn IDXQ==
X-Gm-Message-State: ALoCoQlYyBlHevTjiHiAlO5Koep4EVSgpfG24a4EaNlrJEOWA2Y9Gw5R3Spxjuk5tclMc9Z4BELA
X-Received: by 10.13.198.71 with SMTP id i68mr12274248ywd.149.1440175349554; Fri, 21 Aug 2015 09:42:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.39.196 with HTTP; Fri, 21 Aug 2015 09:42:10 -0700 (PDT)
In-Reply-To: <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Aug 2015 09:42:10 -0700
Message-ID: <CAAP42hBa71xpCX9Zwm6bdfMYSur4JxGvLtd3q-9xLtQfLWO09A@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a114e53da206dc9051dd4f448
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-EYDSkfn5qqQFNidKWBi9mWngV4>
Cc: Donghwan Kim <flowersinthesand@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 16:42:32 -0000

--001a114e53da206dc9051dd4f448
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

As for your specific use-case though, as John said it's better to use
OpenID Connect which provides a solution for what you are trying to do
already.

That way you get an interoperable solution, and one that has been vetted by
security experts. There is even a free test suite
<http://openid.net/certification/testing/> for you to test your
implementation.

On Fri, Aug 21, 2015 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Requests to the token endpoint are URL form encoded not JSON in your
> example.
>
> The use of the password credentials grant was to allow migration from HTTP
> basic, but it is not recommended for privacy and security reasons.
>
> OpenID Connect is a better way to authenticate users.
>
> However assuming you have a closed system and don’t care about
> interoperability between clients and the Token endpoint, you could just add
> that parameter to your AS and the world will not end.
>
> If you want to have interoperable clients then you should register the new
> element in the IANA registry Sec 11.2 of the spec.
>
> Parameter name:
>       The name requested (e.g., “username”).
>
>    Parameter usage location:
>       token response.
>
>    Change controller:
>       For Standards Track RFCs, state "IETF".  For others, give the name
>       of the responsible party.  Other details (e.g., postal address,
>       email address, home page URI) may also be included.
>
> You need to have a specification to do that.
>
> I don’t see this as a good idea, but that is how you would do it.
>
> Regards
> John B.
>
>
> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com>
> wrote:
>
> Hi,
>
> I would like to add a custom property representing the account who just
> authenticated to the access token response for the sake of convenience like
> login request's response. Then, an exchange of request and response will
> look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such property, 'account'? Though, I saw
> Instagram API adds such custom property to access token response for the
> same purpose from https://instagram.com/developer/authentication/ (Please
> find 'snoopdogg' to see that token response.) If it's not allowed or
> desirable, how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>


--001a114e53da206dc9051dd4f448--
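An added example in Python, not code from this thread or from any of its posters, that puts the two points raised above into working form: John Bradley's correction that a token-endpoint request body is form-encoded rather than JSON, and William Denniss's reading of RFC 6749 section 5.1 that a client ignores value names it does not recognize, so a namespaced extension such as the "com.example:username" John suggests can be carried without breaking other clients. The endpoint, the sample token response, the grant values and the extension name are all constructed for the example; the extension name is hypothetical and only illustrates the vendor-namespace convention. The request helper uses the authorization_code grant, since the thread notes the password grant is not recommended.

```python
"""Added example (not from the thread): form-encoded token request and a
client-side token-response parser that follows RFC 6749 section 5.1.

All names, the sample response and the extension "com.example:username"
are constructed for this example; the extension name is hypothetical.
"""
import json
from urllib.parse import urlencode

# Token response parameters registered by RFC 6749 (section 11.2).
REGISTERED_RESPONSE_PARAMS = (
    "access_token", "token_type", "expires_in", "refresh_token", "scope",
)

# Extensions this client understands.  A namespaced name cannot collide
# with a parameter registered later, which a bare name like "account" could.
KNOWN_EXTENSIONS = ("com.example:username",)


def build_token_request(grant_type, **params):
    """Return (headers, body) for a request to the token endpoint.

    The body is application/x-www-form-urlencoded; a JSON body like the
    one in the question is not what RFC 6749 defines for this endpoint.
    """
    body = urlencode({"grant_type": grant_type, **params})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def parse_token_response(raw_json):
    """Parse a successful token response (RFC 6749 section 5.1).

    Returns a dict with the registered parameters that were present, the
    understood extensions under "extensions", and the names that were
    ignored under "ignored" so the ignore behaviour is visible in tests
    and logs.  Raises ValueError when the response is unusable.
    """
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")

    # access_token and token_type are REQUIRED; the rest may be absent.
    for name in ("access_token", "token_type"):
        if not isinstance(data.get(name), str) or not data[name]:
            raise ValueError(f"token response is missing {name}")

    # token_type is case-insensitive; this client supports Bearer only.
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {data['token_type']!r}")

    result = {"extensions": {}, "ignored": []}
    for name, value in data.items():
        if name in REGISTERED_RESPONSE_PARAMS:
            result[name] = value
        elif name in KNOWN_EXTENSIONS:
            result["extensions"][name] = value
        else:
            # "The client MUST ignore unrecognized value names": record the
            # name for diagnostics, never fail on it.
            result["ignored"].append(name)

    # expires_in, when present, is a number of seconds (bool is not a number).
    expires_in = result.get("expires_in")
    if expires_in is not None and (
        isinstance(expires_in, bool) or not isinstance(expires_in, int)
    ):
        raise ValueError("expires_in must be an integer")
    return result


# Constructed sample response: one namespaced extension the client knows,
# plus the un-namespaced "account" object from the question, which this
# client does not know and therefore ignores.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "com.example:username": "donghwan",
    "account": {"username": "donghwan"},
})

if __name__ == "__main__":
    headers, body = build_token_request(
        "authorization_code",
        code="SplxlOBeZQQYbYS6WxSbIA",
        redirect_uri="https://client.example.com/cb",
    )
    print(headers["Content-Type"], body)
    print(parse_token_response(SAMPLE_RESPONSE))
```

Running the block shows the "account" member landing in the ignored list while the namespaced extension is read: that is the behaviour the MUST-ignore clause buys you, and it is also why an extra response member is only usable by clients that were written for it, which is the interoperability gap that pushes the thread toward OpenID Connect for user authentication.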


From nobody Fri Aug 21 14:22:28 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6F81ACE39 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.341
X-Spam-Level: 
X-Spam-Status: No, score=-1.341 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 75DrWWOzTmnq for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:22:26 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0739.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::739]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C2A11ACE30 for <oauth@ietf.org>; Fri, 21 Aug 2015 14:22:26 -0700 (PDT)
Received: from BL2PR03MB433.namprd03.prod.outlook.com (10.141.92.19) by BL2PR03MB434.namprd03.prod.outlook.com (10.141.92.22) with Microsoft SMTP Server (TLS) id 15.1.243.23; Fri, 21 Aug 2015 21:22:08 +0000
Received: from BL2PR03MB433.namprd03.prod.outlook.com ([10.141.92.19]) by BL2PR03MB433.namprd03.prod.outlook.com ([10.141.92.19]) with mapi id 15.01.0231.011; Fri, 21 Aug 2015 21:22:08 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: =?Windows-1252?Q?=93amr=94_values_"rba"_and_"sc"?=
Thread-Index: AdDcV26qWDfDaX0dToGGUSpUPhzKNg==
Date: Fri, 21 Aug 2015 21:22:08 +0000
Message-ID: <BL2PR03MB433DD6D2107945702F421B7F5650@BL2PR03MB433.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.47.90.173]
x-microsoft-exchange-diagnostics: 1; BL2PR03MB434; 5:p/tijDt7EpIK6qBzCIUQdvnAPrxeaaXYuTTgEwQpuc8khMbH5idUibP/BRvO22fDQL2gmLt+4LTy008dvgxfqEiFepcr0Ncaa/Rsdghijmk0+m2fn92eTWVIvUZ4M0wvIxqw6qjMijJoaJISVIjHtw==; 24:i3Rt0J7hhtjuJZjmdCTOs5/0gd/OCKpXWZdaw8cbrR/em+dvJT9Tg/MHaseqBVLkHbl0zPpDTcPUytiO/0Zuu62DKgOE6fMMVodBd3EA/ZQ=; 20:F13VANO2LdRTsgZKJdw1bJI9zuRerbekX0POGAkAPUnlzfcIgCNLiB5baXxMjcPi8V2NlttLRGXFcVBkMKBxwA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB434;
x-microsoft-antispam-prvs: <BL2PR03MB434EBB49B87D61CBA201B37F5650@BL2PR03MB434.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(8121501046)(5005006)(3002001); SRVR:BL2PR03MB434; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB434; 
x-forefront-prvs: 067553F396
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(189002)(199003)(19300405004)(86612001)(77156002)(99286002)(2900100001)(33656002)(101416001)(19580395003)(92566002)(62966003)(86362001)(19625215002)(450100001)(40100003)(2351001)(46102003)(106356001)(77096005)(102836002)(54356999)(229853001)(15975445007)(87936001)(5007970100001)(105586002)(19617315012)(50986999)(16236675004)(4001540100001)(97736004)(81156007)(122556002)(68736005)(2501003)(5001830100001)(5001960100002)(2656002)(64706001)(8990500004)(5002640100001)(5001860100001)(110136002)(66066001)(5003600100002)(5005710100001)(10090500001)(10290500002)(189998001)(10400500002)(74316001)(107886002)(76576001)(5004730100002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB434; H:BL2PR03MB433.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BL2PR03MB433DD6D2107945702F421B7F5650BL2PR03MB433namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2015 21:22:08.8775 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB434
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/EYhp4KZ19uCgbdvJzbFqus-0ncU>
Subject: [OAUTH-WG] =?windows-1252?q?=93amr=94_values_=22rba=22_and_=22sc?= =?windows-1252?q?=22?=
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 21:22:27 -0000

--_000_BL2PR03MB433DD6D2107945702F421B7F5650BL2PR03MB433namprd_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Authentication Method Reference Values draft -02 changed the identifier for risk-based authentication from “risk” to “rba”, by popular acclaim, and added the identifier “sc” (smart card).

The specification is available at:

· http://tools.ietf.org/html/draft-jones-oauth-amr-values-02

An HTML formatted version is also available at:

· http://self-issued.info/docs/draft-jones-oauth-amr-values-02.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1440 and as @selfissued<https://twitter.com/selfissued>.


--_000_BL2PR03MB433DD6D2107945702F421B7F5650BL2PR03MB433namprd_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Authentication Method Reference Values draft -02 changed the identifier for risk-based authentication from “<span style="font-family:&quot;Courier New&quot;">risk</span>” to “<span style="font-family:&quot;Courier New&quot;">rba</span>”, by popular acclaim, and added the identifier “<span style="font-family:&quot;Courier New&quot;">sc</span>” (smart card).</p>
<p class="MsoNormal">The specification is available at:</p>
<ul>
<li><a href="http://tools.ietf.org/html/draft-jones-oauth-amr-values-02">http://tools.ietf.org/html/draft-jones-oauth-amr-values-02</a></li>
</ul>
<p class="MsoNormal">An HTML formatted version is also available at:</p>
<ul>
<li><a href="http://self-issued.info/docs/draft-jones-oauth-amr-values-02.html">http://self-issued.info/docs/draft-jones-oauth-amr-values-02.html</a></li>
</ul>
<p class="MsoNormal">-- Mike</p>
<p class="MsoNormal">P.S.&nbsp; This note was also posted at <a href="http://self-issued.info/?p=1440">http://self-issued.info/?p=1440</a> and as <a href="https://twitter.com/selfissued">@selfissued</a>.</p>
</div>
</body>
</html>

--_000_BL2PR03MB433DD6D2107945702F421B7F5650BL2PR03MB433namprd_--
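Editor's added example, not code from the draft or from anyone on this thread: what a relying party actually does with the "amr" identifiers being named above. It verifies the ID Token signature before reading any claim (HS256 with a constructed key, standing in for whatever the issuer really uses), then evaluates the array of case-sensitive identifiers against a step-up policy. The identifier set is only the subset this thread mentions, not the draft's full table; the "risk" to "rba" alias map is an assumption about an RP that still receives tokens minted under draft -01; and the policy shape (any one of several required sets) is this example's own.

```python
import base64
import hashlib
import hmac
import json

# Identifiers named on this thread from draft-jones-oauth-amr-values (the -02
# draft renamed "risk" to "rba" and added "sc"). Subset only, not the draft's
# complete table.
KNOWN_AMR_VALUES = {"kba", "mca", "mfa", "otp", "pop", "pwd", "rba", "sc", "user", "wia"}

# Assumption for this example: an RP that still sees ID Tokens minted under
# draft -01 wants to read the pre-rename identifier as its -02 equivalent.
LEGACY_ALIASES = {"risk": "rba"}


def b64url_encode(raw: bytes) -> str:
    """JWS base64url: urlsafe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Issuer side of the demo: compact JWS over `claims` with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def verify_hs256_token(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim, amr included."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def normalize_amr(amr) -> list:
    """amr is a JSON array of case-sensitive strings (OpenID Connect Core 1.0).
    Map the legacy draft name, keep everything else exactly as issued."""
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be an array of strings")
    return [LEGACY_ALIASES.get(v, v) for v in amr]


def unknown_amr_values(amr) -> set:
    """Identifiers this RP does not understand. Worth logging; they can never
    satisfy a policy because matching is exact and case-sensitive."""
    return set(normalize_amr(amr)) - KNOWN_AMR_VALUES


def amr_satisfies(amr, policy) -> bool:
    """policy: list of alternatives, each a set of identifiers that must all be
    present. [{"mfa"}, {"pwd", "otp"}] accepts an IdP that asserts "mfa"
    outright or one that lists the two factors it actually used."""
    present = set(normalize_amr(amr))
    return any(set(alternative) <= present for alternative in policy)


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
    token = mint_hs256_token({"iss": "https://op.example", "sub": "alice",
                              "amr": ["user", "mfa", "pwd", "otp"]}, KEY)
    claims = verify_hs256_token(token, KEY)
    print(claims["amr"], amr_satisfies(claims["amr"], [{"mfa"}, {"pwd", "otp"}]))
```

The alias map is a migration convenience and nothing more: the point of Mike's "keep the values short" argument is that the strings carry no meaning on their own, so the RP must compare them exactly against the registry it was written for. "MFA" therefore does not match "mfa", and a value outside the set the RP knows should be logged rather than silently treated as a match.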


From nobody Fri Aug 21 14:29:10 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0AD1ACE39 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:29:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.081
X-Spam-Level: ****
X-Spam-Status: No, score=4.081 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_HEX=1.122, URI_NOVOWEL=0.5, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eh3L3U5dNI0B for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:29:06 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0753.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::753]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A9511ACE36 for <oauth@ietf.org>; Fri, 21 Aug 2015 14:29:06 -0700 (PDT)
Received: from BL2PR03MB433.namprd03.prod.outlook.com (10.141.92.19) by BL2PR03MB434.namprd03.prod.outlook.com (10.141.92.22) with Microsoft SMTP Server (TLS) id 15.1.243.23; Fri, 21 Aug 2015 21:28:47 +0000
Received: from BL2PR03MB433.namprd03.prod.outlook.com ([10.141.92.19]) by BL2PR03MB433.namprd03.prod.outlook.com ([10.141.92.19]) with mapi id 15.01.0231.011; Fri, 21 Aug 2015 21:28:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] “amr” Values spec updated
Thread-Index: AdDWQ1gyDLM4k4XkRyqlkp9xqb3+owAdOtmAAAAaBIAAAFiTAAAAXbqAAAJCUAAAAHJxAADYGSkAAIxoIcc=
Date: Fri, 21 Aug 2015 21:28:47 +0000
Message-ID: <BL2PR03MB433D25E1FEE44291E9A832FF5650@BL2PR03MB433.namprd03.prod.outlook.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com> <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com> <FAC117A7-658D-4D36-A969-E5D29ECBF2CC@oracle.com>, <CABzCy2AFiSfsLGwhxsC7m=YUdCuW5Ec_aJaMuvJF6R1+WFd0fQ@mail.gmail.com>
In-Reply-To: <CABzCy2AFiSfsLGwhxsC7m=YUdCuW5Ec_aJaMuvJF6R1+WFd0fQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.47.90.173]
Content-Type: multipart/alternative; boundary="_000_BL2PR03MB433D25E1FEE44291E9A832FF5650BL2PR03MB433namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2015 21:28:47.1952 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB434
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IQ5FM6oRYq3X264tSibTaqPzh9c>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] “amr” Values spec updated
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 21:29:09 -0000

--_000_BL2PR03MB433D25E1FEE44291E9A832FF5650BL2PR03MB433namprd_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

Done in -02.
________________________________
From: Nat Sakimura <sakimura@gmail.com>
Sent: 8/18/2015 7:28 PM
To: Phil Hunt <phil.hunt@oracle.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] “amr” Values spec updated

+1

2015-08-15 4:20 GMT+09:00 Phil Hunt <phil.hunt@oracle.com>:
+1

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Aug 14, 2015, at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

+1

On Aug 14, 2015, at 3:03 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

+1 for "rba"

On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com> wrote:
Fair point. RBA is a fairly common acronym for Risk-Based Authentication, how about going with "rba"? Would align with existing "mfa", "mca" definitions (while also saving 1 character and helping the ambiguity issue).

On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
I hear you, but we’re trying to keep the values short for space reasons – just like other identifiers in JWTs.  Ultimately, the values aren’t meaningful without referring to the spec in the first place, so the place to beef up the meaning is in the description in the spec – not in the “amr” value.  If you’d like to suggest any edits in that regard, have at it!

                                                            Thanks,
                                                            -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Friday, August 14, 2015 1:40 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] “amr” Values spec updated

Looking good, thanks for putting this together.

I wonder if we should say "risk_based" rather than just "risk" to avoid ambiguity (i.e. that it's not a risky authentication method, rather, it was risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a logical story.

On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
I’ve updated the Authentication Method Reference Values spec to incorporate feedback received from the OAuth working group.  Changes were:

•        Added the values “mca” (multiple-channel authentication), “risk” (risk-based authentication), and “user” (user presence test).

•        Added citations in the definitions of Windows integrated authentication, knowledge-based authentication, risk-based authentication, multiple-factor authentication, one-time password, and proof-of-possession.

•        Alphabetized the values.

•        Added Tony Nadalin as an author and added acknowledgements.

The specification is available at:

•        http://tools.ietf.org/html/draft-jones-oauth-amr-values-01

An HTML formatted version is also available at:

•        http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1437 and as @selfissued.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--_000_BL2PR03MB433D25E1FEE44291E9A832FF5650BL2PR03MB433namprd_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows-1=
256">
<meta content=3D"text/html; charset=3Dutf-8">
</head>
<body>
<div>
<div style=3D"font-family:Calibri,sans-serif; font-size:11pt">Done in -02.<=
/div>
</div>
<div dir=3D"ltr">
<hr>
<span style=3D"font-family:Calibri,sans-serif; font-size:11pt; font-weight:=
bold">From:
</span><span style=3D"font-family:Calibri,sans-serif; font-size:11pt"><a hr=
ef=3D"mailto:sakimura@gmail.com">Nat Sakimura</a></span><br>
<span style=3D"font-family:Calibri,sans-serif; font-size:11pt; font-weight:=
bold">Sent:
</span><span style=3D"font-family:Calibri,sans-serif; font-size:11pt">=FD8/=
=FD18/=FD2015 7:28 PM</span><br>
<span style=3D"font-family:Calibri,sans-serif; font-size:11pt; font-weight:=
bold">To:
</span><span style=3D"font-family:Calibri,sans-serif; font-size:11pt"><a hr=
ef=3D"mailto:phil.hunt@oracle.com">Phil Hunt</a></span><br>
<span style=3D"font-family:Calibri,sans-serif; font-size:11pt; font-weight:=
bold">Cc:
</span><span style=3D"font-family:Calibri,sans-serif; font-size:11pt"><a hr=
ef=3D"mailto:oauth@ietf.org">oauth@ietf.org</a></span><br>
<span style=3D"font-family:Calibri,sans-serif; font-size:11pt; font-weight:=
bold">Subject:
</span><span style=3D"font-family:Calibri,sans-serif; font-size:11pt">Re: [=
OAUTH-WG] =93amr=94 Values spec updated</span><br>
<br>
</div>
<div>
<div dir=3D"ltr">&#43;1</div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">2015-08-15 4:20 GMT&#43;09:00 Phil Hunt <span di=
r=3D"ltr">&lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phi=
l.hunt@oracle.com</a>&gt;</span>:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex; border-left:1=
px #ccc solid; padding-left:1ex">
<div style=3D"word-wrap:break-word">&#43;1
<div><br>
<div>
<div style=3D"color:rgb(0,0,0); letter-spacing:normal; text-align:start; te=
xt-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; w=
ord-wrap:break-word">
<div style=3D"color:rgb(0,0,0); letter-spacing:normal; text-align:start; te=
xt-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; w=
ord-wrap:break-word">
<div style=3D"color:rgb(0,0,0); font-family:Helvetica; font-style:normal; f=
ont-variant:normal; font-weight:normal; letter-spacing:normal; line-height:=
normal; text-indent:0px; text-transform:none; white-space:normal; word-spac=
ing:0px; word-wrap:break-word">
<div style=3D"color:rgb(0,0,0); font-family:Helvetica; font-style:normal; f=
ont-variant:normal; font-weight:normal; letter-spacing:normal; line-height:=
normal; text-indent:0px; text-transform:none; white-space:normal; word-spac=
ing:0px; word-wrap:break-word">
<div style=3D"color:rgb(0,0,0); font-family:Helvetica; font-style:normal; f=
ont-variant:normal; font-weight:normal; letter-spacing:normal; line-height:=
normal; text-indent:0px; text-transform:none; white-space:normal; word-spac=
ing:0px; word-wrap:break-word">
<span style=3D"border-collapse:separate; color:rgb(0,0,0); font-family:Helv=
etica; font-style:normal; font-variant:normal; font-weight:normal; letter-s=
pacing:normal; line-height:normal; text-indent:0px; text-transform:none; wh=
ite-space:normal; word-spacing:0px; border-spacing:0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
; color:rgb(0,0,0); font-family:Helvetica; font-style:normal; font-variant:=
normal; font-weight:normal; letter-spacing:normal; line-height:normal; text=
-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; bor=
der-spacing:0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
; color:rgb(0,0,0); font-family:Helvetica; font-style:normal; font-variant:=
normal; font-weight:normal; letter-spacing:normal; line-height:normal; text=
-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; bor=
der-spacing:0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
; color:rgb(0,0,0); font-family:Helvetica; font-size:12px; font-style:norma=
l; font-variant:normal; font-weight:normal; letter-spacing:normal; line-hei=
ght:normal; text-indent:0px; text-transform:none; white-space:normal; word-=
spacing:0px; border-spacing:0px">
<div style=3D"word-wrap:break-word">
<div>Phil</div>
<div><br>
</div>
<div>@independentid</div>
<div><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3=
a%2f%2fwww.independentid.com&amp;data=3D01%7c01%7cMichael.Jones%40microsoft=
.com%7c501738a4097c4d7e3f9608d2a83de568%7c72f988bf86f141af91ab2d7cd011db47%=
7c1&amp;sdata=3DSEPT1AMM6Wc8ja4fvXlSrRe6N1kSzZ7xmmEZjxcKSx0%3d" target=3D"_=
blank">www.independentid.com</a></div>
</div>
</span><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@=
oracle.com</a></div>
</span></div>
</span></div>
</span></div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class=3D"h5"><br>
<div>
<blockquote type=3D"cite">
<div>On Aug 14, 2015, at 12:08 PM, John Bradley &lt;<a href=3D"mailto:ve7jt=
b@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wrote:</div>
<br>
<div>
<div style=3D"word-wrap:break-word">&#43;1
<div><br>
<div>
<blockquote type=3D"cite">
<div>On Aug 14, 2015, at 3:03 PM, Brian Campbell &lt;<a href=3D"mailto:bcam=
pbell@pingidentity.com" target=3D"_blank">bcampbell@pingidentity.com</a>&gt=
; wrote:</div>
<br>
<div>
<div dir=3D"ltr">&#43;1 for &quot;rba&quot;</div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">On Fri, Aug 14, 2015 at 11:52 AM, William Dennis=
s <span dir=3D"ltr">
&lt;<a href=3D"mailto:wdenniss@google.com" target=3D"_blank">wdenniss@googl=
e.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex; border-left:1=
px #ccc solid; padding-left:1ex">
<div dir=3D"ltr">Fair point. RBA is a fairly common acronym for Risk-Based =
Authentication, how about going with &quot;rba&quot;? Would align with exis=
ting &quot;mfa&quot;, &quot;mca&quot; definitions (while also saving 1 char=
acter and helping the ambiguity issue).</div>
<div>
<div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <sp=
an dir=3D"ltr">
&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michae=
l.Jones@microsoft.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex; border-left:1=
px #ccc solid; padding-left:1ex">
<div lang=3D"EN-US">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt; font-family:&quot;C=
alibri&quot;,&quot;sans-serif&quot;; color:#1f497d">I hear you, but we=92re=
 trying to keep the values short for space reasons =96 just like other iden=
tifiers in JWTs.&nbsp; Ultimately, the values aren=92t meaningful without
 referring to the spec in the first place, so the place to beef up the mean=
ing is in the description in the spec =96 not in the =93amr=94 value.&nbsp;=
 If you=92d like to suggest any edits in that regard, have at it!<u></u><u>=
</u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt; font-family:&quot;C=
alibri&quot;,&quot;sans-serif&quot;; color:#1f497d"><u></u>&nbsp;<u></u></s=
pan></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt; font-family:&quot;C=
alibri&quot;,&quot;sans-serif&quot;; color:#1f497d">&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks,<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt; font-family:&quot;C=
alibri&quot;,&quot;sans-serif&quot;; color:#1f497d">&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt; font-family:&quot;C=
alibri&quot;,&quot;sans-serif&quot;; color:#1f497d"><u></u>&nbsp;<u></u></s=
pan></p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt; font-family:&quo=
t;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:10.0pt; font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Willia=
m Denniss [mailto:<a href=3D"mailto:wdenniss@google.com" target=3D"_blank">=
wdenniss@google.com</a>]
<br>
<b>Sent:</b> Friday, August 14, 2015 1:40 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.o=
rg</a><br>
<b>Subject:</b> Re: [OAUTH-WG] =93amr=94 Values spec updated<u></u><u></u><=
/span></p>
<div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<div>
<p class=3D"MsoNormal">Looking good, thanks for putting this together.<u></=
u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I wonder if we should say &quot;risk_based&quot; rat=
her than just &quot;risk&quot; to avoid ambiguity (i.e. that it's not a ris=
ky authentication method, rather, it was risk-based). &nbsp;&quot;user&quot=
; seems to work well, e.g. &quot;user mfa pwd otp&quot; tells a logical sto=
ry.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<div>
<p class=3D"MsoNormal">On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones &lt;<a h=
ref=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@=
microsoft.com</a>&gt; wrote:<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">I=92ve updated the Authentication Method Reference V=
alues spec to incorporate feedback received from the OAuth working group.&n=
bsp; Changes were:<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Added the values =93<span style=3D"font-family:&quot;Courier New&quo=
t;">mca</span>=94 (multiple-channel authentication), =93<span style=3D"font=
-family:&quot;Courier New&quot;">risk</span>=94 (risk-based authentication)=
, and =93<span style=3D"font-family:&quot;Courier New&quot;">user</span>=94=
 (user
 presence test). <u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Added citations in the definitions of Windows integrated authenticat=
ion, knowledge-based authentication, risk-based authentication, multiple-fa=
ctor authentication, one-time password, and proof-of-possession.
<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Alphabetized the values. <u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>Added Tony Nadalin as an author and added acknowledgements.<u></u><u=
></u></p>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
<p class=3D"MsoNormal">The specification is available at:<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp=
%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-amr-values-01&amp;data=
=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71=
f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DI5MFZbd1BMANLuVeDH24b=
oBVJ1CSwybIg3P1RqTZweU%3d" target=3D"_blank">http://tools.ietf.org/html/dra=
ft-jones-oauth-amr-values-01</a><u></u><u></u></p>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
<p class=3D"MsoNormal">An HTML formatted version is also available at:<u></=
u><u></u></p>
<p><span style=3D"font-family:Symbol">=B7</span><span style=3D"font-size:7.=
0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp=
%3a%2f%2fself-issued.info%2fdocs%2fdraft-jones-oauth-amr-values-01.html&amp=
;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a=
4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DrpA2%2fLQGs5mdom=
EP4xBu7T9V4PWzVi2j8d1VTzPCCZg%3d" target=3D"_blank">http://self-issued.info=
/docs/draft-jones-oauth-amr-values-01.html</a><u></u><u></u></p>
<p class=3D"MsoNormal"><span style=3D"color:#888888">&nbsp;<u></u><u></u></=
span></p>
<p class=3D"MsoNormal"><span style=3D"color:#888888">&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
<p class=3D"MsoNormal">P.S.&nbsp; This note was also posted at <a href=3D"h=
ttps://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fself-issue=
d.info%2f%3fp%3d1437&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1=
f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;=
sdata=3Dsv5HbcRW%2bjRbYcd71MRZBcFdks%2froaDqZ%2fqTKOJrJ%2fo%3d" target=3D"_=
blank">
http://self-issued.info/?p=3D1437</a> and as <a href=3D"https://na01.safeli=
nks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftwitter.com%2fselfissued&am=
p;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2=
a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3Dex43UP5ytuIMsfe=
6SkABmPAvJbeOpXPbHQbnvixUNcQ%3d" target=3D"_blank">
@selfissued</a>.<u></u><u></u></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f=
%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3DhlMpGbGhXBCYimtMJa9IfEzWSFqXRy3kKHN8Z%2bLxj=
n0%3d" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><u>=
</u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear=3D"all">
<div><br>
</div>
-- <br>
<div class=3D"gmail_signature">Nat Sakimura (=3Dnat)
<div>Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</body>
</html>

--_000_BL2PR03MB433D25E1FEE44291E9A832FF5650BL2PR03MB433namprd_--


From nobody Fri Aug 21 14:34:24 2015
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52C5D1ACE36 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:34:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.594
X-Spam-Level: ****
X-Spam-Status: No, score=4.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URI_HEX=1.122, URI_NOVOWEL=0.5, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2lK6r0T-IPUR for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 14:34:19 -0700 (PDT)
Received: from mail-qg0-x235.google.com (mail-qg0-x235.google.com [IPv6:2607:f8b0:400d:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FE91ACE35 for <oauth@ietf.org>; Fri, 21 Aug 2015 14:34:19 -0700 (PDT)
Received: by qgeg42 with SMTP id g42so54971826qge.1 for <oauth@ietf.org>; Fri, 21 Aug 2015 14:34:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=epGsvoRkRGd1Cx29z+HT2yWkGrU62Ng9Qdu5G3fvuAQ=; b=hYkc3DtLXRGQq1baQLF/lYPkOeyGfrtnt054yyatt+GGn+ttbT6/UN/UkOK1p3mER2 muTQQYV3sFnxmGO/BNQmI4P5eIVDaUjtdPbzqZgxY0iwKPe/+f/fII8pcn/2upQJGPg3 t3ElwEhaTTRjqRrwiojHpYVzn1i0pkgj2EfK7rW8GyBNnaFAzoHU3JDKVSCuSjqqmVes vhzlUG9pb+zA8nSif23Ro3dXwmirctcCFCMhJq13HMidza9JvKA1wUoB6wj0698YQggq myvze88PYYJJoF778tQYR5kfDtj4jzOt2ex5CWOZpqxiGvN/GI9o5FvaOs98PqNf2TtL SRCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=epGsvoRkRGd1Cx29z+HT2yWkGrU62Ng9Qdu5G3fvuAQ=; b=h1N4ISIDw9gWGnXkMUrzbUcqOzzBtqYNJ+3Z88vS0C9DFlj8Z51EDry0zoji/eigj2 +ERXZBlaRpQOAAEp0m5xVCs4Ggvao2NRb8Ky9Ns36tbfv3hQKC9xZhTIfkO1avyHacYt /BcFXK+8LwqKiJG3vPQSFBbWZ6JxMK6LSleZLbUZkSISXT6WBYOLXsEJePWYhnNCVSIi ozyGie9nwSfPmvdtyAcKSTFEPG2BsD2WW3ufJ3qgLrgooiY3eWq1Rj9s9iYJxQWZfKOX r9L2In6INaJ4ISZhwoTcdXBsIPgkKGCGNH0GyZkmXAkFtkSaLMJM+vTkfbjJmmSZiadc A69A==
X-Gm-Message-State: ALoCoQnPR85ux8uW8HolaPmtucbLwzOPO/VIfMNrCJzCMed4VrI+DdsEEAcsQVzvbqICBfjcZ5yC
X-Received: by 10.140.232.83 with SMTP id d80mr23171093qhc.15.1440192858312; Fri, 21 Aug 2015 14:34:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.108.100 with HTTP; Fri, 21 Aug 2015 14:33:58 -0700 (PDT)
In-Reply-To: <BL2PR03MB433D25E1FEE44291E9A832FF5650@BL2PR03MB433.namprd03.prod.outlook.com>
References: <BY2PR03MB4424015DC23E68533ADD66BF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hC03k_1s955H_08V8yo74nM1XVpt+rY5J9YShfiH2v_QA@mail.gmail.com> <BY2PR03MB442670B6531CEA4E5988A7AF57C0@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDUDOWaro0taQMhsOfndMRcxvMV6hOGPra6obJrr6W+Cg@mail.gmail.com> <CA+k3eCTwgnKTMOjttNKydw6T-uh5qJL58mB_ighP6tf2upf68w@mail.gmail.com> <5BBF1AFE-DBED-4DCF-8043-BF7B370E5E12@ve7jtb.com> <FAC117A7-658D-4D36-A969-E5D29ECBF2CC@oracle.com> <CABzCy2AFiSfsLGwhxsC7m=YUdCuW5Ec_aJaMuvJF6R1+WFd0fQ@mail.gmail.com> <BL2PR03MB433D25E1FEE44291E9A832FF5650@BL2PR03MB433.namprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Aug 2015 14:33:58 -0700
Message-ID: <CAAP42hBr+B=kYrR6m-ooG5162yNOC9J0p+-AyygaOyC1y-KGbQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11353994ba9fbc051dd9076d
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4wirJZRkcVptu3bAGcmeDPi1Duc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] =?utf-8?b?4oCcYW1y4oCdIFZhbHVlcyBzcGVjIHVwZGF0ZWQ=?=
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 21:34:22 -0000

--001a11353994ba9fbc051dd9076d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks Mike. Looks good.

On Fri, Aug 21, 2015 at 2:28 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Done in -02.
> ------------------------------
> From: Nat Sakimura <sakimura@gmail.com>
> Sent: 8/18/2015 7:28 PM
> To: Phil Hunt <phil.hunt@oracle.com>
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] “amr” Values spec updated
>
> +1
>
> 2015-08-15 4:20 GMT+09:00 Phil Hunt <phil.hunt@oracle.com>:
>
>> +1
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On Aug 14, 2015, at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> +1
>>
>> On Aug 14, 2015, at 3:03 PM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> +1 for "rba"
>>
>> On Fri, Aug 14, 2015 at 11:52 AM, William Denniss <wdenniss@google.com>
>> wrote:
>>
>>> Fair point. RBA is a fairly common acronym for Risk-Based
>>> Authentication, how about going with "rba"? Would align with existing
>>> "mfa", "mca" definitions (while also saving 1 character and helping the
>>> ambiguity issue).
>>>
>>> On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:
>>>
>>>> I hear you, but we’re trying to keep the values short for space reasons
>>>> – just like other identifiers in JWTs.  Ultimately, the values aren’t
>>>> meaningful without referring to the spec in the first place, so the place
>>>> to beef up the meaning is in the description in the spec – not in the “amr”
>>>> value.  If you’d like to suggest any edits in that regard, have at it!
>>>>
>>>>                                                             Thanks,
>>>>
>>>>                                                             -- Mike
>>>>
>>>> *From:* William Denniss [mailto:wdenniss@google.com]
>>>> *Sent:* Friday, August 14, 2015 1:40 PM
>>>> *To:* Mike Jones
>>>> *Cc:* oauth@ietf.org
>>>> *Subject:* Re: [OAUTH-WG] “amr” Values spec updated
>>>>
>>>> Looking good, thanks for putting this together.
>>>>
>>>> I wonder if we should say "risk_based" rather than just "risk" to avoid
>>>> ambiguity (i.e. that it's not a risky authentication method, rather, it was
>>>> risk-based).  "user" seems to work well, e.g. "user mfa pwd otp" tells a
>>>> logical story.
>>>>
>>>> On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones <Michael.Jones@microsoft.com>
>>>> wrote:
>>>>
>>>> I’ve updated the Authentication Method Reference Values spec to
>>>> incorporate feedback received from the OAuth working group.  Changes were:
>>>>
>>>> · Added the values “mca” (multiple-channel authentication), “risk”
>>>> (risk-based authentication), and “user” (user presence test).
>>>>
>>>> · Added citations in the definitions of Windows integrated
>>>> authentication, knowledge-based authentication, risk-based authentication,
>>>> multiple-factor authentication, one-time password, and proof-of-possession.
>>>>
>>>> · Alphabetized the values.
>>>>
>>>> · Added Tony Nadalin as an author and added acknowledgements.
>>>>
>>>> The specification is available at:
>>>>
>>>> · http://tools.ietf.org/html/draft-jones-oauth-amr-values-01
>>>>
>>>> An HTML formatted version is also available at:
>>>>
>>>> · http://self-issued.info/docs/draft-jones-oauth-amr-values-01.html
>>>>
>>>>                                                             -- Mike
>>>>
>>>> P.S.  This note was also posted at http://self-issued.info/?p=1437
>>>> and as @selfissued.
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>

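As an added example for this page (not code from the draft or from anyone in the thread), here is how a relying party might consume the `amr` values the thread discusses, including mapping the -01 spelling "risk" to the "rba" spelling the thread settled on for -02. The identifier table covers only the values named in the thread; the step-up policy, the sample token and all function names are assumptions.

```python
"""RP-side handling of the "amr" claim values discussed in this thread.

Added example for this page; not code from draft-jones-oauth-amr-values or
from any participant. The identifier table is limited to the values the thread
names; the step-up policy and the sample token are constructed assumptions.
"""
import base64
import json

# Short identifiers named in the thread, with the descriptions the draft gives
# them. Values are only meaningful with the spec in hand (Mike's point), so the
# RP carries its own copy of the registry rather than guessing from the string.
KNOWN_AMR = {
    "mca": "multiple-channel authentication",
    "mfa": "multiple-factor authentication",
    "otp": "one-time password",
    "pwd": "password",
    "rba": "risk-based authentication",
    "user": "user presence test",
}

# -01 spelled risk-based authentication "risk"; the thread agreed on "rba" for
# -02. Tokens minted against -01 are mapped rather than dropped as unknown.
SUPERSEDED = {"risk": "rba"}


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWS.

    This does NOT verify the signature; in a real RP the token must be verified
    first, otherwise every amr value seen here is attacker-supplied.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def normalize_amr(claims: dict) -> list:
    """Return the amr claim as an ordered, de-duplicated list of known values.

    Type errors are rejected (the claim is a JSON array of strings); superseded
    spellings are mapped; strings with no spec definition are dropped because
    the RP cannot attach any meaning to them.
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    seen = []
    for value in amr:
        value = SUPERSEDED.get(value, value)
        if value in KNOWN_AMR and value not in seen:
            seen.append(value)
    return seen


def step_up_required(amr: list) -> bool:
    """Assumed RP policy for illustration: accept the session if the IdP asserts
    "mfa" outright, or if both "pwd" and "otp" were used (two factors, the
    "user mfa pwd otp" story from the thread). Anything weaker, including a
    missing claim, requires a step-up authentication.
    """
    methods = set(amr)
    if "mfa" in methods:
        return False
    if {"pwd", "otp"} <= methods:
        return False
    return True


def evaluate_token(token: str) -> tuple:
    """Decode, normalize and apply the policy; returns (amr_values, step_up)."""
    amr = normalize_amr(decode_jwt_payload(token))
    return amr, step_up_required(amr)


def build_sample_token(claims: dict) -> str:
    """Construct an unsigned compact JWS for local testing only. The header and
    the placeholder signature segment are made up; real ID tokens are signed.
    """
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample: a -01 style token carrying "risk" plus a password.
    sample = build_sample_token(
        {"iss": "https://idp.example", "sub": "alice",
         "amr": ["user", "risk", "pwd"]}
    )
    values, step_up = evaluate_token(sample)
    print("amr:", values, "-> step-up required:", step_up)
```
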
--001a11353994ba9fbc051dd9076d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks Mike. Looks good.</div><div class=3D"gmail_extra"><=
br><div class=3D"gmail_quote">On Fri, Aug 21, 2015 at 2:28 PM, Mike Jones <=
span dir=3D"ltr">&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=
=3D"_blank">Michael.Jones@microsoft.com</a>&gt;</span> wrote:<br><blockquot=
e class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc sol=
id;padding-left:1ex">




<div>
<div>
<div style=3D"font-family:Calibri,sans-serif;font-size:11pt">Done in -02.</=
div>
</div>
<div dir=3D"ltr">
<hr>
<span style=3D"font-family:Calibri,sans-serif;font-size:11pt;font-weight:bo=
ld">From:
</span><span style=3D"font-family:Calibri,sans-serif;font-size:11pt"><a hre=
f=3D"mailto:sakimura@gmail.com" target=3D"_blank">Nat Sakimura</a></span><b=
r>
<span style=3D"font-family:Calibri,sans-serif;font-size:11pt;font-weight:bo=
ld">Sent:
</span><span style=3D"font-family:Calibri,sans-serif;font-size:11pt">=E2=80=
=8E8/=E2=80=8E18/=E2=80=8E2015 7:28 PM</span><br>
<span style=3D"font-family:Calibri,sans-serif;font-size:11pt;font-weight:bo=
ld">To:
</span><span style=3D"font-family:Calibri,sans-serif;font-size:11pt"><a hre=
f=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">Phil Hunt</a></span><di=
v><div class=3D"h5"><br>
<span style=3D"font-family:Calibri,sans-serif;font-size:11pt;font-weight:bo=
ld">Cc:
</span><span style=3D"font-family:Calibri,sans-serif;font-size:11pt"><a hre=
f=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a></span><br>
<span style=3D"font-family:Calibri,sans-serif;font-size:11pt;font-weight:bo=
ld">Subject:
</span><span style=3D"font-family:Calibri,sans-serif;font-size:11pt">Re: [O=
AUTH-WG] =E2=80=9Camr=E2=80=9D Values spec updated</span><br>
<br>
</div></div></div><div><div class=3D"h5">
<div>
<div dir=3D"ltr">+1</div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">2015-08-15 4:20 GMT+09:00 Phil Hunt <span dir=3D=
"ltr">&lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hu=
nt@oracle.com</a>&gt;</span>:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div style=3D"word-wrap:break-word">+1
<div><br>
<div>
<div style=3D"color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-=
indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wra=
p:break-word">
<div style=3D"color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-=
indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wra=
p:break-word">
<div style=3D"color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font=
-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal=
;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;wo=
rd-wrap:break-word">
<div style=3D"color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font=
-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal=
;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;wo=
rd-wrap:break-word">
<div style=3D"color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font=
-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal=
;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;wo=
rd-wrap:break-word">
<span style=3D"border-collapse:separate;color:rgb(0,0,0);font-family:Helvet=
ica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing=
:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:=
normal;word-spacing:0px;border-spacing:0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
;color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:norm=
al;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:=
0px;text-transform:none;white-space:normal;word-spacing:0px;border-spacing:=
0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
;color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:norm=
al;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:=
0px;text-transform:none;white-space:normal;word-spacing:0px;border-spacing:=
0px">
<div style=3D"word-wrap:break-word"><span style=3D"border-collapse:separate=
;color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;fo=
nt-variant:normal;font-weight:normal;letter-spacing:normal;line-height:norm=
al;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;=
border-spacing:0px">
<div style=3D"word-wrap:break-word">
<div>Phil</div>
<div><br>
</div>
<div>@independentid</div>
<div><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3=
a%2f%2fwww.independentid.com&amp;data=3D01%7c01%7cMichael.Jones%40microsoft=
.com%7c501738a4097c4d7e3f9608d2a83de568%7c72f988bf86f141af91ab2d7cd011db47%=
7c1&amp;sdata=3DSEPT1AMM6Wc8ja4fvXlSrRe6N1kSzZ7xmmEZjxcKSx0%3d" target=3D"_=
blank">www.independentid.com</a></div>
</div>
</span><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@=
oracle.com</a></div>
</span></div>
</span></div>
</span></div>
</div>
</div>
</div>
</div>
</div>
<div>
<div><br>
<div>
<blockquote type=3D"cite">
<div>On Aug 14, 2015, at 12:08 PM, John Bradley &lt;<a href=3D"mailto:ve7jt=
b@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wrote:</div>
<br>
<div>
<div style=3D"word-wrap:break-word">+1
<div><br>
<div>
<blockquote type=3D"cite">
<div>On Aug 14, 2015, at 3:03 PM, Brian Campbell &lt;<a href=3D"mailto:bcam=
pbell@pingidentity.com" target=3D"_blank">bcampbell@pingidentity.com</a>&gt=
; wrote:</div>
<br>
<div>
<div dir=3D"ltr">+1 for &quot;rba&quot;</div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">On Fri, Aug 14, 2015 at 11:52 AM, William Dennis=
s <span dir=3D"ltr">
&lt;<a href=3D"mailto:wdenniss@google.com" target=3D"_blank">wdenniss@googl=
e.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div dir=3D"ltr">Fair point. RBA is a fairly common acronym for Risk-Based =
Authentication, how about going with &quot;rba&quot;? Would align with exis=
ting &quot;mfa&quot;, &quot;mca&quot; definitions (while also saving 1 char=
acter and helping the ambiguity issue).</div>
<div>
<div>
<div class=3D"gmail_extra"><br>
<div class=3D"gmail_quote">On Fri, Aug 14, 2015 at 10:44 AM, Mike Jones <sp=
an dir=3D"ltr">
&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michae=
l.Jones@microsoft.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div lang=3D"EN-US">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">I hear you, but we=E2=80=
=99re trying to keep the values short for space reasons =E2=80=93 just like=
 other identifiers in JWTs.=C2=A0 Ultimately, the values aren=E2=80=99t mea=
ningful without
 referring to the spec in the first place, so the place to beef up the mean=
ing is in the description in the spec =E2=80=93 not in the =E2=80=9Camr=E2=
=80=9D value.=C2=A0 If you=E2=80=99d like to suggest any edits in that rega=
rd, have at it!<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thanks,<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> William =
Denniss [mailto:<a href=3D"mailto:wdenniss@google.com" target=3D"_blank">wd=
enniss@google.com</a>]
<br>
<b>Sent:</b> Friday, August 14, 2015 1:40 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.o=
rg</a><br>
<b>Subject:</b> Re: [OAUTH-WG] =E2=80=9Camr=E2=80=9D Values spec updated<u>=
</u><u></u></span></p>
<div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">Looking good, thanks for putting this together.<u></=
u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I wonder if we should say &quot;risk_based&quot; rat=
her than just &quot;risk&quot; to avoid ambiguity (i.e. that it&#39;s not a=
 risky authentication method, rather, it was risk-based). =C2=A0&quot;user&=
quot; seems to work well, e.g. &quot;user mfa pwd otp&quot; tells a logical=
 story.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">On Thu, Aug 13, 2015 at 8:43 PM, Mike Jones &lt;<a h=
ref=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@=
microsoft.com</a>&gt; wrote:<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">I=E2=80=99ve updated the Authentication Method Refer=
ence Values spec to incorporate feedback received from the OAuth working gr=
oup.=C2=A0 Changes were:<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span>Added the values =E2=80=9C<span style=3D"font-family:&quot;Courier N=
ew&quot;">mca</span>=E2=80=9D (multiple-channel authentication), =E2=80=9C<=
span style=3D"font-family:&quot;Courier New&quot;">risk</span>=E2=80=9D (ri=
sk-based authentication), and =E2=80=9C<span style=3D"font-family:&quot;Cou=
rier New&quot;">user</span>=E2=80=9D (user
 presence test). <u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span>Added citations in the definitions of Windows integrated authenticat=
ion, knowledge-based authentication, risk-based authentication, multiple-fa=
ctor authentication, one-time password, and proof-of-possession.
<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span>Alphabetized the values. <u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span>Added Tony Nadalin as an author and added acknowledgements.<u></u><u=
></u></p>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
<p class=3D"MsoNormal">The specification is available at:<u></u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp=
%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-amr-values-01&amp;data=
=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71=
f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DI5MFZbd1BMANLuVeDH24b=
oBVJ1CSwybIg3P1RqTZweU%3d" target=3D"_blank">http://tools.ietf.org/html/dra=
ft-jones-oauth-amr-values-01</a><u></u><u></u></p>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
<p class=3D"MsoNormal">An HTML formatted version is also available at:<u></=
u><u></u></p>
<p><span style=3D"font-family:Symbol">=C2=B7</span><span style=3D"font-size=
:7.0pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
</span><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp=
%3a%2f%2fself-issued.info%2fdocs%2fdraft-jones-oauth-amr-values-01.html&amp=
;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a=
4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3DrpA2%2fLQGs5mdom=
EP4xBu7T9V4PWzVi2j8d1VTzPCCZg%3d" target=3D"_blank">http://self-issued.info=
/docs/draft-jones-oauth-amr-values-01.html</a><u></u><u></u></p>
<p class=3D"MsoNormal"><span style=3D"color:#888888">=C2=A0<u></u><u></u></=
span></p>
<p class=3D"MsoNormal"><span style=3D"color:#888888">=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<u></u><u></u></span></p>
<p class=3D"MsoNormal">=C2=A0<u></u><u></u></p>
<p class=3D"MsoNormal">P.S.=C2=A0 This note was also posted at <a href=3D"h=
ttps://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%2fself-issue=
d.info%2f%3fp%3d1437&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1=
f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;=
sdata=3Dsv5HbcRW%2bjRbYcd71MRZBcFdks%2froaDqZ%2fqTKOJrJ%2fo%3d" target=3D"_=
blank">
http://self-issued.info/?p=3D1437</a> and as <a href=3D"https://na01.safeli=
nks.protection.outlook.com/?url=3Dhttps%3a%2f%2ftwitter.com%2fselfissued&am=
p;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c1f21f86f4e4a4858dff908d2=
a4cf71f3%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp;sdata=3Dex43UP5ytuIMsfe=
6SkABmPAvJbeOpXPbHQbnvixUNcQ%3d" target=3D"_blank">
@selfissued</a>.<u></u><u></u></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f=
%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c1f21f86f4e4a4858dff908d2a4cf71f3%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3DhlMpGbGhXBCYimtMJa9IfEzWSFqXRy3kKHN8Z%2bLxj=
n0%3d" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><u>=
</u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f=
%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c501738a4097c4d7e3f9608d2a83de568%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3D%2fwIM0fDpZUe7KcJcyh1JMndXAZTb0D07AgLb0ypX2=
Jc%3d" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/mailman/li=
stinfo/oauth</a><br>
<br>
</blockquote>
</div>
<br>
</div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3a%2f=
%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&amp;data=3D01%7c01%7cMichael.J=
ones%40microsoft.com%7c501738a4097c4d7e3f9608d2a83de568%7c72f988bf86f141af9=
1ab2d7cd011db47%7c1&amp;sdata=3D%2fwIM0fDpZUe7KcJcyh1JMndXAZTb0D07AgLb0ypX2=
Jc%3d" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br=
>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear=3D"all">
<div><br>
</div>
-- <br>
<div>Nat Sakimura (=3Dnat)
<div>Chairman, OpenID Foundation<br>
<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3a%2f%=
2fnat.sakimura.org%2f&amp;data=3D01%7c01%7cMichael.Jones%40microsoft.com%7c=
501738a4097c4d7e3f9608d2a83de568%7c72f988bf86f141af91ab2d7cd011db47%7c1&amp=
;sdata=3DrIoMNwbWgT09bmV%2bis9oyApufBstcWzo1QcbQpzr5l8%3d" target=3D"_blank=
">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</div></div></div>

<br></blockquote></div><br></div>

--001a11353994ba9fbc051dd9076d--


From nobody Sun Aug 23 11:37:46 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9BF31B2A16 for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 11:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3U7UhqaQmM9 for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 11:37:41 -0700 (PDT)
Received: from mail-qk0-f172.google.com (mail-qk0-f172.google.com [209.85.220.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F151B2A1A for <oauth@ietf.org>; Sun, 23 Aug 2015 11:37:41 -0700 (PDT)
Received: by qkda128 with SMTP id a128so7116036qkd.3 for <oauth@ietf.org>; Sun, 23 Aug 2015 11:37:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=AM99JafP2M5MdTOfPV7Ma4T8qva9/OEm8Tysp7Jx+Jk=; b=hd+43j0abCN2DGckybaizAz/obpidQIItXXLeGTV1epQprowie+MwkFLfP7/fbnOpn ciQ6rbrk/qWggOoAXsn7n9w83dLaxvJ4t1ZOjfhDh+00TZaugPqUJ91UeNqA33QWJTqD LtEojPhBpL44MHV0NECKUa7iuw5EBp+PMIVhsDKNEZpT9caBAPpvqqVyXj4JfH59ZjxO riuts7F4jv98kNUR1r4ozM6lcJj8pzZsxgGX8Uild9a1mHSXUghxs2iuRmZGdHO7s+f5 cf1t1ORc3fzDgHmJ8uA5wcKUBbN4KMzRR9Jx+gL5CF/RIzWNXspLO2bBJK0AZ/haRpnu mKJQ==
X-Gm-Message-State: ALoCoQmT3DmeFXNtBDtC0b2jhRA54silZrAaX1PKT7mN5zOUUpb/NteiBrQltaReiefsswGaPt1d
X-Received: by 10.55.195.198 with SMTP id r67mr8760782qkl.30.1440355060632; Sun, 23 Aug 2015 11:37:40 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.150.98]) by smtp.gmail.com with ESMTPSA id k32sm7354930qkh.39.2015.08.23.11.37.38 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 23 Aug 2015 11:37:39 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_944E46BF-9E16-41A7-B3A8-6A5B2A3BED54"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAMbDefui+rzFNibYfwYto6sGiLLcLaL4GCfd2yVUqGS2BLtMTA@mail.gmail.com>
Date: Sun, 23 Aug 2015 15:37:36 -0300
Message-Id: <F0834D39-B1FE-4FE8-95CD-D87407EE6FC7@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com> <CAAP42hBa71xpCX9Zwm6bdfMYSur4JxGvLtd3q-9xLtQfLWO09A@mail.gmail.com> <CAMbDefui+rzFNibYfwYto6sGiLLcLaL4GCfd2yVUqGS2BLtMTA@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/W5sCUJWNBNSEgYvJidkXch1Wgro>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 18:37:45 -0000

--Apple-Mail=_944E46BF-9E16-41A7-B3A8-6A5B2A3BED54
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_80C4037F-12D3-41BF-9924-CF87E6824AA6"


--Apple-Mail=_80C4037F-12D3-41BF-9924-CF87E6824AA6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

OIDC returns a signed JWT/id_token from the token endpoint that can contain
all of that information (no extra round trips). Setting an id_token as a
cookie is not unusual. I would not conflate the access token with session
tokens.

John B.

> On Aug 23, 2015, at 3:32 PM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>
> Hi folks,
>
> First off, I appreciate your answers.
>
> What I try to do with OAuth is to design a set of APIs which allow writing
> applications without a server in a standard-compliant way, and I chose OAuth
> for the social web. Because the current API I work on uses a kind of
> Form-based authentication
> (https://en.wikipedia.org/wiki/Form-based_authentication), I started with
> Resource Owner Password Credentials first to support other grant types
> gracefully later. Here I faced the problem with authentication. (Now I
> realize that I may have abused OAuth, according to your answers.)
>
> My thought is to use access_token as a session token containing values like
> roles, not just a reference to such values in the server's memory
> (traditional cookie). That means access_token should be a JSON Web Token
> (JWT) which contains username (to log who did an action), roles (ACL, to
> determine whether this request has a proper permission), and so on. Then
> every server (or microservice unit) accepting requests doesn't need either
> session state in its memory (stateless) or a dependency on the auth server,
> because the access_token included in the Authorization request header as a
> bearer token contains all of the authentication and authorization
> information. Having said that, because the token would not be valid over
> time if values contained in the token might be changed, e.g. role, or due to
> OAuth's expiration mechanism, removing the dependency on the auth server is
> unlikely to be feasible practically IMO. (Then it would be better for
> access_token to be a reference rather than a set of values.)
>
> As for the original question, as Bill pointed out, it's okay to get user
> information by username through another separate endpoint for that purpose
> (like /userinfo in the context of OpenID Connect (OIDC)). Though, I wanted
> to reduce round-trips by adding a custom property to the token endpoint's
> response.
>
> Here are some questions:
>
> 1. Is it an abuse of OAuth to use access_token as a session token which is
> a set of values, not a reference to values on the server? Or what if it is
> in the form of a reference? As far as I read
> https://tools.ietf.org/html/rfc6749, I didn't feel that access_token should
> not be like that. On the contrary, if I introduce another standard for
> authentication, API implementers should do more work and I didn't want to
> do that. In this case, support for OIDC can be regarded as an enhancement of
> the API like Google did:
> https://developers.google.com/+/web/api/rest/openidconnect/
>
> If not, or if it doesn't sound that good, I'll take a look at
> https://tools.ietf.org/html/draft-ietf-oauth-introspection-11 and
> http://openid.net/specs/openid-connect-core-1_0.html which you suggested.
> (Though I'm not comfortable that OIDC is also regarded as abuse of OAuth
> according to http://security.stackexchange.com/a/44614)
>
> Thanks!
>
> -- Donghwan
>
> On Sat, Aug 22, 2015 at 1:42 AM, William Denniss <wdenniss@google.com> wrote:
> As for your specific use-case though, as John said it's better to use
> OpenID Connect which provides a solution for what you are trying to do
> already.
>
> That way you get an interoperable solution, and one that has been vetted
> by security experts. There is even a free test suite
> <http://openid.net/certification/testing/> for you to test your
> implementation.
>
> On Fri, Aug 21, 2015 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> Requests to the token endpoint are URL form encoded, not JSON as in your
> example.
>
> The use of the password credentials grant was to allow migration from
> HTTP basic, but it is not recommended for privacy and security reasons.
>
> OpenID Connect is a better way to authenticate users.
>
> However, assuming you have a closed system and don’t care about
> interoperability between clients and the Token endpoint, you could just
> add that parameter to your AS and the world will not end.
>
> If you want to have interoperable clients then you should register the
> new element in the IANA registry, Sec 11.2 of the spec.
>
>    Parameter name:
>       The name requested (e.g., "username").
>
>    Parameter usage location:
>       token response.
>
>    Change controller:
>       For Standards Track RFCs, state "IETF".  For others, give the name
>       of the responsible party.  Other details (e.g., postal address,
>       email address, home page URI) may also be included.
>
> You need to have a specification to do that.
>
> I don’t see this as a good idea, but that is how you would do it.
>
> Regards
> John B.
>
>
>> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>>
>> Hi,
>>
>> I would like to add a custom property representing the account who
>> just authenticated to the access token response for the sake of
>> convenience, like a login request's response. Then, an exchange of
>> request and response will look like this:
>>
>> POST /tokens HTTP/1.1
>> Host: api.example.com
>> Content-Type: application/json
>>
>> {"grant_type":"password","username":"${username}","password":"${password}"}
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> Cache-Control: no-store
>> Pragma: no-cache
>>
>> {
>>   "access_token":"${JSON web token}",
>>   "token_type":"Bearer",
>>   "account": {"username":"donghwan", ...}
>> }
>>
>> However, http://tools.ietf.org/html/rfc6749#section-5.1 says that
>>
>> > The client MUST ignore unrecognized value names in the response.
>>
>> Does it mean that I shouldn't add such a property, 'account'? Though, I
>> saw the Instagram API adds such a custom property to the access token
>> response for the same purpose: https://instagram.com/developer/authentication/
>> (Please find 'snoopdogg' to see that token response.) If it's not allowed
>> or desirable, how should I add such information to the access token
>> response?
>>
>> BTW, I have some questions on usage of JSON web token with OAuth. Can
>> I post them here? If not, where should I do that?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
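As an added example (not code from this thread or from any project it mentions), here is the client side of the three points the thread settles on: the password-grant request body is form-urlencoded rather than JSON (RFC 6749 sec. 4.3.2), a conformant client drops unrecognized token-response members such as a custom "account" object (RFC 6749 sec. 5.1), and the identity of the user who just authenticated is read from a signed id_token rather than from the access token or an ad hoc member. The client_id, client secret, issuer, timestamps and the id_token itself are constructed placeholders; the id_token is HS256-signed with the client secret, which OpenID Connect Core allows as an alternative to RSA signatures.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Token-response members a client may act on: RFC 6749 sec. 5.1 plus the
# id_token member that OpenID Connect registered for the token response.
KNOWN_MEMBERS = frozenset(
    {"access_token", "token_type", "expires_in", "refresh_token", "scope", "id_token"}
)

def build_token_request(username, password, scope="openid"):
    """Password-grant body (RFC 6749 sec. 4.3.2): form-urlencoded, not JSON."""
    return urlencode(
        {"grant_type": "password", "username": username, "password": password, "scope": scope}
    )

def parse_token_response(body):
    """Return (known, ignored) per RFC 6749 sec. 5.1: unrecognized members are dropped."""
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("access_token and token_type are REQUIRED (RFC 6749 sec. 5.1)")
    known = {k: v for k, v in data.items() if k in KNOWN_MEMBERS}
    ignored = tuple(sorted(k for k in data if k not in KNOWN_MEMBERS))
    return known, ignored

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token_hs256(claims, client_secret):
    """Compact JWS issued by the constructed demo authorization server (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(sig.digest())}"

def verify_id_token(token, client_secret, issuer, client_id, now):
    """Validate alg, signature, iss, aud and exp of an HS256 id_token (OIDC Core sec. 3.1.3.7)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    # The client pins the algorithm; 'alg' in the header never selects how we verify.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg; this client only accepts HS256 from this issuer")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("client_id not in aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("id_token expired")
    return claims

def rejection_reason(token, client_secret, issuer, client_id, now):
    """None if the id_token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, client_secret, issuer, client_id, now)
    except ValueError as exc:
        return str(exc)
    return None

# --- constructed sample data: placeholders, not values from the thread ---
CLIENT_ID = "example-client"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
ISSUER = "https://as.example.com"
NOW = 1_440_355_000  # fixed "current time" so the example is deterministic
ID_TOKEN = sign_id_token_hs256(
    {"iss": ISSUER, "sub": "donghwan", "aud": CLIENT_ID, "iat": NOW - 60, "exp": NOW + 540,
     "roles": ["editor"]},  # extra claim this demo AS chooses to include
    CLIENT_SECRET,
)
# Shaped like the response in the original question, plus an id_token.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "opaque-reference-token-xyz",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": ID_TOKEN,
    "account": {"username": "donghwan"},  # custom member: ignored by a conformant client
})

def authenticated_user(response_body):
    """What a conformant client learns about the user: from id_token, not 'account'."""
    known, ignored = parse_token_response(response_body)
    claims = verify_id_token(known["id_token"], CLIENT_SECRET, ISSUER, CLIENT_ID, NOW)
    return {"sub": claims["sub"], "roles": claims.get("roles", []), "ignored": ignored}
```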


--Apple-Mail=_80C4037F-12D3-41BF-9924-CF87E6824AA6--

--Apple-Mail=_944E46BF-9E16-41A7-B3A8-6A5B2A3BED54
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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--Apple-Mail=_944E46BF-9E16-41A7-B3A8-6A5B2A3BED54--


From nobody Mon Aug 24 06:56:52 2015
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7233D1B2A10 for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 11:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level: 
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HS5tqi6nINJr for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 11:32:34 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 404981B2A0D for <oauth@ietf.org>; Sun, 23 Aug 2015 11:32:34 -0700 (PDT)
Received: by iodb91 with SMTP id b91so127004265iod.1 for <oauth@ietf.org>; Sun, 23 Aug 2015 11:32:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IZ5aJM7UDAWxG7t9KVAIOycqwbc7Gvk0FHfstrVBirc=; b=WlrlnlE6aWJ3VodZipiklMZ123MLX2BiSw1ZU8l9VJK4kL/FjAkcM/8XHZx9yrhUqP MqJVUQzbPyd17E8fzNXLeaxELVjwQPiVH9wyz+sPGzPgL3GqFB9eCUDaSVdoMLPmP1ag b7NYgIiRrrUXCTKZUWhkg5i5dCHLHCY+rcX7tF3tW3vD1OiC0Phl3czmoGm8ybfOTMLV HjfCrisrVrmXGsxs5n9D5Cx2ohewh4IvhejyuTcEkF4oA1jqFVzCEHdOSo55weDokOWL VzvYjNDUALB3iNMbekeksfuhNZ8eCG/LfM5PTdoHVZEBfOAc7dta2kJlGXf0rFcx4MaT UcAQ==
MIME-Version: 1.0
X-Received: by 10.107.166.136 with SMTP id p130mr16116614ioe.163.1440354753689;  Sun, 23 Aug 2015 11:32:33 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Sun, 23 Aug 2015 11:32:33 -0700 (PDT)
In-Reply-To: <CAAP42hBa71xpCX9Zwm6bdfMYSur4JxGvLtd3q-9xLtQfLWO09A@mail.gmail.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com> <CAAP42hBa71xpCX9Zwm6bdfMYSur4JxGvLtd3q-9xLtQfLWO09A@mail.gmail.com>
Date: Mon, 24 Aug 2015 03:32:33 +0900
Message-ID: <CAMbDefui+rzFNibYfwYto6sGiLLcLaL4GCfd2yVUqGS2BLtMTA@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a1141f39271be8f051dfeb9d1
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/D5CHN-Uu5zuy9tiIaBE569n8G_M>
X-Mailman-Approved-At: Mon, 24 Aug 2015 06:56:49 -0700
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2015 18:32:37 -0000

--001a1141f39271be8f051dfeb9d1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi folks,

First off, I appreciate your answers.

What I try to do with OAuth is to design a set of APIs which allow to write
application without server in a standard-compliant way and I chose OAuth
for the social web. Because the current API I work on uses a kind
of Form-based authentication (
https://en.wikipedia.org/wiki/Form-based_authentication), I started
with Resource Owner Password Credentials first to support other grant types
gracefully later. Here I faced the problem with authentication. (Now I
realized that I may have abused OAuth according to your answers)

My thought is to use access_token as a session token containing values like
roles not just a reference on server's memory indicating such values
(traditional cookie). That means access_token should be a JSON Web Token
(JWT) which contains usename (to log who did an action), roles (ACL, to
determine this request has a proper permission), and so on. Then every
server (or microservice unit) accepting request doesn't need to have not
only session states in its memory (stateless), but also a dependency with
auth server because access_token included in Authorization request header
as bearer token contains all about authentication and authorization
information. Having said that, because token would be not valid over time
if values contained in the token might be changed e.g. role or due to
OAuth's expiration mechanism, removing dependency with auth server is
unlikely to be feasible practically IMO. (Then it would be better for
access_token to be reference rather than a set of values)

As for the original question, as Bill pointed out, it's okay to get user
information by username through a separate endpoint for that purpose (like
/userinfo in the context of OpenID Connect (OIDC)). Though, I wanted to
reduce round-trips by adding a custom property to the token endpoint's
response.

Here are some questions:

1. Is it an abuse of OAuth to use access_token as a session token which is a
set of values, not a reference to values on the server? Or what if it is in
the form of a reference? As far as I read
https://tools.ietf.org/html/rfc6749, I didn't feel that access_token should
not be like that. On the contrary, if I introduce another standard for
authentication, API implementers have to do more work, and I didn't want
that. In this case, support for OIDC can be regarded as an enhancement of the
API, like Google did:
https://developers.google.com/+/web/api/rest/openidconnect/

If not, or if it doesn't sound that good, I'll take a look at
https://tools.ietf.org/html/draft-ietf-oauth-introspection-11 and
http://openid.net/specs/openid-connect-core-1_0.html which you suggested.
(Though I'm not comfortable that OIDC is also regarded as an abuse of OAuth
according to http://security.stackexchange.com/a/44614)

Thanks!

-- Donghwan

On Sat, Aug 22, 2015 at 1:42 AM, William Denniss <wdenniss@google.com>
wrote:

> As for your specific use-case though, as John said it's better to use
> OpenID Connect which provides a solution for what you are trying to do
> already.
>
> That way you get an interoperable solution, and one that has been vetted
> by security experts. There is even a free test suite
> <http://openid.net/certification/testing/> for you to test your
> implementation.
>
> On Fri, Aug 21, 2015 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Requests to the token endpoint are URL form encoded not JSON in your
>> example.
>>
>> The use of the password credentials grant was to allow migration from
>> HTTP basic, but it is not recommended for privacy and security reasons.
>>
>> OpenID Connect is a better way to authenticate users.
>>
>> However assuming you have a closed system and don’t care about
>> interoperability between clients and the Token endpoint, you could just add
>> that parameter to your AS and the world will not end.
>>
>> If you want to have interoperable clients then you should register the
>> new element in the IANA registry Sec 11.2 of the spec.
>>
>> Parameter name:
>>       The name requested (e.g., “username").
>>
>>    Parameter usage location:
>>       token response.
>>
>>    Change controller:
>>       For Standards Track RFCs, state "IETF".  For others, give the name
>>       of the responsible party.  Other details (e.g., postal address,
>>       email address, home page URI) may also be included.
>>
>> You need to have a specification to do that.
>>
>> I don’t see this as a good idea, but that is how you would do it.
>>
>> Regards
>> John B.
>>
>>
>> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com>
>> wrote:
>>
>> Hi,
>>
>> I would like to add a custom property representing the account who just
>> authenticated to the access token response, for the sake of convenience,
>> like a login request's response. Then, an exchange of request and response
>> will look like this:
>>
>> POST /tokens HTTP/1.1
>> Host: api.example.com
>> Content-Type: application/json
>>
>>
>> {"grant_type":"password","username":"${username}","password":"${password}"}
>>
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> Cache-Control: no-store
>> Pragma: no-cache
>>
>> {
>>   "access_token":"${JSON web token}",
>>   "token_type":"Bearer",
>>   "account": {"username":"donghwan", ...}
>> }
>>
>>
>> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>>
>> > The client MUST ignore unrecognized value names in the response.
>>
>> Does it mean that I shouldn't add such a property, 'account'? Though, I saw
>> that the Instagram API adds such a custom property to the access token
>> response for the same purpose: https://instagram.com/developer/authentication/
>> (Please search for 'snoopdogg' to see that token response.) If it's not
>> allowed or desirable, how should I add such information to the access token
>> response?
>>
>> BTW, I have some questions on usage of JSON web token with OAuth. Can I
>> post them here? If not, where should I do that?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
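The trade-off discussed in the message above (a self-contained JWT access token that lets a resource server stay stateless versus a reference token that stays current with the authorization server) can be seen directly in code. The following is an added example and not code from the thread or from any of the specifications it links; the HS256 signing key, the names, the in-process stand-in for the authorization server and its role store are all constructed for the demonstration. The `introspect` method only mirrors the idea of asking the AS and is not the API of draft-ietf-oauth-introspection. A real deployment would sign with an asymmetric key so resource servers hold only the public half.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Shared HMAC key between the AS and the resource server (constructed; demo only).
KEY = b"constructed-demo-key-do-not-reuse"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = KEY) -> str:
    """Self-contained token: the claims travel inside the token, HMAC-signed (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: int, key: bytes = KEY) -> Optional[dict]:
    """Offline validation with a pinned algorithm, constant-time signature check and exp check.
    No round-trip to the AS is needed, which is the stateless property wanted above."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class AuthServer:
    """Constructed authorization server able to issue either token style."""

    def __init__(self):
        self.roles = {"donghwan": ["user"]}   # authoritative role store
        self.reference_tokens = {}            # opaque token -> (username, exp)

    def issue_jwt(self, username: str, now: int, ttl: int = 3600) -> str:
        return mint_jwt({"sub": username, "roles": self.roles[username], "exp": now + ttl})

    def issue_reference(self, username: str, now: int, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        self.reference_tokens[token] = (username, now + ttl)
        return token

    def introspect(self, token: str, now: int) -> dict:
        """Look a reference token up; roles come from the live store, not from issue time."""
        entry = self.reference_tokens.get(token)
        if entry is None or entry[1] <= now:
            return {"active": False}
        username, _ = entry
        return {"active": True, "username": username, "roles": self.roles[username]}


def authorize_jwt(token: str, now: int, required_role: str) -> bool:
    """Resource server with a self-contained token: decides from the claims baked in at issue time."""
    claims = verify_jwt(token, now)
    return claims is not None and required_role in claims.get("roles", [])


def authorize_reference(auth: AuthServer, token: str, now: int, required_role: str) -> bool:
    """Resource server with a reference token: asks the AS, so it always sees current roles."""
    info = auth.introspect(token, now)
    return info["active"] and required_role in info["roles"]


def demo():
    """Returns (before_role_change, after_role_change, after_expiry) as (jwt_ok, reference_ok) pairs."""
    auth = AuthServer()
    now = 1_440_000_000
    jwt_token = auth.issue_jwt("donghwan", now)
    ref_token = auth.issue_reference("donghwan", now)
    before = (authorize_jwt(jwt_token, now, "admin"), authorize_reference(auth, ref_token, now, "admin"))
    auth.roles["donghwan"] = ["user", "admin"]   # role granted at the AS after the tokens were issued
    after = (authorize_jwt(jwt_token, now + 1, "admin"), authorize_reference(auth, ref_token, now + 1, "admin"))
    expired = (authorize_jwt(jwt_token, now + 3600, "user"), authorize_reference(auth, ref_token, now + 3600, "user"))
    return before, after, expired


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `((False, False), (False, True), (False, False))`: the JWT keeps reporting the roles it was minted with until it expires, while the reference token reflects the role change immediately, at the cost of one call to the AS per request. Short JWT lifetimes narrow that window but do not close it, which is the point made in the message above.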

--001a1141f39271be8f051dfeb9d1--


From nobody Mon Aug 24 06:56:54 2015
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72F481B2F1B for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 22:41:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xjJOoK21t1V for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 22:41:35 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9EEE1B2F1A for <oauth@ietf.org>; Sun, 23 Aug 2015 22:41:34 -0700 (PDT)
Received: by igui7 with SMTP id i7so53564327igu.1 for <oauth@ietf.org>; Sun, 23 Aug 2015 22:41:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:date:message-id:subject:from:to:content-type; bh=96lUHfpfcwWZcuxWNQ5cdKSo//WA7PkyqEHRRWRk1ec=; b=Rg/i9dN8vLbUCQTvJDtohOZzSsIaK9tLM1XAKVaXWj2sQVTlGGk6GUGTDgew+Eg6d0 ve6qDSX8gJfh5MlA3uUbyqzvlGERmHnOvJE64mKT61+qkxKLQY1qHn9vi6d9I0GXdIuc Fp9D8+By5CcwqACzTLmLqXgXrHnCkWUxIkn8LhViaPm1Zvdg2i/SA2nFwEdMre59F5+8 3Nees6oxitqIOzrtPZ6Y9IlTMgb3jumTQBP8gZ1hmn6aoS64f+Ro52BFTDLwm/Fc3uRO mu6zSCaHRoHuDeLkTjpiUZAevzbIsiK4LkkoAOp1aTX6bGZ4q1Ivp6NFPXgjEVP7RSUv Mv0w==
MIME-Version: 1.0
X-Received: by 10.50.164.167 with SMTP id yr7mr12473733igb.50.1440394894226; Sun, 23 Aug 2015 22:41:34 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Sun, 23 Aug 2015 22:41:34 -0700 (PDT)
Date: Mon, 24 Aug 2015 14:41:34 +0900
Message-ID: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=089e0122a7fc01bbae051e081288
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zfYv69u4cn4FXOeIx5kAifFvncc>
X-Mailman-Approved-At: Mon, 24 Aug 2015 06:56:50 -0700
Subject: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 05:41:36 -0000

--089e0122a7fc01bbae051e081288
Content-Type: text/plain; charset=UTF-8

Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
a refresh token can be used to refresh an expired access token without
requesting the resource owner to sign in again (an uncomfortable experience).
However, if that's true, couldn't the refresh token be used to request a new
access token even years later? And then isn't a refresh token the same as an
access token which never expires?

I intended to use the refresh token to implement persistent login by sending
a refresh request before the issued access token expires (expires_in runs
out). But if the refresh token works even if the access token has already
expired, sending a refresh request on application start-up would be enough.

So I'm not sure what I'm missing about refresh tokens, as well as how to
implement persistent login using them (you can regard authentication here as
the pseudo-authentication illustrated in
https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
What is the lifetime of a refresh token?

Thanks,

-- Donghwan
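One way to answer the question above in code: RFC 6749 does not fix a refresh-token lifetime, so it is authorization-server policy, and a persistent login works whether the client refreshes just before `expires_in` runs out or only on start-up, as long as the refresh token itself is still within the lifetime the AS gave it. The sketch below is an added example, not code from the thread; the lifetimes, the `"correct horse"` credential check, the names and the in-process client/server pair are constructed. It also applies refresh-token rotation, which RFC 6749 section 10.4 mentions as an option, and bounds the total session by keeping the original refresh deadline across rotations.

```python
import secrets

ACCESS_TTL = 3600           # expires_in on every access token (constructed policy)
REFRESH_TTL = 30 * 86400    # absolute refresh-token lifetime; RFC 6749 leaves this to the AS (constructed policy)


class AuthServer:
    """Constructed authorization server with single-use, absolutely bounded refresh tokens."""

    def __init__(self):
        self.access = {}    # access token  -> (username, exp)
        self.refresh = {}   # refresh token -> (username, exp)

    def _issue(self, username, now, refresh_exp):
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access[access_token] = (username, now + ACCESS_TTL)
        self.refresh[refresh_token] = (username, refresh_exp)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh_token}

    def password_grant(self, username, password, now):
        if password != "correct horse":          # constructed credential check
            return {"error": "invalid_grant"}
        return self._issue(username, now, now + REFRESH_TTL)

    def refresh_grant(self, refresh_token, now):
        entry = self.refresh.pop(refresh_token, None)   # rotation: each refresh token is single-use
        if entry is None or entry[1] <= now:
            return {"error": "invalid_grant"}           # the resource owner has to sign in again
        username, refresh_exp = entry
        return self._issue(username, now, refresh_exp)  # the new refresh token keeps the original deadline

    def is_active(self, access_token, now):
        entry = self.access.get(access_token)
        return entry is not None and entry[1] > now


class Client:
    """Client keeping a persistent login: refreshes when the access token is near or past expiry."""

    REFRESH_MARGIN = 60   # seconds before expiry at which a proactive refresh is attempted

    def __init__(self, auth):
        self.auth = auth
        self.tokens = None
        self.access_exp = 0

    def _store(self, response, now):
        if "error" in response:
            self.tokens = None
            return False
        self.tokens = response
        self.access_exp = now + response["expires_in"]
        return True

    def login(self, username, password, now):
        return self._store(self.auth.password_grant(username, password, now), now)

    def ensure_access_token(self, now):
        """A usable access token, or None when the refresh token was rejected (re-authentication needed)."""
        if self.tokens is None:
            return None
        if now >= self.access_exp - self.REFRESH_MARGIN:
            if not self._store(self.auth.refresh_grant(self.tokens["refresh_token"], now), now):
                return None
        return self.tokens["access_token"]


def demo():
    auth = AuthServer()
    client = Client(auth)
    t0 = 1_440_000_000
    logged_in = client.login("donghwan", "correct horse", t0)
    first_access = client.ensure_access_token(t0)
    first_refresh = client.tokens["refresh_token"]
    # Application restarted a week later: the access token is long expired, the refresh token is not.
    t1 = t0 + 7 * 86400
    week_later = client.ensure_access_token(t1)
    # Thirty-one days in: the refresh token's absolute lifetime has passed, so only a new login helps.
    t2 = t0 + 31 * 86400
    after_lifetime = client.ensure_access_token(t2)
    return {
        "logged_in": logged_in,
        "first_access_valid_at_t0": auth.is_active(first_access, t0),
        "first_access_dead_at_t1": not auth.is_active(first_access, t1),
        "refreshed_token_valid_at_t1": week_later is not None and auth.is_active(week_later, t1),
        "rotated_refresh_rejected": auth.refresh_grant(first_refresh, t1) == {"error": "invalid_grant"},
        "needs_login_after_lifetime": after_lifetime is None,
    }


if __name__ == "__main__":
    print(demo())
```

Every entry in the dictionary `demo()` returns is `True`. The refresh-on-start-up path and the refresh-before-expiry path are the same `ensure_access_token` call; what differs between deployments is `REFRESH_TTL` and whether rotation extends or preserves the deadline, which is exactly the policy the RFC leaves to the AS.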


--089e0122a7fc01bbae051e081288--


From nobody Mon Aug 24 06:56:55 2015
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA641B30D4 for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 23:13:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEugThr_dJMl for <oauth@ietfa.amsl.com>; Sun, 23 Aug 2015 23:13:02 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3501B30D3 for <oauth@ietf.org>; Sun, 23 Aug 2015 23:13:02 -0700 (PDT)
Received: by iodt126 with SMTP id t126so137877149iod.2 for <oauth@ietf.org>; Sun, 23 Aug 2015 23:13:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=lQH1nCcFDFUJ53zSr5iXTQwmTn2rBZLyGvCSuw6gVds=; b=fevKka9q6HreAYWVeC9YPia+GyW1R908v8H1hhH5xh1OaQgzw1HUwcstq95T1vNa23 eg7NjZm9u4OfNHxtrhqAsKmz0Kesmdis9D9/jOoOZIzu52Y13SRGLGVAyS9vVmpfYZMf d6igkWaQfrc8lJyOzWXeuW9q1GEZ/SPqJmtojLeb2CwWdLAcjv3kUCYeUgw1Aa4/yE9D o83GtKy64uO99+o9ubb7MNvqLpa978eJuHkN4iX/kK3a+M6iTuAaYl9rYjPyirBCxonG oXIo0F2+h2N//LwIk+S9xowKxMR6DOqt0PMd9HxKc8CymAP/MYFV5P7p972ys60ARP4X ZF/A==
MIME-Version: 1.0
X-Received: by 10.107.129.141 with SMTP id l13mr16691268ioi.181.1440396781676;  Sun, 23 Aug 2015 23:13:01 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Sun, 23 Aug 2015 23:13:01 -0700 (PDT)
In-Reply-To: <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
Date: Mon, 24 Aug 2015 15:13:01 +0900
Message-ID: <CAMbDeftTtT5rFxw=k65fVv++h5UagPnNp2ABzFpXODPJnLSG7w@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a113f96be821081051e088299
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hDUo_E--ThXi2dPas7kaE0EMRak>
X-Mailman-Approved-At: Mon, 24 Aug 2015 06:56:50 -0700
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 06:13:04 -0000

--001a113f96be821081051e088299
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,

> Requests to the token endpoint are URL form encoded not JSON in your
> example.

My bad.

According to http://tools.ietf.org/html/rfc6749#section-4.3,
application/x-www-form-urlencoded, not application/json, is the correct
content type for a token endpoint request. Right?

Thanks,

-- Donghwan

On Sat, Aug 22, 2015 at 1:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Requests to the token endpoint are URL form encoded not JSON in your
> example.
>
> The use of the password credentials grant was to allow migration from HTTP
> basic, but it is not recommended for privacy and security reasons.
>
> OpenID Connect is a better way to authenticate users.
>
> However assuming you have a closed system and don’t care about
> interoperability between clients and the Token endpoint, you could just add
> that parameter to your AS and the world will not end.
>
> If you want to have interoperable clients then you should register the new
> element in the IANA registry Sec 11.2 of the spec.
>
> Parameter name:
>       The name requested (e.g., “username").
>
>    Parameter usage location:
>       token response.
>
>    Change controller:
>       For Standards Track RFCs, state "IETF".  For others, give the name
>       of the responsible party.  Other details (e.g., postal address,
>       email address, home page URI) may also be included.
>
> You need to have a specification to do that.
>
> I don’t see this as a good idea, but that is how you would do it.
>
> Regards
> John B.
>
>
> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com>
> wrote:
>
> Hi,
>
> I would like to add a custom property representing the account who just
> authenticated to the access token response, for the sake of convenience,
> like a login request's response. Then, an exchange of request and response
> will look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such a property, 'account'? Though, I saw
> that the Instagram API adds such a custom property to the access token
> response for the same purpose: https://instagram.com/developer/authentication/
> (Please search for 'snoopdogg' to see that token response.) If it's not
> allowed or desirable, how should I add such information to the access token
> response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
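The two points John makes in the quoted reply, that the token request body is form-encoded rather than JSON (RFC 6749 section 4.3.2, with the parameter rules of section 3.2) and that a client "MUST ignore unrecognized value names" in the token response (section 5.1), are shown below from both sides of the exchange. This is an added example using only the Python standard library, not code from the thread; the function names and the constructed response body with an `account` member are assumptions. The last function is what "MUST ignore" means for a conforming client: a non-standard member is dropped, not rejected, so adding one at the AS does not break interoperable clients, it just does not reach them.

```python
import json
from urllib.parse import parse_qs, urlencode

FORM = "application/x-www-form-urlencoded"
# Members of a successful token response defined by RFC 6749 section 5.1.
KNOWN_RESPONSE_MEMBERS = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}


def build_token_request(username, password):
    """Client side: body for the resource owner password credentials grant (RFC 6749 section 4.3.2).
    urlencode percent-encodes '&', '=' and '+' so a credential containing them survives the round trip."""
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return FORM, body


def parse_token_request(content_type, body):
    """Server side: a token endpoint understands form-encoded bodies only; anything else is invalid_request."""
    if content_type.split(";")[0].strip().lower() != FORM:
        return {"error": "invalid_request", "error_description": "body must be " + FORM}
    params = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if len(values) != 1:   # section 3.2: a parameter MUST NOT be included more than once
            return {"error": "invalid_request", "error_description": "duplicate parameter " + key}
        if values[0] == "":    # section 3.2: a parameter sent without a value is treated as omitted
            continue
        params[key] = values[0]
    # Unrecognised request parameters are kept in params and simply not consulted (section 3.2).
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    for required in ("username", "password"):
        if required not in params:
            return {"error": "invalid_request", "error_description": "missing " + required}
    return params


def parse_token_response(text):
    """Client side: keep the members the client recognises and ignore the rest (RFC 6749 section 5.1)."""
    data = json.loads(text)
    if "error" in data:
        return data
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response lacks required members")
    return {key: value for key, value in data.items() if key in KNOWN_RESPONSE_MEMBERS}


if __name__ == "__main__":
    content_type, body = build_token_request("donghwan", "p&ss=w0rd+!")
    print(content_type, body)
    print(parse_token_request(content_type, body))
    # Constructed AS response carrying a non-standard 'account' member, as in the message above.
    constructed = '{"access_token":"x","token_type":"Bearer","expires_in":3600,"account":{"username":"donghwan"}}'
    print(parse_token_response(constructed))
```

Run stand-alone, the script shows the password `p&ss=w0rd+!` encoded as `p%26ss%3Dw0rd%2B%21` and decoded back intact, a JSON body answered with `invalid_request`, and the `account` member absent from what the client keeps.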


--001a113f96be821081051e088299--


From nobody Mon Aug 24 07:46:00 2015
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C563F1A1BE5 for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 07:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vKYjlKk8xEls for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 07:45:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 142781A1BDA for <oauth@ietf.org>; Mon, 24 Aug 2015 07:45:55 -0700 (PDT)
X-AuditID: 1209190d-f796f6d000005314-31-55db2e22cec1
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 82.F7.21268.22E2BD55; Mon, 24 Aug 2015 10:45:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t7OEjsNY009039; Mon, 24 Aug 2015 10:45:54 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7OEjqH6015732 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 24 Aug 2015 10:45:53 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_5BB500D5-F93A-4EB7-B266-239E0BB3EBCA"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 10:45:51 -0400
Message-Id: <DB44F4C2-3AC4-4622-9B1A-28631B71F5CE@mit.edu>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/7bRnkLixqaTl_kqNQ3imwZEELgk>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 14:45:59 -0000

--Apple-Mail=_5BB500D5-F93A-4EB7-B266-239E0BB3EBCA
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

The lifetime of a refresh token is up to the AS — they can expire, be revoked, etc. The difference between a refresh token and an access token is the audience: the refresh token only goes back to the AS, the access token goes to the RS.

Also, just getting an access token doesn’t mean the user’s logged in. In fact, the user might not even be there anymore, which is actually the intended use case of the refresh token. Refreshing the access token will give you access to an API on the user’s behalf; it will not tell you if the user’s there.

OpenID Connect doesn’t just give you user information from an access token, it also gives you an ID token. This is a separate piece of data that’s directed at the client itself, not the AS or the RS. In OIDC, you should only consider someone actually “logged in” by the protocol if you can get a fresh ID token. Refreshing it is not likely to be enough.

 — Justin

> On Aug 24, 2015, at 1:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>
> Hi,
>
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
>
> I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.
>
> So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
>
> Thanks,
>
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_5BB500D5-F93A-4EB7-B266-239E0BB3EBCA--


From nobody Mon Aug 24 08:08:53 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16A2D1A1A82 for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 08:08:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8kiGlDUhNZi for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 08:08:41 -0700 (PDT)
Received: from mail-qk0-f180.google.com (mail-qk0-f180.google.com [209.85.220.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7881D1A0197 for <oauth@ietf.org>; Mon, 24 Aug 2015 08:08:40 -0700 (PDT)
Received: by qkbm65 with SMTP id m65so70429089qkb.2 for <oauth@ietf.org>; Mon, 24 Aug 2015 08:08:39 -0700 (PDT)
X-Received: by 10.55.197.82 with SMTP id p79mr2986804qki.5.1440428919635; Mon, 24 Aug 2015 08:08:39 -0700 (PDT)
Received: from [192.168.1.41] (186-79-69-78.baf.movistar.cl. [186.79.69.78]) by smtp.gmail.com with ESMTPSA id 124sm11313478qht.14.2015.08.24.08.08.34 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Aug 2015 08:08:38 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_4F6BC506-C322-4C97-BBA2-26E91E5540EE"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 12:08:21 -0300
Message-Id: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/eXYz0pnoiQmoUnJv8zO1gUPxvqg>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 15:08:50 -0000

--Apple-Mail=_4F6BC506-C322-4C97-BBA2-26E91E5540EE
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_A355472D-335F-4996-B281-76AFDC668721"


--Apple-Mail=_A355472D-335F-4996-B281-76AFDC668721
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

I think Nat’s diagram about the problems of doing pseudo-authentication with OAuth is being taken out of context.

The refresh token doesn’t expire; it is revoked by the user or system. In some cases refresh tokens are automatically revoked if the user's session to the AS ends. I think AOL typically revokes refresh tokens when sessions terminate.

OpenID Connect provides a separate id_token with an independent lifetime from the refresh token. A client may keep a refresh token for a much longer time than the user has a login session with the AS.

Refresh tokens are typically used by confidential clients that are using a client secret in combination with the refresh token for getting a new access token.

By design, access tokens should be short-lived, as the AS is expected to have a way of revoking refresh tokens but not access tokens.
An access token that doesn't expire, and can’t be revoked, is not a good idea.

John B.


> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>
> Hi,
>
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
>
> I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.
>
> So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
>
> Thanks,
>
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_A355472D-335F-4996-B281-76AFDC668721--

--Apple-Mail=_4F6BC506-C322-4C97-BBA2-26E91E5540EE
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_4F6BC506-C322-4C97-BBA2-26E91E5540EE--
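As an added example (not code from John, Justin or any real authorization server), a toy model of the semantics both replies describe: short-lived access tokens addressed to the RS, refresh tokens with no time-based expiry that are revoked when the user's AS session ends and that only work together with the issuing confidential client's secret, and a client-side "logged in" check that looks at the ID token's auth_time rather than at whether a refresh succeeded. ToyAuthorizationServer, the session bookkeeping, LOGIN_MAX_AGE and the sample client are assumptions; auth_time is the OIDC claim of that name.

```python
"""Toy model of the token semantics in this thread (added example; all names assumed)."""
import hmac
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_TTL = 300   # seconds: access tokens are short-lived by design
LOGIN_MAX_AGE = 900      # client policy (assumed): the user counts as logged in only
                         # if the ID token shows authentication within this window


@dataclass
class RefreshRecord:
    client_id: str       # confidential client the refresh token was issued to
    session_id: str      # AS login session it is bound to
    subject: str
    auth_time: float     # when the user actually authenticated at the AS
    revoked: bool = False


@dataclass
class ToyAuthorizationServer:
    clients: dict                                        # client_id -> client_secret
    sessions: set = field(default_factory=set)
    refresh_tokens: dict = field(default_factory=dict)   # token string -> RefreshRecord

    def login(self, subject, client_id, now):
        """Interactive sign-in at the AS: opens a session, issues tokens plus a refresh token."""
        session_id = secrets.token_urlsafe(16)
        self.sessions.add(session_id)
        rt = secrets.token_urlsafe(32)
        rec = RefreshRecord(client_id, session_id, subject, auth_time=now)
        self.refresh_tokens[rt] = rec
        resp = self._issue(rec, now)
        resp["refresh_token"] = rt
        return resp, session_id

    def _issue(self, rec, now):
        # Access token: audience is the RS and it simply expires; no revocation list.
        # ID token: audience is the client; iat is new but auth_time is carried over.
        return {
            "access_token": {"sub": rec.subject, "aud": "resource-server",
                             "exp": now + ACCESS_TOKEN_TTL},
            "id_token": {"sub": rec.subject, "aud": rec.client_id,
                         "iat": now, "auth_time": rec.auth_time},
            "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL,
        }

    def refresh(self, rt, client_id, client_secret, now):
        """Token endpoint, grant_type=refresh_token, with client authentication.
        The refresh token has no time-based expiry; it fails only when revoked
        or when presented by a client other than the one it was issued to."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec.revoked or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        return self._issue(rec, now)

    def end_session(self, session_id):
        """The user's AS session ends: revoke every refresh token bound to it."""
        self.sessions.discard(session_id)
        for rec in self.refresh_tokens.values():
            if rec.session_id == session_id:
                rec.revoked = True


def access_token_usable(access_token, now):
    """What the RS checks: correct audience and not yet expired."""
    return access_token["aud"] == "resource-server" and now < access_token["exp"]


def user_logged_in(id_token, client_id, now, max_age=LOGIN_MAX_AGE):
    """What the client checks before treating the user as present: the ID token
    is addressed to this client and auth_time is recent. A fresh iat obtained by
    refreshing does not help, which is why a refresh alone is not 'logged in'."""
    return id_token["aud"] == client_id and (now - id_token["auth_time"]) <= max_age


def demo():
    """Replay the scenario from the thread and return what each step observed."""
    AS = ToyAuthorizationServer(clients={"app": "s3cret"})   # constructed sample client
    t0 = 1_000_000.0
    resp, session = AS.login("donghwan", "app", now=t0)
    rt = resp["refresh_token"]
    later = t0 + 3600      # an hour later: the access token is long expired
    out = {
        "access_expired": not access_token_usable(resp["access_token"], later),
        "refresh_ok": "access_token" in AS.refresh(rt, "app", "s3cret", later),
        "wrong_secret": AS.refresh(rt, "app", "nope", later).get("error"),
    }
    new_id = AS.refresh(rt, "app", "s3cret", later)["id_token"]
    out["logged_in_after_refresh"] = user_logged_in(new_id, "app", later)
    AS.end_session(session)   # logout at the AS revokes the refresh token
    out["refresh_after_logout"] = AS.refresh(rt, "app", "s3cret", later).get("error")
    return out
```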


From nobody Mon Aug 24 08:12:41 2015
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A28F1A0121 for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 08:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jvD0C3jqZnpR for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 08:12:38 -0700 (PDT)
Received: from mail-ob0-f178.google.com (mail-ob0-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5390A1A007E for <oauth@ietf.org>; Mon, 24 Aug 2015 08:12:38 -0700 (PDT)
Received: by obbwr7 with SMTP id wr7so115939842obb.2 for <oauth@ietf.org>; Mon, 24 Aug 2015 08:12:37 -0700 (PDT)
X-Received: by 10.60.45.104 with SMTP id l8mr22506655oem.61.1440429157834; Mon, 24 Aug 2015 08:12:37 -0700 (PDT)
Received: from [10.17.60.128] (mobile-166-173-057-142.mycingular.net. [166.173.57.142]) by smtp.gmail.com with ESMTPSA id p10sm10239935oev.0.2015.08.24.08.12.36 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Aug 2015 08:12:36 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-859ADEE8-59BE-4412-8870-2893337F3982
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manicode.com>
X-Mailer: iPhone Mail (12H321)
In-Reply-To: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 09:12:35 -0600
Content-Transfer-Encoding: 7bit
Message-Id: <0319D202-789F-448B-823C-A538309B4F7E@manicode.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/b4UUwTLyiwJZL_e40JgCnu6KhAM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 15:12:40 -0000

--Apple-Mail-859ADEE8-59BE-4412-8870-2893337F3982
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

There is a good debate and discussion on refresh tokens on StackOverflow.

http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens

Is this a good place to send developers to answer refresh token questions, and if not, can the illustrious smart people on this list update StackOverflow if necessary?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Aug 23, 2015, at 11:41 PM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>
> Hi,
>
> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be used to refresh an expired access token without requesting the resource owner to sign in again (an uncomfortable experience). However, if that's true, isn't it the case that a refresh token might be used to request a new access token even years later? And then isn't a refresh token the same as an access token which never expires?
>
> I intended to use the refresh token to implement persistent login by sending a refresh request before the issued access token expires (expires_in runs out). But if the refresh token works even if the access token has already expired, sending a refresh request on application start-up would be enough.
>
> So I'm not sure what I'm missing about refresh tokens, as well as how to implement persistent login using them (you can regard authentication here as the pseudo-authentication illustrated in https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg). What is the lifetime of a refresh token?
>
> Thanks,
>
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-859ADEE8-59BE-4412-8870-2893337F3982--


From nobody Mon Aug 24 10:01:16 2015
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508D01ACDE9 for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 10:01:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.209
X-Spam-Level: 
X-Spam-Status: No, score=-2.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KZGau6bSm6Aj for <oauth@ietfa.amsl.com>; Mon, 24 Aug 2015 10:01:11 -0700 (PDT)
Received: from nm50-vm2.bullet.mail.bf1.yahoo.com (nm50-vm2.bullet.mail.bf1.yahoo.com [216.109.115.221]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F4181ACDE7 for <oauth@ietf.org>; Mon, 24 Aug 2015 10:01:11 -0700 (PDT)
Received: from [98.139.215.141] by nm50.bullet.mail.bf1.yahoo.com with NNFMP;  24 Aug 2015 17:01:10 -0000
Received: from [98.139.212.208] by tm12.bullet.mail.bf1.yahoo.com with NNFMP;  24 Aug 2015 17:01:10 -0000
Received: from [127.0.0.1] by omp1017.mail.bf1.yahoo.com with NNFMP; 24 Aug 2015 17:01:10 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 785525.66541.bm@omp1017.mail.bf1.yahoo.com
X-YMail-OSG: hFAsttEVM1kGaf2unr7od.GrSmSyrOzJO3RLFCUDk9_DSt9UNvhok4NK.ADCf95 9bfkuK3H3NymFCuoXWybrISXjsJPSVh4F8IXv1mOBEpqAMoaw6C9LnPTAxlIx7eqcbsvBw55kqmt w_9_U6nYh5kYPFZur.Nu1Caz91C0SPMwEXyH8NAdsYJnNyv3w35EM58qOWXFhFxbFoVaH84GReak d91y_lTUb4UJ_MPsOCzPT15kdpaHO4zJWx12WHjfjDUmKrjg.mKJM0RITLwRJqRILOVr_UQYmvKT KK_hDniVAqXPmlY1V5ua4CYIKoG9t9AtwV36q60_pR9StwuUlZHBFNDD4Sbb2zP9KAq_vJVAeeNk FwsSi2LhOgoQurPrGaf8xRZtfejtUwF89gFmwqfNt4SGDs9Z1xOSbwjwUygdl.a3kAYd2VQrhgTZ xRNk9SJMcXtLssFKKxSEtsFTA1VtHOSApY_N5ijQvrSAWyggwxKuzM5UNTWWOpZftxzf81NEVqtv UnqkOYruKwJkDfA--
Received: by 66.196.80.121; Mon, 24 Aug 2015 17:01:10 +0000 
Date: Mon, 24 Aug 2015 17:01:10 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>,  Donghwan Kim <flowersinthesand@gmail.com>
Message-ID: <1261043119.9433875.1440435670047.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
References: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_9433873_165754956.1440435670041"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/b4RigTrS_KAli5k1nF4khNvTGmU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 17:01:14 -0000

------=_Part_9433873_165754956.1440435670041
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

You could have a refresh token that never expires.  Having to use the
refresh token to get a new access token gives you a single control point
to allow checking whether that refresh token should still be valid.
Means the RS doesn't have to do that stuff.


     On Monday, August 24, 2015 8:09 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:


 I think Nat's diagram about the problems of doing pseudo authentication
with OAuth is being taken out of context.
The refresh token doesn't expire, it is revoked by the user or system.
In some cases refresh tokens are automatically revoked if the user's
session to the AS ends.  I think AOL typically revokes refresh tokens
when sessions terminate.
OpenID Connect provides a separate id_token with an independent lifetime
from the refresh token.  A client may keep a refresh token for a much
longer time than the user has a login session with the AS.
Refresh tokens are typically used by confidential clients that are using
a client secret in combination with the refresh token for getting a new
access token.
By design access tokens should be short lived as the AS is expected to
have a way of revoking refresh tokens but not access tokens. An access
token that doesn't expire, and can't be revoked is not a good idea.
John B.


On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
a refresh token can be used to refresh an expired access token without
requesting the resource owner to sign in again (an uncomfortable
experience). However, if it's true, isn't it the case that a refresh token
might be used to request a new access token even years later? And then
isn't a refresh token the same as an access token which never expires?
I intended to use the refresh token to implement persistent login by
sending a refresh request before the issued access token expires
(expires_in runs out). But if the refresh token works even if the access
token has expired already, sending a refresh request on application
start-up would be enough.
So I'm not sure what I'm missing about refresh tokens, as well as how to
implement persistent login using them (you can regard authentication here
as the pseudo-authentication illustrated in
https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
What is the lifetime of a refresh token?
Thanks,
-- Donghwan
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



------=_Part_9433873_165754956.1440435670041--


From nobody Fri Aug 28 01:44:02 2015
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8636C1B2AEC for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 01:44:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.251
X-Spam-Level: 
X-Spam-Status: No, score=-2.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8lIwY-IdB7yD for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 01:43:58 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275A41AD08F for <oauth@ietf.org>; Fri, 28 Aug 2015 01:43:57 -0700 (PDT)
Received: from [80.187.101.24] (helo=[10.23.196.190]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1ZVFGH-0004au-B2; Fri, 28 Aug 2015 10:43:49 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----GF6UIMOD2AEB89J6GMCQ4SFQNQBS7G"
Content-Transfer-Encoding: 8bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Fri, 28 Aug 2015 10:43:52 +0200
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
Message-ID: <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/mI0LQqm4J40JZtkIOl6QP2xVzEE>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 08:44:01 -0000

------GF6UIMOD2AEB89J6GMCQ4SFQNQBS7G
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
 charset=UTF-8

Refresh tokens are also used by public clients, e.g. native apps. OIDC allows acquiring a new id token from a refresh token as well. Note: this does not mean a fresh authentication but a refreshed id token containing the data of the original authentication transaction.

On 24 August 2015 at 17:08:21 MESZ, John Bradley <ve7jtb@ve7jtb.com> wrote:
>I think Nat's diagram about the problems of doing pseudo authentication
>with OAuth is being taken out of context.
>
>The refresh token doesn't expire, it is revoked by the user or system.
>In some cases refresh tokens are automatically revoked if the user's
>session to the AS ends.  I think AOL typically revokes refresh tokens
>when sessions terminate.
>
>OpenID Connect provides a separate id_token with an independent lifetime
>from the refresh token.  A client may keep a refresh token for a much
>longer time than the user has a login session with the AS.
>
>Refresh tokens are typically used by confidential clients that are
>using a client secret in combination with the refresh token for getting
>a new access token.
>
>By design access tokens should be short lived as the AS is expected to
>have a way of revoking refresh tokens but not access tokens.
>An access token that doesn't expire, and can't be revoked is not a good
>idea.
>
>John B.
>
>
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>> <flowersinthesand@gmail.com> wrote:
>> 
>> Hi,
>> 
>> According to Figure 2 from
>> http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be
>> used to refresh an expired access token without requesting the resource
>> owner to sign in again (an uncomfortable experience). However, if it's
>> true, isn't it the case that a refresh token might be used to request a
>> new access token even years later? And then isn't a refresh token the
>> same as an access token which never expires?
>> 
>> I intended to use the refresh token to implement persistent login by
>> sending a refresh request before the issued access token expires
>> (expires_in runs out). But if the refresh token works even if the access
>> token has expired already, sending a refresh request on application
>> start-up would be enough.
>> 
>> So I'm not sure what I'm missing about refresh tokens, as well as how to
>> implement persistent login using them (you can regard authentication
>> here as the pseudo-authentication illustrated in
>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>> What is the lifetime of a refresh token?
>> 
>> Thanks,
>> 
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth

------GF6UIMOD2AEB89J6GMCQ4SFQNQBS7G--


From nobody Fri Aug 28 08:08:17 2015
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5981B2B13 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 07:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCgoUBd1iXLK for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 07:21:42 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7271B2AF5 for <oauth@ietf.org>; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
Received: by igbuu8 with SMTP id uu8so8479054igb.0 for <oauth@ietf.org>; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JZO2+b/4QuIbqdi2Uzc+xNbhwsQlXDh4xrpuA6Mb7sk=; b=LbDO8qXcwvj1YyYLAx7TQ9EI6h4tFZ7ydDEGqevGr/gYr3LrGwxGIRzzEKCssMestE ndbcBuFkoadrGGmI2QOP3043mA5sspJwkAGqBrzQbmm5YRe4HThI9YgUX4SeyBOcwd4m C2cKpzxs5Q1DDyMlrXQ3wbeeqHhlgin6re9FABQnQHTjGlo5CaQrNVQsMLX8t+kYBcSY zSUqFOrOOKu4YoKTF7DxLVBrg7jNLODPAKJalb74qkyXsLGXAyz/w+FUpTD5NCQnn/VE 8zJmj0aLmRDmDvQMss4KIB64i1TdOwUyr/r4v/FSHCeUKgU32zwaEgSuWeVe7S5BAG9z eARg==
MIME-Version: 1.0
X-Received: by 10.50.26.66 with SMTP id j2mr3417908igg.42.1440771701295; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Fri, 28 Aug 2015 07:21:41 -0700 (PDT)
In-Reply-To: <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net>
Date: Fri, 28 Aug 2015 23:21:41 +0900
Message-ID: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary=047d7bd75bb27551d7051e5fcd05
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lf0atYWt_JUJ03P8jSqMcToe6Zw>
X-Mailman-Approved-At: Fri, 28 Aug 2015 08:08:17 -0700
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 14:21:44 -0000

--047d7bd75bb27551d7051e5fcd05
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I'm sorry to introduce a common topic.

As John has suggested, I'm going to design it so that

* An access token should be short-lived, e.g. 5 minutes (so as not to hit
the AS to verify the token) or 1 hour (hitting the AS to verify the token).
I'm inclined to 5 minutes for a stateless architecture of RSs.
* A refresh token should have 1 month of expiration time by default. If it
turns out that some access token has expired, its refresh token should
refresh the token. Then, so-called persistent login can be implemented
regardless of the form of authentication. Only if it fails for some reason,
e.g. token revocation or inactivity for 1 month, is a user logged out
automatically and required to log in again.
* A refresh token should be able to be revoked somehow. With the 5-minute
approach, it will invalidate only the refresh token (yes, the attacker can
have 5 minutes at most), and with the 1-hour approach, it will invalidate
the refresh token as well as the corresponding access token.

Thanks,

-- Donghwan

On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Refresh tokens are also used by public clients, e.g. native apps. OIDC
> allows acquiring a new id token from a refresh token as well. Note: this
> does not mean a fresh authentication but a refreshed id token containing
> the data of the original authentication transaction.
>
> On 24 August 2015 at 17:08:21 MESZ, John Bradley <ve7jtb@ve7jtb.com>
> wrote:
>>
>> I think Nat's diagram about the problems of doing pseudo authentication
>> with OAuth is being taken out of context.
>>
>> The refresh token doesn't expire, it is revoked by the user or system.
>> In some cases refresh tokens are automatically revoked if the user's
>> session to the AS ends.  I think AOL typically revokes refresh tokens
>> when sessions terminate.
>>
>> OpenID Connect provides a separate id_token with an independent lifetime
>> from the refresh token.  A client may keep a refresh token for a much
>> longer time than the user has a login session with the AS.
>>
>> Refresh tokens are typically used by confidential clients that are using
>> a client secret in combination with the refresh token for getting a new
>> access token.
>>
>> By design access tokens should be short lived as the AS is expected to
>> have a way of revoking refresh tokens but not access tokens.
>> An access token that doesn't expire, and can't be revoked is not a good
>> idea.
>>
>> John B.
>>
>>
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com>
>> wrote:
>>
>> Hi,
>>
>> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
>> a refresh token can be used to refresh an expired access token without
>> requesting the resource owner to sign in again (an uncomfortable
>> experience). However, if it's true, isn't it the case that a refresh
>> token might be used to request a new access token even years later? And
>> then isn't a refresh token the same as an access token which never
>> expires?
>>
>> I intended to use the refresh token to implement persistent login by
>> sending a refresh request before the issued access token expires
>> (expires_in runs out). But if the refresh token works even if the access
>> token has expired already, sending a refresh request on application
>> start-up would be enough.
>>
>> So I'm not sure what I'm missing about refresh tokens, as well as how to
>> implement persistent login using them (you can regard authentication here
>> as the pseudo-authentication illustrated in
>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>> What is the lifetime of a refresh token?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
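
[Editor's added example, not code from anyone in this thread.] The model the thread converges on can be made concrete in a few dozen lines: access tokens carry a fixed short expiry, refresh tokens have no fixed expiry but are revoked (explicitly, or after the month of inactivity Donghwan proposes), and every refresh passes through the authorization server, which is the "single control point" Bill Mills describes in the first message. The class and function names, the client-id binding check (a stand-in for John's "client secret in combination with the refresh token"), the fake clock and the 5-minute/1-month values are assumptions; `introspect()` stands for the "hit the AS" variant, where revoking a refresh token also removes its outstanding access tokens, whereas a stateless RS validating locally would still honour them for up to 5 minutes, as Donghwan notes.

```python
import secrets
import time
from dataclasses import dataclass, field

# Lifetimes taken from Donghwan's proposal above; assumptions for this toy,
# not values mandated by RFC 6749.
ACCESS_TTL = 5 * 60                 # access tokens live 5 minutes
REFRESH_IDLE_TTL = 30 * 24 * 3600   # refresh tokens die after 1 month unused


@dataclass
class RefreshRecord:
    subject: str
    client_id: str          # client the token was issued to (binding check)
    last_used: float
    revoked: bool = False
    access_tokens: set = field(default_factory=set)


class AuthServer:
    """Hypothetical AS keeping both token kinds in memory."""

    def __init__(self, now=time.time):
        self.now = now                  # injectable clock, for the scenario
        self.refresh_tokens = {}        # refresh token -> RefreshRecord
        self.access_tokens = {}         # access token -> (subject, exp)

    def issue(self, subject, client_id):
        """Initial grant: returns (access_token, refresh_token)."""
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = RefreshRecord(subject, client_id, self.now())
        return self._mint_access(rt), rt

    def _mint_access(self, rt):
        rec = self.refresh_tokens[rt]
        at = secrets.token_urlsafe(32)
        self.access_tokens[at] = (rec.subject, self.now() + ACCESS_TTL)
        rec.access_tokens.add(at)       # remembered so revocation can cascade
        return at

    def refresh(self, rt, client_id):
        """The single control point: every refresh re-checks the record."""
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec.revoked or rec.client_id != client_id:
            return None
        if self.now() - rec.last_used > REFRESH_IDLE_TTL:
            rec.revoked = True          # a month of inactivity: logged out
            return None
        rec.last_used = self.now()
        return self._mint_access(rt)

    def revoke(self, rt):
        """Kill the refresh token and its outstanding access tokens."""
        rec = self.refresh_tokens.get(rt)
        if rec is None:
            return False
        rec.revoked = True
        for at in rec.access_tokens:
            self.access_tokens.pop(at, None)
        rec.access_tokens.clear()
        return True

    def introspect(self, at):
        """What an RS that asks the AS sees; a stateless RS would not."""
        entry = self.access_tokens.get(at)
        if entry is None:
            return {"active": False}
        subject, exp = entry
        if self.now() >= exp:
            return {"active": False}
        return {"active": True, "sub": subject, "exp": exp}


class Clock:
    """Fake clock so the scenario can jump forward deterministically."""
    def __init__(self, start=1_440_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Walk through the lifecycle discussed in the thread; returns states."""
    clock = Clock()
    srv = AuthServer(now=clock)
    out = {}
    at, rt = srv.issue("alice", "web-app")
    out["fresh_active"] = srv.introspect(at)["active"]              # True
    clock.advance(ACCESS_TTL + 1)
    out["expired_after_5min"] = srv.introspect(at)["active"]        # False
    at2 = srv.refresh(rt, "web-app")                                # app start-up
    out["refresh_gives_new"] = srv.introspect(at2)["active"]        # True
    out["wrong_client"] = srv.refresh(rt, "other-app")              # None
    clock.advance(20 * 24 * 3600)                                   # 20 days idle
    at3 = srv.refresh(rt, "web-app")
    out["still_valid_after_20d"] = at3 is not None                  # True
    srv.revoke(rt)
    out["refresh_after_revoke"] = srv.refresh(rt, "web-app")        # None
    out["access_after_revoke"] = srv.introspect(at3)["active"]      # False
    at4, rt4 = srv.issue("bob", "native-app")
    clock.advance(REFRESH_IDLE_TTL + 1)
    out["refresh_after_idle_month"] = srv.refresh(rt4, "native-app")  # None
    return out


if __name__ == "__main__":
    for step, state in scenario().items():
        print(f"{step:28s} {state}")
```

Note that nothing here distinguishes the two lifetimes by wall clock alone: the access token is rejected purely by `exp`, while the refresh token is rejected only through state the AS keeps (revoked flag, last use, client binding), which is exactly why John says the AS is expected to be able to revoke the one but not the other.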

--047d7bd75bb27551d7051e5fcd05
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I&#39;m sorry to introduce a common topic.<div><br></div><=
div>As John has suggested, I&#39;m going to design that=C2=A0</div><div><br=
></div><div>* An access token should be short lived e.g. 5 minutes (not to =
hit the AS to verify the token or 1 hour (to hit the AS to verify the token=
). I&#39;m inclined to 5 minutes for stateless architecture of RSs.</div><d=
iv>* A refresh token should have 1 month of expiration time by default. If =
it turns out that some access token expired, its refresh token should refre=
sh the token. Then, so called persistent login can be implemented regardles=
s of the form of authentication. Only if it fails for some reason e.g. toke=
n revocation or inactivity for 1 month, a user is logged out automatically =
and should log in again.</div><div></div><div>* A refresh token should be a=
ble to be revoked somehow. With 5 minutes approach, it will invalidate only=
 the refresh token (Yes the attacker can have 5 minutes at most), and with =
1 hour approach, it will invalidate the refresh token as well as the corres=
ponding access token.<br></div><div><br></div><div><div>Thanks,<br><div><br=
></div><div><div>-- Donghwan</div></div></div></div></div><div class=3D"gma=
il_extra"><br><div class=3D"gmail_quote">On Fri, Aug 28, 2015 at 5:43 PM, T=
orsten Lodderstedt <span dir=3D"ltr">&lt;<a href=3D"mailto:torsten@lodderst=
edt.net" target=3D"_blank">torsten@lodderstedt.net</a>&gt;</span> wrote:<br=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex"><div style=3D"word-wrap:break-word">Refresh=
 tokens are also used by public clients, e.g. native apps. OIDC allows to a=
cquire a new id token from a refresh token as well. Note: this does not mea=
n a fresh authentication but a refreshed id token containing the data of th=
e original authentication transaction. <br><div><div class=3D"h5"><br><div =
class=3D"gmail_quote">Am 24. August 2015 17:08:21 MESZ, schrieb John Bradle=
y &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.=
com</a>&gt;:<blockquote class=3D"gmail_quote" style=3D"margin:0pt 0pt 0pt 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I think Nat=E2=80=99s diagram about the problems of doing pseudo authentica=
tion with OAuth is being taken out of context.<div><br></div><div>The refre=
sh token dosen=E2=80=99t expire, it is revoked by the user or system.=C2=A0=
 In some cases refresh tokens are automatically revoked if the users sessio=
n to the AS ends.=C2=A0 I think AOL typically revokes refresh tokens when s=
essions terminate.</div><div><br></div><div>OpenID Connect provides a separ=
ate id_token with a independent lifetime from the refresh token.=C2=A0 A cl=
ient may keep a refresh token for a much longer time than the user has a lo=
gin session with the AS.</div><div><br></div><div>Refresh tokens are typica=
lly used by confidential clients that are using a client secret in combinat=
ion with the refresh token for getting a new access token.</div><div><br></=
div><div>By design access tokens should be short lived as the AS is
expected to have a way of revoking refresh tokens but not access tokens.</d=
iv><div>A access token that dosen&#39;t expire , and can=E2=80=99t be revok=
ed is not a good idea.</div><div><br></div><div>John B.</div><div><br></div=
><div><br><div><blockquote type=3D"cite"><div>On Aug 24, 2015, at 2:41 AM, =
Donghwan Kim &lt;<a href=3D"mailto:flowersinthesand@gmail.com" target=3D"_b=
lank">flowersinthesand@gmail.com</a>&gt; wrote:</div><br><div><div dir=3D"l=
tr"><div>Hi,<br></div><div><div><br></div><div>According to Figure 2 from=
=C2=A0<a href=3D"http://tools.ietf.org/html/rfc6749#section-1.5" target=3D"=
_blank">http://tools.ietf.org/html/rfc6749#section-1.5</a>, refresh token c=
an be used to refresh an expired access token without requesting resource o=
wner to sign in again (uncomfortable experience). However, if it&#39;s true=
,
isn&#39;t it that refresh token might be used to request a new access token=
 even years later? and then isn&#39;t refresh token the same with access to=
ken which never expires?</div><div><br></div><div>I intended to use refresh=
 token to implement persistent login by sending a refresh request before is=
sued access token expires (expires_in runs out). But if refresh token works=
 even if access token expired already, sending a refresh request on applica=
tion start up would be enough.</div><div><br></div><div>So I&#39;m not sure=
 what I&#39;m missing about refresh token as well as how to implement persi=
stent login using it (you can regard authentication here pseudo-authenticat=
ion illustrated in <a href=3D"https://upload.wikimedia.org/wikipedia/common=
s/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg" target=3D"_blank">http=
s://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-Authenticat=
ionusingOAuth.svg</a>). What is the lifetime of refresh
token?</div><div><br></div><div>Thanks,</div><div><br></div><div>-- Donghwa=
n</div></div></div>
_______________________________________________<br>OAuth mailing list<br><a=
 href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">http=
s://www.ietf.org/mailman/listinfo/oauth</a><br></div></blockquote></div><br=
></div><p style=3D"margin-top:2.5em;margin-bottom:1em;border-bottom:1px sol=
id #000"></p><pre><hr><br>OAuth mailing list<br><a href=3D"mailto:OAuth@iet=
f.org" target=3D"_blank">OAuth@ietf.org</a><br><a href=3D"https://www.ietf.=
org/mailman/listinfo/oauth" target=3D"_blank">https://www.ietf.org/mailman/=
listinfo/oauth</a><br></pre></blockquote></div></div></div></div></blockquo=
te></div><br></div>

--047d7bd75bb27551d7051e5fcd05--


From nobody Fri Aug 28 08:15:02 2015
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F761B2E2B for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 08:15:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.209
X-Spam-Level: 
X-Spam-Status: No, score=-2.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkRuj15kv8LD for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 08:14:57 -0700 (PDT)
Received: from nm42-vm10.bullet.mail.bf1.yahoo.com (nm42-vm10.bullet.mail.bf1.yahoo.com [216.109.114.155]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 346261B2DDE for <oauth@ietf.org>; Fri, 28 Aug 2015 08:14:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1440774895; bh=A2Fh1XwuBuAZxg+uDtCSQvvcLzNGGjLpMc5oGIFsJjA=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=EXg6L7mhpCo/bXoNHncjyIpDQU9AYIqvqfn3jXysDpZRfvEAlg4UqRpVN+ER+phfSy9OQ69AtO3eZZEd+FKnoyt3qlNrzl6Fck7MaSy9W/pHFVqE1TH8HSeIWdwt8C4Q/XPqwUDrcGiAVZbQKPV53srcDMnnoji0Dtnsqa3oqmCv6pZpdZzF/gjBfkqQM8PC2MqiYX9K0U0HG8z0RB43rT0QNhQ3UmXhyubnKYmAAGu/7ZXhMWbA5SvH4kyYFWR05i+oVDceDLL3BR4QCoyWqI7Wad9a1OJtqbuvraiI8QVN4xB0hY66jeXW/rWabnliDLwIUZumCbavsmqwy2HFDQ==
Received: from [98.139.215.141] by nm42.bullet.mail.bf1.yahoo.com with NNFMP;  28 Aug 2015 15:14:55 -0000
Received: from [98.139.215.250] by tm12.bullet.mail.bf1.yahoo.com with NNFMP;  28 Aug 2015 15:14:55 -0000
Received: from [127.0.0.1] by omp1063.mail.bf1.yahoo.com with NNFMP; 28 Aug 2015 15:14:55 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 364386.96587.bm@omp1063.mail.bf1.yahoo.com
X-YMail-OSG: 069qdoUVM1ldjslLFCVoeDshBpzkz6iK_s.6gdZ_RT2_jN5BZ12AJcuY_lzvtVf z4hioc7teyNrqGF_impl.o.RNz0Zi5vpbqUxunvm5ViK4rSGhjigj8NpjHzU3XQ1NHY9Ymg44M.Q qxWFGpDZ76kcfgavA7kVbPVr0PDbBNIy4iOQgMiO3LfWGy0PcPJXLgQsuS_Z3r.CIo_hkznjw8Yb 0qeXmJJGh5JAVNVXhoQ02XSKSB5MIn4yNBX81MC0PoJjkA0QLQwFDdWUfSRhNi_wYVSMK6iGPmyy iJUL.fWx1XM2IDnbY13KwJkGpYPYQyUsFFyFNIGw_mQdSIjC88xEfzpACEqpVZjkdfn7T6kDVE0s QAkXPEps74IYvUFwTF2yy0QzMc9hbM8HaEeUFLQmcgOtLrnXM6YVyZ5ln4cfo1z8KzBBpVtbqfi6 w2yoXBCTuQNyZrOrLtQtWK5ztZcxqfYc3wX3sGy16n6f87Yd15xWoJqm0NKEgbrGq3L17l.kG97u sBcIub9Ik_EiNjDU1VciDsNlTCpZPDgsoyBXSn0WVnjLJcUQ-
Received: by 66.196.81.107; Fri, 28 Aug 2015 15:14:54 +0000 
Date: Fri, 28 Aug 2015 15:14:54 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: Donghwan Kim <flowersinthesand@gmail.com>,  Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <311612966.2262095.1440774894499.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
References: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_2262094_1742360394.1440774894485"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/i4n-f6wgwoF1MPVsBEBVEd0ZulA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 15:15:00 -0000

------=_Part_2262094_1742360394.1440774894485
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

You don't need to put an expiration on the refresh token.  You get to see
that refresh token every 5 minutes anyway.  If you ever want to force the
client to re-auth just use policy on the AS.  Nothing will be broken with
what you are doing though.


     On Friday, August 28, 2015 7:21 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:


 I'm sorry to introduce a common topic.
As John has suggested, I'm going to design that

* An access token should be short lived e.g. 5 minutes (not to hit the AS
to verify the token) or 1 hour (to hit the AS to verify the token). I'm
inclined to 5 minutes for stateless architecture of RSs.
* A refresh token should have 1 month of expiration time by default. If it
turns out that some access token expired, its refresh token should refresh
the token. Then, so-called persistent login can be implemented regardless
of the form of authentication. Only if it fails for some reason e.g. token
revocation or inactivity for 1 month, a user is logged out automatically
and should log in again.
* A refresh token should be able to be revoked somehow. With 5 minutes
approach, it will invalidate only the refresh token (Yes the attacker can
have 5 minutes at most), and with 1 hour approach, it will invalidate the
refresh token as well as the corresponding access token.

Thanks,

-- Donghwan
On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Refresh tokens are also used by public clients, e.g. native apps. OIDC
allows to acquire a new id token from a refresh token as well. Note: this
does not mean a fresh authentication but a refreshed id token containing
the data of the original authentication transaction.

On 24 August 2015 17:08:21 MESZ, John Bradley <ve7jtb@ve7jtb.com> wrote:
I think Nat’s diagram about the problems of doing pseudo authentication
with OAuth is being taken out of context.
The refresh token doesn’t expire, it is revoked by the user or system.  In
some cases refresh tokens are automatically revoked if the user's session
to the AS ends.  I think AOL typically revokes refresh tokens when sessions
terminate.
OpenID Connect provides a separate id_token with an independent lifetime
from the refresh token.  A client may keep a refresh token for a much
longer time than the user has a login session with the AS.
Refresh tokens are typically used by confidential clients that are using a
client secret in combination with the refresh token for getting a new
access token.
By design access tokens should be short lived as the AS is expected to have
a way of revoking refresh tokens but not access tokens. An access token
that doesn't expire, and can’t be revoked is not a good idea.
John B.


On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
Hi,

According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
refresh token can be used to refresh an expired access token without
requesting resource owner to sign in again (uncomfortable experience).
However, if it's true, isn't it that refresh token might be used to request
a new access token even years later? and then isn't refresh token the same
with access token which never expires?
I intended to use refresh token to implement persistent login by sending a
refresh request before issued access token expires (expires_in runs out).
But if refresh token works even if access token expired already, sending a
refresh request on application start up would be enough.
So I'm not sure what I'm missing about refresh token as well as how to
implement persistent login using it (you can regard authentication here
pseudo-authentication illustrated in
https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
What is the lifetime of refresh token?
Thanks,
-- Donghwan
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


------=_Part_2262094_1742360394.1440774894485--
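Added example for the design Donghwan lays out above (short-lived access tokens verified by a stateless RS, a refresh token that lapses after a month of inactivity, revocation by policy on the AS as Bill suggests). This is illustrative code written for this archive, not code from any of the posters or from any real authorization server; the class and function names, the HMAC-signed access-token format and the sample key, subject and client_id are assumptions. "Inactivity for 1 month" is implemented as a sliding window: each successful refresh consumes the presented refresh token and issues a new one whose expiry is reset a month out. The walkthrough also reproduces the caveat in Donghwan's third bullet: after the refresh token is revoked, an RS that checks tokens locally keeps accepting the already-issued access token until its five minutes run out.

```python
# Added example, not from the thread: a toy AS plus the stateless check a
# resource server does, for the "5 minute access token / 1 month idle refresh
# token / revocable" design. AuthorizationServer, verify_access_token,
# walkthrough and the HMAC token format are illustration-only assumptions.
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 5 * 60                  # "5 minutes approach"
REFRESH_IDLE_TTL = 30 * 24 * 3600    # "inactivity for 1 month"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthorizationServer:
    """Issues HMAC-signed access tokens and opaque, server-side refresh tokens."""
    def __init__(self, key: bytes, now):
        self.key = key
        self.now = now               # injectable clock so the walkthrough can jump in time
        self.refresh_tokens = {}     # handle -> {"sub", "client_id", "exp"}

    def _access_token(self, sub: str, client_id: str, now: float) -> str:
        claims = {"sub": sub, "client_id": client_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def _grant(self, sub: str, client_id: str, now: float) -> dict:
        handle = secrets.token_urlsafe(32)   # opaque; only the AS can interpret it
        self.refresh_tokens[handle] = {"sub": sub, "client_id": client_id, "exp": now + REFRESH_IDLE_TTL}
        return {"access_token": self._access_token(sub, client_id, now),
                "expires_in": ACCESS_TTL, "refresh_token": handle}

    def login(self, sub: str, client_id: str) -> dict:
        """Called once the resource owner has authenticated; returns both tokens."""
        return self._grant(sub, client_id, self.now())

    def refresh(self, refresh_token: str, client_id: str) -> dict:
        """Refresh grant. The presented token is consumed whether or not it succeeds."""
        now = self.now()
        rec = self.refresh_tokens.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        if now >= rec["exp"]:
            raise PermissionError("invalid_grant: idle for more than a month")
        # Rotation: the replacement starts a fresh one-month inactivity window.
        return self._grant(rec["sub"], client_id, now)

    def revoke(self, refresh_token: str) -> None:
        """AS-side policy (user logout, admin action): the refresh token dies now."""
        self.refresh_tokens.pop(refresh_token, None)

def verify_access_token(key: bytes, token: str, now: float):
    """Resource-server check: signature and expiry only, no round trip to the AS."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    return None if now >= claims["exp"] else claims

def _try_refresh(auth: AuthorizationServer, handle: str, client_id: str):
    try:
        return auth.refresh(handle, client_id)
    except PermissionError:
        return None

def walkthrough() -> dict:
    """Drives the AS through the cases raised in the thread; every outcome is returned."""
    clock = {"t": 1_700_000_000.0}       # constructed epoch time, advanced by hand
    key = b"constructed-demo-key-not-for-production"
    auth = AuthorizationServer(key, now=lambda: clock["t"])
    day, out = 24 * 3600, {}
    g1 = auth.login("alice", "native-app")
    out["fresh_access_ok"] = verify_access_token(key, g1["access_token"], clock["t"]) is not None
    clock["t"] += ACCESS_TTL + 1
    out["access_expired"] = verify_access_token(key, g1["access_token"], clock["t"]) is None
    g2 = _try_refresh(auth, g1["refresh_token"], "native-app")  # refresh after expiry (app start-up)
    out["refresh_after_expiry_ok"] = g2 is not None
    out["old_refresh_replayable"] = _try_refresh(auth, g1["refresh_token"], "native-app") is not None
    clock["t"] += 29 * day                   # two 29-day gaps: each use resets the idle window
    g3 = _try_refresh(auth, g2["refresh_token"], "native-app")
    clock["t"] += 29 * day
    g4 = _try_refresh(auth, g3["refresh_token"], "native-app")
    out["sliding_window_ok"] = g4 is not None
    auth.revoke(g4["refresh_token"])         # policy on the AS
    out["revoked_refresh_usable"] = _try_refresh(auth, g4["refresh_token"], "native-app") is not None
    # A stateless RS still honours the already-issued access token until its 5 minutes are up.
    out["access_valid_after_revoke"] = verify_access_token(key, g4["access_token"], clock["t"]) is not None
    clock["t"] += ACCESS_TTL
    out["access_dead_after_ttl"] = verify_access_token(key, g4["access_token"], clock["t"]) is None
    g5 = auth.login("alice", "native-app")   # then 31 idle days: the user must log in again
    clock["t"] += 31 * day
    out["idle_month_refresh_ok"] = _try_refresh(auth, g5["refresh_token"], "native-app") is not None
    return out
```

Calling walkthrough() returns one True/False outcome per case. Because the refresh endpoint removes the presented handle before it decides anything, a replayed older token is rejected even though this toy AS has no client secret to check, which is the situation for the public clients Torsten mentions; binding the handle to the client_id is the only other check it makes.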


From nobody Fri Aug 28 09:21:03 2015
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DEAD1B3120 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 09:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dD5ULLovn_nU for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 09:20:57 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09A101B30C0 for <oauth@ietf.org>; Fri, 28 Aug 2015 09:20:56 -0700 (PDT)
X-AuditID: 1209190c-f79296d000000622-84-55e08a66e1b2
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 16.64.01570.66A80E55; Fri, 28 Aug 2015 12:20:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t7SGKsRH015922; Fri, 28 Aug 2015 12:20:54 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7SGKpOb001321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 28 Aug 2015 12:20:53 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_6752F4D6-1FDD-439A-8768-2B156F100B28"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
Date: Fri, 28 Aug 2015 12:20:51 -0400
Message-Id: <F864A96B-1D38-4FCC-9694-4F581C3B2CA4@mit.edu>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOKsWRmVeSWpSXmKPExsUixG6nopvW9SDU4Ol9C4sVC78wWpx8+4rN 4tWxpywOzB47Z91l91iy5CeTx7GeftYA5igum5TUnMyy1CJ9uwSujH0XEgr68yqWL+9lbWCc F9fFyMEhIWAicfGachcjJ5ApJnHh3nq2LkYuDiGBxUwSq+e0M0M4GxklVn/9ywjhPGSSeNf1 jwWkhVkgQWLZ0emsIDavgJ7Eq1uXwWxhAUOJ0xtmMoLYbAKqEtPXtDCBbOMUCJRYdDsFJMwC FP704g87SJhZIF7i6UEVEJNXwEpiX5cTxKZ/jBLHFy1mBykXEdCVeHPpNivEobISu38/YprA KDALyRGzkBwBEdeWWLbwNTOErSmxv3s5C6a4hkTnt4msCxjZVjHKpuRW6eYmZuYUpybrFicn 5uWlFuka6uVmluilppRuYgSFP6ckzw7GNweVDjEKcDAq8fBabLgfKsSaWFZcmXuIUZKDSUmU V67jQagQX1J+SmVGYnFGfFFpTmrxIUYJDmYlEd4QIaAcb0piZVVqUT5MSpqDRUmcd9MPvhAh gfTEktTs1NSC1CKYrAwHh5IE7xaQoYJFqempFWmZOSUIaSYOTpDhPEDDGTpBhhcXJOYWZ6ZD 5E8xKkqJ854AaRYASWSU5sH1wtLTK0ZxoFeEecNA2nmAqQ2u+xXQYCagwS/j74IMLklESEk1 MGbL/NhucfuNx6HuB1OflCx//PKcw/LlM2u21wTw9OlVe0wq/aBRzz/f/oZ85OEmIcUPk06U Jtcu/lLfvjnQ4ayTjO+prLrlosmrhKT3ve9688Hn5ZHb5s4BEk/zej8fTk70/r4hqHDfEodT IqfW5i4W5RT8VryqLCvszYK2Na6xXXKVEXNNfimxFGckGmoxFxUnAgDzRisyKgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3hbWshBVwlnO2Z5ILZFK0MerZGU>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 16:21:01 -0000

--Apple-Mail=_6752F4D6-1FDD-439A-8768-2B156F100B28
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

One viable method for detecting “inactivity for one month” would be to
have a one month expiration on the refresh token, but reset that counter
every time the refresh token is used to get a new access token. You can do
this by manipulating the expiration of the token object itself on your
authorization server, or you can just throw away the old refresh token and
create a new one with an expiration one month out. Each of these methods
has its benefits and pitfalls.

 — Justin

> On Aug 28, 2015, at 10:21 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> 
> I'm sorry to introduce a common topic.
> 
> As John has suggested, I'm going to design that
> 
> * An access token should be short lived e.g. 5 minutes (not to hit the
> AS to verify the token) or 1 hour (to hit the AS to verify the token).
> I'm inclined to 5 minutes for stateless architecture of RSs.
> * A refresh token should have 1 month of expiration time by default.
> If it turns out that some access token expired, its refresh token should
> refresh the token. Then, so-called persistent login can be implemented
> regardless of the form of authentication. Only if it fails for some
> reason e.g. token revocation or inactivity for 1 month, a user is logged
> out automatically and should log in again.
> * A refresh token should be able to be revoked somehow. With 5 minutes
> approach, it will invalidate only the refresh token (Yes the attacker
> can have 5 minutes at most), and with 1 hour approach, it will
> invalidate the refresh token as well as the corresponding access token.
> 
> Thanks,
> 
> -- Donghwan
> 
> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Refresh tokens are also used by public clients, e.g. native apps. OIDC
> allows to acquire a new id token from a refresh token as well. Note:
> this does not mean a fresh authentication but a refreshed id token
> containing the data of the original authentication transaction.
> 
> On 24 August 2015 17:08:21 MESZ, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I think Nat’s diagram about the problems of doing pseudo
> authentication with OAuth is being taken out of context.
> 
> The refresh token doesn’t expire, it is revoked by the user or
> system.  In some cases refresh tokens are automatically revoked if the
> user's session to the AS ends.  I think AOL typically revokes refresh
> tokens when sessions terminate.
> 
> OpenID Connect provides a separate id_token with an independent
> lifetime from the refresh token.  A client may keep a refresh token for
> a much longer time than the user has a login session with the AS.
> 
> Refresh tokens are typically used by confidential clients that are
> using a client secret in combination with the refresh token for getting
> a new access token.
> 
> By design access tokens should be short lived as the AS is expected to
> have a way of revoking refresh tokens but not access tokens.
> An access token that doesn't expire, and can’t be revoked is not a good idea.
> 
> John B.
> 
> 
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>> 
>> Hi,
>> 
>> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
>> refresh token can be used to refresh an expired access token without
>> requesting resource owner to sign in again (uncomfortable experience).
>> However, if it's true, isn't it that refresh token might be used to
>> request a new access token even years later? and then isn't refresh
>> token the same with access token which never expires?
>> 
>> I intended to use refresh token to implement persistent login by
>> sending a refresh request before issued access token expires (expires_in
>> runs out). But if refresh token works even if access token expired
>> already, sending a refresh request on application start up would be
>> enough.
>> 
>> So I'm not sure what I'm missing about refresh token as well as how
>> to implement persistent login using it (you can regard authentication
>> here pseudo-authentication illustrated in
>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>> What is the lifetime of refresh token?
>> 
>> Thanks,
>> 
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 

--Apple-Mail=_6752F4D6-1FDD-439A-8768-2B156F100B28
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">One viable method for detecting =E2=80=9Cinactivity for one =
month=E2=80=9D would be to have a one month expiration on the refresh =
token, but reset that counter every time the refresh token is used to =
get a new access token. You can do this by manipulating the expiration =
of the token object itself on your authorization server, or you can just =
throw away the old refresh token and create a new one with an expiration =
one month out. Each of these methods has its benefits and pitfalls.<div =
class=3D""><br class=3D""></div><div class=3D"">&nbsp;=E2=80=94 =
Justin<br class=3D""><div class=3D""><br class=3D""><div><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Aug 28, 2015, at 10:21 AM, =
Donghwan Kim &lt;<a href=3D"mailto:flowersinthesand@gmail.com" =
class=3D"">flowersinthesand@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><div dir=3D"ltr" class=3D"">I'm sorry to introduce a common =
topic.<div class=3D""><br class=3D""></div><div class=3D"">As John has =
suggested, I'm going to design that&nbsp;</div><div class=3D""><br =
class=3D""></div><div class=3D"">* An access token should be short lived =
e.g. 5 minutes (not to hit the AS to verify the token or 1 hour (to hit =
the AS to verify the token). I'm inclined to 5 minutes for stateless =
architecture of RSs.</div><div class=3D"">* A refresh token should have =
1 month of expiration time by default. If it turns out that some access =
token expired, its refresh token should refresh the token. Then, so =
called persistent login can be implemented regardless of the form of =
authentication. Only if it fails for some reason e.g. token revocation =
or inactivity for 1 month, a user is logged out automatically and should =
log in again.</div><div class=3D""></div><div class=3D"">* A refresh =
token should be able to be revoked somehow. With 5 minutes approach, it =
will invalidate only the refresh token (Yes the attacker can have 5 =
minutes at most), and with 1 hour approach, it will invalidate the =
refresh token as well as the corresponding access token.<br =
class=3D""></div><div class=3D""><br class=3D""></div><div class=3D""><div=
 class=3D"">Thanks,<br class=3D""><div class=3D""><br =
class=3D""></div><div class=3D""><div class=3D"">-- =
Donghwan</div></div></div></div></div><div class=3D"gmail_extra"><br =
class=3D""><div class=3D"gmail_quote">On Fri, Aug 28, 2015 at 5:43 PM, =
Torsten Lodderstedt <span dir=3D"ltr" class=3D"">&lt;<a =
href=3D"mailto:torsten@lodderstedt.net" target=3D"_blank" =
class=3D"">torsten@lodderstedt.net</a>&gt;</span> wrote:<br =
class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
style=3D"word-wrap:break-word" class=3D"">Refresh tokens are also used =
by public clients, e.g. native apps. OIDC allows acquiring a new id =
token from a refresh token as well. Note: this does not mean a fresh =
authentication but a refreshed id token containing the data of the =
original authentication transaction. <br class=3D""><div class=3D""><div =
class=3D"h5"><br class=3D""><div class=3D"gmail_quote">On 24 August =
2015 at 17:08:21 CEST, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank" =
class=3D"">ve7jtb@ve7jtb.com</a>&gt; wrote:<blockquote class=3D"gmail_quote" =
style=3D"margin:0pt 0pt 0pt 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">
I think Nat's diagram about the problems of doing pseudo =
authentication with OAuth is being taken out of context.<div =
class=3D""><br class=3D""></div><div class=3D"">The refresh token =
doesn't expire, it is revoked by the user or system.&nbsp; In =
some cases refresh tokens are automatically revoked if the user's session =
to the AS ends.&nbsp; I think AOL typically revokes refresh tokens when =
sessions terminate.</div><div class=3D""><br class=3D""></div><div =
class=3D"">OpenID Connect provides a separate id_token with an =
independent lifetime from the refresh token.&nbsp; A client may keep a =
refresh token for a much longer time than the user has a login session =
with the AS.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Refresh tokens are typically used by confidential clients =
that are using a client secret in combination with the refresh token for =
getting a new access token.</div><div class=3D""><br class=3D""></div><div=
 class=3D"">By design access tokens should be short lived as the AS is
expected to have a way of revoking refresh tokens but not access =
tokens.</div><div class=3D"">An access token that doesn't expire, and =
can't be revoked, is not a good idea.</div><div class=3D""><br =
class=3D""></div><div class=3D"">John B.</div><div class=3D""><br =
class=3D""></div><div class=3D""><br class=3D""><div =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D"">On Aug =
24, 2015, at 2:41 AM, Donghwan Kim &lt;<a =
href=3D"mailto:flowersinthesand@gmail.com" target=3D"_blank" =
class=3D"">flowersinthesand@gmail.com</a>&gt; wrote:</div><br =
class=3D""><div class=3D""><div dir=3D"ltr" class=3D""><div =
class=3D"">Hi,<br class=3D""></div><div class=3D""><div class=3D""><br =
class=3D""></div><div class=3D"">According to Figure 2 from&nbsp;<a =
href=3D"http://tools.ietf.org/html/rfc6749#section-1.5" target=3D"_blank" =
class=3D"">http://tools.ietf.org/html/rfc6749#section-1.5</a>, refresh =
token can be used to refresh an expired access token without requesting =
the resource owner to sign in again (uncomfortable experience). However, if =
it's true,
isn't it that a refresh token might be used to request a new access =
token even years later? And then isn't a refresh token the same as an access =
token which never expires?</div><div class=3D""><br class=3D""></div><div =
class=3D"">I intended to use refresh token to implement persistent login =
by sending a refresh request before issued access token expires =
(expires_in runs out). But if refresh token works even if access token =
expired already, sending a refresh request on application start up would =
be enough.</div><div class=3D""><br class=3D""></div><div class=3D"">So =
I'm not sure what I'm missing about refresh token as well as how to =
implement persistent login using it (you can regard authentication here =
pseudo-authentication illustrated in <a =
href=3D"https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseud=
o-AuthenticationusingOAuth.svg" target=3D"_blank" =
class=3D"">https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Ps=
eudo-AuthenticationusingOAuth.svg</a>). What is the lifetime of refresh
token?</div><div class=3D""><br class=3D""></div><div =
class=3D"">Thanks,</div><div class=3D""><br class=3D""></div><div =
class=3D"">-- Donghwan</div></div></div>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
target=3D"_blank" class=3D"">OAuth@ietf.org</a><br class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br =
class=3D""></div></blockquote></div><br class=3D""></div><div =
style=3D"margin-top: 2.5em; margin-bottom: 1em; border-bottom-width: =
1px; border-bottom-style: solid; border-bottom-color: rgb(0, 0, 0);" =
class=3D""><br class=3D"webkit-block-placeholder"></div><pre =
class=3D""><hr class=3D""><br class=3D"">OAuth mailing list<br =
class=3D""><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><br =
class=3D""></pre></blockquote></div></div></div></div></blockquote></div><=
br class=3D""></div>
_______________________________________________<br class=3D"">OAuth =
mailing list<br class=3D""><a href=3D"mailto:OAuth@ietf.org" =
class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br =
class=3D""></div></div></body></html>=

--Apple-Mail=_6752F4D6-1FDD-439A-8768-2B156F100B28--


From nobody Fri Aug 28 13:41:40 2015
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4D81B2F29 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:41:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMjFgc2D99B1 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:41:36 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0C881B2F17 for <oauth@ietf.org>; Fri, 28 Aug 2015 13:41:35 -0700 (PDT)
Received: by qgj62 with SMTP id 62so36493870qgj.2 for <oauth@ietf.org>; Fri, 28 Aug 2015 13:41:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=asumWdUFK2gOl+OOk94p9d28kBBwx6rM1AkpEdpCAEA=; b=PkijP/za2TKTv4bILIV3pqjt9yz872ZttltMWzMEUJWH4IOKF9lIagUEgwdfqDhgFv qB8Q9dBEkzQ2PamJSaJp9e60iMqt8AiBYeUW5DwkrHsyC66PegFSEui9P6yLibcBNLj/ 9tL11Y3D9paNtNTnioSTFRlNuU9iE7Gms+0aTYMjbhG9ambh+dRzrKepTeKPMqh92GYd D+6HTcI4TfbEPVku9j1FpjKj43Xgfmb48EMkZPsLU8iv+yVcyvNL02aVddgO8GsHiStB 1prpTe7oinaxlPFazPyDJLznLTXVt+QFYAHXmY355gq4+Uuw7aQCZcJpadtJXcpinImg FXPw==
X-Gm-Message-State: ALoCoQlk7F9f2MD5IUy9OtrY7NsOl6FYHFzjIB1a+Rq0+kepTk7MPyBKeHUsegx/8FQYoQZObpqZ
X-Received: by 10.140.235.142 with SMTP id g136mr21361430qhc.18.1440794494751;  Fri, 28 Aug 2015 13:41:34 -0700 (PDT)
Received: from [192.168.8.103] ([181.202.146.150]) by smtp.gmail.com with ESMTPSA id s69sm4126824qgd.18.2015.08.28.13.41.33 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 28 Aug 2015 13:41:34 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_5861A81D-56D7-4D52-998B-FE20D5B9B28E"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
Date: Fri, 28 Aug 2015 17:41:30 -0300
Message-Id: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/xakEZrlFQGfSz6x6VhSF0QMR9uM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 20:41:39 -0000

--Apple-Mail=_5861A81D-56D7-4D52-998B-FE20D5B9B28E
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_BC4B4701-0085-4860-B54E-50DABB31A9BF"


--Apple-Mail=_BC4B4701-0085-4860-B54E-50DABB31A9BF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I would use a 5 min AT and roll the refresh token per
https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if
that is what you want for an inactivity timeout after which the user must
authenticate again.   The user can always revoke the refresh token.

Rolling the refresh token also has the advantage that if the token leaks
or is stolen then you will detect the second use of the expired refresh
token and invalidate both, so the user needs to log in.

In general I think rolling the refresh token is a good idea though it is
not popular, I think it is more secure.

John B.



> On Aug 28, 2015, at 11:21 AM, Donghwan Kim =
<flowersinthesand@gmail.com> wrote:
>=20
> I'm sorry to introduce a common topic.
>=20
> As John has suggested, I'm going to design that=20
>=20
> * An access token should be short lived, e.g. 5 minutes (not to hit the
> AS to verify the token) or 1 hour (to hit the AS to verify the token).
> I'm inclined to 5 minutes for a stateless architecture of RSs.
> * A refresh token should have 1 month of expiration time by default.
> If it turns out that some access token expired, its refresh token should
> refresh the token. Then, so-called persistent login can be implemented
> regardless of the form of authentication. Only if it fails for some
> reason, e.g. token revocation or inactivity for 1 month, a user is logged
> out automatically and should log in again.
> * A refresh token should be able to be revoked somehow. With the 5 minute
> approach, it will invalidate only the refresh token (yes, the attacker
> can have 5 minutes at most), and with the 1 hour approach, it will
> invalidate the refresh token as well as the corresponding access token.
>=20
> Thanks,
>=20
> -- Donghwan
>=20
> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
> Refresh tokens are also used by public clients, e.g. native apps. OIDC
> allows acquiring a new id token from a refresh token as well. Note:
> this does not mean a fresh authentication but a refreshed id token
> containing the data of the original authentication transaction.
>=20
> On 24 August 2015 at 17:08:21 CEST, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I think Nat's diagram about the problems of doing pseudo
> authentication with OAuth is being taken out of context.
>
> The refresh token doesn't expire, it is revoked by the user or
> system.  In some cases refresh tokens are automatically revoked if the
> user's session to the AS ends.  I think AOL typically revokes refresh
> tokens when sessions terminate.
>
> OpenID Connect provides a separate id_token with an independent
> lifetime from the refresh token.  A client may keep a refresh token for
> a much longer time than the user has a login session with the AS.
>
> Refresh tokens are typically used by confidential clients that are
> using a client secret in combination with the refresh token for getting
> a new access token.
>
> By design access tokens should be short lived as the AS is expected to
> have a way of revoking refresh tokens but not access tokens.
> An access token that doesn't expire, and can't be revoked, is
> not a good idea.
>=20
> John B.
>=20
>=20
>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>>
>> Hi,
>>
>> According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5,
>> a refresh token can be used to refresh an expired access token without
>> requesting the resource owner to sign in again (an uncomfortable
>> experience). However, if that's true, isn't it that a refresh token might
>> be used to request a new access token even years later? And then isn't a
>> refresh token the same as an access token which never expires?
>>
>> I intended to use the refresh token to implement persistent login by
>> sending a refresh request before the issued access token expires
>> (expires_in runs out). But if the refresh token works even if the access
>> token has expired already, sending a refresh request on application start
>> up would be enough.
>>
>> So I'm not sure what I'm missing about refresh tokens as well as how to
>> implement persistent login using them (you can regard authentication here
>> as the pseudo-authentication illustrated in
>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>> What is the lifetime of a refresh token?
>>=20
>> Thanks,
>>=20
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
>=20
>=20
>=20
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth =
<https://www.ietf.org/mailman/listinfo/oauth>
>=20


--Apple-Mail=_BC4B4701-0085-4860-B54E-50DABB31A9BF--

--Apple-Mail=_5861A81D-56D7-4D52-998B-FE20D5B9B28E
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_5861A81D-56D7-4D52-998B-FE20D5B9B28E--
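
The design John describes, worked through as an added Python example that is not part of the original thread, of RFC 6749, or of any participant's code: 5-minute self-contained access tokens that a resource server can verify without calling the AS (Donghwan's stateless-RS point), a refresh token that is rotated on every use as RFC 6749 section 6 permits, with the reuse detection section 10.4 describes (a second presentation of an already-consumed refresh token revokes the whole grant, so both the legitimate client and the thief must log in again), a 30-day sliding inactivity expiry, and user-initiated revocation. The `AuthorizationServer`, `RefreshRecord`, `verify_access_token`, `fails_with` and `demo` names, the HMAC-based access token format, the `family` claim, and the constructed clock values, keys and client names are this example's own assumptions, not anything the thread or the RFC specifies.

```python
# Added example for this page, not code from RFC 6749 or from anyone in the thread:
# refresh-token rotation with reuse detection, 5-minute self-contained access tokens
# and a 30-day sliding inactivity window. Class, function and claim names are assumed.
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 5 * 60                   # the thread's 5-minute access token
REFRESH_INACTIVITY_TTL = 30 * 24 * 60 * 60  # refresh token dies after 30 idle days

class InvalidGrant(Exception): "RFC 6749 invalid_grant error from the token endpoint"
class ReuseDetected(InvalidGrant): "an already-rotated refresh token was presented again"

@dataclass
class RefreshRecord:
    family: str             # every rotation of one grant shares a family id
    user: str
    client_id: str
    expires_at: float       # sliding: a fresh 30-day window on each rotation
    consumed: bool = False  # set when rotated; any later use is the leak signal

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _digest(token: str) -> str:  # store hashes so a DB leak is not a token leak
    return hashlib.sha256(token.encode()).hexdigest()

def verify_access_token(key: bytes, token: str, now=time.time) -> bool:
    # Resource-server side: check HMAC and exp locally, never calling the AS.
    try:
        body, sig = token.encode().split(b".")
        good = _b64(hmac.new(key, body, hashlib.sha256).digest())
        if not hmac.compare_digest(good, sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        return now() < claims["exp"]
    except (ValueError, KeyError):
        return False

class AuthorizationServer:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key, self._now = signing_key, now
        self._refresh, self._revoked_families = {}, set()  # digest -> record; families

    def _issue(self, user: str, client_id: str, family: str) -> dict:
        claims = {"sub": user, "client_id": client_id, "family": family,
                  "exp": int(self._now()) + ACCESS_TOKEN_TTL}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body, hashlib.sha256).digest())
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[_digest(refresh_token)] = RefreshRecord(
            family, user, client_id, self._now() + REFRESH_INACTIVITY_TTL)
        return {"access_token": (body + b"." + sig).decode(), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh_token}

    def grant(self, user: str, client_id: str) -> dict:  # right after the user logs in
        return self._issue(user, client_id, family=secrets.token_hex(8))

    def refresh(self, refresh_token: str, client_id: str) -> dict:
        """Token endpoint, grant_type=refresh_token, rotating on every call."""
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec.client_id != client_id:
            raise InvalidGrant("unknown refresh token")
        if rec.family in self._revoked_families:
            raise InvalidGrant("grant revoked; the user must log in again")
        if rec.consumed:
            # Client or thief is replaying a rotated token: kill the whole family (s10.4)
            self._revoked_families.add(rec.family)
            raise ReuseDetected("refresh token reuse detected; family revoked")
        if self._now() > rec.expires_at:
            raise InvalidGrant("refresh token expired through inactivity")
        rec.consumed = True             # the old token is now a tripwire, not a key
        return self._issue(rec.user, client_id, rec.family)

    def revoke(self, refresh_token: str) -> None:  # issued access tokens live until exp
        rec = self._refresh.get(_digest(refresh_token))
        if rec is not None:
            self._revoked_families.add(rec.family)

def fails_with(fn, exc) -> bool:
    try: fn(); return False
    except exc: return True

def demo() -> dict:
    """Walk the lifecycle on a fake clock and return what was observed."""
    clock = [1_700_000_000.0]                          # constructed start time
    key, now = b"constructed-demo-signing-key", lambda: clock[0]
    az, out = AuthorizationServer(key, now=now), {}
    first = az.grant("alice", "native-app")
    out["at_valid_at_issue"] = verify_access_token(key, first["access_token"], now)
    clock[0] += 6 * 60                                 # AT expired, RT still good
    out["at_valid_after_6min"] = verify_access_token(key, first["access_token"], now)
    second = az.refresh(first["refresh_token"], "native-app")
    out["rotated"] = second["refresh_token"] != first["refresh_token"]
    out["reuse_detected"] = fails_with(lambda: az.refresh(first["refresh_token"], "native-app"), ReuseDetected)
    out["family_revoked"] = fails_with(lambda: az.refresh(second["refresh_token"], "native-app"), InvalidGrant)
    idle = az.grant("bob", "native-app")
    clock[0] += 31 * 24 * 60 * 60                      # a month without any use
    out["idle_rejected"] = fails_with(lambda: az.refresh(idle["refresh_token"], "native-app"), InvalidGrant)
    return out
```

`demo()` runs the whole lifecycle on a fake clock: the access token verifies at issue and fails six minutes later, the refresh succeeds and hands back a different refresh token, replaying the consumed one raises `ReuseDetected` and kills the family so the legitimate successor is refused too, and a grant left idle for 31 days is rejected. Two simplifications are deliberate: the access token is HMAC-signed, so the resource server holds the same key as the AS (a production deployment would use asymmetric JWS so the RS holds only a public key), and the refresh store is an in-memory dict standing in for a database that keeps only token hashes. The code also makes visible the exposure window the thread accepts: `revoke()` invalidates the refresh family at once but cannot recall an access token already issued, which is why the access token lifetime, not the refresh token lifetime, bounds what a thief gets after revocation.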


From nobody Fri Aug 28 13:58:24 2015
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 063091A21C4 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level: 
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4fkUJ0fQFP2 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAF331A005B for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
Received: by qgeh99 with SMTP id h99so38579262qge.0 for <oauth@ietf.org>; Fri, 28 Aug 2015 13:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=dYhavCKC4zhvP+HcHDrbGolYA93ewwIfF+0htTY+8Y/JOt14wdagyj67/xp7cXU0SZ nCXl6bsEHpDuiP4XXi4eUinr75uPxKnvfKvtBskUQmL1vgJjlm78Vli3GSsxzi7EJfq9 vxYZfM/12nOwt/RCrzxLQ5+h/JWxORpX4nVHzUEMR3Ps465G46jlRk8WULCIXO3ngq9L 9QSuQH5zGWLhof5PlGHkHfBi5D2RiOsNLs84aI/7cSMX6Xsr+QDvOFXGU9/ViASnpE7s /n0/LOfxAhIjuERdDQcts0LYJNG/NjATOKyOHPAWFTmjRDFV/rFQOm2SMTJLvK7Mtve9 l0aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=bhYqTmgaxh3vtuuzqFbwqcnSNYHj0injYX2sGxbYNyA=; b=Ymn5tZ3ULK0SBqA6I3jKnFw6xs3YrvWa57rpgX4x+jKE190/l7gJt5b7LzQvOHZgso Aew9+bGTiJxtm8RYsVCShcEH0p2T+31f3IznAh9x3i2+pc/VURtBrWJKvzxfr3cAeMeB +94lWdbFoVJJPL+i3RN5pbUlGGd0CmU+zohtRFqbmkxufBPCsTtwBZidelAFxKSp2IhA wiOiOpfU2npGmTEiiz1js+Atu/nLjJUYIbk9wAqIMeEGVlzlHs687fwoeTKq2i6G0BS9 LOimJqe+lTcWezjY5AH+j/qWGy8CtbumuNArE71t5UuBxqksyjFdCJtzIz+kEHmkdmyn h5Ag==
X-Gm-Message-State: ALoCoQneeARFTmIeA4VZ4kHEty8SRR7pWi9UZyToqq6BZJD+NnhswGQaHCsxIKtTGiQht1YZrtpF
X-Received: by 10.140.235.143 with SMTP id g137mr20202923qhc.102.1440795498824;  Fri, 28 Aug 2015 13:58:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 28 Aug 2015 20:58:09 +0000
Message-ID: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
Content-Type: multipart/alternative; boundary=001a1137688ce71039051e6557a2
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hvWFlCULI7qZy2CymxjJbdHBzaM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 20:58:23 -0000

--001a1137688ce71039051e6557a2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

+1 for John's suggestion.

Why force users to re-authenticate after an arbitrary 30-day window?

On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com> wrote:

> I would use a 5 min AT and roll the refresh token per
> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that
> is what you want for an inactivity timeout after which the user must
> authenticate again.   The user can always revoke the refresh token.
>
> Rolling the refresh token also has the advantage that if the token leaks
> or is stolen then you will detect the second use of the expired refresh
> token and invalidate both, so the user needs to log in.
>
> In general I think rolling the refresh token is a good idea though it is
> not popular, I think it is more secure.
>
> John B.
>
>
>
> On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthesand@gmail.com>
> wrote:
>
> I'm sorry to introduce a common topic.
>
> As John has suggested, I'm going to design that
>
> * An access token should be short lived, e.g. 5 minutes (not to hit the AS
> to verify the token) or 1 hour (to hit the AS to verify the token). I'm
> inclined to 5 minutes for a stateless architecture of RSs.
> * A refresh token should have 1 month of expiration time by default. If it
> turns out that some access token expired, its refresh token should refresh
> the token. Then, so-called persistent login can be implemented regardless
> of the form of authentication. Only if it fails for some reason, e.g. token
> revocation or inactivity for 1 month, a user is logged out automatically
> and should log in again.
> * A refresh token should be able to be revoked somehow. With the 5 minute
> approach, it will invalidate only the refresh token (yes, the attacker can
> have 5 minutes at most), and with the 1 hour approach, it will invalidate the
> refresh token as well as the corresponding access token.
>
> Thanks,
>
> -- Donghwan
>
> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>
>> Refresh tokens are also used by public clients, e.g. native apps. OIDC
>> allows acquiring a new id token from a refresh token as well. Note: this
>> does not mean a fresh authentication but a refreshed id token containing
>> the data of the original authentication transaction.
>>
>> On 24 August 2015 at 17:08:21 CEST, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>> I think Nat's diagram about the problems of doing pseudo authentication
>>> with OAuth is being taken out of context.
>>>
>>> The refresh token doesn't expire, it is revoked by the user or system.
>>> In some cases refresh tokens are automatically revoked if the user's session
>>> to the AS ends.  I think AOL typically revokes refresh tokens when sessions
>>> terminate.
>>>
>>> OpenID Connect provides a separate id_token with an independent lifetime
>>> from the refresh token.  A client may keep a refresh token for a much
>>> longer time than the user has a login session with the AS.
>>>
>>> Refresh tokens are typically used by confidential clients that are using
>>> a client secret in combination with the refresh token for getting a new
>>> access token.
>>>
>>> By design access tokens should be short lived as the AS is expected to
>>> have a way of revoking refresh tokens but not access tokens.
>>> An access token that doesn't expire, and can't be revoked, is not a good
>>> idea.
>>>
>>> John B.
>>>
>>>
>>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> According to Figure 2 from
>>> http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be
>>> used to refresh an expired access token without requesting the resource
>>> owner to sign in again (an uncomfortable experience). However, if that's
>>> true, isn't it that a refresh token might be used to request a new access
>>> token even years later? And then isn't a refresh token the same as an
>>> access token which never expires?
>>>
>>> I intended to use the refresh token to implement persistent login by
>>> sending a refresh request before the issued access token expires
>>> (expires_in runs out). But if the refresh token works even if the access
>>> token has expired already, sending a refresh request on application start
>>> up would be enough.
>>>
>>> So I'm not sure what I'm missing about refresh tokens as well as how to
>>> implement persistent login using them (you can regard authentication here
>>> as the pseudo-authentication illustrated in
>>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>> What is the lifetime of a refresh token?
>>>
>>> Thanks,
>>>
>>> -- Donghwan
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--001a1137688ce71039051e6557a2--


From nobody Fri Aug 28 14:34:15 2015
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A841ABD3D for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peypuvn2prXZ for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: from mail-pa0-f50.google.com (mail-pa0-f50.google.com [209.85.220.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3029F1A92F4 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:11 -0700 (PDT)
Received: by padhm10 with SMTP id hm10so18707701pad.3 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=EMQsq+PXN3WsR1R3iBNX9iSeLNVZ5LKDaYdf/gqVXZs=; b=AcqPi0CoXvBQqsUc1dxp1w+lKTBs+wkH16lz6raz7uyq9LmNs8Fx66TtpzZL20vN7s vy4tZsvoiacS9cZu5T/mDapRq/7zNyd+9dl+iZYriZ+1JzK7kMEbkzCEpS8yKuKZ9RgK 2gP986fbj/Gj1ReWou00CEA+fRMgfwrKq6LGU0PfDB+x5AgnxdUc5+hbuCicIbvWhFeQ UNKgkgxdq651dw5XED81uuBeHyYc7AgzLzqeVIVe8MGXLJYl32tJAfzvnN92ot15epoL erHWOjkW8Kp0fhU/eWCtpaM3IPk65mCFGo7cwz143K3dH1cCqSIbIoHOyrbH3+di105k /DuQ==
X-Gm-Message-State: ALoCoQkC5pfP2LNGCn+AO+GvvuzDjkX38cUobj7gauCoVsz0gQrbfOfXaqjiWe1KfGNpCO0qpMj8
X-Received: by 10.66.236.74 with SMTP id us10mr18789888pac.64.1440797650585; Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
Received: from heembo.local (cpe-50-113-38-25.hawaii.res.rr.com. [50.113.38.25]) by smtp.googlemail.com with ESMTPSA id eg2sm6798517pad.44.2015.08.28.14.34.08 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:34:10 -0700 (PDT)
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D3CF.2040507@manicode.com>
Date: Fri, 28 Aug 2015 11:34:07 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010709090907030109080200"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/p9EOOIW04eChElMczplaK5u3_OM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:34:14 -0000

This is a multi-part message in MIME format.
--------------010709090907030109080200
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

This is all contextual to the application. In some situations I want to 
immediately force re-authentication for all transactions above X$ such 
as banking applications. In some situations I want a permanent refresh 
token, like for Twitter-like social applications. etc...etc...

- Jim Manico



On 8/28/15 10:58 AM, William Denniss wrote:
> +1 for John's suggestion.
>
> Why force users to re-authenticate after an arbitrary 30-day window?
>
> On Fri, Aug 28, 2015 at 1:41 PM John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>     I would use a 5 min AT and roll the refresh token per
>     https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry
>     if that is what you want for an inactivity timeout after which the
>     user must authenticate again.  The user can always revoke the
>     refresh token.
>
>     Rolling the refresh token also has the advantage that if the token
>     leaks or is stolen then you will detect the second use of the
>     expired refresh token and invalidate both, so the user needs to
>     log in.
>
>     In general I think rolling the refresh token is a good idea though
>     it is not popular, I think it is more secure.
>
>     John B.
>
>
>
>>     On Aug 28, 2015, at 11:21 AM, Donghwan Kim
>>     <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>>
>>     wrote:
>>
>>     I'm sorry to introduce a common topic.
>>
>>     As John has suggested, I'm going to design that
>>
>>     * An access token should be short lived e.g. 5 minutes (not to
>>     hit the AS to verify the token or 1 hour (to hit the AS to verify
>>     the token). I'm inclined to 5 minutes for stateless architecture
>>     of RSs.
>>     * A refresh token should have 1 month of expiration time by
>>     default. If it turns out that some access token expired, its
>>     refresh token should refresh the token. Then, so called
>>     persistent login can be implemented regardless of the form of
>>     authentication. Only if it fails for some reason e.g. token
>>     revocation or inactivity for 1 month, a user is logged out
>>     automatically and should log in again.
>>     * A refresh token should be able to be revoked somehow. With 5
>>     minutes approach, it will invalidate only the refresh token (Yes
>>     the attacker can have 5 minutes at most), and with 1 hour
>>     approach, it will invalidate the refresh token as well as the
>>     corresponding access token.
>>
>>     Thanks,
>>
>>     -- Donghwan
>>
>>     On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt
>>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>         Refresh tokens are also used by public clients, e.g. native
>>         apps. OIDC allows to acquire a new id token from a refresh
>>         token as well. Note: this does not mean a fresh
>>         authentication but a refreshed id token containing the data
>>         of the original authentication transaction.
>>
>>         On 24 August 2015 17:08:21 CEST, John Bradley
>>         <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>             I think Nat’s diagram about the problems of doing pseudo
>>             authentication with OAuth is being taken out of context.
>>
>>             The refresh token doesn’t expire, it is revoked by the
>>             user or system.  In some cases refresh tokens are
>>             automatically revoked if the user's session to the AS
>>             ends.  I think AOL typically revokes refresh tokens when
>>             sessions terminate.
>>
>>             OpenID Connect provides a separate id_token with an
>>             independent lifetime from the refresh token.  A client
>>             may keep a refresh token for a much longer time than the
>>             user has a login session with the AS.
>>
>>             Refresh tokens are typically used by confidential clients
>>             that are using a client secret in combination with the
>>             refresh token for getting a new access token.
>>
>>             By design access tokens should be short lived as the AS
>>             is expected to have a way of revoking refresh tokens but
>>             not access tokens.
>>             An access token that doesn't expire, and can’t be revoked,
>>             is not a good idea.
>>
>>             John B.
>>
>>
>>>             On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>>>             <flowersinthesand@gmail.com
>>>             <mailto:flowersinthesand@gmail.com>> wrote:
>>>
>>>             Hi,
>>>
>>>             According to Figure 2 from
>>>             http://tools.ietf.org/html/rfc6749#section-1.5, a refresh
>>>             token can be used to refresh an expired access token
>>>             without requesting the resource owner to sign in again
>>>             (uncomfortable experience). However, if it's true, isn't
>>>             it that a refresh token might be used to request a new
>>>             access token even years later? And then isn't a refresh
>>>             token the same as an access token which never expires?
>>>
>>>             I intended to use refresh token to implement persistent
>>>             login by sending a refresh request before issued access
>>>             token expires (expires_in runs out). But if refresh
>>>             token works even if access token expired already,
>>>             sending a refresh request on application start up would
>>>             be enough.
>>>
>>>             So I'm not sure what I'm missing about refresh token as
>>>             well as how to implement persistent login using it (you
>>>             can regard authentication here pseudo-authentication
>>>             illustrated in
>>>             https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>>             What is the lifetime of refresh token?
>>>
>>>             Thanks,
>>>
>>>             -- Donghwan
>>>             _______________________________________________
>>>             OAuth mailing list
>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>
-- 
Jim Manico
Manicode Security
https://www.manicode.com
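The rotation scheme John Bradley recommends in the thread above (a 5 minute access token, a refresh token rolled on every use with a one month inactivity expiry, user revocation, and the second use of a rolled-out refresh token invalidating both), as an added example in Python; it is not code from the thread or from any participant, and the token store, injectable clock and all names are constructed for illustration.

```python
"""Refresh token rotation with reuse detection (added example, see lead-in)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ACCESS_TOKEN_LIFETIME = 5 * 60              # seconds: short lived, never revoked
REFRESH_INACTIVITY_LIMIT = 30 * 24 * 3600   # seconds: one month since last use


class InvalidRefreshToken(Exception):
    """Unknown, expired or revoked refresh token."""


class ReuseDetected(Exception):
    """A refresh token that was already rotated out was presented again."""


@dataclass
class RefreshRecord:
    family: str         # every token descending from one login shares a family
    user: str
    expires_at: int     # absolute seconds; pushed forward on each rotation
    used: bool = False  # True once this token has been exchanged for a new one


@dataclass
class AuthorizationServer:
    now: int = 0        # injectable clock (seconds) so the scenarios are deterministic
    refresh_tokens: Dict[str, RefreshRecord] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)
    breaches: List[str] = field(default_factory=list)  # families killed by reuse

    def _mint(self, family: str, user: str) -> Tuple[str, str, int]:
        """Return (access_token, refresh_token, expires_in) for this family."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = RefreshRecord(
            family, user, self.now + REFRESH_INACTIVITY_LIMIT)
        return access, refresh, ACCESS_TOKEN_LIFETIME

    def login(self, user: str) -> Tuple[str, str, int]:
        """Called after a fresh authentication: starts a new token family."""
        return self._mint(secrets.token_urlsafe(16), user)

    def refresh(self, presented: str) -> Tuple[str, str, int]:
        """Rotate: the presented refresh token is consumed and a new pair issued."""
        rec = self.refresh_tokens.get(presented)
        if rec is None or rec.family in self.revoked_families:
            raise InvalidRefreshToken()
        if rec.used:
            # Second use of a rolled-out token: two parties hold the same
            # refresh token, so it must have leaked. Invalidate the whole
            # family so both are locked out and the user has to log in again.
            self.revoked_families.add(rec.family)
            self.breaches.append(rec.family)
            raise ReuseDetected()
        if self.now >= rec.expires_at:
            raise InvalidRefreshToken()   # a month without any refresh
        rec.used = True
        return self._mint(rec.family, rec.user)

    def revoke(self, presented: str) -> None:
        """User-initiated revocation of the whole family (e.g. 'log out')."""
        rec = self.refresh_tokens.get(presented)
        if rec is not None:
            self.revoked_families.add(rec.family)


def reuse_scenario() -> dict:
    """Constructed run: a refresh token is rotated, then the old value is
    presented again, as happens when a leaked copy is used by a second party."""
    srv = AuthorizationServer(now=1_000)
    _, rt1, _ = srv.login("alice")
    srv.now += 600
    _, rt2, _ = srv.refresh(rt1)        # normal rotation; rt1 is now used
    reuse_flagged = family_locked = False
    try:
        srv.refresh(rt1)                # replay of the rolled-out token
    except ReuseDetected:
        reuse_flagged = True
    try:
        srv.refresh(rt2)                # even the current token is dead now
    except InvalidRefreshToken:
        family_locked = True
    return {"reuse_flagged": reuse_flagged, "family_locked": family_locked,
            "breaches": len(srv.breaches)}


def inactivity_scenario() -> bool:
    """Constructed run: a token family that is never refreshed for a month."""
    srv = AuthorizationServer(now=0)
    _, rt, _ = srv.login("bob")
    srv.now = REFRESH_INACTIVITY_LIMIT
    try:
        srv.refresh(rt)
    except InvalidRefreshToken:
        return True
    return False
```

Because rotation pushes `expires_at` forward on every use, the one month limit behaves as the inactivity timeout described above rather than as an absolute lifetime.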

--------------010709090907030109080200
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This is all contextual to the application. In some situations I want
    to immediately force re-authentication for all transactions above X$
    such as banking applications. In some situations I want a permanent
    refresh token, like for Twitter like social applications.
    etc...etc...<br>
    <br>
    - Jim Manico<br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 8/28/15 10:58 AM, William Denniss
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAAP42hCmkqHEfZi_f-hCwMN2e0qn-4040-=jHcCHoeDVLONmaA@mail.gmail.com"
      type="cite">
      <div dir="ltr">+1 for John's suggestion.
        <div><br>
        </div>
        <div>Why force users to re-authenticate after an arbitrary
          30-day window?<br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Fri, Aug 28, 2015 at 1:41 PM John Bradley &lt;<a
            moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com"><a class="moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a></a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div style="word-wrap:break-word">I would use a 5 min AT and
            roll the refresh token per <a moz-do-not-send="true"
              href="https://tools.ietf.org/html/rfc6749#page-47"
              target="_blank">https://tools.ietf.org/html/rfc6749#page-47</a> with
            a 1 month expiry if that is what you want for an inactivity
            timeout after which the user must authenticate again.  The
            user can always revoke the refresh token.
            <div><br>
            </div>
            <div>Rolling the refresh token also has the advantage that
              if the token leaks or is stolen then you will detect the
              second use of the expired refresh token and invalidate
              both, so the user needs to log in.</div>
            <div><br>
            </div>
            <div>In general I think rolling the refresh token is a good
              idea though it is not popular, I think it is more secure.</div>
            <div><br>
            </div>
            <div>John B.</div>
          </div>
          <div style="word-wrap:break-word">
            <div><br>
              <div><br>
              </div>
              <div><br>
                <div>
                  <blockquote type="cite">
                    <div>On Aug 28, 2015, at 11:21 AM, Donghwan Kim &lt;<a
                        moz-do-not-send="true"
                        href="mailto:flowersinthesand@gmail.com"
                        target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:flowersinthesand@gmail.com">flowersinthesand@gmail.com</a></a>&gt;
                      wrote:</div>
                    <br>
                    <div>
                      <div dir="ltr">I'm sorry to introduce a common
                        topic.
                        <div><br>
                        </div>
                        <div>As John has suggested, I'm going to design
                          that </div>
                        <div><br>
                        </div>
                        <div>* An access token should be short lived
                          e.g. 5 minutes (not to hit the AS to verify
                          the token or 1 hour (to hit the AS to verify
                          the token). I'm inclined to 5 minutes for
                          stateless architecture of RSs.</div>
                        <div>* A refresh token should have 1 month of
                          expiration time by default. If it turns out
                          that some access token expired, its refresh
                          token should refresh the token. Then, so
                          called persistent login can be implemented
                          regardless of the form of authentication. Only
                          if it fails for some reason e.g. token
                          revocation or inactivity for 1 month, a user
                          is logged out automatically and should log in
                          again.</div>
                        <div>* A refresh token should be able to be
                          revoked somehow. With 5 minutes approach, it
                          will invalidate only the refresh token (Yes
                          the attacker can have 5 minutes at most), and
                          with 1 hour approach, it will invalidate the
                          refresh token as well as the corresponding
                          access token.<br>
                        </div>
                        <div><br>
                        </div>
                        <div>
                          <div>Thanks,<br>
                            <div><br>
                            </div>
                            <div>
                              <div>-- Donghwan</div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Fri, Aug 28, 2015 at
                          5:43 PM, Torsten Lodderstedt <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:torsten@lodderstedt.net"
                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a></a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div style="word-wrap:break-word">Refresh
                              tokens are also used by public clients,
                              e.g. native apps. OIDC allows to acquire a
                              new id token from a refresh token as well.
                              Note: this does not mean a fresh
                              authentication but a refreshed id token
                              containing the data of the original
                              authentication transaction. <br>
                              <div>
                                <div><br>
                                  <div class="gmail_quote">On 24 August
                                    2015 17:08:21 CEST, John
                                    Bradley &lt;<a
                                      moz-do-not-send="true"
                                      href="mailto:ve7jtb@ve7jtb.com"
                                      target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a></a>&gt; wrote:
                                    <blockquote class="gmail_quote"
                                      style="margin:0pt 0pt 0pt
                                      0.8ex;border-left:1px solid
                                      rgb(204,204,204);padding-left:1ex">
                                      I think Nat’s diagram about the
                                      problems of doing pseudo
                                      authentication with OAuth is being
                                      taken out of context.
                                      <div><br>
                                      </div>
                                      <div>The refresh token doesn’t
                                        expire, it is revoked by the
                                        user or system.  In some cases
                                        refresh tokens are automatically
                                        revoked if the user's session to
                                        the AS ends.  I think AOL
                                        typically revokes refresh tokens
                                        when sessions terminate.</div>
                                      <div><br>
                                      </div>
                                      <div>OpenID Connect provides a
                                        separate id_token with an
                                        independent lifetime from the
                                        refresh token.  A client may
                                        keep a refresh token for a much
                                        longer time than the user has a
                                        login session with the AS.</div>
                                      <div><br>
                                      </div>
                                      <div>Refresh tokens are typically
                                        used by confidential clients
                                        that are using a client secret
                                        in combination with the refresh
                                        token for getting a new access
                                        token.</div>
                                      <div><br>
                                      </div>
                                      <div>By design access tokens
                                        should be short lived as the AS
                                        is
                                        expected to have a way of
                                        revoking refresh tokens but not
                                        access tokens.</div>
                                      <div>An access token that doesn't
                                        expire, and can’t be revoked, is
                                        not a good idea.</div>
                                      <div><br>
                                      </div>
                                      <div>John B.</div>
                                      <div><br>
                                      </div>
                                      <div><br>
                                        <div>
                                          <blockquote type="cite">
                                            <div>On Aug 24, 2015, at
                                              2:41 AM, Donghwan Kim &lt;<a
                                                moz-do-not-send="true"
                                                href="mailto:flowersinthesand@gmail.com"
                                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:flowersinthesand@gmail.com">flowersinthesand@gmail.com</a></a>&gt;
                                              wrote:</div>
                                            <br>
                                            <div>
                                              <div dir="ltr">
                                                <div>Hi,<br>
                                                </div>
                                                <div>
                                                  <div><br>
                                                  </div>
                                                  <div>According to
                                                    Figure 2 from <a
                                                      moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc6749#section-1.5" target="_blank"><a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/rfc6749#section-1.5">http://tools.ietf.org/html/rfc6749#section-1.5</a></a>,
                                                    refresh token can be
                                                    used to refresh an
                                                    expired access token
                                                    without requesting
                                                    resource owner to
                                                    sign in again
                                                    (uncomfortable
                                                    experience).
                                                    However, if it's
                                                    true,
                                                    isn't it that
                                                    refresh token might
                                                    be used to request a
                                                    new access token
                                                    even years later?
                                                    and then isn't
                                                    refresh token the
                                                    same with access
                                                    token which never
                                                    expires?</div>
                                                  <div><br>
                                                  </div>
                                                  <div>I intended to use
                                                    refresh token to
                                                    implement persistent
                                                    login by sending a
                                                    refresh request
                                                    before issued access
                                                    token expires
                                                    (expires_in runs
                                                    out). But if refresh
                                                    token works even if
                                                    access token expired
                                                    already, sending a
                                                    refresh request on
                                                    application start up
                                                    would be enough.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>So I'm not sure
                                                    what I'm missing
                                                    about refresh token
                                                    as well as how to
                                                    implement persistent
                                                    login using it (you
                                                    can regard
                                                    authentication here
                                                    pseudo-authentication
                                                    illustrated in <a
                                                      moz-do-not-send="true"
href="https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg"
                                                      target="_blank"><a class="moz-txt-link-freetext" href="https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg">https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg</a></a>).
                                                    What is the lifetime
                                                    of refresh
                                                    token?</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Thanks,</div>
                                                  <div><br>
                                                  </div>
                                                  <div>-- Donghwan</div>
                                                </div>
                                              </div>
_______________________________________________<br>
                                              OAuth mailing list<br>
                                              <a moz-do-not-send="true"
href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a><br>
                                              <a moz-do-not-send="true"
href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                      <div
style="margin-top:2.5em;margin-bottom:1em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(0,0,0)"><br>
                                      </div>
                                      <pre><hr>
OAuth mailing list
<a moz-do-not-send="true" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre></blockquote></div></div></div></div></blockquote></div>
</div>
</div></blockquote></div>
</div></div></div>_______________________________________________

OAuth mailing list

<a moz-do-not-send="true" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>

<a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>

</blockquote></div>


<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>

</blockquote>
<pre class="moz-signature" cols="72">-- 
Jim Manico
Manicode Security
<a class="moz-txt-link-freetext" href="https://www.manicode.com">https://www.manicode.com</a></pre></body></html>
--------------010709090907030109080200--


From nobody Fri Aug 28 14:36:52 2015
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 153E81B2A8A for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QUmdJWmTV-iB for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201341B2A7F for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:49 -0700 (PDT)
Received: by pabzx8 with SMTP id zx8so74574763pab.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=T6FJGYau0B/wa9rkTEuaYSk1tJjL3pd3Fs2BXnSaa28=; b=RoDBq7y17URkbPQGCVFEM3x+WgtcJcPmbCA3OkcY5WSZXjEnXQLwqrA2XPGYhEZbcS k40/vaRcrqftrifn2UaX+0QW+JhYqWwqUvt+f4aWdTOhzz5IntXuyKOjpID3HUHJQhCs mI7DK/wBvCTJmRV191PkjomcKycwB4HHL7RdlXLVvdLIKK7JraihlQ8wDjwc+Cqe+tOd +3sQ+55Du+j05BCFnXxf9n7pbUo8K8MUh9nqlgKqba9mSEQ9A78V7AaLn45890sfs2M+ 7dXppU5HL4uACDW7qLJ3rZUAAZmrw4DlMLySitOgYsFE6hdyh5egIuT0yr9mKJV9hrxy P07w==
X-Gm-Message-State: ALoCoQnKFKLE0h6/3c046z3kJgRMlTZUzxYDxtqz4nCV9FwyiNhD5eLCg/3JkBAunm/igU78bFbG
X-Received: by 10.66.124.133 with SMTP id mi5mr18600959pab.92.1440797808797; Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
Received: from heembo.local ([2605:e000:112c:e0:d153:472a:c47b:5949]) by smtp.googlemail.com with ESMTPSA id xo14sm6788415pac.24.2015.08.28.14.36.46 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:36:48 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D46C.2080901@manicode.com>
Date: Fri, 28 Aug 2015 11:36:44 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------070002000003040706040501"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/J_wJ9roCOv_qvoUJhALJfg4UezU>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:36:52 -0000

This is a multi-part message in MIME format.
--------------070002000003040706040501
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Again, I would state that this is all contextual to the application 
being built - which is why the RFC never gives specific times other than 
"short lived" or "long lived". I would suggest giving a series of 
recommendations relative to a few different risk profiles (low risk, 
social media, banking, enterprise, etc) as opposed to one recommendation.

With respect,
Jim Manico

On 8/28/15 10:41 AM, John Bradley wrote:
> I would use a 5 min AT and roll the refresh token per 
> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if 
> that is what you want for an inactivity timeout after which the user 
> must authenticate again.   The user can always revoke the refresh token.
>
> Rolling the refresh token also has the advantage that if the token 
> leaks or is stolen then you will detect the second use of the expired 
> refresh token and invalidate both, so the user needs to log in.
>
> In general I think rolling the refresh token is a good idea; though it 
> is not popular, I think it is more secure.
>
> John B.
>
>
>
>> On Aug 28, 2015, at 11:21 AM, Donghwan Kim 
>> <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>> wrote:
>>
>> I'm sorry to introduce a common topic.
>>
>> As John has suggested, I'm going to design that
>>
>> * An access token should be short lived e.g. 5 minutes (not to hit 
>> the AS to verify the token) or 1 hour (to hit the AS to verify the 
>> token). I'm inclined to 5 minutes for stateless architecture of RSs.
>> * A refresh token should have 1 month of expiration time by default. 
>> If it turns out that some access token expired, its refresh token 
>> should refresh the token. Then, so called persistent login can be 
>> implemented regardless of the form of authentication. Only if it 
>> fails for some reason e.g. token revocation or inactivity for 1 
>> month, a user is logged out automatically and should log in again.
>> * A refresh token should be able to be revoked somehow. With 5 
>> minutes approach, it will invalidate only the refresh token (Yes the 
>> attacker can have 5 minutes at most), and with 1 hour approach, it 
>> will invalidate the refresh token as well as the corresponding access 
>> token.
>>
>> Thanks,
>>
>> -- Donghwan
>>
>> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt 
>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>     Refresh tokens are also used by public clients, e.g. native apps.
>>     OIDC allows acquiring a new id token from a refresh token as
>>     well. Note: this does not mean a fresh authentication but a
>>     refreshed id token containing the data of the original
>>     authentication transaction.
>>
>>     On 24 August 2015 17:08:21 MESZ, John Bradley
>>     <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>         I think Nat’s diagram about the problems of doing pseudo
>>         authentication with OAuth is being taken out of context.
>>
>>         The refresh token doesn’t expire, it is revoked by the user
>>         or system.  In some cases refresh tokens are automatically
>>         revoked if the users session to the AS ends.  I think AOL
>>         typically revokes refresh tokens when sessions terminate.
>>
>>         OpenID Connect provides a separate id_token with an
>>         independent lifetime from the refresh token.  A client may
>>         keep a refresh token for a much longer time than the user has
>>         a login session with the AS.
>>
>>         Refresh tokens are typically used by confidential clients
>>         that are using a client secret in combination with the
>>         refresh token for getting a new access token.
>>
>>         By design access tokens should be short lived as the AS is
>>         expected to have a way of revoking refresh tokens but not
>>         access tokens.
>>         An access token that doesn't expire, and can’t be revoked is
>>         not a good idea.
>>
>>         John B.
>>
>>
>>>         On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>>>         <flowersinthesand@gmail.com
>>>         <mailto:flowersinthesand@gmail.com>> wrote:
>>>
>>>         Hi,
>>>
>>>         According to Figure 2 from
>>>         http://tools.ietf.org/html/rfc6749#section-1.5, refresh
>>>         token can be used to refresh an expired access token without
>>>         requesting the resource owner to sign in again (uncomfortable
>>>         experience). However, if it's true, isn't it that the refresh
>>>         token might be used to request a new access token even years
>>>         later? And then isn't the refresh token the same as an access
>>>         token which never expires?
>>>
>>>         I intended to use refresh token to implement persistent
>>>         login by sending a refresh request before issued access
>>>         token expires (expires_in runs out). But if refresh token
>>>         works even if access token expired already, sending a
>>>         refresh request on application start up would be enough.
>>>
>>>         So I'm not sure what I'm missing about refresh token as well
>>>         as how to implement persistent login using it (you can
>>>         regard authentication here pseudo-authentication illustrated
>>>         in
>>>         https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>>         What is the lifetime of refresh token?
>>>
>>>         Thanks,
>>>
>>>         -- Donghwan
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>         ------------------------------------------------------------------------
>>
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
-- 
Jim Manico
Manicode Security
https://www.manicode.com
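The rotation-and-reuse-detection scheme John Bradley recommends in the quoted reply above (and the 5-minute / 1-month design Donghwan sketches from it), as an added example that is not code from the thread or from any of its participants. The AuthorizationServer class, its in-memory stores and the theft_scenario driver are hypothetical, and the clock is a constructed stand-in so the month-long timeline runs instantly.

```python
# Added example, not code from the thread: an authorization-server-side
# sketch of John Bradley's scheme (5-minute access token, refresh token
# rotated on every use per RFC 6749 section 10.4, one-month inactivity
# expiry, leak detected by a second use). All names are hypothetical.
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 5 * 60            # 5-minute access token, as in the thread
REFRESH_TOKEN_TTL = 30 * 24 * 3600   # 1-month inactivity timeout, as in the thread


class TokenError(Exception):
    """Token endpoint error; reuse_detected marks a rotated-out token replayed."""

    def __init__(self, error: str, reuse_detected: bool = False) -> None:
        super().__init__(error)
        self.error = error
        self.reuse_detected = reuse_detected


@dataclass
class RefreshRecord:
    family: str          # one family per grant; every rotation stays inside it
    user: str
    expires_at: float    # sliding: each successful refresh issues a fresh token
    used: bool = False   # set once rotated; a second presentation is a replay


class AuthorizationServer:
    """Constructed in-memory AS; a real one needs durable, shared token state."""

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.refresh_tokens: dict[str, RefreshRecord] = {}
        self.access_tokens: dict[str, tuple[str, str, float]] = {}  # at -> (user, family, exp)
        self.revoked_families: set[str] = set()

    def _issue_pair(self, user: str, family: str) -> dict:
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[at] = (user, family, now + ACCESS_TOKEN_TTL)
        self.refresh_tokens[rt] = RefreshRecord(family, user, now + REFRESH_TOKEN_TTL)
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": rt}

    def grant(self, user: str) -> dict:
        """Initial issuance after the user authenticates: opens a new family."""
        return self._issue_pair(user, secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> dict:
        """grant_type=refresh_token handling with rotation and reuse detection."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.family in self.revoked_families:
            raise TokenError("invalid_grant")
        if rec.used:
            # Already rotated out: the legitimate client or whoever copied the
            # token is replaying it, and the AS cannot tell which. Revoking the
            # family cuts both off and forces a login, which exposes the leak.
            self.revoke_family(rec.family)
            raise TokenError("invalid_grant", reuse_detected=True)
        if self.clock() > rec.expires_at:
            raise TokenError("invalid_grant")        # inactivity timeout hit
        rec.used = True
        return self._issue_pair(rec.user, rec.family)

    def revoke_family(self, family: str) -> None:
        """Drop the family's refresh tokens and, for RSs that introspect, its ATs."""
        self.revoked_families.add(family)
        for at in [a for a, (_, fam, _) in self.access_tokens.items() if fam == family]:
            del self.access_tokens[at]

    def introspect(self, access_token: str) -> bool:
        """An RS calling back to the AS sees revocation at once; a stateless RS
        keeps honouring a self-contained AT until its 5-minute expiry."""
        entry = self.access_tokens.get(access_token)
        return entry is not None and self.clock() <= entry[2]


def theft_scenario() -> dict:
    """Client refreshes normally; then a copy of the old refresh token is replayed."""
    now = [1_000_000.0]                                # constructed controllable clock
    srv = AuthorizationServer(clock=lambda: now[0])
    first = srv.grant("alice")
    now[0] += ACCESS_TOKEN_TTL + 1                     # access token lapses
    second = srv.refresh(first["refresh_token"])       # ordinary rotation
    out = {"rotated": second["refresh_token"] != first["refresh_token"],
           "old_at_valid": srv.introspect(first["access_token"]),
           "new_at_valid": srv.introspect(second["access_token"])}
    try:
        srv.refresh(first["refresh_token"])            # replay of the stale copy
        out["reuse_detected"] = False
    except TokenError as e:
        out["reuse_detected"] = e.reuse_detected
    try:
        srv.refresh(second["refresh_token"])           # legitimate holder cut off too
        out["family_revoked"] = False
    except TokenError:
        out["family_revoked"] = True
    out["new_at_after_revoke"] = srv.introspect(second["access_token"])
    return out
```

The replay of the already-rotated token is what trips the family revocation; with self-contained access tokens and stateless RSs, the freshly issued access token would still be honoured for up to five minutes, which is the window Donghwan's 5-minute design accepts.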

--------------070002000003040706040501--


From nobody Fri Aug 28 14:39:02 2015
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3731A8A3C for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:39:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8VjA6Oiabzl for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 14:38:57 -0700 (PDT)
Received: from mail-pa0-f43.google.com (mail-pa0-f43.google.com [209.85.220.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFC951B2AAB for <oauth@ietf.org>; Fri, 28 Aug 2015 14:38:57 -0700 (PDT)
Received: by pabzx8 with SMTP id zx8so74616575pab.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 14:38:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=yqVbe8gbSADqSXt1oSU8+E8o5bgOINftIr1UqhDHZJ0=; b=Lou5EwSkdtIHVibMfOvNHqKvcS+esobNcvqLEX/Rc/iYnuYw9JyAa5Vgay7EvrBTcB pChYJOvUoiQa0yGD6ZPqWUgqA09h2Ax4Tx/3fSlDhZjeMeaZXcvJDDAzDAh6v3YV68AS nnpOlaxgYLBOA0yO2JByUtFWjvXepvTqHCcJWaefJqZL9jWUZa1z/SvnmqxuJ/OMJMG4 DzR6KKm5lziVfwyXZUhXHWa+N2v5uwOeBQImDFrwGGsA4hahGrakceqbgURx+d3xHAM9 CPn3WCF7/3eZhpaw+ahHO67fTPaUerkUBik2fRp4cyM5TMwKyap+iGtvJfJbhZ0O9h0E Fc8w==
X-Gm-Message-State: ALoCoQmu9vm3JgSIsiFw+ugWZrdqzTluFASXBmwGAwR1QYIlsjQBkr89040+afsQ/MrXM8kly2jF
X-Received: by 10.66.175.7 with SMTP id bw7mr17852599pac.155.1440797937436; Fri, 28 Aug 2015 14:38:57 -0700 (PDT)
Received: from heembo.local ([2605:e000:112c:e0:d153:472a:c47b:5949]) by smtp.googlemail.com with ESMTPSA id x3sm6754589pdr.43.2015.08.28.14.38.56 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Aug 2015 14:38:56 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>, Donghwan Kim <flowersinthesand@gmail.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <55E0D46C.2080901@manicode.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <55E0D4EE.9090402@manicode.com>
Date: Fri, 28 Aug 2015 11:38:54 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <55E0D46C.2080901@manicode.com>
Content-Type: multipart/alternative; boundary="------------070708080107080605050302"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TaUHbxATwVOTzCTotCr1fgUmx7A>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 21:39:00 -0000

This is a multi-part message in MIME format.
--------------070708080107080605050302
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

I stand corrected: the RFC does give specific time recommendations, such 
as the 10-minute authorization code recommendation here 
https://tools.ietf.org/html/rfc6749#section-4.1.2, but I think my overall 
point is still valid. :)

Aloha,
Jim




On 8/28/15 11:36 AM, Jim Manico wrote:
> Again, I would state that this is all contextual to the application 
> being built - which is why the RFC never gives specific times other 
> than "short lived" or "long lived". I would suggest giving a series of 
> recommendations relative to a few different risk profiles (low risk, 
> social media, banking, enterprise, etc) as opposed to one recommendation.
>
> With respect,
> Jim Manico
>
> On 8/28/15 10:41 AM, John Bradley wrote:
>> I would use a 5 min AT and roll the refresh token per 
>> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if 
>> that is what you want for an inactivity timeout after which the user 
>> must authenticate again.   The user can always revoke the refresh token.
>>
>> Rolling the refresh token also has the advantage that if the token 
>> leaks or is stolen then you will detect the second use of the 
>> expired refresh token and invalidate both, so the user needs to log in.
>>
>> In general I think rolling the refresh token is a good idea; though it 
>> is not popular, I think it is more secure.
>>
>> John B.
>>
>>
>>
>>> On Aug 28, 2015, at 11:21 AM, Donghwan Kim 
>>> <flowersinthesand@gmail.com <mailto:flowersinthesand@gmail.com>> wrote:
>>>
>>> I'm sorry to introduce a common topic.
>>>
>>> As John has suggested, I'm going to design that
>>>
>>> * An access token should be short lived, e.g. 5 minutes (not to hit 
>>> the AS to verify the token) or 1 hour (to hit the AS to verify the 
>>> token). I'm inclined to 5 minutes for a stateless architecture of RSs.
>>> * A refresh token should have 1 month of expiration time by default. 
>>> If it turns out that some access token expired, its refresh token 
>>> should refresh the token. Then, so called persistent login can be 
>>> implemented regardless of the form of authentication. Only if it 
>>> fails for some reason e.g. token revocation or inactivity for 1 
>>> month, a user is logged out automatically and should log in again.
>>> * A refresh token should be able to be revoked somehow. With the 5 
>>> minutes approach, it will invalidate only the refresh token (yes, the 
>>> attacker can have 5 minutes at most), and with the 1 hour approach, it 
>>> will invalidate the refresh token as well as the corresponding 
>>> access token.
>>>
>>> Thanks,
>>>
>>> -- Donghwan
>>>
>>> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt 
>>> <torsten@lodderstedt.net> wrote:
>>>
>>>     Refresh tokens are also used by public clients, e.g. native
>>>     apps. OIDC allows acquiring a new id token from a refresh token
>>>     as well. Note: this does not mean a fresh authentication but a
>>>     refreshed id token containing the data of the original
>>>     authentication transaction.
>>>
>>>     On 24 August 2015 17:08:21 MESZ, John Bradley
>>>     <ve7jtb@ve7jtb.com> wrote:
>>>
>>>         I think Nat’s diagram about the problems of doing pseudo
>>>         authentication with OAuth is being taken out of context.
>>>
>>>         The refresh token doesn't expire, it is revoked by the user
>>>         or system.  In some cases refresh tokens are automatically
>>>         revoked if the user's session to the AS ends.  I think AOL
>>>         typically revokes refresh tokens when sessions terminate.
>>>
>>>         OpenID Connect provides a separate id_token with an
>>>         independent lifetime from the refresh token.  A client may
>>>         keep a refresh token for a much longer time than the user
>>>         has a login session with the AS.
>>>
>>>         Refresh tokens are typically used by confidential clients
>>>         that are using a client secret in combination with the
>>>         refresh token for getting a new access token.
>>>
>>>         By design access tokens should be short lived as the AS is
>>>         expected to have a way of revoking refresh tokens but not
>>>         access tokens.
>>>         An access token that doesn't expire, and can't be revoked, is
>>>         not a good idea.
>>>
>>>         John B.
>>>
>>>
>>>>         On Aug 24, 2015, at 2:41 AM, Donghwan Kim
>>>>         <flowersinthesand@gmail.com> wrote:
>>>>
>>>>         Hi,
>>>>
>>>>         According to Figure 2 from
>>>>         http://tools.ietf.org/html/rfc6749#section-1.5, a refresh
>>>>         token can be used to refresh an expired access token
>>>>         without requiring the resource owner to sign in again
>>>>         (an uncomfortable experience). However, if that's true,
>>>>         isn't it the case that a refresh token might be used to
>>>>         request a new access token even years later? And then isn't
>>>>         a refresh token the same as an access token which never
>>>>         expires?
>>>>
>>>>         I intended to use the refresh token to implement persistent
>>>>         login by sending a refresh request before the issued access
>>>>         token expires (expires_in runs out). But if the refresh token
>>>>         works even if the access token has expired already, sending a
>>>>         refresh request on application start up would be enough.
>>>>
>>>>         So I'm not sure what I'm missing about the refresh token, as
>>>>         well as how to implement persistent login using it (you can
>>>>         regard authentication here as the pseudo-authentication
>>>>         illustrated in
>>>>         https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>>>         What is the lifetime of a refresh token?
>>>>
>>>>         Thanks,
>>>>
>>>>         -- Donghwan
>>>>         _______________________________________________
>>>>         OAuth mailing list
>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>         ------------------------------------------------------------------------
>>>
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> Jim Manico
> Manicode Security
> https://www.manicode.com
-- 
Jim Manico
Manicode Security
https://www.manicode.com

--------------070708080107080605050302--


From nobody Fri Aug 28 17:52:10 2015
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C612A1ACE35; Fri, 28 Aug 2015 17:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KiDk0mw4YbI9; Fri, 28 Aug 2015 17:52:06 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CFFBC1B3751; Fri, 28 Aug 2015 17:52:05 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.4.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150829005205.5953.80875.idtracker@ietfa.amsl.com>
Date: Fri, 28 Aug 2015 17:52:05 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2_7C27ayRGdW46Tm9CF5mBlOKuw>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-proof-of-possession-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 00:52:08 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
        Authors         : Michael B. Jones
                          John Bradley
                          Hannes Tschofenig
        Filename        : draft-ietf-oauth-proof-of-possession-04.txt
        Pages           : 16
        Date            : 2015-08-28

Abstract:
   This specification defines how to express a declaration in a JSON Web
   Token (JWT) that the presenter of the JWT possesses a particular key
   and that the recipient can cryptographically confirm proof-of-
   possession of the key by the presenter.  This property is also
   sometimes described as the presenter being a holder-of-key.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-proof-of-possession-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Aug 28 17:58:23 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1851D1ACE88 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 17:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.641
X-Spam-Level: 
X-Spam-Status: No, score=-1.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGtSj1-97WQZ for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 17:58:19 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0741.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:741]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 020661A890E for <oauth@ietf.org>; Fri, 28 Aug 2015 17:58:19 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.256.15; Sat, 29 Aug 2015 00:58:16 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0243.020; Sat, 29 Aug 2015 00:58:15 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Proof-of-Possession Key Semantics for JWTs spec addressing remaining comments
Thread-Index: AdDh9b9zCWYe9r9gTLCP/s/NNZtqzQ==
Date: Sat, 29 Aug 2015 00:58:15 +0000
Message-ID: <BY2PR03MB4428946326DE18F01ACF6E1F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8:4::521]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:2Gdq/VstjaNbgMJqoyPks9KHT6kmVBVFUS+OdDl05wO0+i3nFjJcRE/Kb9A2WfK2RXSPmxEfXPljI6xs4Cp4uU/VSGh1V2EPAAZknPzDsuvVn3GnfckAwF7xRmFveiP6lmcjxkI6+TuZi/CHL6Smsg==; 24:Sj13w6Bz7qijfRZWv1ZvUA00boFB4UnCjqY9nKEMJAdVnl1jKmfdVbQq2rdY5Z7XHTsCpzNYyKOkWrlc0R+9KxVz2XFQ1nTUtT4vOSCIrR0=; 20:SAhC/O/SMuIac3vCCQMnp9cvCGGvmgYJ5GsfZE50UNPF5TR5qEZOBq7WDFyfR8gNVgqBWteBppLcsqAWM/3CTQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB444C735F75131DD9749A5F1F56D0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(8121501046)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 06833C6A67
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(199003)(189002)(106356001)(46102003)(99286002)(19617315012)(450100001)(92566002)(77156002)(68736005)(64706001)(101416001)(62966003)(2900100001)(76576001)(5007970100001)(19625215002)(19609705001)(122556002)(50986999)(40100003)(5002640100001)(5004730100002)(189998001)(4001540100001)(102836002)(10290500002)(15975445007)(5003600100002)(230783001)(10400500002)(5001860100001)(16236675004)(97736004)(229853001)(2351001)(5001830100001)(8990500004)(2656002)(86612001)(77096005)(2501003)(5001920100001)(74316001)(10090500001)(54356999)(33656002)(107886002)(110136002)(86362001)(19300405004)(105586002)(87936001)(19580395003)(81156007)(5001960100002)(5005710100001)(3826002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4428946326DE18F01ACF6E1F56D0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2015 00:58:15.4890 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2UCE5C5QaJVbfZVhxkQL8RGBvXA>
Subject: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing remaining comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 00:58:22 -0000

--_000_BY2PR03MB4428946326DE18F01ACF6E1F56D0BY2PR03MB442namprd_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Proof-of-Possession Key Semantics for JWTs draft -04 addresses the remaining working group comments received - both a few leftover WGLC comments and comments received during IETF 93 in Prague<http://www.ietf.org/meeting/93/>.  The changes were:

*         Allowed the use of "jwk" for symmetric keys when the JWT is encrypted.

*         Added the "jku" (JWK Set URL) member.

*         Added privacy considerations.

*         Reordered sections so that the "cnf" (confirmation) claim is defined before it is used.

*         Noted that applications can define new claim names, in addition to "cnf", to represent additional proof-of-possession keys, using the same representation as "cnf".

*         Applied wording clarifications suggested by Nat Sakimura.

The updated specification is available at:

*         https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04

An HTML formatted version is also available at:

*         http://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-04.html

                                                                -- Mike

P.S.  This note was also published at http://self-issued.info/?p=1442 and as @selfissued<https://twitter.com/selfissued>.


--_000_BY2PR03MB4428946326DE18F01ACF6E1F56D0BY2PR03MB442namprd_--
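
The announcement above describes a JWT that declares which key its presenter holds, and the -04 note restricts a symmetric "jwk" inside "cnf" to encrypted JWTs. The following is an added example, not code from the draft or its authors, showing the confirmation claim end to end with only the Python standard library: the authorization server mints an HS256 JWT whose "cnf" references a symmetric key by "kid" (one of the confirmation methods the draft defines), the presenter proves possession over a recipient-chosen nonce, and the recipient refuses the token when the proof fails or when a symmetric key would be embedded in a JWT that is not encrypted. The issuer and audience names, key identifiers, secrets and the HMAC-over-nonce exchange are assumptions; the draft specifies how the key is declared, not the proof protocol an application uses.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo secrets (assumed): the AS's JWS key and the presenter's
# proof-of-possession key. The PoP key is symmetric ("oct"), so it is never
# placed inline in an unencrypted JWT; see build_cnf.
ISSUER_KEY = b"as-hs256-signing-key-demo-only-0123456789"
POP_KEY = b"presenter-pop-key-demo-only-9876543210"
POP_KID = "pop-key-2015-08"
# Recipient-side key store used to resolve cnf.kid (assumed to be provisioned
# out of band, e.g. at client registration).
RECIPIENT_KEYS = {POP_KID: POP_KEY}
AUDIENCE = "https://rs.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_cnf(kid: str, symmetric_key: bytes = None, jwt_is_encrypted: bool = False) -> dict:
    """Build a cnf value. A symmetric key may travel inline as "jwk" only when the
    JWT is encrypted (the -04 rule); otherwise it is referenced by "kid"."""
    if symmetric_key is None:
        return {"kid": kid}
    if not jwt_is_encrypted:
        raise ValueError("symmetric cnf.jwk is only allowed inside an encrypted JWT; use cnf.kid")
    return {"jwk": {"kty": "oct", "kid": kid, "k": b64url(symmetric_key)}}


def jws_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: BASE64URL(header).BASE64URL(payload).BASE64URL(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_hs256(token: str, key: bytes) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("JWT expired")
    return claims


def issue_pop_token(subject: str) -> str:
    """Authorization server: mint a JWT bound to the presenter's key via cnf.kid."""
    claims = {"iss": "https://as.example", "sub": subject, "aud": AUDIENCE,
              "exp": int(time.time()) + 300, "cnf": build_cnf(POP_KID)}
    return jws_hs256(claims, ISSUER_KEY)


def prove_possession(pop_key: bytes, token: str, nonce: bytes) -> str:
    """Presenter: assumed application-defined proof, an HMAC with the PoP key over
    the token and a recipient-chosen nonce (so a captured proof cannot be replayed)."""
    return b64url(hmac.new(pop_key, token.encode() + b"." + nonce, hashlib.sha256).digest())


def accept_token(token: str, proof: str, nonce: bytes) -> dict:
    """Recipient: verify the JWT, resolve cnf, and demand proof of possession."""
    claims = verify_hs256(token, ISSUER_KEY)
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    cnf = claims.get("cnf") or {}
    if "kid" not in cnf:
        raise ValueError("no confirmation key; refusing to treat a PoP token as bearer")
    pop_key = RECIPIENT_KEYS.get(cnf["kid"])
    if pop_key is None:
        raise ValueError("unknown cnf.kid")
    expected = hmac.new(pop_key, token.encode() + b"." + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(proof)):
        raise ValueError("presenter could not prove possession of the cnf key")
    return claims


def demo() -> dict:
    token = issue_pop_token("alice")
    nonce = os.urandom(16)
    results = {"legit": accept_token(token, prove_possession(POP_KEY, token, nonce), nonce)["sub"] == "alice"}
    # A thief holding the token but not the key cannot produce a valid proof.
    try:
        accept_token(token, prove_possession(b"guessed-key", token, nonce), nonce)
        results["stolen_token_replay"] = True
    except ValueError:
        results["stolen_token_replay"] = False
    # Embedding a symmetric jwk in a JWT that is not encrypted is refused.
    try:
        build_cnf(POP_KID, POP_KEY, jwt_is_encrypted=False)
        results["symmetric_jwk_in_plain_jwt"] = True
    except ValueError:
        results["symmetric_jwk_in_plain_jwt"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the recipient side is that a "cnf" claim changes the token from bearer to holder-of-key only if the recipient actually enforces it: a resource server that verifies the issuer signature and ignores "cnf" has silently downgraded the token back to bearer.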


From nobody Fri Aug 28 18:03:14 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B7E61A8F3D for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 18:03:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.088
X-Spam-Level: 
X-Spam-Status: No, score=0.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C3b0ppUveQ3p for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 18:03:06 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0799.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::799]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDC4D1B2EEF for <oauth@ietf.org>; Fri, 28 Aug 2015 18:02:54 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.256.15; Sat, 29 Aug 2015 01:02:49 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0243.020; Sat, 29 Aug 2015 01:02:49 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
Thread-Index: AdDh9mGOWaLNLadkjU2DITHnPVooSw==
Date: Sat, 29 Aug 2015 01:02:49 +0000
Message-ID: <BY2PR03MB442AFC9FE80B6CF9F696342F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8:4::521]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:aYse+Wu/7tTMdINa6x0hjMDfT6Q3G7cppEai6ssN1dya9+d8FmB0DjbzEIZ1ZMIl/jhIBZT7DeGvaCt+m7/JoZFUD/LTCPVz1hcKgPFVu+UV3/JPY44haOYdpvC0upqy2BXAHnXj6wTLAbLhCTazjw==; 24:rYFCivLTDYH1slcaxQi5YZB8oG5VGfVlzWOGzm9HLbr8FpMGVwmUmV1ZbwFn8ISiNmKRlacrjRvWhWoBy63S+PQ/FZZg4wroUa1RwGS3+bI=; 20:xUV7mumbvghIGWTFFXyTgMNVZRz5wxiGGkTPBMcMe5bz2eFPBVHYom+8NDTi2AKKK5XpGq/POhIV1GotioW34g==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB444FD5EEE3AE630B5792383F56D0@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(8121501046)(3002001); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; 
x-forefront-prvs: 06833C6A67
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(43784003)(52084003)(199003)(50944005)(189002)(377424004)(106356001)(46102003)(99286002)(19617315012)(92566002)(77156002)(68736005)(64706001)(101416001)(62966003)(2900100001)(76576001)(5007970100001)(19625215002)(19609705001)(122556002)(50986999)(40100003)(5002640100001)(5004730100002)(189998001)(4001540100001)(102836002)(10290500002)(15975445007)(5003600100002)(230783001)(10400500002)(5001860100001)(16236675004)(97736004)(1411001)(561944003)(19580405001)(5001830100001)(8990500004)(2656002)(86612001)(77096005)(5001920100001)(74316001)(10090500001)(54356999)(33656002)(110136002)(86362001)(19300405004)(105586002)(87936001)(19580395003)(81156007)(5001960100002)(5005710100001)(3826002)(559001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442AFC9FE80B6CF9F696342F56D0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2015 01:02:49.4785 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/5JwZV-S-3q8ysgy1LBDYDW8TAUc>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 01:03:13 -0000

--_000_BY2PR03MB442AFC9FE80B6CF9F696342F56D0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB442AFC9FE80B6CF9F696342F56D0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg
Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv
ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl
PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6
Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ
e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQpA
Zm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNvbnNvbGFzOw0KCXBhbm9zZS0xOjIgMTEgNiA5IDIg
MiA0IDMgMiA0O30NCi8qIFN0eWxlIERlZmluaXRpb25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNv
Tm9ybWFsLCBkaXYuTXNvTm9ybWFsDQoJe21hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAw
MXB0Ow0KCWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiIs
InNlcmlmIjt9DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0
eTo5OTsNCgljb2xvcjpibHVlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNp
dGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsN
Cgljb2xvcjpwdXJwbGU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQpwcmUNCgl7bXNv
LXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJIVE1MIFByZWZvcm1hdHRlZCBD
aGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6
MTAuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0KcC5Nc29BY2V0YXRlLCBsaS5N
c29BY2V0YXRlLCBkaXYuTXNvQWNldGF0ZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNv
LXN0eWxlLWxpbms6IkJhbGxvb24gVGV4dCBDaGFyIjsNCgltYXJnaW46MGluOw0KCW1hcmdpbi1i
b3R0b206LjAwMDFwdDsNCglmb250LXNpemU6OC4wcHQ7DQoJZm9udC1mYW1pbHk6IlRhaG9tYSIs
InNhbnMtc2VyaWYiO30NCnNwYW4uSFRNTFByZWZvcm1hdHRlZENoYXINCgl7bXNvLXN0eWxlLW5h
bWU6IkhUTUwgUHJlZm9ybWF0dGVkIENoYXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCglt
c28tc3R5bGUtbGluazoiSFRNTCBQcmVmb3JtYXR0ZWQiOw0KCWZvbnQtZmFtaWx5OkNvbnNvbGFz
O30NCnNwYW4uQmFsbG9vblRleHRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJCYWxsb29uIFRleHQg
Q2hhciI7DQoJbXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29u
IFRleHQiOw0KCWZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjt9DQpzcGFuLmhvZW56
Yg0KCXttc28tc3R5bGUtbmFtZTpob2VuemI7fQ0Kc3Bhbi5FbWFpbFN0eWxlMjINCgl7bXNvLXN0
eWxlLXR5cGU6cGVyc29uYWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNl
cmlmIjsNCgljb2xvcjojMUY0OTdEO30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10eXBl
OmV4cG9ydC1vbmx5Ow0KCWZvbnQtc2l6ZToxMC4wcHQ7DQoJZm9udC1mYW1pbHk6IkNhbGlicmki
LCJzYW5zLXNlcmlmIjt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47
DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7
cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4N
CjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48
IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0
PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5
b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9
ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5
OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDBCMDUw
Ij5UaGFua3MgYWdhaW4gZm9yIHlvdXIgZGV0YWlsZWQgcmV2aWV3LCBOYXQuJm5ic3A7IFRoZSBy
ZW1haW5kZXIgb2YgdGhlIGlzc3VlcyB5b3UgcmFpc2VkIGFyZSBhZGRyZXNzZWQgaW4gdGhlDQo8
YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXByb29m
LW9mLXBvc3Nlc3Npb24tMDQiPi0wNCBkcmFmdDwvYT4uJm5ic3A7IFJlcGxpZXMgYXJlIGlubGlu
ZSBwcmVmaXhlZCBieSBNaWtlJmd0OyDigKY8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFz
cz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTom
cXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+
PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNw
YW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7
LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9u
dC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1z
ZXJpZiZxdW90OyI+IE5hdCBTYWtpbXVyYSBbPGEgaHJlZj0ibWFpbHRvOnNha2ltdXJhQGdtYWls
LmNvbSI+bWFpbHRvOnNha2ltdXJhQGdtYWlsLmNvbTwvYT5dDQo8YnI+DQo8Yj5TZW50OjwvYj4g
VHVlc2RheSwgQXVndXN0IDE4LCAyMDE1IDk6MDAgUE08YnI+DQo8Yj5Ubzo8L2I+IE1pa2UgSm9u
ZXM8YnI+DQo8Yj5DYzo8L2I+IG9hdXRoPGJyPg0KPGI+U3ViamVjdDo8L2I+IFJlOiBbT0FVVEgt
V0ddIFJldmlldyBDb21tZW50cyBmb3IgZHJhZnQtaWV0Zi1vYXV0aC1wcm9vZi1vZi1wb3NzZXNz
aW9uLTAyPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4m
bmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SW5saW5lOiZuYnNw
OzxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7
PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjIwMTUtMDgtMTEgMTQ6MTIg
R01UJiM0MzswOTowMCBNaWtlIEpvbmVzICZsdDs8YSBocmVmPSJtYWlsdG86TWljaGFlbC5Kb25l
cXVvdDs7Y29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+
DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDph
dXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5UaGVuLCBpdCBnb2VzIG9uIHRvIGRlc2Ny
aWJlICgxKSB2ZXJ5IGJyaWVmbHksIGluIHdoaWNoIGl0IGlzIGp1c3Qgc3BlbGxpbmcgb3V0ICZx
dW90O2lzcyZxdW90OyBhbmQgJnF1b3Q7c3ViJnF1b3Q7LiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w
LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4mbmJzcDs8bzpwPjwvbzpwPjwv
cD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFs
dDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5JIHVuZGVyc3RhbmQgdGhlIHVzZSBv
ZiBzdWIgaW4gdGhpcyBzZWN0aW9uIGNvbWVzIGRvd24gZnJvbSBTQU1MIGJ1dCBJIGZlZWwgdGhh
dCBzb21lIHNlcGFyYXRpb24gYmV0d2VlbiBzdWIgYW5kIHByZXNlbnRlciB3b3VsZCBiZSBuaWNl
Lg0KPGJyPg0KPGJyPg0KRm9yIGV4YW1wbGUsIHdoZW4gSSBhbSBwcmVzZW50aW5nIHRoZSB0b2tl
biB1c2luZyBhbiBhcHAgdGhhdCBJIGluc3RhbGxlZCBvbiBteSBpUGhvbmUsIHRoZSBwcmVzZW50
ZXIgaXMgdGhhdCBhcHAgYW5kIG5vdCBtZSwgd2hpbGUgdGhlIHN1YiBzdGlsbCBtYXkgYmUgbWUu
IFRoZSBhcHAgaXMgdGhlIGF1dGhvcml6ZWQgcHJlc2VudGVyL3BhcnR5IChhenApIG9mIHRoZSB0
b2tlbi4mbmJzcDtUaGUgSldUIG1heSB3ZWxsIGJlIGFib3V0IHRoZSBzdWIgYnV0DQogcHJlc2Vu
dGVkIGJ5IHNvbWUgc29mdHdhcmUgY29tcG9uZW50IHRoYXQgc2hvdWxkIGJlIGluZGVwZW5kZW50
bHkgaWRlbnRpZmllZC4gJm5ic3A7PG86cD48L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z
b05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9t
LWFsdDphdXRvIj48YnI+DQpTbyBteSBwcm9wb3NhbCBpcyB0byBjcmVhdGUgYSBuZXcgc3Vic2Vj
dGlvbiBvbiAoMSkgZm9yIHRoZSBjb21wbGV0ZW5lc3MsIHdoaWNoIGlzIGdvaW5nIHRvIGJlIGEg
bmV3IDMuMSwgYW5kIHRvIHVzZSBhIGNsYWltIGxpa2UgJnF1b3Q7YXpwJnF1b3Q7IGluc3RlYWQg
b2YgJnF1b3Q7c3ViJnF1b3Q7IHRvIGlkZW50aWZ5IHRoZSBwcmVzZW50ZXIuIExlc3Mgb3Zlcmxv
YWQgd291bGQgY2F1c2UgbGVzcyBjb25mdXNpb24gbGF0ZXIsIElNSE8uPG86cD48L286cD48L3A+
DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10
b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xv
cjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0
OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh
bGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5QZXIgeW91
ciByZXF1ZXN0LA0KPC9zcGFuPjxhIGhyZWY9Imh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVj
dGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHBzJTNhJTJmJTJmdG9vbHMuaWV0Zi5vcmclMmZodG1s
JTJmZHJhZnQtaWV0Zi1vYXV0aC1wcm9vZi1vZi1wb3NzZXNzaW9uLTAzJTIzc2VjdGlvbi0zJmFt
cDtkYXRhPTAxJTdjMDElN2NNaWNoYWVsLkpvbmVzJTQwbWljcm9zb2Z0LmNvbSU3YzYxOTc0M2Jh
Y2RjMzRjMWJjNjc0MDhkMmE4NGFiNDFiJTdjNzJmOTg4YmY4NmYxNDFhZjkxYWIyZDdjZDAxMWRi
NDclN2MxJmFtcDtzZGF0YT1jb1R6eUdIdHUlMmJhSVp5NENwaFlUSGNyRlhadGN3bnh0WHVscFQ1
NWJ0TUUlM2QiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm
b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPmh0
dHBzOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLXByb29mLW9mLXBvc3Nl
c3Npb24tMDMjc2VjdGlvbi0zPC9zcGFuPjwvYT48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw
dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7
Y29sb3I6IzFGNDk3RCI+DQogd2FzIHJldmlzZWQgdG8gaW5jbHVkZSBhIGRlc2NyaXB0aW9uIG9m
IHRoZSB1c2Ugb2YgdGhlIOKAnGF6cOKAnSBjbGFpbSBhcyBhIGNob2ljZSB0aGF0IGFwcGxpY2F0
aW9ucyBjYW4gZW1wbG95IHRvIGlkZW50aWZ5IHRoZSBwcmVzZW50ZXIsIGlmIGFwcHJvcHJpYXRl
Ljwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0K
PC9kaXY+DQo8L2Jsb2NrcXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4m
bmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5UaGFu
ayB5b3UuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9
ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzowaW4g
MGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tdG9wOjUuMHB0O21hcmdpbi1y
aWdodDowaW47bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2
Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6
YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox
MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1
b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K
PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0
bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+My4xPG86cD48L286cD48L3A+DQo8L2Rpdj4N
CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1
dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPj09PT09PTxvOnA+PC9vOnA+PC9wPg0KPC9k
aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFs
dDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5UaXRsZTxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w
LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4tLS0tLS0tLTxvOnA+PC9vOnA+
PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJn
aW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5QZXJoYXBzICZxdW90
O0NvbmZpcm1hdGlvbiBLZXkgUmVwcmVzZW50YXRpb24gZm9yIGFuIEFzeW1tZXRyaWMgS2V5JnF1
b3Q7IGlzIG1vcmUgcmVmbGVjdGl2ZSBvZiB0aGUgY29udGVudC4mbmJzcDs8bzpwPjwvbzpwPjwv
cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu
LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImNv
bG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1h
bHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7
Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlRoaXMg
d2FzIGNoYW5nZWQgdG8g4oCcUmVwcmVzZW50YXRpb24gZm9yIGFuIEFzeW1tZXRyaWMgUHJvb2Yt
b2YtUG9zc2Vzc2lvbiBLZXnigJ0uPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rp
dj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvYmxvY2txdW90ZT4NCjxkaXY+DQo8cCBjbGFz
cz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiPlRoYW5rcy4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRp
dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8
YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAx
LjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi10
b3A6NS4wcHQ7bWFyZ2luLXJpZ2h0OjBpbjttYXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+DQo8
ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1z
by1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBz
dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZx
dW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9v
OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1t
YXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4zLjI8bzpwPjwv
bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28t
bWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PT09PT09PT08
bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+VGl0
bGU8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0
eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+
LS0tLS0tLS0tLS08bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1h
bHQ6YXV0byI+UGVyaGFwcyAmcXVvdDtDb25maXJtYXRpb24gS2V5IFJlcHJlc2VudGF0aW9uIGZv
ciBhIFN5bW1ldHJpYyBLZXkmcXVvdDsgaXMgbW9yZSByZWZsZWN0aXZlIG9mIHRoZSBjb250ZW50
LiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDph
dXRvIj48c3BhbiBzdHlsZT0iY29sb3I6IzFGNDk3RCI+Jm5ic3A7PC9zcGFuPjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRv
O21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBw
dDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7
Y29sb3I6IzFGNDk3RCI+VGhpcyB3YXMgY2hhbmdlZCB0byDigJxSZXByZXNlbnRhdGlvbiBmb3Ig
YW4gRW5jcnlwdGVkIFN5bW1ldHJpYyBQcm9vZi1vZi1Qb3NzZXNzaW9uIEtleeKAnS48L3NwYW4+
PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0K
PC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9v
OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+VGhhbmtzLiZuYnNw
OzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5i
c3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9u
ZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4w
cHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tcmlnaHQ6MGluO21h
cmdpbi1ib3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h
cmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt
ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjoj
MUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdp
bi1ib3R0b20tYWx0OmF1dG8iPkxhc3QgUGFyYTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21z
by1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4tLS0tLS0tLS0tLS0tLS0tLTxvOnA+PC9vOnA+PC9w
Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4t
dG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5JIGZlZWwgYSBiaXQgbGlr
ZSBuZWVkaW5nIHRvIHNuaWZmIGludG8gdGhlIGNvbnRlbnQgb2YgandrIHRvIGZpbmQgb3V0IHdo
YXQgdHlwZSBtYXkgbm90IGJlIG9wdGltYWwsIHRob3VnaCBJIGRvIG5vdCBoYXZlIGEgY29uY3Jl
dGUgcHJvcG9zYWwgYSB0aGlzIHRpbWUuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxk
aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87
bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4m
bmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i
bXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFu
IHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDss
JnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5UaGUg4oCcandl4oCdIG1lbWJl
ciB3YXMgaW50cm9kdWNlZCBpbiAtMDMgdG8gZWxpbWluYXRlIHRoZSBuZWVkIGZvciB0aGlzIHNu
aWZmaW5nLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwv
ZGl2Pg0KPC9kaXY+DQo8L2Jsb2NrcXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+
PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs
Ij5UaGFua3MuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5
bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzow
aW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tdG9wOjUuMHB0O21hcmdp
bi1yaWdodDowaW47bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8
ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1h
bHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6
ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm
JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2
Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6
YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+My4zPG86cD48L286cD48L3A+DQo8L2Rp
dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0
OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPj09PT09PTxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9w
LWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5UaXRsZTxvOnA+PC9vOnA+PC9w
Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4t
dG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj4tLS0tLS0tLS08bzpwPjwv
bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28t
bWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+UGVyaGFwcyAm
cXVvdDtDb25maXJtYXRpb24gS2V5IFJlcHJlc2VudGF0aW9uIGJ5IEtleSBJRCZxdW90OyBpcyBt
b3JlIHJlZmxlY3RpdmUgb2YgdGhlIGNvbnRlbnQuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rp
dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0
OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0
OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz
dHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8i
PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5UaGlzIHdhcyBjaGFu
Z2VkIHRvIOKAnFJlcHJlc2VudGF0aW9uIG9mIGEgS2V5IElEIGZvciBhIFByb29mLW9mLVBvc3Nl
c3Npb24gS2V54oCdLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rp
dj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Jsb2NrcXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj5UaGFua3MuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJsb2NrcXVv
dGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFk
ZGluZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tdG9wOjUuMHB0
O21hcmdpbi1yaWdodDowaW47bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPGRpdj4NCjxk
aXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu
LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZv
bnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5z
LXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4N
CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRv
cC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+UGFyYSAxPG86cD48L286cD48
L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdp
bi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPi0tLS0tLS0tLS0tPG86
cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i
bXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPlRoZXJl
IGhhcyBiZWVuIHNvbWUgZGlzY3Vzc2lvbiBvZiB1c2luZyB0aHVtYnByaW50IGluc3RlYWQgb2Yg
YSBibG9iICZxdW90O2tpZCZxdW90Oy4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRp
dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bztt
c28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+VGhpcyBpcyBhIHZhbGlkIG9wdGlvbi4gSWYgd2Ug
YXJlIHRvIG92ZXJsb2FkIHRoZSAmcXVvdDtraWQmcXVvdDsgbWVtYmVyIGZvciB0aGlzIHB1cnBv
c2UsIHdlIG5lZWQgdG8gZmluZCBhIHdheSB0byBzaWduYWwgdGhhdCBpdCBpcyBhIHRodW1icHJp
bnQuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0
OmF1dG8iPkl0IG1heSB2ZXJ5IHdlbGwgYmUgYmV0dGVyIHRvIGRlZmluZSBhIHNlcGFyYXRlIG1l
bWJlciBuYW1lIHRoZW4gZm9yIHRoZSB0aHVtYnByaW50LiBUaGUgdGl0bGUgdGhlbiBjaGFuZ2Vz
IHRvICZxdW90Oy0tIGJ5IEtleSBJRCZxdW90OyB0byAmcXVvdDstLSBieSByZWZlcmVuY2UmcXVv
dDsuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0
OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1
dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEu
MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90
Oztjb2xvcjojMUY0OTdEIj5Gb3IgdGhlIHNhbWUgcmVhc29ucyB0aGF0IHRoZSDigJxqa3TigJ0g
ZGVmaW5pdGlvbiB3YXMgcmVtb3ZlZCBmcm9tIGRyYWZ0LWlldGYtam9zZS1qd2stdGh1bWJwcmlu
dCwgaXTigJlzDQogbm90IGNsZWFyIHRoYXQgaXTigJlzIG5lZWRlZCBoZXJlLiZuYnNwOyBBcHBs
aWNhdGlvbnMgYXJlIGZyZWUgdG8gZGVmaW5lIHRoYXQgdGhlIOKAnGtpZOKAnSBpcyB0byBjb250
YWluIGEga2V5IHRodW1icHJpbnQgdXNpbmcgYSBwYXJ0aWN1bGFyIGhhc2ggZnVuY3Rpb24uPC9z
cGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rp
dj4NCjwvYmxvY2txdW90ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNw
OzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk9LLiBTbyB5
b3UgbWVhbiB0aGF0IGl0IHNob3VsZCBiZSBzcGVjaWZpZWQgaW4gdGhlIGFwcGxpY2F0aW9uIGxh
eWVyLiBUaGF0IGlzIGFjY2VwdGFibGUsIGJ1dCB0aGVuIG1lbnRpb25pbmcgaXQgaW4gdGhlIHRl
eHQgd291bGQgYmUgbmljZS4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs
aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMEIwNTAiPk1pa2UmZ3Q7
IEZhaXIgcG9pbnQuJm5ic3A7IEnigJl2ZSBhZGRlZCB0aGlzIHRleHQgdG8gYWRkcmVzcyB5b3Vy
IHN1Z2dlc3Rpb246PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+
PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx
dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMEIwNTAiPiZuYnNwOyZuYnNwOyZu
YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw
OyZuYnNwOyZuYnNwOyZuYnNwOyAmbmJzcDsg4oCcVGhlIGNvbnRlbnQgb2YgdGhlICZsdDtzcGFu
eCBzdHlsZT0mcXVvdDt2ZXJiJnF1b3Q7Jmd0O2tpZCZsdDsvc3BhbngmZ3Q7IHZhbHVlIGlzIGFw
cGxpY2F0aW9uIHNwZWNpZmljLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh
bGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDBCMDUwIj4mbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz
cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7IEZvciBpbnN0YW5jZSwgc29tZSBhcHBs
aWNhdGlvbnMgbWF5IGNob29zZSB0byB1c2UgYSBKV0sgVGh1bWJwcmludCAmbHQ7eHJlZiB0YXJn
ZXQ9JnF1b3Q7SldLLlRodW1icHJpbnQmcXVvdDsvJmd0OzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N
CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt
ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjoj
MDBCMDUwIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm
bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7IHZhbHVlIGFz
IHRoZSAmbHQ7c3Bhbnggc3R5bGU9JnF1b3Q7dmVyYiZxdW90OyZndDtraWQmbHQ7L3NwYW54Jmd0
OyB2YWx1ZS7igJ08bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0
eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6
MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJn
aW4tcmlnaHQ6MGluO21hcmdpbi1ib3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0K
PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3At
YWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNp
emU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJp
ZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rp
dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0
OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPkFsc28sIGl0IGlzIGNvbmNlaXZhYmxl
IHRvIHVzZSB0aGUgY29tYmluYXRpb24gb2YgJnF1b3Q7a2lkJnF1b3Q7IGFuZCAmcXVvdDtqa3Um
cXVvdDsuIFRoaXMgYXNwZWN0IGlzIG5vdCBzcGVsbGVkIG91dCBoZXJlIGJ1dCBhcHBlYXJzIHRo
YXQgc29tZSBtYWdpYyBoYXBwZW5zIGZvciB0aGUga2V5IGRpc3RyaWJ1dGlvbi4mbmJzcDs8bzpw
PjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJt
c28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4g
c3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2lu
LWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p
bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5
N0QiPllvdeKAmXJlIHJpZ2h0IHRoYXQgaWYg4oCca2lk4oCdIGlzIHVzZWQsIHVubGVzcyB0aGUg
a2V5IGlzIGFsc28gdHJhbnNtaXR0ZWQgaW4gdGhlIOKAnGNuZuKAnSBjbGFpbSwgZGlzdHJpYnV0
aW9uDQogb2YgdGhlIGtleSBpcyBvdXQgb2Ygc2NvcGUgb2YgdGhlIHNwZWNpZmljYXRpb24uJm5i
c3A7IEkgY2FuIGltYWdpbmUgbWV0aG9kcyB1c2luZyDigJxqa3XigJ0gYnV0IGl0IHNlZW1zIGxp
a2Ugd2Ugc2hvdWxkIGRpc2N1c3MgdGhpcyBtb3JlIGJlZm9yZSBub3JtYXRpdmVseSBzcGVjaWZ5
aW5nIGl0IGF0IHRoaXMgdGltZS48L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2
Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCI+TG9va2luZyBmb3J3YXJkIHRvLiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMw
MEIwNTAiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi
PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm
cXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMDBCMDUwIj5NaWtlJmd0OyBUaGUg
bW9yZSBJIHRob3VnaHQgYWJvdXQgdGhpcywgdGhlIG1vcmUgSSBhZ3JlZWQgdGhhdCDigJxqa3Xi
gJ0gd2FzIG5lZWRlZCB0byBlbmFibGUgUG9QIGtleXMgdG8gYmUgcGFzc2VkIGJ5IHJlZmVyZW5j
ZS4mbmJzcDsgUGxlYXNlIHJldmlldyB0aGUgdGV4dCBhZGRpbmcg4oCcamt14oCdDQogYXQgPGEg
aHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0aC1wcm9vZi1v
Zi1wb3NzZXNzaW9uLTA0I3NlY3Rpb24tMy41Ij4NCmh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1s
L2RyYWZ0LWlldGYtb2F1dGgtcHJvb2Ytb2YtcG9zc2Vzc2lvbi0wNCNzZWN0aW9uLTMuNTwvYT4u
PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtz
YW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMwMEIwNTAiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwv
cD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNv
bGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0
LjhwdDttYXJnaW4tdG9wOjUuMHB0O21hcmdpbi1yaWdodDowaW47bWFyZ2luLWJvdHRvbTo1LjBw
dCI+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6
YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs
aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZuYnNwOzwv
c3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t
YWx0OmF1dG8iPjMuNCZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh
c3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4t
Ym90dG9tLWFsdDphdXRvIj49PT09PT09PTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1t
YXJnaW4tYm90dG9tLWFsdDphdXRvIj5TaW5jZSAmcXVvdDtjbmYmcXVvdDsgYXBwZWFycyBiZWZv
cmUgMy40LCBpdCBtYXkgYmUgYmV0dGVyIHRvIGJyaW5nIDMuNCBhdCB0aGUgZnJvbnQuJm5ic3A7
PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6
YXV0byI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPiZuYnNwOzwvc3Bhbj48bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0
bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4w
cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7
O2NvbG9yOiMxRjQ5N0QiPkFncmVlZC4mbmJzcDsgU29ycnkgSSBtaXNzZWQgZG9pbmcgdGhpcyBp
biAtMDMuJm5ic3A7IEnigJlsbCBwbGFuIHRvIGRvIHRoaXMgaW4gLTA0Ljwvc3Bhbj48bzpwPjwv
bzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Jsb2Nr
cXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6
ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm
JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2
Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkxvb2tpbmcgZm9yd2FyZCB0by4mbmJzcDs8
bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk5vdGUg
dGhhdCB0aGlzIGlzIG5vdCBhbiBlbmRvcnNlbWVudCBmb3Igc3RydWN0dXJlZCBjbmYsIGJ1dCBy
YXRoZXIsJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj5pdCB3YXMganVzdCBhbiBlZGl0b3JpYWwgcG9pbnQgdGhhdCBJIHJhaXNlZC4mbmJz
cDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz
cGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZh
bWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzAw
QjA1MCI+TWlrZSZndDsgRG9uZS4mbmJzcDsgVGhlIGZvcm1lciAzLjQgaXMgbm93IDMuMS48bzpw
PjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9u
ZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4w
cHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tcmlnaHQ6MGluO21h
cmdpbi1ib3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h
cmdpbi1ib3R0b20tYWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt
ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjoj
MUY0OTdEIj4mbmJzcDs8L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdp
bi1ib3R0b20tYWx0OmF1dG8iPjUuMi4yPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8
cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1h
cmdpbi1ib3R0b20tYWx0OmF1dG8iPj09PT09PT09PTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8
ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRv
O21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5BZGQgJnF1b3Q7YXpwJnF1b3Q7IGFuZCAmcXVv
dDtqa3QmcXVvdDsuJm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz
cz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1i
b3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0i
TXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bWFyZ2luLWJvdHRvbTox
Mi4wcHQiPm8gJm5ic3A7Q29uZmlybWF0aW9uIE1ldGhvZCBWYWx1ZTogJnF1b3Q7YXpwJnF1b3Q7
PGJyPg0KbyAmbmJzcDtDb25maXJtYXRpb24gTWV0aG9kIERlc2NyaXB0aW9uOiBDbGllbnQgSUQg
b2YgdGhlIEF1dGhvcml6ZWQgUHJlc2VudGVyPGJyPg0KbyAmbmJzcDtDaGFuZ2UgQ29udHJvbGxl
cjogSUVTRzxicj4NCm8gJm5ic3A7U3BlY2lmaWNhdGlvbiBEb2N1bWVudChzKTogU2VjdGlvbiBb
VEJEXSBvZiBbWyB0aGlzIGRvY3VtZW50IF1dPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t
YWx0OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5IYXZpbmcgYSBDbGllbnQgSUQg
ZG9lc27igJl0IGlkZW50aWZ5IGEgcHJvb2Ytb2YtcG9zc2Vzc2lvbiBrZXksIHNvIHRoaXMgcmVx
dWVzdCBzZWVtcyB0byBiZSBvdXQgb2YgcGxhY2UgcmVsYXRpdmUgdG8gdGhlIHB1cnBvc2Ugb2Yg
dGhpcyBzcGVjaWZpY2F0aW9uLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+
DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt
YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+SW5kZWVkLiBJZiB0aGUgdGl0bGUgd2FzIGxpa2UgYmVmb3JlIHRoZSBjaGFuZ2UsIGl0
IHdvdWxkIGhhdmUgYmVlbiwgYnV0IG5vdyB0aGUgdGl0bGUgYW5kIHRoZSBzY29wZSBpcyBzbWFs
bGVyLCBpdCBpcyBvdXQgb2Ygc2NvcGUsIEkgdGhpbmsuLiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K
PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7PG86cD48L286cD48L3A+
DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xp
ZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44
cHQ7bWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tcmlnaHQ6MGluO21hcmdpbi1ib3R0b206NS4wcHQi
Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxl
PSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttYXJnaW4tYm90dG9tOjEyLjBwdCI+PGJyPg0KPGJy
Pg0KbyAmbmJzcDtDb25maXJtYXRpb24gTWV0aG9kIFZhbHVlOiAmcXVvdDtqa3QmcXVvdDs8YnI+
DQpvICZuYnNwO0NvbmZpcm1hdGlvbiBNZXRob2QgRGVzY3JpcHRpb246IEpXSyBUaHVtYnByaW50
IG9mIHRoZSBDb25maXJtYXRpb24gS2V5PGJyPg0KbyAmbmJzcDtDaGFuZ2UgQ29udHJvbGxlcjog
SUVTRzxicj4NCm8gJm5ic3A7U3BlY2lmaWNhdGlvbiBEb2N1bWVudChzKTogU2VjdGlvbiBbVEJE
XSBvZiBbWyB0aGlzIGRvY3VtZW50IF1dPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y
bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0
OmF1dG8iPjxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj5BcyBkaXNjdXNzZWQgZWFybGllciwg
4oCca2lk4oCdIGNhbiBhbHJlYWR5IGJlIHVzZWQgdG8gaG9sZCBhIGtleSB0aHVtYnByaW50IHZh
bHVlLjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2
Pg0KPC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7
PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+T0suICZuYnNw
OzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7
Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0

--_000_BY2PR03MB442AFC9FE80B6CF9F696342F56D0BY2PR03MB442namprd_--


From nobody Fri Aug 28 18:05:02 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 975181B3887 for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 18:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 180HjkjKHoXB for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 18:04:55 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0122.outbound.protection.outlook.com [65.55.169.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DADC1B3880 for <oauth@ietf.org>; Fri, 28 Aug 2015 18:04:54 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.243.23; Sat, 29 Aug 2015 01:04:52 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0243.020; Sat, 29 Aug 2015 01:04:52 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
Thread-Index: AdDh9rQ7JsIqFds1TemX1WLLLxf4Qg==
Date: Sat, 29 Aug 2015 01:04:52 +0000
Message-ID: <BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8:4::521]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:nH3jMF5tK1wxWd0YyiOaZxFLvpJX8V7PW/H+CZrVoFalvvQ/uepO7AL54zDXPNCvZUopdCzDsmPqeHmwgCaY/53qbsCyexH4gV3c4R4n9CpO1nE0tMU54MxfYAawcaKhOzYQI3XMSn2bCNyDwrGq9g==; 24:fNnaQ/fASX4Luf0z+JEhPwaFRnX19CFi9yb/WdTeyzuXgFWap396on89uCD+fjPuvN8cRBNMjyN/U7yAiwuZEBkIUbxPKzCOivPNrj0kf/g=; 20:MWGlzZg4eFTX96am0BjAZO0/um9x9WfY0pAy/h1ygfCDwb5V3vz/eHdeRFTUPQgy4VS621grmU3F0ZmRU7+YwA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-microsoft-antispam-prvs: <BY2PR03MB44294625B93A7743F366A35F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(8121501046)(5005006)(3002001); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442; 
x-forefront-prvs: 06833C6A67
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(43784003)(377454003)(189002)(24454002)(92566002)(105586002)(5002640100001)(189998001)(76576001)(5003600100002)(2656002)(5007970100001)(5004730100002)(16236675004)(19617315012)(5001860100001)(4001540100001)(10090500001)(101416001)(19625215002)(5001960100002)(10400500002)(10290500002)(5005710100001)(99286002)(46102003)(81156007)(74316001)(62966003)(8990500004)(19580405001)(33656002)(40100003)(87936001)(86362001)(97736004)(106356001)(110136002)(19300405004)(230783001)(19580395003)(5001830100001)(122556002)(50986999)(19609705001)(77096005)(68736005)(86612001)(77156002)(64706001)(15975445007)(102836002)(2900100001)(54356999)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2015 01:04:52.5653 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TZWR34d5ifZVAXDFM3mhkUs-HHs>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 01:05:00 -0000

--_000_BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

This was added at the end of Section 3.2 in -04<http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04>.  Thanks again for the practical feedback, Brian!

                                                            -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Tuesday, August 11, 2015 4:05 PM
To: Mike Jones
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

OK
On Aug 11, 2015, at 12:57 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:

As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)”, I will update the draft to say that the symmetric key can be carried in the “jwk” element in an unencrypted form if the JWT is itself encrypted.  This will happen in -04.

                                                            -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 11:41 PM
To: oauth
Subject: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key?
Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--_000_BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0BY2PR03MB442namprd_--


From nobody Mon Aug 31 07:36:40 2015
Return-Path: <flowersinthesand@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25AB91B38ED for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 21:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdJotrxyuVyx for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A36FA1B38F3 for <oauth@ietf.org>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: by iofe124 with SMTP id e124so47584381iof.1 for <oauth@ietf.org>; Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=j6EnbAl3t9OvYavZVE+pQrYivrTq4LAvy4wN5mz6ND4=; b=pasXvVu+aml4r6yKg/98WVrmkP6f1V1EtC8hRVZSeILcdue2qf60bOh9iTc6cYBblL Pr3WnyV1mqC0Sw28pCS4dmPZAEkmfq8qNguVv8q+0IOae76iFm12+f/Bj92gdh+C7dsn 1S1XCYHjbDJEnQ8Jm5R4/WWVnLBr4l3C+XZd5L2PUsRJKGx9lE5XtidywrxOCegldULW 91tOWDRnHpV2yMQpIZNOZNV7H3ZF6+IJvcd1XvvLvUoPvbs+Qcv8WIA7pWi4kOGOWDH2 d24VNTtA/fbPuQUR+hC5zXelv5F1ybnqLkyTV+a/Db8vcwEHlaK3rszNXcY2zhEEmxTY FvSg==
MIME-Version: 1.0
X-Received: by 10.107.129.141 with SMTP id l13mr16255546ioi.181.1440822401086;  Fri, 28 Aug 2015 21:26:41 -0700 (PDT)
Received: by 10.36.137.136 with HTTP; Fri, 28 Aug 2015 21:26:40 -0700 (PDT)
In-Reply-To: <55E0D4EE.9090402@manicode.com>
References: <CAMbDefvdNNLHSMZEXDDOhukzha8G0WLb9j7f6qVXTrXaGCQxTQ@mail.gmail.com> <DE1DE335-FBEF-494A-97F0-BE0F9D4BABAA@ve7jtb.com> <C44C21E6-2559-4099-8B21-3544DE8965BD@lodderstedt.net> <CAMbDefsu0XAQvCR2+ako4PbsoKeezLwgizJ4dVsKMAY_DXM_wA@mail.gmail.com> <B314B571-A0E4-41B0-8F05-B89DA5A73113@ve7jtb.com> <55E0D46C.2080901@manicode.com> <55E0D4EE.9090402@manicode.com>
Date: Sat, 29 Aug 2015 13:26:40 +0900
Message-ID: <CAMbDefv0tsYR0bKJYgcfitcn0RAR7=Sn9dX962YGpjjnh47SnA@mail.gmail.com>
From: Donghwan Kim <flowersinthesand@gmail.com>
To: Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary=001a113f96be66bbae051e6b9bb6
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/qne5P4xVQYocJZxQYrQfYfSSHt8>
X-Mailman-Approved-At: Mon, 31 Aug 2015 07:36:38 -0700
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Lifetime of refresh token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 04:26:45 -0000

--001a113f96be66bbae051e6b9bb6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

@John, @William I'm of exactly the same opinion. When refreshing the token
on expiration of the access token, a new access token and refresh token
should be issued unless that refresh token expired due to inactivity of 1
month or was invalidated by the user through some settings page. Then a new
1-month expiration starts again, which is what I called the persistent login.

@Bill Come to think of it, it makes sense. If a user loses his/her phone or
something, he/she should invalidate the token issued to that device.
Waiting for one month doesn't help.

@Jim Your point is quite valid :) BTW, a self-descriptive access token that
only the server understands may be able to cover some of the profiles. For
example, if the access token contains when the user signed in, a banking
resource server can ask the user to sign in again, insisting that such an
operation should be performed only within 10 minutes of signing in.

Thanks for all replies!

-- Donghwan

On Sat, Aug 29, 2015 at 6:38 AM, Jim Manico <jim@manicode.com> wrote:

> I stand corrected, the RFC does give specific time recommendations such as
> the 10 minutes authorization code recommendation here
> https://tools.ietf.org/html/rfc6749#section-4.1.2 but I think my overall
> point is still valid. :)
>
> Aloha,
> Jim
>
>
>
>
>
> On 8/28/15 11:36 AM, Jim Manico wrote:
>
> Again, I would state that this is all contextual to the application being
> built - which is why the RFC never gives specific times other than "short
> lived" or "long lived". I would suggest giving a series of recommendations
> relative to a few different risk profiles (low risk, social media, banking,
> enterprise, etc) as opposed to one recommendation.
>
> With respect,
> Jim Manico
>
> On 8/28/15 10:41 AM, John Bradley wrote:
>
> I would use a 5 min AT and roll the refresh token per
> https://tools.ietf.org/html/rfc6749#page-47 with a 1 month expiry if that
> is what you want for an inactivity timeout after which the user must
> authenticate again. The user can always revoke the refresh token.
>
> Rolling the refresh token also has the advantage that if the token leaks
> or is stolen then you will detect the second use of the expired refresh
> token and invalidate both, so the user needs to log in.
>
> In general I think rolling the refresh token is a good idea though it is
> not popular; I think it is more secure.
>
> John B.
>
>
>
> On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthesand@gmail.com>
> wrote:
>
> I'm sorry to introduce a common topic.
>
> As John has suggested, I'm going to design that
>
> * An access token should be short lived e.g. 5 minutes (not to hit the AS
> to verify the token) or 1 hour (to hit the AS to verify the token). I'm
> inclined to 5 minutes for a stateless architecture of RSs.
> * A refresh token should have 1 month of expiration time by default. If it
> turns out that some access token expired, its refresh token should refresh
> the token. Then, so called persistent login can be implemented regardless
> of the form of authentication. Only if it fails for some reason e.g. token
> revocation or inactivity for 1 month, a user is logged out automatically
> and should log in again.
> * A refresh token should be able to be revoked somehow. With the 5 minutes
> approach, it will invalidate only the refresh token (Yes the attacker can
> have 5 minutes at most), and with the 1 hour approach, it will invalidate the
> refresh token as well as the corresponding access token.
>
> Thanks,
>
> -- Donghwan
>
> On Fri, Aug 28, 2015 at 5:43 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>> Refresh tokens are also used by public clients, e.g. native apps. OIDC
>> allows acquiring a new id token from a refresh token as well. Note: this
>> does not mean a fresh authentication but a refreshed id token containing
>> the data of the original authentication transaction.
>>
>> On 24 August 2015 17:08:21 CEST, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>>
>>> I think Nat’s diagram about the problems of doing pseudo authentication
>>> with OAuth is being taken out of context.
>>>
>>> The refresh token doesn’t expire, it is revoked by the user or system.
>>> In some cases refresh tokens are automatically revoked if the user's session
>>> to the AS ends.  I think AOL typically revokes refresh tokens when sessions
>>> terminate.
>>>
>>> OpenID Connect provides a separate id_token with an independent lifetime
>>> from the refresh token.  A client may keep a refresh token for a much
>>> longer time than the user has a login session with the AS.
>>>
>>> Refresh tokens are typically used by confidential clients that are using
>>> a client secret in combination with the refresh token for getting a new
>>> access token.
>>>
>>> By design access tokens should be short lived as the AS is expected to
>>> have a way of revoking refresh tokens but not access tokens.
>>> An access token that doesn't expire, and can’t be revoked is not a good
>>> idea.
>>>
>>> John B.
>>>
>>>
>>> On Aug 24, 2015, at 2:41 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> According to Figure 2 from
>>> http://tools.ietf.org/html/rfc6749#section-1.5, a refresh token can be
>>> used to refresh an expired access token without requesting the resource owner
>>> to sign in again (uncomfortable experience). However, if it's true, isn't
>>> it that a refresh token might be used to request a new access token even
>>> years later? And then isn't a refresh token the same as an access token which
>>> never expires?
>>>
>>> I intended to use a refresh token to implement persistent login by sending
>>> a refresh request before the issued access token expires (expires_in runs out).
>>> But if the refresh token works even if the access token expired already, sending a
>>> refresh request on application start up would be enough.
>>>
>>> So I'm not sure what I'm missing about refresh tokens as well as how to
>>> implement persistent login using them (you can regard authentication here as
>>> the pseudo-authentication illustrated in
>>> https://upload.wikimedia.org/wikipedia/commons/3/32/OpenIDvs.Pseudo-AuthenticationusingOAuth.svg).
>>> What is the lifetime of a refresh token?
>>>
>>> Thanks,
>>>
>>> -- Donghwan
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>
> --
> Jim Manico
> Manicode Security
> https://www.manicode.com
>
>
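
A minimal model of the scheme this thread converges on (John's rolling refresh tokens with reuse detection, Donghwan's 5-minute access tokens and 1-month inactivity window that restarts on each refresh), added here as an illustration; it is not code from RFC 6749 or from any participant. The `family` identifier, the token formats and the time values are assumptions constructed for the example.

```python
"""Rolling refresh tokens with reuse detection (added illustration; all
values, names and formats below are constructed assumptions)."""
import secrets
from dataclasses import dataclass
from typing import Optional

ACCESS_TOKEN_TTL = 5 * 60                # 5-minute access tokens, as in the thread
REFRESH_INACTIVITY_TTL = 30 * 24 * 3600  # "1 month" of inactivity before re-login


@dataclass
class RefreshRecord:
    family: str            # assumed: ties every rotated token to one login session
    user: str
    expires_at: int        # inactivity deadline, pushed forward on every rotation
    retired: bool = False  # set once this token has been exchanged for a new one


@dataclass
class RefreshResult:
    ok: bool
    reason: str            # "ok", "unknown", "revoked", "reuse" or "expired"
    access_token: Optional[dict] = None
    refresh_token: Optional[str] = None


class AuthorizationServer:
    """Minimal AS state: live refresh tokens plus the set of revoked families."""

    def __init__(self):
        self._refresh = {}             # refresh token -> RefreshRecord
        self._revoked_families = set()

    def login(self, user: str, now: int) -> RefreshResult:
        # A fresh login starts a new token family.
        return self._issue(user, secrets.token_urlsafe(8), now)

    def _issue(self, user: str, family: str, now: int) -> RefreshResult:
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = RefreshRecord(family, user, now + REFRESH_INACTIVITY_TTL)
        # Stand-in for a self-contained access token: only sub and exp matter here.
        at = {"sub": user, "exp": now + ACCESS_TOKEN_TTL}
        return RefreshResult(True, "ok", at, rt)

    def refresh(self, rt: str, now: int) -> RefreshResult:
        rec = self._refresh.get(rt)
        if rec is None:
            return RefreshResult(False, "unknown")
        if rec.family in self._revoked_families:
            return RefreshResult(False, "revoked")
        if rec.retired:
            # Second use of an already-rotated token: treat it as a leak and
            # invalidate the whole family, so the current token dies as well
            # and the user has to authenticate again.
            self.revoke_family(rec.family)
            return RefreshResult(False, "reuse")
        if now >= rec.expires_at:
            self.revoke_family(rec.family)
            return RefreshResult(False, "expired")
        rec.retired = True   # the old token is kept only to recognise reuse
        return self._issue(rec.user, rec.family, now)

    def revoke_family(self, family: str) -> None:
        self._revoked_families.add(family)

    def revoke(self, rt: str) -> None:
        """User-initiated revocation (e.g. a lost phone): kills the family."""
        rec = self._refresh.get(rt)
        if rec is not None:
            self.revoke_family(rec.family)


if __name__ == "__main__":
    srv = AuthorizationServer()
    first = srv.login("alice", now=0)
    rotated = srv.refresh(first.refresh_token, now=200)
    replay = srv.refresh(first.refresh_token, now=250)   # reuse of retired token
    print(rotated.reason, replay.reason,
          srv.refresh(rotated.refresh_token, now=260).reason)  # ok reuse revoked
```

Retired records are kept only so reuse can be recognised; a real server would prune them once their family's inactivity deadline has passed.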

--001a113f96be66bbae051e6b9bb6--


From nobody Mon Aug 31 13:47:43 2015
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF9721B43BB for <oauth@ietfa.amsl.com>; Mon, 31 Aug 2015 13:47:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level: 
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5LVhSqJ_uVp for <oauth@ietfa.amsl.com>; Mon, 31 Aug 2015 13:47:39 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 406E91ACCFB for <oauth@ietf.org>; Mon, 31 Aug 2015 13:47:39 -0700 (PDT)
Received: by igbuu8 with SMTP id uu8so34847986igb.1 for <oauth@ietf.org>; Mon, 31 Aug 2015 13:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=feuQXLVlML3KA36rMaIPQRnm+MZnQaGfmKwyI3kpiAg=; b=SsNTZ5r67+7EcWeI58MxeTmG+oJ+4lB/XC/SdCTMcFTzBs1Q/j9n5VwcF9EJntpVrJ Quas73iLO/hmd7I4/0XuRXQotUPc1p+8AHdirsO3BAHl7qY4NAcjH1RA6qAyfmW/6gu3 1CkPkMyVZ8xUn/UudxI0H+FKtUHZbG0f/KwXQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=feuQXLVlML3KA36rMaIPQRnm+MZnQaGfmKwyI3kpiAg=; b=a3E1akBI8eF6GK0cdW1JmnwCHhY5bNmnsqfvPTKvMvi23O++YpOUlOOYhKZTmJAdpl EPvKku6M6XUoXBsuW0yNC/hOIh2vBFtALBV+RpzBqLXDJtHvfBD0yLK6zNV++bvFKs0q iOZLx8+Vi1FizHYUd87h9Q9ktd1ZQjZfhJEVl4cDW6RWmCzC0FfLEVhi9Fn42XPwYK+b DdiDnwYwxs8/QgYmT/Z8b/oEUzatavyb4hpfrZa83S5RA36hDuuZEshjbv82dAclap0N Y+LR/Jgsvl7lCD8owoNQDqzsgpUvIuctujb6McoSCXpnzAY3kLort8aNHRctCKSIcf8t 7GOg==
X-Gm-Message-State: ALoCoQnxZ571FMkaxxB5MSefv/se5B8D3YDEkyNR7nZtKNfMy2Egi1BZsoW0LzeGF39ZKM3jpnhE
X-Received: by 10.50.13.100 with SMTP id g4mr524233igc.62.1441054058476; Mon, 31 Aug 2015 13:47:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Mon, 31 Aug 2015 13:47:09 -0700 (PDT)
In-Reply-To: <BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0@BY2PR03MB442.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 31 Aug 2015 14:47:09 -0600
Message-ID: <CA+k3eCSb_BXBrQ0hqPK2Z3g49f0=rUnJ0B6gdwGHRcAvRuSfeg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e013c66144218da051ea18b1d
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/tOx7Fe5BW9-Z_M26J5wwYPsXb30>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2015 20:47:42 -0000

--089e013c66144218da051ea18b1d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thank you

On Fri, Aug 28, 2015 at 7:04 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> This was added at the end of Section 3.2 in -04
> <http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04>.
> Thanks again for the practical feedback, Brian!
>
>
>
> -- Mike
>
>
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Tuesday, August 11, 2015 4:05 PM
> *To:* Mike Jones
> *Cc:* Brian Campbell; oauth
> *Subject:* Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in
> encrypted JWT okay?
>
>
>
> OK
>
> On Aug 11, 2015, at 12:57 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>
>
> As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup
> 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT
> okay?)”, I will update the draft to say that the symmetric key can be
> carried in the “jwk” element in an unencrypted form if the JWT is itself
> encrypted.  This will happen in -04.
>
>
>
> -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *On
> Behalf Of *Brian Campbell
> *Sent:* Sunday, March 22, 2015 11:41 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in
> encrypted JWT okay?
>
>
>
> When the JWT is itself encrypted as a JWE, would it not be reasonable to
> have a symmetric key be represented in the cnf claim with the jwk member as
> an unencrypted JSON Web Key?
>
> Is such a possibility left as an exercise to the reader? Or should it be
> more explicitly allowed or disallowed?
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

--089e013c66144218da051ea18b1d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thank you<br></div><div class=3D"gmail_extra"><br><div cla=
ss=3D"gmail_quote">On Fri, Aug 28, 2015 at 7:04 PM, Mike Jones <span dir=3D=
"ltr">&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">=
Michael.Jones@microsoft.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US">
<p>This was added at the end of Section 3.2 in <a href="http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04" target="_blank">-04</a>. Thanks again for the practical feedback, Brian!</p>
<p>-- Mike</p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b>From:</b> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]<br>
<b>Sent:</b> Tuesday, August 11, 2015 4:05 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Brian Campbell; oauth<br>
<b>Subject:</b> Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?</p>
</div>
<p>OK</p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>On Aug 11, 2015, at 12:57 AM, Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>&gt; wrote:</p>
<p>As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)”, I will update the draft to say that the symmetric key can be carried in the “jwk” element in an unencrypted form if the JWT is itself encrypted. This will happen in -04.</p>
<p>-- Mike</p>
<p><b>From:</b> OAuth [<a href="mailto:oauth-bounces@ietf.org" target="_blank">mailto:oauth-bounces@ietf.org</a>] <b>On Behalf Of</b> Brian Campbell<br>
<b>Sent:</b> Sunday, March 22, 2015 11:41 PM<br>
<b>To:</b> oauth<br>
<b>Subject:</b> [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?</p>
<p>When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key?</p>
<p>Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?</p>
<p>_______________________________________________<br>
OAuth mailing list<br>
<a href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a></p>
</blockquote>
</div>
</blockquote></div><br></div>

--089e013c66144218da051ea18b1d--


From nobody Mon Aug 31 13:48:55 2015
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A315F1B60AA for <oauth@ietfa.amsl.com>; Mon, 31 Aug 2015 13:48:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.088
X-Spam-Level: 
X-Spam-Status: No, score=0.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBhqe3-f5UGt for <oauth@ietfa.amsl.com>; Mon, 31 Aug 2015 13:48:50 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0105.outbound.protection.outlook.com [207.46.100.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25DB01B5EBF for <oauth@ietf.org>; Mon, 31 Aug 2015 13:48:50 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.243.23; Mon, 31 Aug 2015 20:48:48 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0243.020; Mon, 31 Aug 2015 20:48:48 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
Thread-Index: AdDh9rQ7JsIqFds1TemX1WLLLxf4QgCN4AGAAAAHuOA=
Date: Mon, 31 Aug 2015 20:48:48 +0000
Message-ID: <BY2PR03MB4423F81E85EE756CF12F1E0F56B0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4424EDD3DAA9E1CD5E6E396F56D0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCSb_BXBrQ0hqPK2Z3g49f0=rUnJ0B6gdwGHRcAvRuSfeg@mail.gmail.com>
In-Reply-To: <CA+k3eCSb_BXBrQ0hqPK2Z3g49f0=rUnJ0B6gdwGHRcAvRuSfeg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8:5::521]
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4423F81E85EE756CF12F1E0F56B0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Aug 2015 20:48:48.7655 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/QtqItY12U6Yjk-IQ4px9s6GNS4A>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2015 20:48:52 -0000

--_000_BY2PR03MB4423F81E85EE756CF12F1E0F56B0BY2PR03MB442namprd_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

You’re welcome. Thanks, as always, for the useful feedback that improved the specification.

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Monday, August 31, 2015 1:47 PM
To: Mike Jones
Cc: oauth
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

Thank you

On Fri, Aug 28, 2015 at 7:04 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
This was added at the end of Section 3.2 in -04<http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04>. Thanks again for the practical feedback, Brian!

                                                -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>]
Sent: Tuesday, August 11, 2015 4:05 PM
To: Mike Jones
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

OK
On Aug 11, 2015, at 12:57 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:

As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)”, I will update the draft to say that the symmetric key can be carried in the “jwk” element in an unencrypted form if the JWT is itself encrypted. This will happen in -04.

                                                -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 11:41 PM
To: oauth
Subject: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?

When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key?
Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--_000_BY2PR03MB4423F81E85EE756CF12F1E0F56B0BY2PR03MB442namprd_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_BY2PR03MB4423F81E85EE756CF12F1E0F56B0BY2PR03MB442namprd_--

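The rule this thread settles on (a symmetric key may sit in cleartext in the cnf "jwk" member only when the JWT itself is a JWE) expressed as a structural lint, added here as an example; it is not code from the thread or from the proof-of-possession draft. It inspects only the compact-serialization shape and the cnf claim, assumes the draft's "jwk" and "jwe" confirmation members, performs no signature verification or decryption, and every token value is a constructed placeholder.

```python
import base64
import json

# Constructed sample claims (not from the thread). OCT_CLAIMS carries the
# symmetric key in cleartext; JWE_CLAIMS carries it as an encrypted "jwe" member.
OCT_CLAIMS = {"iss": "https://as.example", "sub": "alice",
              "cnf": {"jwk": {"kty": "oct", "k": "Y29uc3RydWN0ZWQtZGVtby1rZXk"}}}
JWE_CLAIMS = {"iss": "https://as.example", "sub": "alice",
              "cnf": {"jwe": "placeholder-jwe-compact-serialization"}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jws(claims: dict) -> str:
    """Signed-only compact JWT (3 segments); the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"


def make_jwe(claims: dict) -> str:
    """Encrypted compact JWT (5 segments). The 'ciphertext' segment is a
    placeholder; only the shape matters for the structural check below."""
    header = _b64url(json.dumps({"alg": "dir", "enc": "A256GCM", "cty": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())  # a real JWE would encrypt this
    return f"{header}..{_b64url(b'iv')}.{body}.{_b64url(b'tag')}"


def pop_key_exposure(token: str) -> str:
    """Classify how a PoP JWT carries its confirmation key.
    'encrypted-jwt': a JWE wraps the claims, so a cleartext oct key in cnf.jwk
        is acceptable (the case -04 Section 3.2 spells out, per the thread);
    'oct-key-in-clear': a signed-only JWT exposes the key to anyone holding it;
    'ok': cnf carries no cleartext symmetric key; 'malformed': not a compact JWT."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if len(parts) == 5 and "enc" in header:
            return "encrypted-jwt"
        if len(parts) != 3:
            return "malformed"
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return "malformed"
    cnf = claims.get("cnf")
    jwk = cnf.get("jwk") if isinstance(cnf, dict) else None
    if isinstance(jwk, dict) and jwk.get("kty") == "oct" and "k" in jwk:
        return "oct-key-in-clear"
    return "ok"
```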
