
From nobody Sat Oct  1 04:44:27 2016
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>, IETF Tokbind WG <unbearable@ietf.org>
References: <CA+k3eCRqKNk2hex1xRR3oR-nZSb1uvGi7Uj2g13f1W6FcqLsow@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <07fa6f54-1ea3-7877-b624-981e5cdc754b@mit.edu>
Date: Sat, 1 Oct 2016 07:44:16 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCRqKNk2hex1xRR3oR-nZSb1uvGi7Uj2g13f1W6FcqLsow@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------98687EFF35F97A20E6C72B2F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Yv_eEgf7dyvG8cY8mPv7AhuKqhg>
Subject: Re: [OAUTH-WG] explicit/implicit signaling to reveal TB ID
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Oct 2016 11:44:25 -0000

This is a multi-part message in MIME format.
--------------98687EFF35F97A20E6C72B2F
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

+1 to this.

I think we also need to keep in mind that it's incredibly common for an 
OAuth client to talk to multiple resource servers with a single token 
from a single authorization server that's been configured (and agreed 
upon, out of band) to protect those resource servers. The client doesn't 
know or care about the details of the deployment, it just knows that it 
can get a token to work across various parts of the API.

  -- Justin


On 9/30/2016 4:03 PM, Brian Campbell wrote:
> Sending this to both the Tokbind and OAuth lists.
>
> There is text now in HTTPSTB that says that a TB ID must only be
> conveyed to a different server, if the associated server explicitly
> signals to do so. Specifically these two snippets,
>
> https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-5 has
>
>    However, such applications MUST only convey Token Binding IDs to
>    other servers if the server associated with a Token Binding ID
>    explicitly signals to do so, e.g., by returning an Include-Referred-
>    Token-Binding-ID HTTP response header field.
>
> and
> https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-7.3 has
>
>    Also, applications must take care to only reveal Token Binding IDs to
>    other endpoints if the server associated with a Token Binding ID
>    explicitly signals to do so, see Section 5
>    "Implementation Considerations".
>
> This seems like it might be problematic for token binding of OAuth
> access tokens. Many/most OAuth flows don't begin at the resource server
> (token consumer) but at the authorization server (token provider) so
> there's not an opportunity for such an explicit signal. And even when
> a request is made to the resource server (token consumer) without a
> token or with a bad token, there isn't a redirect but rather a 40x is
> returned (see https://tools.ietf.org/html/rfc6750#section-3).
>
> The relationship between OAuth servers is much more of an implicit
> thing in how the OAuth client application (different than a browser
> client) interacts with those servers. And there's correlatable info
> already flowing between the two so revealing a referred TB doesn't
> make the privacy situation any different. But it can greatly improve
> the security of the access tokens.
>
> Can the text in HTTPSTB be reworked slightly to allow for an implicit
> okay or a prearrangement to reveal referred Token Binding IDs for
> applications which are not web browsers? Otherwise OAuth clients will
> have to ignore that MUST or a token (pun intended) but really
> meaningless signal will have to be invented for OAuth (like maybe a
> new auth-param with the WWW-Authenticate Response Header Field from
> RFC 6750).
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------98687EFF35F97A20E6C72B2F--


From nobody Mon Oct  3 02:35:26 2016
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Meeting Session Request Tool\"" <session_request_developers@ietf.org>
To: <session-request@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.34.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147548732509.11482.3179415308143865031.idtracker@ietfa.amsl.com>
Date: Mon, 03 Oct 2016 02:35:25 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ORmbpXj5YO0FA01nAstbaLWwOgI>
Cc: oauth-chairs@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] oauth - New Meeting Session Request for IETF 97
X-List-Received-Date: Mon, 03 Oct 2016 09:35:25 -0000

A new meeting session request has just been submitted by Hannes Tschofenig, a Chair of the oauth working group.


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Hannes Tschofenig

Number of Sessions: 2
Length of Session(s):  1.5 Hours, 1.5 Hours
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: tokbind tls core saag 




Special Requests:
  Please avoid conflict with sec area BoFs.
---------------------------------------------------------


From mkwidzinski@atlassian.com  Mon Oct  3 08:46:42 2016
From: Maciej Kwidzinski <mkwidzinski@atlassian.com>
Date: Mon, 3 Oct 2016 17:46:36 +0200
Message-ID: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cUpNFkNaie-vd8wXQeDC3hJDRok>
X-Mailman-Approved-At: Mon, 03 Oct 2016 09:09:09 -0700
Subject: [OAUTH-WG] JWT: Algorithm choice as an attack vector
X-List-Received-Date: Mon, 03 Oct 2016 15:49:40 -0000

Hi,

Tim McLean describes an attack vector on JWT-protected services in his
blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

The culprit is relying on the algorithm in the JWT header. The
workaround/recommendation is to ignore the algorithm from the header
and use a predefined one.

The current RFC 7519 does not address this vulnerability.
Will this problem be addressed in the standard?

Best regards,
Maciej Kwidziński
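Added example, not code from Maciej's mail or from any JWT library: a verifier that pins the accepted algorithm in configuration and only compares the token's own `alg` header against it, which is the mitigation the mail describes. The shared key, claims and helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for the demonstration (not from the original mail).
SECRET = b"constructed-demo-shared-secret"
# The only algorithm this verifier will ever accept. It comes from
# configuration and is never read from the token.
PINNED_ALG = "HS256"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, alg_header: str = "HS256") -> str:
    """Mint a compact JWS signed with HMAC-SHA256 (helper for building
    test vectors). alg_header is only what gets written into the header,
    so a test can build tokens whose header disagrees with the real
    signature and confirm the verifier rejects them."""
    header = _b64url(json.dumps({"alg": alg_header, "typ": "JWT"},
                                separators=(",", ":")).encode("utf-8"))
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt_pinned(token: str, key: bytes, expected_alg: str = PINNED_ALG) -> dict:
    """Verify a JWT without letting its header choose the algorithm.

    The defect the mail points at is a verifier that dispatches on
    header["alg"], so the token decides how it is checked (for example
    an alg of "none", or an unexpected MAC algorithm). Here the header
    value is only compared against the configured value and any mismatch
    is a hard failure before the signature is even looked at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("malformed header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} rejected; only {expected_alg} is accepted")
    if expected_alg != "HS256":
        # Only HS256 is implemented in this example; another pinned
        # algorithm would dispatch to its own verifier here, still
        # selected by configuration rather than by the token.
        raise NotImplementedError(expected_alg)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes) -> bool:
    """Boolean wrapper: True only if the token verifies under the pinned alg."""
    try:
        verify_jwt_pinned(token, key)
        return True
    except ValueError:
        return False
```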


From nobody Mon Oct  3 12:44:33 2016
In-Reply-To: <CA+k3eCQfU943iCpAm8GxJchddMhFmXi-uVdV_rF_BVf0HyuJBg@mail.gmail.com>
References: <CA+k3eCSKKYC1HTcUFSv7nMjksK-ny62YoZQm1qM6-kn3xwQCpg@mail.gmail.com> <CA+k3eCQ7XFya0stc4XP8r0FCc7vHtNpE5ESZL64n=2sujwvivg@mail.gmail.com> <F30FF116-4306-40CE-9D26-2F8E7EE6B635@mit.edu> <SN1PR0301MB2029A0BBD8C0E7AB3DB01A45A6FB0@SN1PR0301MB2029.namprd03.prod.outlook.com> <CA+k3eCQfU943iCpAm8GxJchddMhFmXi-uVdV_rF_BVf0HyuJBg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 3 Oct 2016 13:43:57 -0600
Message-ID: <CA+k3eCRrzErmGDBH4C=LPP+xyHPd4sbN1PwjEEY_R_-P_uGGyw@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=94eb2c08bc7efefbe9053dfb2b2d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KKzaWRSdmqpVmjrZl6lqNw2Yzik>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Following up on token exchange use case
X-List-Received-Date: Mon, 03 Oct 2016 19:44:31 -0000

--94eb2c08bc7efefbe9053dfb2b2d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Would your use-case be better accommodated by changing the requiredness of
the request parameters so that it'd be sufficient to provide either the
subject_token or the actor_token?

I've always felt that it was simpler and more straightforward to always
have the subject token. And that cases where the requesting system or
server was the only entity involved could simply use the subject_token to
represent themselves. But perhaps that's too narrow of a view. I'm trying
to work with you on this.

Are there opinions one way or the other from others in the WG? I'd like to,
of course, get some level of consensus around this.

I'd like to publish a -06 draft soon and move things forward. I've got a
few other smallish changes queued up but this has been sitting for 3+
weeks. So I'm looking to get to a resolution.

On Fri, Sep 9, 2016 at 2:14 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Despite not fully following all of that, I would like to try and
> understand if there are reasonable changes that could be made to
> accommodate what you're looking for.
>
> What if we changed the subject_token parameter from REQUIRED to OPTIONAL
> and then require at least one of subject_token or actor_token? That would
> seem to allow for the 2 distinct functions you mention.
>
> On Thu, Sep 8, 2016 at 4:52 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
>> Things have gotten so muddled not sure where to begin, the original goal
>> of this draft was to provide the function that we use in daily high volume
>> production of WS-Trust as we transition to OAuth.  WS-Trust provided many
>> options, one was ActAs and the other was OnBehalfOf, these were 2 distinct
>> functions but could be combined (and thus the results are of a composite
>> nature). There were also other options like delegateTo, Forwardable and
>> Delegatable. So we have use cases for all these.
>>
>> So we have straightforward scenarios for (1) a token request to be on
>> behalf of a given/specified token, we also have a straightforward scenario
>> for (2) requesting a token based upon a specific token. We also have
>> complex scenarios for combining the semantics of both (1) and (2) where
>> the token request is on behalf of a specific token and the request is based
>> upon a specific token, this happened a lot in our server to server
>> scenarios for access to backend documents and services. Where we have
>> chained services this is where the delegateTo, Forwardable and Delegatable
>> options come into the scenario.
>>
>> The way that this current specification is structured and written the
>> Subject is always required which is not a good thing since there may not
>> be a subject, as basic token requests don't have to have subjects (just
>> authentication credentials), thus you can't get the semantics of (2)
>> without (1). Now the semantics of combining (1) and (2) seem to be not
>> understood and wanting to be removed.
>>
>>
>>
>>
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Justin
>> Richer
>> *Sent:* Saturday, August 27, 2016 3:26 PM
>> *To:* Brian Campbell <bcampbell@pingidentity.com>
>> *Cc:* <oauth@ietf.org> <oauth@ietf.org>
>> *Subject:* Re: [OAUTH-WG] Following up on token exchange use case
>>
>>
>>
>> No objections. Simplification is better, and this spec is already fairly
>> convoluted with all the options turned on.
>>
>>
>>
>>  — Justin
>>
>>
>>
>> On Aug 26, 2016, at 1:30 PM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>>
>>
>> Looking for two things here:
>>
>> 1) Any objections to removing the want_composite request parameter?
>> Please explain, if so. I plan to remove it in the next draft barring an
>> outpouring of support to keep it.
>>
>> 2) Tony to explain his use case and describe what changes would be needed
>> to accommodate it.
>>
>>
>>
>> On Mon, Aug 1, 2016 at 2:00 PM, Brian Campbell <
>> bcampbell@pingidentity.com> wrote:
>>
>> During the meeting in Berlin Tony voiced concern about a use case he had
>> for token exchange. Honestly, it's still not entirely clear to me what that
>> use case is or what would need to change in support of it. I'd like to
>> better understand the use case and see if it's something that can
>> reasonably be accommodated with Token Exchange. During the meeting Tony
>> referred back to an earlier email where he said, "want_composite is not
>> really the effect we are looking for since it provides for a single token,
>> the use case we have is where you want the ability to use the subject_token
>> and the actor_token in combination and not as a composite of only the
>> claims."
>>
>> The want_composite parameter came about during some iterative work on the
>> document (between I-D publications) last year. At first the client could
>> express that it wanted a composite token, one containing delegation
>> semantics, with the inclusion of the actor_token parameter. One of the
>> other editors suggested, however, that the actor_token might be
>> necessary for authorization in cases even when the client wasn't asking for
>> a composite token and that placing the desire for delegation semantics on
>> it was overloading the parameter too much. I introduced the want_composite
>> parameter to give the client such a signal independent of the actor_token
>> parameter. My (admittedly incomplete) understanding of WS-Trust is that the
>> client/requester can make such an indication and I was trying to follow
>> that model. However, I'm not sure it's needed or even makes much
>> sense. Ultimately it's the server's decision about how to construct the
>> issued token and what to include in it. It is the server's policy, not a
>> client signal, which makes the determination. So the want_composite
>> parameter is really just noise that makes the spec longer. And, from the
>> quote above, it seems it might also lead some readers to incorrect conclusions
>> about what can and cannot be returned in a token exchange.
>>
>> I'd propose then that the want_composite parameter be dropped from the
>> document.
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>

--94eb2c08bc7efefbe9053dfb2b2d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Would your use-case be better accommodated by ch=
anging the requiredness of the request parameters so that it'd be sufficient to provide either the subject_token or the actor_token? <br><br>I've always felt that it was simpler and more straightforward to always have the subject token. And that cases where the requesting system or server was the only entity involved could simply use the subject_token to represent themselves. But perhaps that's too narrow of a view. I'm trying to work with you on this. <br><br>
<div>Are there opinions one way or the other from others in the WG? I'd like to, of course, get some level of consensus around this. <br></div>
<div><br>I'd like to publish a -06 draft soon and move things forward. I've got a few other smallish changes queued up but this has been sitting for 3+ weeks. So I'm looking to get to a resolution. <br></div></div></div></div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep 9, 2016 at 2:14 PM, Brian Campbell <span dir="ltr">&lt;<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Despite not fully following all of that, I would like to try and understand if there are reasonable changes that could be made to accommodate what you're looking for. <br><br></div>What if we changed the subject_token parameter from REQUIRED to OPTIONAL and then require at least one of subject_token or actor_token? That would seem to allow for the 2 distinct functions you mention. <br></div>
<div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 8, 2016 at 4:52 PM, Anthony Nadalin <span dir="ltr">&lt;<a href="mailto:tonynad@microsoft.com" target="_blank">tonynad@microsoft.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div lang="EN-US">
<p>Things have gotten so muddled not sure where to begin, the original goal of this draft was to provide the function that we use in daily high volume production of WS-Trust as we transition to OAuth. WS-Trust provided many options, one was ActAs and the other was OnBehalfOf, these were 2 distinct functions but could be combined (and thus the results are of a composite nature). There were also other options like delegateTo, Forwardable and Delegatable. So we have use cases for all these.</p>
<p>So we have straightforward scenarios for (1) a token request to be on behalf of a given/specified token, we also have a straightforward scenario for (2) requesting a token based upon a specific token. We also have complex scenarios for combining the semantics of both (1) and (2) where the token request is on behalf of a specific token and the request is based upon a specific token, this happened a lot in our server to server scenarios for access to backend documents and services. Where we have chained services this is where the delegateTo, Forwardable and Delegatable options come into the scenario.</p>
<p>The way that this current specification is structured and written the Subject is always required which is not a good thing since there may not be a subject, as basic token requests don't have to have subjects (just authentication credentials), thus you can't get the semantics of (2) without (1). Now the semantics of combining (1) and (2) seem to be not understood and wanting to be removed.</p>
<p><b>From:</b> OAuth [mailto:<a href="mailto:oauth-bounces@ietf.org" target="_blank">oauth-bounces@ietf.org</a>] <b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Saturday, August 27, 2016 3:26 PM<br>
<b>To:</b> Brian Campbell &lt;<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>&gt;<br>
<b>Cc:</b> &lt;<a href="mailto:oauth@ietf.org" target="_blank">oauth@ietf.org</a>&gt; &lt;<a href="mailto:oauth@ietf.org" target="_blank">oauth@ietf.org</a>&gt;<br>
<b>Subject:</b> Re: [OAUTH-WG] Following up on token exchange use case</p>
<p>No objections. Simplification is better, and this spec is already fairly convoluted with all the options turned on.</p>
<p>— Justin</p>
<blockquote>
<p>On Aug 26, 2016, at 1:30 PM, Brian Campbell &lt;<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>&gt; wrote:</p>
<p>Looking for two things here:</p>
<p>1) Any objections to removing the want_composite request parameter? Please explain, if so. I plan to remove it in the next draft barring an outpouring of support to keep it.</p>
<p>2) Tony to explain his use case and describe what changes would be needed to accommodate it.</p>
<p>On Mon, Aug 1, 2016 at 2:00 PM, Brian Campbell &lt;<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>&gt; wrote:</p>
<blockquote>
<p>During the meeting in Berlin Tony voiced concern about a use case he had for token exchange. Honestly, it's still not entirely clear to me what that use case is or what would need to change in support of it. I'd like to better understand the use case and see if it's something that can reasonably be accommodated with Token Exchange. During the meeting Tony referred back to an earlier email where he said, "want_composite is not really the effect we are looking for since it provides for a single token, the use case we have is where you want the ability to use the subject_token and the actor_token in combination and not as a composite of only the claims."</p>
<p>The want_composite parameter came about during some iterative work on the document (between I-D publications) last year. At first the client could express that it wanted a composite token, one containing delegation semantics, with the inclusion of the actor_token parameter. One of the other editors suggested, however, that the actor_token might be necessary for authorization in cases even when the client wasn't asking for a composite token and that placing the desire for delegation semantics on it was overloading the parameter too much. I introduced the want_composite parameter to give the client such a signal independent of the actor_token parameter. My (admittedly incomplete) understanding of WS-Trust is that the client/requester can make such an indication and I was trying to follow that model. However, I'm not sure it's needed or even makes much sense. Ultimately it's the server's decision about how to construct the issued token and what to include in it. It is the server's policy, not a client signal, which makes the determination. So the want_composite parameter is really just noise that makes the spec longer. And, from the quote above, it seems it might also lead some readers to incorrect conclusions about what can and cannot be returned in a token exchange.</p>
<p>I'd propose then that the want_composite parameter be dropped from the document.</p>
</blockquote>
<p>_______________________________________________<br>
OAuth mailing list<br>
<a href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a></p>
</blockquote>
</div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>

--94eb2c08bc7efefbe9053dfb2b2d--


From nobody Wed Oct  5 08:16:58 2016
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68FA7129787 for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 08:16:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.598
X-Spam-Level: 
X-Spam-Status: No, score=-105.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2PC_s2uU4sXB for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 08:16:53 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9981F12958F for <oauth@ietf.org>; Wed,  5 Oct 2016 08:16:52 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 82498B80A81; Wed,  5 Oct 2016 08:16:52 -0700 (PDT)
To: dick.hardt@gmail.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com, Hannes.Tschofenig@gmx.net, derek@ihtfp.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20161005151652.82498B80A81@rfc-editor.org>
Date: Wed,  5 Oct 2016 08:16:52 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1gmYkphmm_-HhMqWF7wKstVwijs>
Cc: lars.kemmann@bynalogic.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2016 15:16:57 -0000

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4819

--------------------------------------
Type: Technical
Reported by: Lars Kemmann <lars.kemmann@bynalogic.com>

Section: 4.2.2

Original Text
-------------
HTTP/1.1 302 Found
Location: http://example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Corrected Text
--------------
HTTP/1.1 302 Found
Location: http://client.example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Notes
-----
In the example for section 4.2.1, the request was made with a `redirect_uri` parameter value of `redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`. If I understand correctly, the `client` subdomain should be included in the `Location` header in the response.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG


From nobody Wed Oct  5 15:08:00 2016
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0CA21294C5 for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 15:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level: 
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujj-rcZJCr_W for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 15:07:48 -0700 (PDT)
Received: from ipxbno.tcif.telstra.com.au (ipxbno.tcif.telstra.com.au [203.35.82.204]) by ietfa.amsl.com (Postfix) with ESMTP id 46F551294BF for <oauth@ietf.org>; Wed,  5 Oct 2016 15:07:46 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,451,1473084000"; d="scan'208";a="105621549"
Received: from unknown (HELO ipcani.tcif.telstra.com.au) ([10.97.216.200]) by ipobni.tcif.telstra.com.au with ESMTP; 06 Oct 2016 09:07:44 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8309"; a="193634380"
Received: from wsmsg3705.srv.dir.telstra.com ([172.49.40.203]) by ipcani.tcif.telstra.com.au with ESMTP; 06 Oct 2016 09:07:45 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3705.srv.dir.telstra.com ([fe80::6cf2:f98b:1f04:11fe%12]) with mapi; Thu, 6 Oct 2016 09:07:45 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>, "dick.hardt@gmail.com" <dick.hardt@gmail.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "Kathleen.Moriarty.ietf@gmail.com" <Kathleen.Moriarty.ietf@gmail.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, "derek@ihtfp.com" <derek@ihtfp.com>
Date: Thu, 6 Oct 2016 09:07:43 +1100
Thread-Topic: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
Thread-Index: AdIfG4dhicfp2ZsxR/ir14K554cxrAAOGHQQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E13C05AA7E63@WSMSG3153V.srv.dir.telstra.com>
References: <20161005151652.82498B80A81@rfc-editor.org>
In-Reply-To: <20161005151652.82498B80A81@rfc-editor.org>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lcqxGEk-Po-7qI9vDaayJHvXDTw>
Cc: "lars.kemmann@bynalogic.com" <lars.kemmann@bynalogic.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2016 22:07:59 -0000

This errata is not quite right. It needs to use https, not http.

Location: https://client.example.com/cb...

--
James Manger

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of RFC Errata System
Sent: Thursday, 6 October 2016 2:17 AM
To: dick.hardt@gmail.com; stephen.farrell@cs.tcd.ie; Kathleen.Moriarty.ietf@gmail.com; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
Cc: lars.kemmann@bynalogic.com; oauth@ietf.org; rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)

The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4819

--------------------------------------
Type: Technical
Reported by: Lars Kemmann <lars.kemmann@bynalogic.com>

Section: 4.2.2

Original Text
-------------
HTTP/1.1 302 Found
Location: http://example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Corrected Text
--------------
HTTP/1.1 302 Found
Location: http://client.example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Notes
-----
In the example for section 4.2.1, the request was made with a `redirect_uri` parameter value of `redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`. If I understand correctly, the `client` subdomain should be included in the `Location` header in the response.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
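
Both corrections in this thread (the Location must point at the registered client.example.com callback, and it must be https) are checks an authorization server has to enforce when it builds the section 4.2.2 redirect, not just example text. The following is an added example, not part of the errata report, the reply, or RFC 6749; the client registry and the client_id are constructed for illustration, and the token values are the ones in the errata's example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed client registry for this example: client_id -> the full
# redirect URIs registered for that client. The URI is the one the errata
# says the example response should redirect to.
REGISTERED_REDIRECT_URIS = {
    "s6BhdRkqt3": ("https://client.example.com/cb",),
}


class RedirectRejected(Exception):
    """The requested redirect_uri must not be used for this client."""


def resolve_redirect_uri(client_id: str, requested: str) -> str:
    """Return the redirect URI the server may send the user agent to.

    The requested value has to equal a registered URI by simple string
    comparison (RFC 6749 section 3.1.2.3): no prefix, host-only or
    scheme-relaxed matching. A request naming http://client.example.com/cb
    is therefore rejected even though it differs only in scheme.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    if requested not in registered:
        raise RedirectRejected("redirect_uri does not match a registered URI")
    parts = urlsplit(requested)
    if parts.scheme != "https":
        # The fragment will carry the access token; only deliver it over TLS.
        raise RedirectRejected("redirect_uri must use https")
    if parts.fragment:
        raise RedirectRejected("redirect_uri must not contain a fragment")
    return requested


def implicit_grant_location(client_id, requested_redirect_uri, access_token,
                            state, token_type="example", expires_in=3600):
    """Build the Location header value for the 302 response of section 4.2.2.

    Token parameters are placed in the fragment, not the query string, so
    they stay in the user agent and are not sent to the redirect endpoint.
    """
    base = resolve_redirect_uri(client_id, requested_redirect_uri)
    params = {
        "access_token": access_token,
        "state": state,
        "token_type": token_type,
        "expires_in": str(expires_in),
    }
    return base + "#" + urlencode(params)


def redirect_allowed(client_id, requested_redirect_uri) -> bool:
    """True if the server would honour this redirect_uri for this client."""
    try:
        resolve_redirect_uri(client_id, requested_redirect_uri)
        return True
    except RedirectRejected:
        return False


if __name__ == "__main__":
    print("Location: " + implicit_grant_location(
        "s6BhdRkqt3", "https://client.example.com/cb",
        "2YotnFZFEjr1zCsicMWpAA", "xyz"))
```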


From nobody Wed Oct  5 22:11:49 2016
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D27DA1293F5 for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 22:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hTOoQi_L1n4 for <oauth@ietfa.amsl.com>; Wed,  5 Oct 2016 22:11:46 -0700 (PDT)
Received: from p3plsmtpa11-04.prod.phx3.secureserver.net (p3plsmtpa11-04.prod.phx3.secureserver.net [68.178.252.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AED3128874 for <oauth@ietf.org>; Wed,  5 Oct 2016 22:11:46 -0700 (PDT)
Received: from [192.168.1.10] ([79.100.136.247]) by :SMTPAUTH: with SMTP id s0xdbFfCt01SHs0xebPsh1; Wed, 05 Oct 2016 22:11:15 -0700
To: oauth@ietf.org
References: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <d959b93a-d7a7-94c2-f4fb-29e49b58ce5c@connect2id.com>
Date: Thu, 6 Oct 2016 08:11:12 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060407080107060201080408"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xnPwkHnMcDuuHPyMH42IDp9sM4w>
Subject: Re: [OAUTH-WG] JWT: Algorithm choice as an attack vector
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 05:11:48 -0000

This is a cryptographically signed message in MIME format.

--------------ms060407080107060201080408
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Maciej,

Apps must not accept arbitrary JWTs, nor let the JWT header alone
drive the JWT validation process.

A good app contract will specify which algs and header parameters are
accepted, and discard all JWTs that don't match these rules, before
passing the JWTs for validation to the library.


On 03/10/16 18:46, Maciej Kwidzinski wrote:
> Hi,
>
> Tim McLean describes an attack vector on JWT-protected services in his
> blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
>
> The culprit is relying on the algorithm in the JWT header. The
> workaround/recommendation is to ignore the algorithm from the header
> and use a predefined one.
>
> The current RFC 7519 does not address this vulnerability.
> Will this problem be addressed in the standard?
>
> Best regards,
> Maciej Kwidziński
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
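
Vladimir's rule above, an application contract that fixes which algs and header parameters are acceptable and discards everything else before any signature check, as an added example using only Python's standard library; this is not code from the original message or from any JWT library, and the contract, key and tokens are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Application contract (constructed for this example): the only algs the
# app accepts, the verification key for each (alg, kid) pair, and the header
# parameters that may appear at all. Tokens outside it are discarded before
# any signature check runs.
CONTRACT = {
    "allowed_algs": {"HS256"},
    "allowed_header_params": {"alg", "typ", "kid"},
    "keys": {"HS256": {"k1": b"constructed-demo-secret-key-of-32-bytes!"}},
}


class JWTRejected(Exception):
    """The token does not satisfy the application contract."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


# MAC primitive per alg, selected through the contract rather than by the
# header on its own, so a key is never used with an algorithm it was not
# registered for.
MAC_FOR_ALG = {"HS256": _hs256}


def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    """Issue a compact JWS with an HS256 signature (the demo issuer side)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = _hs256(key, f"{h}.{p}".encode("ascii"))
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify(token: str, contract: dict = CONTRACT) -> dict:
    """Return the claims only if the token satisfies the contract.

    The header is parsed but does not drive validation: its alg must be on
    the allowlist, the key is looked up by (alg, kid) from the contract, and
    any header parameter outside the contract is grounds for rejection.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        raise JWTRejected("undecodable header")
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")
    unexpected = set(header) - contract["allowed_header_params"]
    if unexpected:
        raise JWTRejected(f"header parameters outside contract: {sorted(unexpected)}")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in contract["allowed_algs"]:
        raise JWTRejected(f"alg {alg!r} not permitted by contract")
    kid = header.get("kid")
    key = contract["keys"][alg].get(kid) if isinstance(kid, str) else None
    if key is None:
        raise JWTRejected("no key registered for this alg/kid")
    expected = MAC_FOR_ALG[alg](key, f"{h_b64}.{p_b64}".encode("ascii"))
    try:
        presented = b64url_decode(s_b64)
    except ValueError:
        raise JWTRejected("undecodable signature")
    if not hmac.compare_digest(expected, presented):
        raise JWTRejected("signature mismatch")
    try:
        return json.loads(b64url_decode(p_b64))
    except ValueError:
        raise JWTRejected("undecodable payload")


def is_accepted(token: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify(token)
        return True
    except JWTRejected:
        return False


if __name__ == "__main__":
    demo_key = CONTRACT["keys"]["HS256"]["k1"]
    print(is_accepted(sign_hs256({"sub": "alice"}, "k1", demo_key)))  # True
```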



--------------ms060407080107060201080408--


From lars.kemmann@bynalogic.com  Thu Oct  6 14:25:08 2016
Return-Path: <lars.kemmann@bynalogic.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 152FA129460 for <oauth@ietfa.amsl.com>; Thu,  6 Oct 2016 14:25:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level: 
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bynalogic.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwJkby_8jeqM for <oauth@ietfa.amsl.com>; Thu,  6 Oct 2016 14:25:04 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0121.outbound.protection.outlook.com [104.47.41.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3219D12943C for <oauth@ietf.org>; Thu,  6 Oct 2016 14:25:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bynalogic.onmicrosoft.com; s=selector1-bynalogic-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8JdzlmK6EoY6rN44ZlTWTTY2TPH4ezDQO+c57x0LwcY=; b=kEOKbGsM1ggTC1MVdu5hbyYSHNj9rjnK/ohWG6OmqZOIJLlyYkJcfo4Fh1lgKcem3ZWdk8bV5OXRlMw5d+f3umrNx9DFvTW0hGvWHlAWbfdPYnWWvAx1GRu0wQGF17d/FRH9icSyuet2ATbiq1xyjzOHI8dRTFYVH4tdGs8QBeE=
Received: from CO2PR0801MB2359.namprd08.prod.outlook.com (10.174.192.152) by CO2PR0801MB2358.namprd08.prod.outlook.com (10.174.192.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.649.16; Thu, 6 Oct 2016 21:25:01 +0000
Received: from CO2PR0801MB2359.namprd08.prod.outlook.com ([10.174.192.152]) by CO2PR0801MB2359.namprd08.prod.outlook.com ([10.174.192.152]) with mapi id 15.01.0649.024; Thu, 6 Oct 2016 21:25:01 +0000
From: Lars Kemmann <lars.kemmann@bynalogic.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "dick.hardt@gmail.com" <dick.hardt@gmail.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "Kathleen.Moriarty.ietf@gmail.com" <Kathleen.Moriarty.ietf@gmail.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, "derek@ihtfp.com" <derek@ihtfp.com>
Thread-Topic: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
Thread-Index: AQHSHxuE+lI7eDlI7kuZ40x+ykQ/eaCaa5OAgAGGZv8=
Date: Thu, 6 Oct 2016 21:25:00 +0000
Message-ID: <CO2PR0801MB23591654EA70BF7A1874380282C70@CO2PR0801MB2359.namprd08.prod.outlook.com>
References: <20161005151652.82498B80A81@rfc-editor.org>, <255B9BB34FB7D647A506DC292726F6E13C05AA7E63@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E13C05AA7E63@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=lars.kemmann@bynalogic.com; 
x-originating-ip: [75.181.129.24]
x-ms-office365-filtering-correlation-id: 0dc19a73-5dab-495c-cecd-08d3ee2f3b10
received-spf: None (protection.outlook.com: bynalogic.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CO2PR0801MB23591654EA70BF7A1874380282C70CO2PR0801MB2359_"
MIME-Version: 1.0
X-OriginatorOrg: bynalogic.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Oct 2016 21:25:00.8650 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 35ae33f5-2565-457b-b049-aae7bfc371ba
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR0801MB2358
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GH0c1y4o3vdn3TzmhV7T6_z9dD4>
X-Mailman-Approved-At: Fri, 07 Oct 2016 02:42:45 -0700
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 21:27:45 -0000

--_000_CO2PR0801MB23591654EA70BF7A1874380282C70CO2PR0801MB2359_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Ah, you're right. Thanks! Should I resubmit it?



~Lars



From: Manger, James<mailto:James.H.Manger@team.telstra.com>
Sent: Wednesday, October 5, 2016 6:07 PM
To: RFC Errata System<mailto:rfc-editor@rfc-editor.org>; dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>; stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>; Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>; Hannes.Tschofenig@gmx.net<mailto:Hannes.Tschofenig@gmx.net>; derek@ihtfp.com<mailto:derek@ihtfp.com>
Cc: Lars Kemmann<mailto:lars.kemmann@bynalogic.com>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: RE: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)



This errata is not quite right. It needs to use https, not http.

Location: https://client.example.com/cb...

--
James Manger

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of RFC Errata System
Sent: Thursday, 6 October 2016 2:17 AM
To: dick.hardt@gmail.com; stephen.farrell@cs.tcd.ie; Kathleen.Moriarty.ietf@gmail.com; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
Cc: lars.kemmann@bynalogic.com; oauth@ietf.org; rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)

The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4819

--------------------------------------
Type: Technical
Reported by: Lars Kemmann <lars.kemmann@bynalogic.com>

Section: 4.2.2

Original Text
-------------
HTTP/1.1 302 Found
Location: http://example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Corrected Text
--------------
HTTP/1.1 302 Found
Location: http://client.example.com/cb#
          access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600

Notes
-----
In the example for section 4.2.1, the request was made with a `redirect_uri` parameter value of `redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`. If I understand correctly, the `client` subdomain should be included in the `Location` header in the response.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--_000_CO2PR0801MB23591654EA70BF7A1874380282C70CO2PR0801MB2359_--


From nobody Fri Oct  7 12:26:52 2016
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 899B31293DA for <oauth@ietfa.amsl.com>; Fri,  7 Oct 2016 12:26:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.217
X-Spam-Level: 
X-Spam-Status: No, score=-7.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NF_k0mesRSmx for <oauth@ietfa.amsl.com>; Fri,  7 Oct 2016 12:26:49 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CCBE129530 for <oauth@ietf.org>; Fri,  7 Oct 2016 12:26:48 -0700 (PDT)
X-AuditID: 12074424-163ff700000068a9-2f-57f7f6f6d82f
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 57.E1.26793.6F6F7F75; Fri,  7 Oct 2016 15:26:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id u97JQjO0007182; Fri, 7 Oct 2016 15:26:45 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u97JQaiN015503 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 7 Oct 2016 15:26:40 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u97JQZRM022245; Fri, 7 Oct 2016 15:26:35 -0400 (EDT)
Date: Fri, 7 Oct 2016 15:26:35 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Lars Kemmann <lars.kemmann@bynalogic.com>
In-Reply-To: <CO2PR0801MB23591654EA70BF7A1874380282C70@CO2PR0801MB2359.namprd08.prod.outlook.com>
Message-ID: <alpine.GSO.1.10.1610071526120.5272@multics.mit.edu>
References: <20161005151652.82498B80A81@rfc-editor.org>, <255B9BB34FB7D647A506DC292726F6E13C05AA7E63@WSMSG3153V.srv.dir.telstra.com> <CO2PR0801MB23591654EA70BF7A1874380282C70@CO2PR0801MB2359.namprd08.prod.outlook.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-510569805-1475868395=:5272"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U0Rl6UaaX8KFsP7TZEmW5GM6e18>
Cc: "derek@ihtfp.com" <derek@ihtfp.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 19:26:51 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-510569805-1475868395=:5272
Content-Type: TEXT/PLAIN; charset=Windows-1252
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Thu, 6 Oct 2016, Lars Kemmann wrote:

> Ah, you’re right. Thanks! Should I resubmit it?

Kathleen can get it edited in-place.

-Ben

>
>
>
> ~Lars
>
>
>
> From: Manger, James<mailto:James.H.Manger@team.telstra.com>
> Sent: Wednesday, October 5, 2016 6:07 PM
> To: RFC Errata System<mailto:rfc-editor@rfc-editor.org>; dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>; stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>; Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>; Hannes.Tschofenig@gmx.net<mailto:Hannes.Tschofenig@gmx.net>; derek@ihtfp.com<mailto:derek@ihtfp.com>
> Cc: Lars Kemmann<mailto:lars.kemmann@bynalogic.com>; oauth@ietf.org<mailto:oauth@ietf.org>
> Subject: RE: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
>
>
>
> This errata is not quite right. It needs to use https, not http.
>
> Location: https://client.example.com/cb...
>
> --
> James Manger
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of RFC Errata System
> Sent: Thursday, 6 October 2016 2:17 AM
> To: dick.hardt@gmail.com; stephen.farrell@cs.tcd.ie; Kathleen.Moriarty.ietf@gmail.com; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
> Cc: lars.kemmann@bynalogic.com; oauth@ietf.org; rfc-editor@rfc-editor.org
> Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4819)
>
> The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4819
>
> --------------------------------------
> Type: Technical
> Reported by: Lars Kemmann <lars.kemmann@bynalogic.com>
>
> Section: 4.2.2
>
> Original Text
> -------------
> HTTP/1.1 302 Found
> Location: http://example.com/cb#
>           access_token=2YotnFZFEjr1zCsicMWpAA
>           &state=xyz&token_type=example&expires_in=3600
>
> Corrected Text
> --------------
> HTTP/1.1 302 Found
> Location: http://client.example.com/cb#
>           access_token=2YotnFZFEjr1zCsicMWpAA
>           &state=xyz&token_type=example&expires_in=3600
>
> Notes
> -----
> In the example for section 4.2.1, the request was made with a `redirect_uri` parameter value of `redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`. If I understand correctly, the `client` subdomain should be included in the `Location` header in the response.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

---559023410-510569805-1475868395=:5272--


From nobody Sun Oct  9 09:38:17 2016
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4ED129573 for <oauth@ietfa.amsl.com>; Sun,  9 Oct 2016 09:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eq7u3190qzXN for <oauth@ietfa.amsl.com>; Sun,  9 Oct 2016 09:38:13 -0700 (PDT)
Received: from mail-pf0-x234.google.com (mail-pf0-x234.google.com [IPv6:2607:f8b0:400e:c00::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96D39129427 for <oauth@ietf.org>; Sun,  9 Oct 2016 09:38:13 -0700 (PDT)
Received: by mail-pf0-x234.google.com with SMTP id 190so43774422pfv.0 for <oauth@ietf.org>; Sun, 09 Oct 2016 09:38:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=AD/mJCaap8866Y5Z9tRKBNkG82SzrLx7Uunle7lIkLI=; b=djuE3UNQ7dYQ9LuvWaGyM6J1v+VgJERRNgfcuR9LDZhmaRL2T9c4wKFKHohGlo5M+o 51OCNxfULlkU0Em2JZGFioC9DrGHi5Mo5PWfwh7VCSHQRTgIbRA7F2knwl7gqz4zsPPM Qc2oTaroVGxF+Qv/9xN9pNI2xGNoVhnqs2lQQPvOqAIzZ8aI+7AYXDpa3o2ftFlszs4a XwYLVTUfopfg8nYk62HqZBJlnkQ+wrbTux1x/2TDfoiIiE9B47LSlOdiLv41FE+zIfzF L4mslwxdVwIqV5UklM1IKRe9Jlfs7JPVVzmBQOe0FafWcxn4IomZsUyAseUJfEevU78K h04Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=AD/mJCaap8866Y5Z9tRKBNkG82SzrLx7Uunle7lIkLI=; b=L334CNg9/rP9eLUeK2ao7olVNAmuY1D+mvoobJ2FbX6Dc6sDn68KdGwDnYYPBAfRNn E0TkxDv7ChoIXE2BwRaHJgDv+MhC4QfQppedIlyhKJKoBOGpYuzexfxGIRwEua8AYUag LJ6MNPoJj1peazodfjAec/Xhhhg0K/Q2eVi/2yLSMgBB/VnAlJv2HwtCJSs63Dp1pgyZ GSkUoxca/i/umQ9n2g0S6qkkg8413YgTmp8401QDTQk/imQRW52f8jB0YjRoOnw7O3IP ieufH/Omxk39z/z82Y2hu7vfF3d/7sKYFTx6vfMQamTcYoNwmCVlfAAxKz0cCLrS0koc nyWA==
X-Gm-Message-State: AA6/9RlRY25JQ2ILNkymAvJG0ggDBomIHzEzc8nJLBpFPBWOw+AKafLqf9CqgnFx/ZB0du8f
X-Received: by 10.98.208.1 with SMTP id p1mr14372274pfg.44.1476031092948; Sun, 09 Oct 2016 09:38:12 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:35d4:21ec:8e67:8e04]) by smtp.googlemail.com with ESMTPSA id f86sm28000621pfd.83.2016.10.09.09.38.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 09 Oct 2016 09:38:12 -0700 (PDT)
To: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth@ietf.org
References: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com> <d959b93a-d7a7-94c2-f4fb-29e49b58ce5c@connect2id.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <0cd4f857-1365-98ae-8f1e-e3921311c771@manicode.com>
Date: Sun, 9 Oct 2016 06:38:11 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <d959b93a-d7a7-94c2-f4fb-29e49b58ce5c@connect2id.com>
Content-Type: multipart/alternative; boundary="------------07FEDDB42C9F59BC7BFFE7DF"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NXjd-K2PEzXJMj8jJi0Cz1_0AK8>
Subject: Re: [OAUTH-WG] JWT: Algorithm choice as an attack vector
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2016 16:38:15 -0000

This is a multi-part message in MIME format.
--------------07FEDDB42C9F59BC7BFFE7DF
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

> A good app contract will specify which algs and header parameters are
> accepted, and discard all JWTs that don't match these rules, before
> passing the JWTs for validation to the library.

While this is ideal it's not always practical for authorization servers
that need to support a wide array of algs and header parameters.

This is also why - in addition to a good app contract - these tokens
should be proof tokens at multiple layers - including mutual TLS.

Aloha, Jim


On 10/5/16 7:11 PM, Vladimir Dzhuvinov wrote:
> Hi Maciej,
>
> Apps must not accept arbitrary JWTs, neither let the JWT header alone
> drive the JWT validation process.
>
> A good app contract will specify which algs and header parameters are
> accepted, and discard all JWTs that don't match these rules, before
> passing the JWTs for validation to the library.
>
>
> On 03/10/16 18:46, Maciej Kwidzinski wrote:
>> Hi,
>>
>> Tim McLean describes an attack vector on JWT-protected services in his
>> blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
>>
>> The culprit is relying on the algorithm in the JWT header. The
>> workaround/recommendation is to ignore the algorithm from the header
>> and use a predefined one.
>>
>> The current RFC 7519 does not address this vulnerability.
>> Will this problem be addressed in the standard?
>>
>> Best regards,
>> Maciej Kwidziński
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Jim Manico
Manicode Security
https://www.manicode.com


--------------07FEDDB42C9F59BC7BFFE7DF--
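The contract check Vladimir describes (decide which algs and header parameters are acceptable and discard everything else before the library sees the token) and Jim's objection that one fixed algorithm does not suit a server that must support several, together as an added example. This is illustrative code written for this thread, not code from any library or project mentioned in it. The algorithm is pinned per key rather than globally: the header's kid selects a configured key, the key's configuration fixes the algorithm, and the header's alg must agree with that configuration instead of choosing it. The key table, the kid value and the secret are constructed for the example, and only HMAC-SHA256 is implemented; an asymmetric key would sit in the same table with its own fixed algorithm.

```python
import base64
import hashlib
import hmac
import json

# Constructed key table: kid -> (algorithm fixed by configuration, key material).
# These values are invented for the example; a real deployment loads them from
# its key store.  Only HMAC keys are implemented here.
KEYS = {
    "2016-10-hs256": ("HS256", b"constructed-demo-secret-do-not-reuse"),
}

# Header parameters the contract permits.  Anything else (jku, jwk, x5u, crit, ...)
# causes rejection before any cryptographic processing happens.
ALLOWED_HEADER_PARAMS = {"alg", "typ", "kid"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_contract(header: dict) -> tuple:
    """Enforce the application contract on a parsed JOSE header.

    The kid selects a configured key; the algorithm is taken from that key's
    configuration, and the header's alg must agree with it.  The header is
    never allowed to pick the algorithm on its own."""
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    unexpected = set(header) - ALLOWED_HEADER_PARAMS
    if unexpected:
        raise ValueError("unexpected header params: %s" % sorted(unexpected))
    kid = header.get("kid")
    if kid not in KEYS:
        raise ValueError("unknown or missing kid")
    alg, key = KEYS[kid]
    if header.get("alg") != alg:
        raise ValueError("alg %r does not match configured %s for kid %s"
                         % (header.get("alg"), alg, kid))
    return alg, key


def verify(token: str) -> dict:
    """Return the verified claims, or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
    except Exception as exc:
        raise ValueError("unparseable header") from exc
    alg, key = check_contract(header)          # contract first, crypto second
    if alg != "HS256":                         # the only algorithm this example implements
        raise ValueError("algorithm not implemented in this example")
    signing_input = ("%s.%s" % (head_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def outcome(token: str) -> str:
    """Wrap verify() into a string result for demonstration and tests."""
    try:
        verify(token)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc


def mint(header: dict, payload: dict, key: bytes = b"") -> str:
    """Build a compact JWS with an HMAC-SHA256 signature (empty signature if no key)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest() if key else b""
    return "%s.%s.%s" % (h, p, b64url_encode(sig))


# Constructed sample tokens: one that matches the contract, four that do not.
CLAIMS = {"sub": "alice", "scope": "read"}
SECRET = KEYS["2016-10-hs256"][1]
GOOD = mint({"alg": "HS256", "typ": "JWT", "kid": "2016-10-hs256"}, CLAIMS, SECRET)
ALG_NONE = mint({"alg": "none", "kid": "2016-10-hs256"}, CLAIMS)
NO_KID = mint({"alg": "HS256"}, CLAIMS, SECRET)
EXTRA_PARAM = mint({"alg": "HS256", "kid": "2016-10-hs256",
                    "jku": "https://example.invalid/keys"}, CLAIMS, SECRET)
WRONG_KEY = mint({"alg": "HS256", "kid": "2016-10-hs256"}, CLAIMS, b"some-other-key")

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("alg=none", ALG_NONE), ("no kid", NO_KID),
                      ("jku header", EXTRA_PARAM), ("wrong key", WRONG_KEY)]:
        print("%-11s %s" % (name, outcome(tok)))
```

Running the file prints one line per constructed token; every token except the first is rejected, and the reason string shows which rule fired, with the header-level rules firing before any signature computation.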


From nobody Mon Oct 10 02:54:21 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBC71294BE for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2016 02:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.597
X-Spam-Level: 
X-Spam-Status: No, score=-5.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zB0cIbAYK6Ez for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2016 02:54:18 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4A1A129426 for <oauth@ietf.org>; Mon, 10 Oct 2016 02:54:17 -0700 (PDT)
Received: from [192.168.91.134] ([80.92.121.244]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MRGTX-1bR7BA0E0t-00UYQv for <oauth@ietf.org>; Mon, 10 Oct 2016 11:54:15 +0200
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <d0ce0f24-f399-ec9d-af87-b89ba4c99c10@gmx.net>
Date: Mon, 10 Oct 2016 11:54:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="7JB7ge384p3aTw6avdPOU0ETXF2oDQntb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EfESEiWs51cj1x7K899sSeYFnlg>
Subject: [OAUTH-WG] FW: OAuth 2.0 JWT Authorization Request (JAR): IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 09:54:20 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--7JB7ge384p3aTw6avdPOU0ETXF2oDQntb
Content-Type: multipart/mixed; boundary="pM7smaTLiLF1FodB70htIwkQVAEwSeU0h";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <d0ce0f24-f399-ec9d-af87-b89ba4c99c10@gmx.net>
Subject: FW: OAuth 2.0 JWT Authorization Request (JAR): IPR Confirmation

--pM7smaTLiLF1FodB70htIwkQVAEwSeU0h
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

FWD

From: John Bradley [mailto:jbradley@me.com]
Sent: 09 October 2016 22:24
To: Hannes Tschofenig
Cc: Nat Sakimura
Subject: Re: OAuth 2.0 JWT Authorization Request (JAR): IPR Confirmation

Sorry, I thought I had. Must have been for another one.
I have made all appropriate IPR disclosures required and know of no IPR
disclosures on this work.
John B

On Oct 9, 2016 16:30, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Hi John,

I believe you have not sent a response to my message:
https://www.ietf.org/mail-archive/web/oauth/current/msg16671.html

Ciao
Hannes



--pM7smaTLiLF1FodB70htIwkQVAEwSeU0h--

--7JB7ge384p3aTw6avdPOU0ETXF2oDQntb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJX+2VGAAoJEGhJURNOOiAt+qMH/3JiHzz1GLvKcuXQ3OzJL7F7
L0pCeZxM6z49GcsCn1y1xGH3tetD4cZ1pmIh3h7EOa7JjN7G+2x+QgZReng3l0zd
dy8poncIjHbDlEn8HJTDptzPzK5vXExK3p3VHO0mw+L973yeamfgOtF00Vf3sdty
l/x9iwxc2dbfEFMupCecEOf/mgw1+X6P5QuWlOCeqYRc2sxwT4VY86n7wReluKWP
2vFIXTyTWC1DitzSTEY9OYyJV8LAfOB1BFZo5LmB6q5k/xpJ/Ik1p/D/KTyvNjJt
u3Ioisvf8jpT9H+rv0I1npO1tgo2yeNZ8CtwGIpi8Ddx1qQT9yDS0o8l5vSILgY=
=uSl9
-----END PGP SIGNATURE-----

--7JB7ge384p3aTw6avdPOU0ETXF2oDQntb--


From nobody Mon Oct 10 03:30:26 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EDA5129447 for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2016 03:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.597
X-Spam-Level: 
X-Spam-Status: No, score=-5.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ViYjEBzrRKD8 for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2016 03:30:22 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 654BB1200DF for <oauth@ietf.org>; Mon, 10 Oct 2016 03:30:22 -0700 (PDT)
Received: from [192.168.91.134] ([80.92.121.244]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MU0U9-1bSleU19cH-00QinJ for <oauth@ietf.org>; Mon, 10 Oct 2016 12:30:19 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <f42f0eef-925e-a6db-deb5-bc573c3023f2@gmx.net>
Date: Mon, 10 Oct 2016 12:30:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="asbhD2XjIt8VX5MQpxIOCcWWIuDfShc2j"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xTAP-6r2ibvH86Sh9dypeji68sA>
Subject: [OAUTH-WG] Shepherd Writeup for OAuth 2.0 for Native Apps

Hi all,

Here is the shepherd writeup for the native apps document:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt

There are only a few minor things missing:

1) I haven't received a response from William on my IPR confirmation
question (as far as I can tell):
https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html

2) The document lacks an IANA Considerations section. Please add one and
indicate that there are no actions for IANA.

3) There is an unused reference in the document, namely RFC 6819

Ciao
Hannes



From nobody Mon Oct 10 05:10:49 2016
References: <147610140905.31526.14218406276011981710.idtracker@ietfa.amsl.com>
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <6cf9933e-2da6-e91b-8443-12d2b9ac3c73@gmx.net>
Date: Mon, 10 Oct 2016 14:10:41 +0200
In-Reply-To: <147610140905.31526.14218406276011981710.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7XYYhD5Pt0DimcunWUPsGY6AiZg>
Subject: [OAUTH-WG] Fwd: Publication has been requested for draft-ietf-oauth-jwsreq-09

FYI


-------- Forwarded Message --------
Subject: Publication has been requested for draft-ietf-oauth-jwsreq-09
Date: Mon, 10 Oct 2016 05:10:09 -0700
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Kathleen.Moriarty.ietf@gmail.com
CC: Hannes.Tschofenig@gmx.net, iesg-secretary@ietf.org, oauth-chairs@ietf.org

Hannes Tschofenig has requested publication of
draft-ietf-oauth-jwsreq-09 as Proposed Standard on behalf of the OAUTH
working group.

Please verify the document's state at
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/




From nobody Mon Oct 10 13:59:58 2016
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com>
Date: Mon, 10 Oct 2016 17:59:49 -0300
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UuZH4Rgf3eRGvMyuylFO7d186pw>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.

The Banks want to use it for some server to server API use cases being driven by new open banking regulation.

The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.

The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.

I hope that this is non-controversial and the WG can adopt it quickly.

Regards
John B.




> Begin forwarded message:
> 
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
> Date: October 10, 2016 at 5:44:39 PM GMT-3
> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
> 
> 
> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> has been successfully submitted by John Bradley and posted to the
> IETF repository.
> 
> Name:           draft-campbell-oauth-tls-client-auth
> Revision:       00
> Title:          Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
> Document date:  2016-10-10
> Group:          Individual Submission
> Pages:          5
> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
> 
> 
> Abstract:
>   This document describes X.509 certificates as OAuth client
>   credentials using Transport Layer Security (TLS) mutual
>   authentication as a mechanism for client authentication to the
>   authorization server's token endpoint.
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 



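The two trust models John's message leaves open (a registered "common name" checked against a restricted list of CAs, or a direct lookup of the subject public key against a value registered for the client) are what an authorization server has to implement behind the tls_client_auth method. The following Go program is an added example written for this archive; it is not code from the thread, from draft-campbell-oauth-tls-client-auth, or from its authors. The RegisteredClient field names, the client identifiers and every certificate are constructed in memory for the example, and the check runs after the TLS handshake has already proven possession of the client's private key (intermediates the client may send are left out and would go into VerifyOptions.Intermediates).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RegisteredClient is the tls_client_auth binding stored at client registration
// (field names are assumptions for this example); one trust model per client.
type RegisteredClient struct {
	SubjectCN  string         // CA model: CN the presented certificate must carry
	TrustedCAs *x509.CertPool // CA model: the restricted list of issuing CAs
	SPKISHA256 string         // direct model: hex SHA-256 of the registered SubjectPublicKeyInfo
}

// AuthenticateClient binds the certificate presented in the TLS handshake to the client_id
// from the token request; TLS already proved key possession, this checks it is the registered one.
func AuthenticateClient(clients map[string]RegisteredClient, clientID string, leaf *x509.Certificate) error {
	c := clients[clientID] // an unknown client_id yields the zero value and fails below
	switch {
	case c.SPKISHA256 != "":
		// Direct lookup: the issuer is irrelevant, only the registered key may authenticate.
		sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
		if hex.EncodeToString(sum[:]) != c.SPKISHA256 {
			return errors.New("subject public key does not match the registered key")
		}
	case c.TrustedCAs != nil:
		// CA model: chain to one of the restricted CAs with a client-auth EKU, then match the CN.
		opts := x509.VerifyOptions{Roots: c.TrustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("chain not trusted for this client: %w", err)
		}
		if leaf.Subject.CommonName != c.SubjectCN {
			return errors.New("certificate CN does not match the registered CN")
		}
	default:
		return errors.New("no tls_client_auth binding registered for this client_id")
	}
	return nil
}

// mint builds an in-memory test certificate (constructed for this example); a nil parent makes it self-signed.
func mint(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA signs certificates and carries no client-auth EKU of its own
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// RunScenarios exercises both trust models; a nil error means the client authenticated.
func RunScenarios() map[string]error {
	bankCA, bankKey := mint(1, "Bank Client CA", true, nil, nil)
	otherCA, otherKey := mint(2, "Some Other CA", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(bankCA)
	good, _ := mint(10, "payments-app", false, bankCA, bankKey)
	wrongCN, _ := mint(11, "someone-else", false, bankCA, bankKey)
	rogue, _ := mint(12, "payments-app", false, otherCA, otherKey) // right CN, issuer not on the list
	registered, _ := mint(20, "fintech-client", false, nil, nil)
	impostor, _ := mint(21, "fintech-client", false, nil, nil) // same CN, different key
	spki := sha256.Sum256(registered.RawSubjectPublicKeyInfo)
	clients := map[string]RegisteredClient{
		"client-ca":   {SubjectCN: "payments-app", TrustedCAs: pool},
		"client-spki": {SPKISHA256: hex.EncodeToString(spki[:])},
	}
	return map[string]error{
		"ca-ok":          AuthenticateClient(clients, "client-ca", good),
		"ca-wrong-cn":    AuthenticateClient(clients, "client-ca", wrongCN),
		"ca-untrusted":   AuthenticateClient(clients, "client-ca", rogue),
		"spki-ok":        AuthenticateClient(clients, "client-spki", registered),
		"spki-other-key": AuthenticateClient(clients, "client-spki", impostor),
		"unknown-client": AuthenticateClient(clients, "nobody", good),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

The point of the two failing CA-model cases is that neither the CA list nor the CN is sufficient on its own: a certificate with the right CN from a CA outside the restricted list, and a certificate from the right CA with someone else's CN, both have to be rejected. In the direct-lookup model the registered SubjectPublicKeyInfo hash is the whole binding, so the CN and issuer are not consulted at all.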

From nobody Mon Oct 10 19:59:08 2016
From: "Preibisch, Sascha H" <Sascha.Preibisch@ca.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Financial API Working Group List <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Date: Tue, 11 Oct 2016 02:58:53 +0000
Message-ID: <D421A318.1CB98%sascha.preibisch@ca.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com>
In-Reply-To: <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WkEF0EeDsjvlD54o4Z1M8tShM1Y>
Subject: Re: [OAUTH-WG] [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

+1

From: Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of John Bradley via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Reply-To: John Bradley <ve7jtb@ve7jtb.com>, Financial API Working Group List <openid-specs-fapi@lists.openid.net>
Date: Monday, October 10, 2016 at 1:59 PM
To: OAuth WG <oauth@ietf.org>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Subject: [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented mutual TLS client authentication. This is something that lots of people do in practice, though we have never had a spec for it.

The Banks want to use it for some server-to-server API use cases being driven by new open banking regulation.

The largest thing in the draft is the IANA registration of the "tls_client_auth" Token Endpoint authentication method for use in Registration and discovery.

The trust model is intentionally left open so that you could use a "common name" and a restricted list of CAs, or a direct lookup of the subject public key against a registered value, or something in between.

I hope that this is non-controversial and the WG can adopt it quickly.

Regards
John B.




Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>


A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.

Name:           draft-campbell-oauth-tls-client-auth
Revision:       00
Title:          Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date:  2016-10-10
Group:          Individual Submission
Pages:          5
URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00


Abstract:
  This document describes X.509 certificates as OAuth client
  credentials using Transport Layer Security (TLS) mutual
  authentication as a mechanism for client authentication to the
  authorization server's token endpoint.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



--_000_D421A3181CB98saschapreibischcacom_--
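The trust-model options John Bradley sketches above (a "common name" under a restricted list of CAs, or a direct lookup of the subject public key against a registered value) both come down to one binding decision at the token endpoint once the TLS handshake has succeeded. What follows is an added example, not code from the draft, from anyone on this thread, or from any project mentioned here: a Python sketch of that authorization-server-side check. It assumes the TLS layer has already chain-validated the client certificate and handed over the subject, the issuer and the DER-encoded SubjectPublicKeyInfo; the client-metadata names `tls_client_auth_subject_dn`, `tls_client_auth_trusted_issuers` and `tls_client_auth_spki_sha256`, the sample registrations and every certificate field are assumptions constructed for the example and are not taken from the draft announced here.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    """Fields of the client certificate that the TLS layer has already
    chain-validated and handed to the token endpoint.  Constructed for the
    example; a real AS would take these from its TLS stack."""
    subject_dn: str   # subject as an RFC 4514 string
    issuer_dn: str    # issuer as an RFC 4514 string
    spki_der: bytes   # DER-encoded SubjectPublicKeyInfo


def normalize_dn(dn: str) -> tuple:
    """Canonical form for comparing RFC 4514 strings: split on unescaped
    commas, fold attribute types to upper case, trim whitespace around each
    component.  Attribute values are compared as given (no case folding)."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped pairs such as "\,"
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().upper(), value.strip()))
    return tuple(out)


def spki_sha256(spki_der: bytes) -> str:
    """Thumbprint of the subject public key: what a "direct lookup of the
    subject public key against a registered value" compares."""
    return hashlib.sha256(spki_der).hexdigest()


def authenticate_tls_client(registration: dict, cert: PresentedCert):
    """Bind the presented certificate to the registered client.

    Returns (ok, reason).  Only the binding is decided here; chain
    validation, expiry and revocation are the TLS layer's job and must
    have succeeded before this is called.  Metadata names are assumed."""
    if registration.get("token_endpoint_auth_method") != "tls_client_auth":
        return False, "client is not registered for tls_client_auth"

    # Trust model (b): a registered subject public key, no CA involved.
    expected_spki = registration.get("tls_client_auth_spki_sha256")
    if expected_spki is not None:
        if hmac.compare_digest(spki_sha256(cert.spki_der), expected_spki.lower()):
            return True, "subject public key matches registered value"
        return False, "subject public key does not match registered value"

    # Trust model (a): a registered subject name under a restricted CA list.
    expected_dn = registration.get("tls_client_auth_subject_dn")
    if expected_dn is not None:
        trusted = {normalize_dn(i) for i in registration.get("tls_client_auth_trusted_issuers", [])}
        if normalize_dn(cert.issuer_dn) not in trusted:
            return False, "issuer is not in the client's restricted CA list"
        if normalize_dn(cert.subject_dn) != normalize_dn(expected_dn):
            return False, "subject DN does not match registered value"
        return True, "subject DN matches under a trusted issuer"

    return False, "no certificate binding registered for this client"


# ---- constructed sample data (not real keys, CAs or clients) ----
SAMPLE_SPKI_DER = b"constructed SubjectPublicKeyInfo bytes for the example"
OTHER_SPKI_DER = b"a different constructed SubjectPublicKeyInfo"
ISSUER = "CN=Example Open Banking Issuing CA, O=Example Directory, C=GB"

REGISTRATION_BY_DN = {
    "client_id": "example-bank-batch",
    "token_endpoint_auth_method": "tls_client_auth",
    "tls_client_auth_subject_dn": "CN=batch.example-bank.test, O=Example Bank, C=GB",
    "tls_client_auth_trusted_issuers": [ISSUER],
}
REGISTRATION_BY_KEY = {
    "client_id": "example-bank-batch",
    "token_endpoint_auth_method": "tls_client_auth",
    "tls_client_auth_spki_sha256": spki_sha256(SAMPLE_SPKI_DER),
}

GOOD_CERT = PresentedCert("cn=batch.example-bank.test,o=Example Bank,c=GB", ISSUER, SAMPLE_SPKI_DER)
ROGUE_CA_CERT = PresentedCert(GOOD_CERT.subject_dn, "CN=Some Other CA, O=Elsewhere, C=GB", SAMPLE_SPKI_DER)
OTHER_KEY_CERT = PresentedCert(GOOD_CERT.subject_dn, ISSUER, OTHER_SPKI_DER)

if __name__ == "__main__":
    for reg, cert in [(REGISTRATION_BY_DN, GOOD_CERT), (REGISTRATION_BY_DN, ROGUE_CA_CERT),
                      (REGISTRATION_BY_KEY, GOOD_CERT), (REGISTRATION_BY_KEY, OTHER_KEY_CERT)]:
        print(authenticate_tls_client(reg, cert))
```

Two points the sketch makes explicit: in the subject-name model, a matching DN under an issuer outside the client's restricted CA list is rejected before the name is even compared, because any CA the server trusts for TLS could otherwise mint that name; and in the public-key model the CA is irrelevant, so the thumbprint comparison is the whole check. RFC 4514 string forms vary between libraries, so in practice the registered DN should be captured from the same parser the token endpoint uses rather than typed in by hand.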


From nobody Tue Oct 11 11:34:34 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB022129686 for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2016 11:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAzBW5BM61fa for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2016 11:34:30 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93B64129671 for <oauth@ietf.org>; Tue, 11 Oct 2016 11:34:30 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id l13so113769338itl.1 for <oauth@ietf.org>; Tue, 11 Oct 2016 11:34:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dIlo1yjXROxFLbXph30M/jXdDi0HEu3o3cFbQ2Vl1Hg=; b=Y6F+lZ1DcDR/keMYuk0BuvMBTwEwOPFVxPUelbiAPARHNa6Z0xwZmnh7F80E4F0dmE HFrNRr8kYhVyAzAmivvK4w9ANgcUZDLAhJEAWnjjpdUqwPm0PeM5XQG520Q4IpySj2nH VFFGMKf/1JOHyFfMmeL35STlTc5LPAXoECE9M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dIlo1yjXROxFLbXph30M/jXdDi0HEu3o3cFbQ2Vl1Hg=; b=YMEOsXSk4rJa0RAbyKsRQea3Dxe9aUsId+3IlcsMtLfWuEt2dOaivunhPRW9H73VJc P8PsAz+oj+YgPft2CD8B9gv+yvlf++LVjcLkxmW3PQZj+cJ0Vk2+N5iQ67M71fVAAxX6 zBezaUgBQrEW105dNM40g1iQmbdHwjwLTVR1LHjrwG/zwQ3Gpj/Dw0MWgpCD3WOdtT1f Tp7AIxsNGVt59PeUsHmzEyPMqDHRuUESWTx8t/oJX/8Wz/v8/MsYnBmYjOrU+actBJhD JGZRPI6kQUkc5fAIarwSnFJ1h3RNDn2mg5IeeNCNDmsuWMkaIjI78p/6NNna9GRToPjm Pl9w==
X-Gm-Message-State: AA6/9RmpWF70NyussXvMSmZ2hSrIHqf1oK8992p3xsqYgqp8uxqD3GFxHLxOWlCGuk3dzMBCoRBWWk5gcBdsO1Ez
X-Received: by 10.36.152.5 with SMTP id n5mr7494446itd.79.1476210869778; Tue, 11 Oct 2016 11:34:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.5.148 with HTTP; Tue, 11 Oct 2016 11:33:59 -0700 (PDT)
In-Reply-To: <f42f0eef-925e-a6db-deb5-bc573c3023f2@gmx.net>
References: <f42f0eef-925e-a6db-deb5-bc573c3023f2@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Oct 2016 12:33:59 -0600
Message-ID: <CA+k3eCSkPKCBmO4dJcMV4DQNZtp+aKVL7GVKoeUOyh=9P6qytg@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=94eb2c05f7f881fdf5053e9b2091
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hvCfsjT2KIlN0hrkt6R6IfsUs1A>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Writeup for OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 18:34:33 -0000

--94eb2c05f7f881fdf5053e9b2091
Content-Type: text/plain; charset=UTF-8

I believe there are a few small WGLC comments outstanding too.

On Mon, Oct 10, 2016 at 4:30 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> Here is the shepherd writeup for the native apps document:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-
> writeups/Writeup_OAuth_NativeApps.txt
>
> There are only a few minor things missing:
>
> 1) I haven't received a response from William on my IPR confirmation
> question (as far as I can tell):
> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html
>
> 2) The document lacks an IANA Considerations section. Please add one and
> indicate that there are no actions for IANA.
>
> 3) There is an unused reference in the document, namely RFC 6819
>
> Ciao
> Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--94eb2c05f7f881fdf5053e9b2091--


From nobody Tue Oct 11 12:06:55 2016
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95FA312959A for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2016 12:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OQyht8ZKhux for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2016 12:06:52 -0700 (PDT)
Received: from mail-pf0-x234.google.com (mail-pf0-x234.google.com [IPv6:2607:f8b0:400e:c00::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4B7512950A for <oauth@ietf.org>; Tue, 11 Oct 2016 12:06:52 -0700 (PDT)
Received: by mail-pf0-x234.google.com with SMTP id 190so6485258pfv.1 for <oauth@ietf.org>; Tue, 11 Oct 2016 12:06:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=e9i4nT+ZEZn+89WQd9zQqSoF9kxGdsgEY0+kLmDmoXk=; b=BPvCU1SVKcJgRyJzwH4GI6K7qjvhWVTKnQL9EZeasb14rpM/YoChULbelVxBsX0BQz 6QNcJ6SbOartBsPrjZdPOZ+IAdHmeQtdoUKExCx07q9CQvbwWqWufZ1fg8i4zFsNjTTA 19s8N8w0CZGQk/yHI3gDhk7quE9rMqaowCRQAvxQiV2tjXdKPnsG8ptia7+iFm5qtuJU u5r/IWx3TOSWFZAb/sG0u8RsTV1WjCQvgnlHdKur+zQ7KSRUEyX//abGGSIYh1Izsxk0 RSFFkQChN8VKAsGl0ZV5ucpQuFgzweNJikW/l1zFT4IOQ/V7eNJ7GUl6kRYRzVFUjS2f SszQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=e9i4nT+ZEZn+89WQd9zQqSoF9kxGdsgEY0+kLmDmoXk=; b=e8Ie0CVbG8vjqQtXtdsBoFqK5ZAQDDexh+fzr9uJk7OpO6+hG0B4x0AfS/amRJJhRo 8nWd6ovXSzF2Th1Q8yavKZSnWbkMSEao+/ZEvl/cfiZZ3oJE2Bs1acwlsxa7Rm1JF7rG 8/L+/wgDzVFKSSOEFKRLfb2vPDDGNIjx6hB5Oz5JSvTy8xAFdQS4Drs2WhVdiTM4+mOB E81FJvYUtX2ImKDitSHC4ttzxXbTx4JP9coNmzf2ka1+84oHClQdOCMeVobxbW7V3LA8 VKzibc0mlmNwANF1gA2hxG0vvm8b9AQNLdb/8bRJGFWf0+q8Q9znGK+B6+lbtcZaocPX rHVw==
X-Gm-Message-State: AA6/9Rk77fhTQhA1dT6mmbZpM5cUoH2014lhDEbC4FSSEuDpL8nFlApea1fKSv81N0yP4X0i
X-Received: by 10.99.1.23 with SMTP id 23mr3337234pgb.37.1476212812173; Tue, 11 Oct 2016 12:06:52 -0700 (PDT)
Received: from [192.168.8.100] ([181.201.112.254]) by smtp.gmail.com with ESMTPSA id yo3sm6061120pac.42.2016.10.11.12.06.49 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 11 Oct 2016 12:06:50 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9344743A-E2E9-460F-B859-3E3D10B92911"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCSkPKCBmO4dJcMV4DQNZtp+aKVL7GVKoeUOyh=9P6qytg@mail.gmail.com>
Date: Tue, 11 Oct 2016 16:06:47 -0300
Message-Id: <E2F7873D-63E5-4E66-8988-AC50DBED012A@ve7jtb.com>
References: <f42f0eef-925e-a6db-deb5-bc573c3023f2@gmx.net> <CA+k3eCSkPKCBmO4dJcMV4DQNZtp+aKVL7GVKoeUOyh=9P6qytg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MBfVXpI4pihKIXkREYpU43PPTBs>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Writeup for OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 19:06:54 -0000

--Apple-Mail=_9344743A-E2E9-460F-B859-3E3D10B92911
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

An updated draft with the IANA section and comments addressed will be out shortly.

We will try to get it out today or early tomorrow.

John B.


> On Oct 11, 2016, at 3:33 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> I believe there are a few small WGLC comments outstanding too.
> 
> On Mon, Oct 10, 2016 at 4:30 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> Hi all,
> 
> Here is the shepherd writeup for the native apps document:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
> 
> There are only a few minor things missing:
> 
> 1) I haven't received a response from William on my IPR confirmation
> question (as far as I can tell):
> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html
> 
> 2) The document lacks an IANA Considerations section. Please add one
> and indicate that there are no actions for IANA.
> 
> 3) There is an unused reference in the document, namely RFC 6819
> 
> Ciao
> Hannes
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_9344743A-E2E9-460F-B859-3E3D10B92911--


From nobody Wed Oct 12 18:15:57 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EAA711295C8; Wed, 12 Oct 2016 18:15:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.34.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147632135295.6393.13849770710912045247.idtracker@ietfa.amsl.com>
Date: Wed, 12 Oct 2016 18:15:52 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DfXP_WQRYz5b4LF3NI6sE55W4ZQ>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 01:15:53 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 for Native Apps
        Authors         : William Denniss
                          John Bradley
	Filename        : draft-ietf-oauth-native-apps-04.txt
	Pages           : 18
	Date            : 2016-10-12

Abstract:
   OAuth 2.0 authorization requests from native apps should only be made
   through external user-agents, primarily the user's browser.  This
   specification details the security and usability reasons why this is
   the case, and how native apps and authorization servers can implement
   this best practice.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Oct 12 18:26:57 2016
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A0C129677 for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2016 18:26:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level: 
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7icW_EO8OOw for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2016 18:26:54 -0700 (PDT)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E5BD12966D for <oauth@ietf.org>; Wed, 12 Oct 2016 18:26:54 -0700 (PDT)
Received: by mail-yb0-x230.google.com with SMTP id e20so25705804ybb.0 for <oauth@ietf.org>; Wed, 12 Oct 2016 18:26:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n8tfuXiP6FKBI7LyxJ8wX3O8OREovm0S2orAt6vpn+A=; b=Uzxu1k7OLjRQs5FbOjEazE/I62L/KWcBX0TkAX5lt4UtZolkpnmSTd40bYMMXXkvNp py/KR2gSKdPmPldAaJNbLvyO4FmlpXROJcQ3nvc8WigV+64HOytuClfKlv2Dz+uUJV+r VzMVa1e8XHC66sUlIAMKIsbExG/W3RaHId9M6cxAwC9xv0FXC2eVNU0wKctwaiytxuyI lnoe1+yVdWCNwpAB6q+5wurO/xcsTbXG9rEAiPyFx5HCm/0o+X9cNHghF9KaqcdJbk9K adx1AlAeiVYyt/6Q3QbPMUzXOYueX6GtJ/5uzIbIE/s2ZW/We3kSU+V7ba3pDsPLGACl oKBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n8tfuXiP6FKBI7LyxJ8wX3O8OREovm0S2orAt6vpn+A=; b=SQBFRXiBYdig07WcBbJajNV1yE1mlxS6pWUkyH2z8clu3QeTiN4Ho5QxL+7LS70JSb xVWoNXwd2DVdHAYObLo8blVZvgDs2wTtcpRu+orBNKNDgg4Y+RT3k6TeBCVD0MpyPkc/ LBiZY8nqPP5taScWNqlXJ6apTrUCc7aXP+1AwvUsVvUW3k5DpER7dme9meE7DC+f7QH9 O1SGB5qa1dxvIvFoWOIV8jsgElyEhk49me5oC6RgGScde3C+NVtjdCspevGdvSPQHx8v q28X/E+MmeDOqcjbAj9imzh7wPGt5a1KJXMfBvi0+c2oCiNRn4Fr9Zof5D8EGCRZuDEo uFbA==
X-Gm-Message-State: AA6/9RnsbkxwNMobIeel3XZuLx+t0QjoWRWFLF2Z8gn0bvRJAPYqtAUs7bfOr+EN7qPyZYcFyj/SXjrUq/MdCQJx
X-Received: by 10.37.77.137 with SMTP id a131mr3453832ybb.1.1476322013446; Wed, 12 Oct 2016 18:26:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.151 with HTTP; Wed, 12 Oct 2016 18:26:33 -0700 (PDT)
In-Reply-To: <57e008ef.4ae60d0a.20a32.de2a@mx.google.com>
References: <78c4a842-3d86-7f67-bd4d-9243377ce251@gmx.net> <57e008ef.4ae60d0a.20a32.de2a@mx.google.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 12 Oct 2016 18:26:33 -0700
Message-ID: <CAAP42hDiU050QZzeiKOu8G55GDdciDG2BFy4TbUq4zL4pVUDTw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a113c5bc22ff7f7053eb5015a
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4v9jOpIOj6Nr45IHBUMSDcdIFXY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 for Native Apps: IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 01:26:57 -0000

--001a113c5bc22ff7f7053eb5015a
Content-Type: text/plain; charset=UTF-8

I know of no IPR disclosures for this document.

I have none to make.

- William Denniss

On Mon, Sep 19, 2016 at 8:49 AM, <ve7jtb@ve7jtb.com> wrote:

> I know of no IPR disclosures for this document.
>
> I have none to make.
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
> *From: *Hannes Tschofenig <hannes.tschofenig@gmx.net>
> *Sent: *September 19, 2016 6:07 AM
> *To: *oauth@ietf.org
> *Subject: *[OAUTH-WG] OAuth 2.0 for Native Apps: IPR Confirmation
>
> Hi William, Hi John,
>
> I am working on the shepherd writeup for the Native Apps document:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-03
>
> One item in the template requires me to indicate whether each document
> author has confirmed that any and all appropriate IPR disclosures
> required for full conformance with the provisions of BCP 78 and BCP 79
> have already been filed.
>
> Could you please confirm?
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--001a113c5bc22ff7f7053eb5015a--


From nobody Wed Oct 12 18:32:55 2016
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A98771295F0 for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2016 18:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.696
X-Spam-Level: 
X-Spam-Status: No, score=-5.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnuaiVesReNB for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2016 18:32:51 -0700 (PDT)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EE0A1295C4 for <oauth@ietf.org>; Wed, 12 Oct 2016 18:32:51 -0700 (PDT)
Received: by mail-yw0-x22a.google.com with SMTP id u124so44028848ywg.3 for <oauth@ietf.org>; Wed, 12 Oct 2016 18:32:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aadtihXaDr6Yuf/BHFNtroaLdXGZqc/wdGnsP/4unV4=; b=MKonopPAkups2eyvR07C6equnXR8cQghic0CN+1ThsB6It7/Di2/UxK8/O+efOQ39a klLlbo1C8sK7zFxLfcxxv2Hvjy30o8IRL0RJGUwNxx9bfUwVjJGMPkZRv8rYobPAl+kP aeMrUVYECsbnqAfvZ9yj61eKweutaDBt98idi/I8oOSpqwd9ONAYCQFs8qNJ7/TMYipH SzGdPByxL3YoJy8smw+rt5C1AfsMEHXYDbQncxSN2FIQRKcQBPBqh2vE2sVjWlRVVnGk zEv9w78XtGpOklOxkmZvVIVxBQFRLEJy2Id9TZBiXckVqzxIilGuzMAABW3dhDCvFudG Q+uQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aadtihXaDr6Yuf/BHFNtroaLdXGZqc/wdGnsP/4unV4=; b=MisGY/JjUSfHXwMdKySiYJAY0okW1n5IXtc3XJd3WXOPR4CxVjHCKZI6VEpRHEKWfT e1RpkQLn4P3y7j/2DDX6tGRf9Gg/wTnn/8eA8Kwr1tF88Q8KVwabsGHX0V3qUvVqUf9y JzzZx+GZNSxNqsRFUzLlShMs6oSbQgz9VpGWu7Osk5HTce7dfYZCA4w7tmB3RfVRjFTJ /7Wu+VUYvVXisbjJo71hiZ31T83C9Mt4vbtwSALafSZCc6eEJetFkGd2C1DoV02U9Rqj +XYTq5XnrcwbiOpwseNgqgWUeCGJ54Ih0L9knRVBVVfDOuY8eFk2IaRaZelkh1qqjaok Fawg==
X-Gm-Message-State: AA6/9RlUiNyYOdRl9fLT5g7sF0eNxP3mlFyT1wECb1PmI/KN9dd4CTMDh5jEgkUnR8/n3U9xSeOe+vOj0+JsIHi3
X-Received: by 10.129.105.194 with SMTP id e185mr3382887ywc.327.1476322370541;  Wed, 12 Oct 2016 18:32:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.151 with HTTP; Wed, 12 Oct 2016 18:32:30 -0700 (PDT)
In-Reply-To: <E2F7873D-63E5-4E66-8988-AC50DBED012A@ve7jtb.com>
References: <f42f0eef-925e-a6db-deb5-bc573c3023f2@gmx.net> <CA+k3eCSkPKCBmO4dJcMV4DQNZtp+aKVL7GVKoeUOyh=9P6qytg@mail.gmail.com> <E2F7873D-63E5-4E66-8988-AC50DBED012A@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 12 Oct 2016 18:32:30 -0700
Message-ID: <CAAP42hC7+RQbFq9cQf0ZuWCW1amwCs95=HC42Qgwm0U+Y0FFVw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a11490b2c78d94a053eb51656
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/E6OiOPjSqSzw2quIRrCidkq3FAs>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Writeup for OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 01:32:53 -0000

--001a11490b2c78d94a053eb51656
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thank you for the write-up Hannes.

Version 04 adds an IANA Considerations section as promised. In reviewing the
IANA considerations, I added a normative reference to RFC7595 where private
use of the URI namespace is defined (and which we were compliant with already
– but I made that more clear as well).

RFC6819 is now informatively referenced.

I went over the ID-nits checklist and cleaned up some of the less stable
informative references based on that. I also did a general editing pass to
clean up some of the rough edges.

I believe all 3 points are addressed now.


On Tue, Oct 11, 2016 at 12:06 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> An updated draft with the IANA section and comments addressed will be out
> shortly.
>
> We will try to get it out today or early tomorrow.
>
> John B.
>
>
> On Oct 11, 2016, at 3:33 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> I believe there are a few small WGLC comments outstanding too.
>
> On Mon, Oct 10, 2016 at 4:30 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
>> Hi all,
>>
>> Here is the shepherd writeup for the native apps document:
>> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
>>
>> There are only a few minor things missing:
>>
>> 1) I haven't received a response from William on my IPR confirmation
>> question (as far as I can tell):
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html
>>
>> 2) The document lacks an IANA Considerations section. Please add one and
>> indicate that there are no actions for IANA.
>>
>> 3) There is an unused reference in the document, namely RFC 6819
>>
>> Ciao
>> Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

--001a11490b2c78d94a053eb51656--


From nobody Fri Oct 14 12:37:21 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C00129510; Fri, 14 Oct 2016 12:37:20 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.34.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147647384048.18564.8955731546848627977.idtracker@ietfa.amsl.com>
Date: Fri, 14 Oct 2016 12:37:20 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZJtdhbokW8ov0s7_dW849M21rlc>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-amr-values-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 19:37:21 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : Authentication Method Reference Values
        Authors         : Michael B. Jones
                          Phil Hunt
                          Anthony Nadalin
	Filename        : draft-ietf-oauth-amr-values-03.txt
	Pages           : 13
	Date            : 2016-10-14

Abstract:
   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry but no
   standard Authentication Method Reference values are currently
   defined.  This specification establishes a registry for
   Authentication Method Reference values and defines an initial set of
   Authentication Method Reference values.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-amr-values-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-amr-values-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
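The abstract above says the draft establishes a registry of "amr" (Authentication Methods References) values. As an added example, not code from the draft, its authors or this list, here is how a relying party might decode that claim from a JWT and enforce a policy on it in Python. The method names are ones the registry defines (password, PIN, knowledge-based, one-time password, hardware key, SMS, fingerprint, face, and the explicit multiple-factor value); their grouping into factors, the sample tokens and the placeholder signature segment are this example's own assumptions, and signature verification is assumed to have happened before any of these checks run.

```python
import base64
import json

# Hypothetical relying-party policy.  Which registry value counts as which
# kind of factor is this example's choice, not something the draft states.
KNOWLEDGE_FACTORS = {"pwd", "pin", "kba"}
POSSESSION_OR_INHERENCE = {"otp", "hwk", "sms", "fpt", "face"}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the claims of a compact JWS.  Signature verification is out of
    scope here and must happen before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def amr_values(claims):
    """Extract "amr".  The claim is optional, but when present it must be a
    JSON array of strings, so any other shape is rejected rather than coerced."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be a JSON array of strings')
    return amr


def satisfies_mfa(amr):
    """Policy: accept an explicit "mfa" assertion, or a knowledge factor
    combined with a distinct possession/inherence factor.  Two methods of
    the same kind, e.g. ["pwd", "pin"], do not count as two factors."""
    methods = set(amr)
    if "mfa" in methods:
        return True
    return bool(methods & KNOWLEDGE_FACTORS) and bool(methods & POSSESSION_OR_INHERENCE)


def build_sample_token(claims):
    """Constructed sample input only: header and claims with a placeholder
    signature segment, so the decoder can be exercised offline."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return seg({"alg": "RS256", "typ": "JWT"}) + "." + seg(claims) + ".placeholder"


def token_meets_policy(token):
    """End-to-end check a resource server or RP runs after signature
    verification: decode, validate the claim shape, evaluate the policy."""
    return satisfies_mfa(amr_values(decode_jwt_payload(token)))
```

Because the claim is optional, a missing "amr" evaluates to "no methods asserted" and therefore fails the MFA policy rather than passing by default; a malformed claim is an error, since silently accepting a string where an array is required would let a single method masquerade as a list.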


From nobody Fri Oct 14 12:50:33 2016
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A678129510 for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2016 12:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZigaCmTIS1J for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2016 12:50:29 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0123.outbound.protection.outlook.com [104.47.34.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AC3C129499 for <oauth@ietf.org>; Fri, 14 Oct 2016 12:50:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=26SlSZVmWkXY94cFbcngr6TesVzPJrTJ9noiH6uE4NA=; b=Zz6hP8EbyPJcgrGkp66ezQPxYuLjQmx/0aEGxMZDgrZ6M6xMdoPSwSF31O6I0mfqQFyVqdSudqV6AdnAW6t0GDZavux5Uz8cvZoqV7+6+mD1MHjMVWJh8SvWP6BylheoQbWdoEV58tBdsw+wazNDtWUvxgFV9PxqO+32wXx/LRo=
Received: from CO2PR03MB2358.namprd03.prod.outlook.com (10.166.93.18) by CO2PR03MB2360.namprd03.prod.outlook.com (10.166.93.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Fri, 14 Oct 2016 19:50:28 +0000
Received: from CO2PR03MB2358.namprd03.prod.outlook.com ([10.166.93.18]) by CO2PR03MB2358.namprd03.prod.outlook.com ([10.166.93.18]) with mapi id 15.01.0659.020; Fri, 14 Oct 2016 19:50:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: “amr” Values specification addressing shepherd comments
Thread-Index: AdImQtsMEoxNh1oJRluF8GSkwclI9A==
Date: Fri, 14 Oct 2016 19:50:28 +0000
Message-ID: <CO2PR03MB235882C7DCB61996BDCE04EEF5DF0@CO2PR03MB2358.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [50.201.94.142]
x-ms-office365-filtering-correlation-id: 2d05d483-4ed2-40ff-be29-08d3f46b5944
x-microsoft-exchange-diagnostics: 1; CO2PR03MB2360; 7:FDuzs8i3BiFGhYgLQF4KUAlhd+UHoXJM5CuwEpt+sz3oVIY8sWfRbHFrFoYjVsdydd2VrUm2irhavufYl0shDOn5ce6g9WortM5K9BmLB+XO8/e6Xy9mZGY0xdkL7lq22hyOesb12eweEH7yLcry/x9vVz2UynqRuSV6dVtj6QMNdB1z021ril4tojtRL9NyANcn1OChhcDjSZ4HKXuPKzMysEb/ufQm2jhZVd30+MLlRCO0TQ6C0qrqjGYvfW4L7B7DROrzMBfJ9zY+BYOK8cu6tKN5nnCRbtnp100cFwOYDCm8OhIaIkI5VykCfhnqWaS+uwJSbphvKreBmLLlAj65EfLmJGFMT6/Zi4XCNwuROnM9BntdkQAHW1xGV/xY
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO2PR03MB2360;
x-microsoft-antispam-prvs: <CO2PR03MB2360A74A61DCEEF8E002873DF5DF0@CO2PR03MB2360.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(31418570063057)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:CO2PR03MB2360; BCL:0; PCL:0; RULEID:; SRVR:CO2PR03MB2360; 
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(209900001)(189002)(199003)(229853001)(105586002)(86362001)(3846002)(2351001)(102836003)(110136003)(6916009)(11100500001)(66066001)(586003)(10090500001)(790700001)(6116002)(106356001)(99286002)(107886002)(101416001)(19617315012)(5002640100001)(54356999)(5660300001)(50986999)(86612001)(189998001)(7696004)(8990500004)(5005710100001)(97736004)(10400500002)(10290500002)(2906002)(5640700001)(5630700001)(2900100001)(450100001)(3280700002)(77096005)(15975445007)(122556002)(3660700001)(81156014)(81166006)(19580395003)(1730700003)(7906003)(7736002)(7846002)(8936002)(76576001)(2501003)(19300405004)(33656002)(87936001)(9686002)(92566002)(74316002)(16236675004)(19625215002)(68736007)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR03MB2360; H:CO2PR03MB2358.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CO2PR03MB235882C7DCB61996BDCE04EEF5DF0CO2PR03MB2358namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2016 19:50:28.3035 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR03MB2360
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7EUVsPRzKiytUf0rcI-fzNKpVVQ>
Subject: [OAUTH-WG] “amr” Values specification addressing shepherd comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 19:50:31 -0000

--_000_CO2PR03MB235882C7DCB61996BDCE04EEF5DF0CO2PR03MB2358namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Draft -03 of the Authentication Method Reference Values specification
addresses the shepherd comments.  It changes the references providing
information about specific “amr” values to be informative, rather than
normative.  A reference to ISO/IEC 29115 was also added.  No normative
changes were made.

The specification is available at:

· http://tools.ietf.org/html/draft-ietf-oauth-amr-values-03

An HTML-formatted version is also available at:

· http://self-issued.info/docs/draft-ietf-oauth-amr-values-03.html

                                                       -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1614 and
as @selfissued<https://twitter.com/selfissued>.

--_000_CO2PR03MB235882C7DCB61996BDCE04EEF5DF0CO2PR03MB2358namp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Draft -03 of the Authentication Method Reference Values specification addresses the shepherd comments. It changes the references providing information about specific “amr” values to be informative, rather than normative. A reference to ISO/IEC 29115 was also added. No normative changes were made.</p>
<p class="MsoNormal">The specification is available at:</p>
<ul>
<li><a href="http://tools.ietf.org/html/draft-ietf-oauth-amr-values-03">http://tools.ietf.org/html/draft-ietf-oauth-amr-values-03</a></li>
</ul>
<p class="MsoNormal">An HTML-formatted version is also available at:</p>
<ul>
<li><a href="http://self-issued.info/docs/draft-ietf-oauth-amr-values-03.html">http://self-issued.info/docs/draft-ietf-oauth-amr-values-03.html</a></li>
</ul>
<p class="MsoNormal">-- Mike</p>
<p class="MsoNormal">P.S. This notice was also posted at <a href="http://self-issued.info/?p=1614">http://self-issued.info/?p=1614</a> and as <a href="https://twitter.com/selfissued">@selfissued</a>.</p>
</div>
</body>
</html>

--_000_CO2PR03MB235882C7DCB61996BDCE04EEF5DF0CO2PR03MB2358namp_--


From nobody Mon Oct 17 01:48:23 2016
To: John Bradley <ve7jtb@ve7jtb.com>, OAuth WG <oauth@ietf.org>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com>
Date: Mon, 17 Oct 2016 11:47:45 +0300
In-Reply-To: <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jDpY09qrXHBgq6EsbUOPh8lad3w>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 08:48:21 -0000

Superb, I welcome that!

Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2 :

My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.

Have you considered some kind of an open-ended enumeration of the
possible binding methods, and giving them some identifiers or names, so
that AS / OPs can advertise them in their metadata, and clients register
accordingly?

For example:

"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]


Cheers,

Vladimir


On 10/10/16 23:59, John Bradley wrote:
> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>
> The banks want to use it for some server to server API use cases being driven by new open banking regulation.
>
> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>
> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a registered value, or something in between.
>
> I hope that this is non-controversial and the WG can adopt it quickly.
>
> Regards
> John B.
>
>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>>
>>
>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>> has been successfully submitted by John Bradley and posted to the
>> IETF repository.
>>
>> Name:		draft-campbell-oauth-tls-client-auth
>> Revision:	00
>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>> Document date:	2016-10-10
>> Group:		Individual Submission
>> Pages:		5
>> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>
>>
>> Abstract:
>>   This document describes X.509 certificates as OAuth client
>>   credentials using Transport Layer Security (TLS) mutual
>>   authentication as a mechanism for client authentication to the
>>   authorization server's token endpoint.
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
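Added example (an editor's illustration, not code from the thread, from the draft or from any implementation mentioned in it): the two binding methods Vladimir names above, "subject_alt_name_match" and "subject_public_key_info_match", written as the check an authorization server would run on the certificate presented at its token endpoint, in Go, against a constructed in-memory client CA. The method names are the ones from the message; the ClientRegistration shape, the client_id "s6BhdRkqt3", the host name client.example.com, the fixture CA and the error strings are assumptions made for the demo. Demo() also presents a renewed certificate that carries the same SAN but a fresh key pair from the same CA: SAN matching accepts it, because the CA vouches for the name, while the SPKI pin rejects it, which is the difference in trust model John describes between a CA-restricted name and a registered public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Binding-method names as floated in the thread (illustrative; registered nowhere).
const BindSubjectAltName = "subject_alt_name_match"
const BindSubjectPublicKeyInfo = "subject_public_key_info_match"

type ClientRegistration struct { // assumed shape of what the AS stores for a "tls_client_auth" client
	ClientID   string
	BindMethod string
	DNSName    string // expected SAN dNSName (subject_alt_name_match)
	SPKISHA256 string // base64url(SHA-256(DER SubjectPublicKeyInfo)) (subject_public_key_info_match)
}

// SPKIThumbprint hashes the DER SubjectPublicKeyInfo, so a pin survives renewal with the same key pair.
func SPKIThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthenticateClient binds the handshake certificate to the token request's client_id: SAN matching trusts a restricted CA set to vouch for the name, SPKI matching pins the key itself.
func AuthenticateClient(reg ClientRegistration, cert *x509.Certificate, trustedCAs *x509.CertPool) error {
	switch reg.BindMethod {
	case BindSubjectAltName:
		if _, err := cert.Verify(x509.VerifyOptions{Roots: trustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
			return fmt.Errorf("client %s: chain not rooted in a registered CA: %w", reg.ClientID, err)
		}
		for _, n := range cert.DNSNames {
			if strings.EqualFold(n, reg.DNSName) { // DNS names compare case-insensitively
				return nil
			}
		}
		return fmt.Errorf("client %s: no SAN dNSName equals %q", reg.ClientID, reg.DNSName)
	case BindSubjectPublicKeyInfo:
		if SPKIThumbprint(cert) != reg.SPKISHA256 {
			return fmt.Errorf("client %s: key does not match the registered SPKI thumbprint", reg.ClientID)
		}
		return nil
	default:
		return fmt.Errorf("client %s: unsupported binding method %q", reg.ClientID, reg.BindMethod)
	}
}

// issue builds a constructed fixture: a P-256 key plus a self-signed CA (parent nil) or a client-auth leaf with cn as SAN dNSName. Panics on error, fixture code only.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // serial: unique enough for a fixture
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by CreateCertificate
	return cert, key
}

// Demo registers one client under each method and presents the registered certificate and a re-keyed renewal from the same CA.
func Demo() map[string]error {
	ca, caKey := issue(nil, nil, "Example Client CA")
	sanReg := ClientRegistration{ClientID: "s6BhdRkqt3", BindMethod: BindSubjectAltName, DNSName: "client.example.com"} // assumed client
	registered, _ := issue(ca, caKey, sanReg.DNSName)
	rekeyed, _ := issue(ca, caKey, sanReg.DNSName) // same SAN, fresh key pair
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	spkiReg := ClientRegistration{ClientID: "s6BhdRkqt3", BindMethod: BindSubjectPublicKeyInfo, SPKISHA256: SPKIThumbprint(registered)}
	return map[string]error{
		"san/registered":  AuthenticateClient(sanReg, registered, pool),
		"spki/registered": AuthenticateClient(spkiReg, registered, pool),
		"san/rekeyed":     AuthenticateClient(sanReg, rekeyed, pool),
		"spki/rekeyed":    AuthenticateClient(spkiReg, rekeyed, pool),
	}
}

func main() { fmt.Println(Demo()) }
```

In a real token endpoint the certificate comes from the TLS layer (in net/http, r.TLS.PeerCertificates[0]), and the listener has to demand one: tls.RequireAndVerifyClientCert with ClientCAs set for the SAN method, or tls.RequireAnyClientCert when the AS pins the SPKI itself and no CA is involved. Expiry and revocation handling are left to the TLS layer in this example.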


From nobody Wed Oct 19 08:12:01 2016
References: <147688962347.8884.14961306017905306662.idtracker@ietfa.amsl.com>
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <d3140f6d-0586-5264-37ab-1e0a45ed4d4a@gmx.net>
Date: Wed, 19 Oct 2016 17:11:52 +0200
In-Reply-To: <147688962347.8884.14961306017905306662.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0FUUU7AULOAEpvYFKQrKLueL1Wg>
Subject: [OAUTH-WG] Fwd: Publication has been requested for draft-ietf-oauth-amr-values-03

FYI: I have just submitted the OAuth AMR to the IESG.

-------- Forwarded Message --------
Subject: Publication has been requested for draft-ietf-oauth-amr-values-03
Date: Wed, 19 Oct 2016 08:07:03 -0700
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Kathleen.Moriarty.ietf@gmail.com
CC: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Hannes.Tschofenig@gmx.net, iesg-secretary@ietf.org, oauth-chairs@ietf.org

Hannes Tschofenig has requested publication of
draft-ietf-oauth-amr-values-03 as Proposed Standard on behalf of the
OAUTH working group.

Please verify the document's state at
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/


From nobody Wed Oct 19 11:45:22 2016
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
Date: Wed, 19 Oct 2016 20:45:13 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bXd3UWV74Gzf4L6n484G9vZCtQ0>
Subject: [OAUTH-WG] Future of PoP Work

Hi all,

Two questions surfaced at the last IETF meeting, namely

1) Do we want to proceed with the symmetric implementation of PoP or,
alternatively, do we want to move it over to the ACE working group?

2) Do we want to continue the work on HTTP signing?

We would appreciate your input on these two questions.

Ciao
Hannes & Derek


From nobody Wed Oct 19 12:05:03 2016
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 19 Oct 2016 19:04:57 +0000
Message-ID: <CO2PR03MB23588AC1D7A56A3A525FF1FDF5D20@CO2PR03MB2358.namprd03.prod.outlook.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
In-Reply-To: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [23.25.204.37]
x-ms-office365-filtering-correlation-id: 560017e5-304d-4c45-6ade-08d3f852d158
x-microsoft-exchange-diagnostics: 1; CO2PR03MB2360; 7:83SESKHyRI/fsh36i4b3MiEs0P2ZB8Zs5tvQCA9cVuvP5R70gmWTaOslFC4aTjKZbFF48VxjU7oMEz20YATpxLT3Jho1qc7fUE6+JgSMsxNL2zII4B4ElJ3PvG1QrUoEbKoQL6hGaV1naxaspkphtEr+ZtQp3Vrmh9E6TLAavdzo/4F+kUZXjt1F6o8JjRR3WJTeIWLosEm5ArHqFxWaUB2SQ8lt21KVSqDs6V17h/wTwXlzFkc+E8wcyzxz0oKDpX1eXs3QWYHA+JdEbDL5mOehxhMgLKZXp3bd6ZsxQqomFa16uPX/wYSfB2n0uw6WIg0IkT4ISlaqwETWvl8D/6PdG+Hb9xoBcJ1dOlfb4yDNv6HD00EP+OYBeBDeOql2
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO2PR03MB2360;
x-microsoft-antispam-prvs: <CO2PR03MB23600B1D24B4321B5EF340E7F5D20@CO2PR03MB2360.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:CO2PR03MB2360; BCL:0; PCL:0; RULEID:; SRVR:CO2PR03MB2360; 
x-forefront-prvs: 0100732B76
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(199003)(377454003)(53754006)(13464003)(189002)(2950100002)(3280700002)(105586002)(66066001)(81166006)(8936002)(2906002)(92566002)(97736004)(99286002)(2501003)(5001770100001)(5002640100001)(8990500004)(106356001)(81156014)(305945005)(87936001)(11100500001)(106116001)(10290500002)(122556002)(10400500002)(7736002)(5005710100001)(7846002)(77096005)(76576001)(6116002)(102836003)(86362001)(19580395003)(10090500001)(33656002)(3846002)(9686002)(5660300001)(2900100001)(15975445007)(86612001)(19580405001)(74316002)(8676002)(54356999)(50986999)(3660700001)(189998001)(7696004)(76176999)(68736007)(586003)(101416001)(107886002); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR03MB2360; H:CO2PR03MB2358.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2016 19:04:57.0459 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR03MB2360
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vowzR28thXYwsFZbYyXk94sfvho>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 19:05:01 -0000

1.  We should continue the PoP work in the OAuth working group and not move it to ACE.  (This was also discussed in the minutes at https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth.)

2.  We should abandon the HTTP signing work.  It is both overly complicated *and* incomplete - not a good combination.  This same combination is what led people to abandon OAuth 1.0 in favor of WRAP and later OAuth 2.0.  We should learn from our own mistakes. ;-)

                -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, October 19, 2016 2:45 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Future of PoP Work

Hi all,

two questions surfaced at the last IETF meeting, namely

1) Do we want to proceed with the symmetric implementation of PoP or, alternatively, do we want to move it over to the ACE working group?

2) Do we want to continue the work on HTTP signing?

We would appreciate your input on these two questions.

Ciao
Hannes & Derek


From nobody Wed Oct 19 12:18:53 2016
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78B31296AF for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.633
X-Spam-Level: 
X-Spam-Status: No, score=-4.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDA_E1tB9jTF for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:18:50 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B81B129665 for <oauth@ietf.org>; Wed, 19 Oct 2016 12:18:49 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u9JJIkga019167 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 19 Oct 2016 19:18:46 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id u9JJIja3029519 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 19 Oct 2016 19:18:46 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u9JJIe9B011808; Wed, 19 Oct 2016 19:18:41 GMT
Received: from [10.0.1.4] (/24.86.208.48) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 19 Oct 2016 12:18:39 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14A456)
In-Reply-To: <CO2PR03MB23588AC1D7A56A3A525FF1FDF5D20@CO2PR03MB2358.namprd03.prod.outlook.com>
Date: Wed, 19 Oct 2016 12:18:36 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B98FAA3-F0A9-409A-9975-6C5D7C2E59AE@oracle.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <CO2PR03MB23588AC1D7A56A3A525FF1FDF5D20@CO2PR03MB2358.namprd03.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LaJNpHXj2EBupKY4XIp3fZdWsXc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 19:18:52 -0000

While the tokbind seems strategic, there are concerns about universality. A chief barrier is getting all TLS termination points to support it - a matter of substantial time.

There are also those that argue that we still need an app layer end-to-end solution that PoP provides.

That said, I am not sure PoP is that useful without some form of request/response signing solution.

I hate to say this but maybe we have to go with some form of encapsulation? E.g. a signed HTTP request within an HTTP request? Ugh!

Phil

> On Oct 19, 2016, at 12:04 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> 1.  We should continue the PoP work in the OAuth working group and not move it to ACE.  (This was also discussed in the minutes at https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth.)
> 
> 2.  We should abandon the HTTP signing work.  It is both overly complicated *and* incomplete - not a good combination.  This same combination is what led people to abandon OAuth 1.0 in favor of WRAP and later OAuth 2.0.  We should learn from our own mistakes. ;-)
> 
>                -- Mike
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, October 19, 2016 2:45 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Future of PoP Work
> 
> Hi all,
> 
> two questions surfaced at the last IETF meeting, namely
> 
> 1) Do we want to proceed with the symmetric implementation of PoP or, alternatively, do we want to move it over to the ACE working group?
> 
> 2) Do we want to continue the work on HTTP signing?
> 
> We would appreciate your input on these two questions.
> 
> Ciao
> Hannes & Derek
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Oct 19 12:54:28 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E822129712 for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:54:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4L7xeP2nOTIq for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:54:25 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E38A12970F for <oauth@ietf.org>; Wed, 19 Oct 2016 12:54:25 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id 4so125053343itv.0 for <oauth@ietf.org>; Wed, 19 Oct 2016 12:54:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BH9IX62fNQhwlWmAukp1sRUT0wVazQojZJK2ruzoHWQ=; b=eooDxj6JitoNOKJtz0S/ZOja8afgtrn132F+Fk7HtVaMKxkQrJ5Bt4Y76w7KQ3yx0N 2N2bx688SGtf+p+5ooHhggZp3gDhGoL0XiE7Pacsoig7rzScQvq9/zydcDRrpIe8EjI+ KREx2PrAABQ/3gt/+HvSNfp0W7VLeMpgNYx2I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BH9IX62fNQhwlWmAukp1sRUT0wVazQojZJK2ruzoHWQ=; b=S2cXz8A3nCb+RSIGYPkqMa0XFBgvsZIbEGSoLzlr5CwGV00r/hkNL68/8aFqaAhYBE y0Sr3LVlUE+osaifByBJqWcOtCpnKtSasXmzjsSFQPKMUQ60Hs0heV/XltvV16/Mezfx I2hx6dR5RMWW7hkhx9knPM2NTQxbCvOSUV5nPywwQQmatrnFMdUb6YsAdYb+V/lkDeSk unTUJI0FX1AvnGNl9eKa/SsgssIqUxZTkzkh5QCVOndUpj+WkCdoGj3vw0oohnY4k1EX Zt3rDtUf5QAUKDT9UtE8Pbk4ouH9Twt7b/eOK0NT+anLVEp1l3Q5EK6Q8hWOZkywddTI Okig==
X-Gm-Message-State: AA6/9Rm3sHCOZvduSdwCft8jkIVgrCsRZxCHxL/5rPnnCgDXqcNMNriyo4cRwk6ZJfOSB+BuQGn+Fa5XkssWV/ui
X-Received: by 10.36.2.211 with SMTP id 202mr8278114itu.35.1476906864435; Wed, 19 Oct 2016 12:54:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.5.148 with HTTP; Wed, 19 Oct 2016 12:53:53 -0700 (PDT)
In-Reply-To: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 19 Oct 2016 13:53:53 -0600
Message-ID: <CA+k3eCR+r+_xX9wZ3DaxSWs0dRB-wFiE+8KB5W5=9NTc7Lvo6A@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=001a11447c8c05ada2053f3d2d65
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hXzGlb_6HxmmwGK3lxdD06s0XCM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 19:54:27 -0000

--001a11447c8c05ada2053f3d2d65
Content-Type: text/plain; charset=UTF-8

In my opinion, at this time, the OAuth WG should not proceed with the
symmetric implementation of PoP and should not continue work on HTTP
signing.

On Wed, Oct 19, 2016 at 12:45 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> two questions surfaced at the last IETF meeting, namely
>
> 1) Do we want to proceed with the symmetric implementation of PoP or,
> alternatively, do we want to move it over to the ACE working group?
>
> 2) Do we want to continue the work on HTTP signing?
>
> We would appreciate your input on these two questions.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--001a11447c8c05ada2053f3d2d65--


From nobody Wed Oct 19 15:24:12 2016
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4787F1297E4 for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 15:24:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePgLKwytCeyh for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 15:24:08 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0129.outbound.protection.outlook.com [104.47.41.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305591297D6 for <oauth@ietf.org>; Wed, 19 Oct 2016 15:24:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=AJMYT95RZrqGUg5hLoe/mNEO5BX3zqFM9z2boRYuGHY=; b=Ye6bXszDtvbAozvWYdA2LvGGUCqZih3d4B/T1pvKiHMLfskoWrz42Db/3s5WsKAjvOnyDrjInIRfkHeKKvoNwfSfhrnhQJsvCKJOm4NAcysVrN/HK8iKV2IczdlffAsQHJ3yZiMgS0dkg3RVVuxQR08houx023sxnhLgP7WhJyY=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2032.namprd03.prod.outlook.com (10.163.226.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.16; Wed, 19 Oct 2016 22:24:05 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0669.018; Wed, 19 Oct 2016 22:24:05 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Future of PoP Work
Thread-Index: AQHSKjj2t39Snvl7mUWzoWqbyE62YKCwMJeAgAApjNA=
Date: Wed, 19 Oct 2016 22:24:05 +0000
Message-ID: <SN1PR0301MB2029D26EE92F7047527D4E21A6D20@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <CA+k3eCR+r+_xX9wZ3DaxSWs0dRB-wFiE+8KB5W5=9NTc7Lvo6A@mail.gmail.com>
In-Reply-To: <CA+k3eCR+r+_xX9wZ3DaxSWs0dRB-wFiE+8KB5W5=9NTc7Lvo6A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tonynad@microsoft.com; 
x-originating-ip: [2001:4898:80e8:1::7a0]
x-ms-office365-filtering-correlation-id: 969cfaa0-89bd-4e1e-32ca-08d3f86ea331
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB2032; 7:aSvf6JAyWrHtnsyaXs3HI6P7NWkCAN0y/8i6xqPWb4brhupi6nl8mXxu0XISvhveNBb1XF0q0RpgB98Hlk6o6lGjIPrT4lBKqYReQy4srJSYN3RRWRt2Er+KEju8xm4qYQDn5rgr2yBSKUlrvaiVaGOM3T+3wxM/RFKkSP97u60CZGFHwsFW43SJHn+s6BnBYdlFXWViKUWosCDW3fLCB7A74ZQiLZ/Vo4fLASwnxd1OwyHIOpK0tuucAFvbcV9Yp0i9Eq0oUcTk4ZJjz7zBw4+jdxkuccw3pL5L5gKFw9Xhy6zKdXCB+bgJxlzZL0Y+a9MoP4BJGZZU14OveLrNzjRNIYq8AW5PHvx7lt/5zAznKJHHhbn9UJ2vcLi0h4kr
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR0301MB2032;
x-microsoft-antispam-prvs: <SN1PR0301MB203277FE19AAE1DF30804237A6D20@SN1PR0301MB2032.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078)(248736688235697)(219752817060721)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:SN1PR0301MB2032; BCL:0; PCL:0; RULEID:(304825118); SRVR:SN1PR0301MB2032; 
x-forefront-prvs: 0100732B76
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(53754006)(199003)(377454003)(189002)(24454002)(19625215002)(189998001)(3280700002)(33656002)(5001770100001)(5002640100001)(68736007)(77096005)(101416001)(7696004)(86612001)(16236675004)(92566002)(86362001)(97736004)(15975445007)(3660700001)(11100500001)(5660300001)(10090500001)(8936002)(87936001)(74316002)(5005710100001)(10290500002)(10400500002)(122556002)(7906003)(2900100001)(19609705001)(8990500004)(7846002)(81166006)(7736002)(2950100002)(4326007)(81156014)(2906002)(19580395003)(790700001)(102836003)(586003)(19300405004)(19617315012)(19580405001)(76576001)(6116002)(105586002)(99286002)(106356001)(54356999)(8676002)(76176999)(9686002)(106116001)(50986999)(3826002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB2032; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_SN1PR0301MB2029D26EE92F7047527D4E21A6D20SN1PR0301MB2029_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2016 22:24:05.6072 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB2032
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1iqjFEe_qjuaoYZC7cygygOG-PM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 22:24:10 -0000

--_000_SN1PR0301MB2029D26EE92F7047527D4E21A6D20SN1PR0301MB2029_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_SN1PR0301MB2029D26EE92F7047527D4E21A6D20SN1PR0301MB2029_--


From nobody Fri Oct 21 11:33:00 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B2F312969E; Fri, 21 Oct 2016 11:32:59 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.36.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147707477930.28165.5020040809055466627.idtracker@ietfa.amsl.com>
Date: Fri, 21 Oct 2016 11:32:59 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pndDIGayH2GDNKC_ndL1F92zkEM>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 18:32:59 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

        Title           : OAuth 2.0 for Native Apps
        Authors         : William Denniss
                          John Bradley
        Filename        : draft-ietf-oauth-native-apps-05.txt
        Pages           : 18
        Date            : 2016-10-21

Abstract:
   OAuth 2.0 authorization requests from native apps should only be made
   through external user-agents, primarily the user's browser.  This
   specification details the security and usability reasons why this is
   the case, and how native apps and authorization servers can implement
   this best practice.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Oct 21 14:49:55 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7D0B129669 for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 14:49:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.032
X-Spam-Level: 
X-Spam-Status: No, score=-3.032 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgmEJrncWK_B for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 14:49:52 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5048F129596 for <oauth@ietf.org>; Fri, 21 Oct 2016 14:49:51 -0700 (PDT)
Received: from [192.168.91.153] ([104.132.0.103]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MMBiP-1c1HWb0vHR-00856D for <oauth@ietf.org>; Fri, 21 Oct 2016 23:49:48 +0200
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <efbcf875-7e69-d921-0121-4c3ab44cc27d@gmx.net>
Date: Fri, 21 Oct 2016 23:49:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jD2xUNc2eFMRmn3bN07MWWtHTr7N3ARMI"
X-Provags-ID: V03:K0:poBXtiKvx/jp4/mioViieQm/kH4gkGlFaiDrqG3qGkmifWLaTSj LEletjUwPVnCofg0F2YdZa3iszN364Wwik6c/DbgDG8QIB8b+upGAPUzh6RfYuwEj/pRCqy AKT9Gx9/oBefpqC1QqOzfFa+11HADZWEvBaldmCHDQ3k8upDC/wKH7VGpn7jFCkCJkkftzQ ztdzrSlQk8j5XwAHU+yjA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:l3b9rrdl9pY=:RnhsEc3hh2G19c9cJDgliI C0UF/Z0pyPOoXwsv+4wIhTR6CbbO51dBg7C6CeXZPWANHkQFP5oZcaF5ndlAsTITgY+nuZJfR WpMITL4sCMCekdo3nwkAJWM4sh2HEa+NGboZA8DLM9Z0Y4u0YUTjdEW7Fju6sziWxcZbuxlwm EqIg3sa8UuhXRni/DLawC3cqgelkrOcAu14jRmJrx6+IgGeo1aFBET5bif38pb4x4fPtUKYFe 5oOZnvai6yM2YJMHHpdyX9zC+g6N+s9aQevC/VR6uuucJBdowralKT6un3NEA4A6VTl8lFnxU ezMHjZVzVJoDAbFMuBrKYWLX30tED+sSX81KlWT3luOPdZtZEmoRv8rEMMOE51rn5kGGjzLFC YKexj6vumApZH5wJLYmEk1o684ICC6o0SS8+kNYXq0wIW1LjpGEJuwlg+Sji7B+y0W8bn5thl uA35bVgqOuP2khlYz5fNWq58KhNOxGLTRM1KBd2CrTujPDdJB5FEQf+Ze3mKHmS4WG0qHYGOm eRQXJ6Eomf8qbq5C77uNsxumc48OfBiM2CNeux3+7u2MogOvVB1HHbhH4Nav+yIHdRGNui027 CFqchpWJIR6EJrchbQCkgeGp6a705pqnJwo09qSxFw6kkIRdmTgTlbhlrkgAmL42TticT/nAW s0Vw+mjvE6b2jD8uY0ujaIvS3m63jr1Z3Ltk4uHnMTq3HEFdV96LlkHIZKb5BixhgrnwH7bYR sTlZInX7C0ky/NkF/hHcuu/zU3z2hC7wrOHIOCdMAjvPjw1zB4JROVZcLqA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aim5RIoIfM9q7zvKEKkf5RwXjsU>
Subject: [OAUTH-WG] Metadata about Authorization Servers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 21:49:54 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--jD2xUNc2eFMRmn3bN07MWWtHTr7N3ARMI
Content-Type: multipart/mixed; boundary="arp6IqR34Ra8Fmuk6kp5x11SekK5XXChF";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <efbcf875-7e69-d921-0121-4c3ab44cc27d@gmx.net>
Subject: Metadata about Authorization Servers

--arp6IqR34Ra8Fmuk6kp5x11SekK5XXChF
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

I need the feedback from the group on one of our working group items,
namely https://tools.ietf.org/html/draft-ietf-oauth-discovery-04

Despite the name (discovery) the document really only describes
configuration information about an authorization server in a machine
readable form, which today a developer would typically retrieve from an
HTML page. The configuration information includes things like endpoint
URIs, issuer identifiers, etc.

In the discussions the concern that surfaced was about the envisioned
message flow on when a client would obtain such information:

* One group was of the opinion that a client would already know what
resource server it wants to talk to before reaching out to the
authorization server to obtain this meta data.

* The second group was under the belief that a resource server would
tell the client what authorization server to contact.

There was no conclusion about which message interaction is more likely
or better but in any case there are security concerns that arise. I
don't think that there is a conclusion that the message interaction
actually matters for the context of this work since the information
about resource servers is available already today although not in a
machine readable form.

The main concern is that a resource server gets the client to obtain a
token that he can then re-use with other resource servers.

Quite naturally this is a bad thing and we have developed two solution
approaches to deal with this problem, namely

* Audience restricted access tokens (see
https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-01),

and

* PoP tokens (with the current token binding solution as a WG item)

Since token binding will need a bit of time before it gets widely
deployed I believe that we need to mandate the use of audience
restrictions for use with the resource metadata (which IMHO should have
been mandated already in the OAuth core specification).

I don't think we have a conclusion whether these security issues are
really tied to the metadata document since the security concern about
tokens getting replayed at other resource servers was a concern long
before the metadata work was even considered in OAuth.

So, how should we move forward with the metadata document? Your views
are appreciated!

Ciao
Hannes


--arp6IqR34Ra8Fmuk6kp5x11SekK5XXChF--

--jD2xUNc2eFMRmn3bN07MWWtHTr7N3ARMI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYCo16AAoJEGhJURNOOiAtMH4IAJsIE5gwa+h8TuKCce/FSOac
atWbFX/cLx2iRakxGCJlzXlX/HXbMjqnnBK3rbQgnUA8ApyBjkNOPbEtR5DgQi6k
0iwoXwUSstqyO1AyTTjAAXoL+82aE8UIguhPAOTdO6uJZ4NN2rwL7sbY/8Y5RsYY
qbAoz+zLPm0/5WB1pV0lLl3LxSxvnuEK9HEFHF7pMMNWFH+ORb1lz+kY2P4jTijP
mKfxs6INn4nQFY/sVfHmHCt1+PZEuRkqCxXQQGWZ9syrb/67zZE1Yosi6VTR4H57
dD8k9B3DSWmmXJ/P67hc0dcKojLiUDsgZVvfVL1Ve7P7FPE1tEmiEvcLBqkdI+I=
=WJEF
-----END PGP SIGNATURE-----

--jD2xUNc2eFMRmn3bN07MWWtHTr7N3ARMI--
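
The two mechanical checks behind Hannes's mail above are the metadata document's issuer comparison (the client must only trust a document whose "issuer" matches the issuer URL it built the well-known URL from) and the audience restriction that stops a token obtained for one resource server from being replayed at another. The following is an added example written for this archive; it is not code from the thread, from draft-ietf-oauth-discovery or from draft-campbell-oauth-resource-indicators. The hosts (as.example, rs-a.example, rs-b.example), the client id, the shared key and the list of fields treated as required are all assumptions made for the example. Tokens are HS256 JWTs built with the Python standard library so that it runs offline; a deployment would use a JOSE library and per-resource or asymmetric keys rather than one secret shared by the AS and every RS.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

# ---- 1. Client side: validating an AS metadata document ------------------
# Constructed sample of what an AS might serve at
# https://as.example/.well-known/oauth-authorization-server (invented host).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "jwks_uri": "https://as.example/jwks.json",
    "response_types_supported": ["code"],
})
# Fields this example treats as required for a code-flow AS (assumed list).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")

def validate_metadata(document: str, expected_issuer: str) -> dict:
    """Parse a metadata document; raise ValueError unless it is safe to use.
    'issuer' must equal the issuer URL the client built the well-known URL
    from; otherwise a document fetched from one host could point the client
    at another party's endpoints."""
    md = json.loads(document)
    for field in REQUIRED_FIELDS:
        if field not in md:
            raise ValueError(f"metadata is missing {field}")
    if md["issuer"] != expected_issuer:
        raise ValueError(f"issuer {md['issuer']!r} != {expected_issuer!r}")
    iss = urlparse(md["issuer"])
    if iss.scheme != "https" or iss.query or iss.fragment:
        raise ValueError("issuer must be an https URL without query/fragment")
    # Example policy: endpoints that receive codes or tokens must be https.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field in md and urlparse(md[field]).scheme != "https":
            raise ValueError(f"{field} is not https")
    return md

def metadata_ok(document: str, expected_issuer: str) -> bool:
    try:
        validate_metadata(document, expected_issuer)
        return True
    except ValueError:
        return False

# ---- 2. Resource-server side: audience-restricted access tokens ----------
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, issuer, client_id, resource, now, ttl=300):
    """AS: mint an HS256 JWT whose 'aud' is the resource the client asked for."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": client_id, "aud": resource, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def accept_token(token, key, issuer, my_resource, now):
    """RS: accept only tokens that are signed, current, and addressed to me."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_resource not in audiences:
        # The replay case from the thread: a token minted for one RS presented
        # to another. Without this check the second RS would accept it.
        raise ValueError(f"audience {audiences} does not include {my_resource}")
    return claims

def demo() -> dict:
    """Mint one token for rs-a and present it to rs-a and rs-b."""
    key = b"example-only-shared-key"   # assumed AS/RS shared secret
    now = 1_500_000_000                # fixed clock for a repeatable run
    token = issue_token(key, "https://as.example", "client-1", "https://rs-a.example", now)
    outcome = {}
    for rs in ("https://rs-a.example", "https://rs-b.example"):
        try:
            accept_token(token, key, "https://as.example", rs, now + 10)
            outcome[rs] = "accepted"
        except ValueError as err:
            outcome[rs] = f"rejected: {err}"
    return outcome
```

Calling demo() shows the same token accepted at rs-a and rejected at rs-b; every other check (signature, issuer, expiry) passes for both, and only the audience comparison separates them. That is the point of the mail: however the client learned about the AS, a token without an audience restriction can be presented to any resource server that trusts that AS's key.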


From nobody Fri Oct 21 15:23:14 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5D4312945E for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.032
X-Spam-Level: 
X-Spam-Status: No, score=-3.032 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rw7VfkaY-L0G for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:23:10 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0682512943B for <oauth@ietf.org>; Fri, 21 Oct 2016 15:23:09 -0700 (PDT)
Received: from [192.168.91.153] ([104.132.0.103]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LiY3U-1cVg3S3vum-00cjEJ for <oauth@ietf.org>; Sat, 22 Oct 2016 00:23:07 +0200
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <79bedf7c-05fe-b0e6-d3ba-740530b21b3c@gmx.net>
Date: Sat, 22 Oct 2016 00:23:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="b6bdJPqFcAUT9tmmcqFpaUqgRX7cDUFo2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YuVzEDa9B1LUUltfqhu68oRhLao>
Subject: [OAUTH-WG] Device Flow Open Issues

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--b6bdJPqFcAUT9tmmcqFpaUqgRX7cDUFo2
Content-Type: multipart/mixed; boundary="FUeH4WpHEiQpPij14c8OX17NKfLbbkTmf";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <79bedf7c-05fe-b0e6-d3ba-740530b21b3c@gmx.net>
Subject: Device Flow Open Issues

--FUeH4WpHEiQpPij14c8OX17NKfLbbkTmf
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

at the last IETF meeting we got lots of good feedback regarding the
device flow document. Here is the link to the device flow draft:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03

Four main issues got captured in the minutes, namely
1) Alternative to polling
2) Missing security guidance
3) UI recommendations
4) Alternative Authorization Request/Response Pattern

Here is the link to the meeting minutes:
https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth

In a discussion with John, William, Simon, and myself we thought it
would be best to drop a mail to the list about these issues and seek
your feedback.

Ciao
Hannes



--FUeH4WpHEiQpPij14c8OX17NKfLbbkTmf--

--b6bdJPqFcAUT9tmmcqFpaUqgRX7cDUFo2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYCpVJAAoJEGhJURNOOiAtLYMH/27ZptTfWHdyjgYOpPz6EHJY
CJReu/Z9pdPj15hPv62OdivEihX27NffXChdIasxPlLzEfU2AjJy8G+2CNGCuOOy
QtJ8U3OGEL+rhGZfSbX/sKlxJfWDci/KqbszklOo/C045IcQkVadTDQRtPbpJGbk
rRQzRU9+DnfPaJH0nJdpqZ4Q/ZOzDV07x0lQmnVYxSy+VJ2buErzXXUP0F6O0a0p
JsLQiM9oLRAesoMse5lG9eKLp42z6XYTvhVqe5OmRZxpRxCyNY7MUuDZPvHJ5IND
SJ54t/LyzTNqRvOhRLczCQ60BmK7bsD3WDtGhCByDUjr7GKbN9PcRC/wE1k8kGQ=
=dohD
-----END PGP SIGNATURE-----

--b6bdJPqFcAUT9tmmcqFpaUqgRX7cDUFo2--


From nobody Fri Oct 21 15:23:23 2016
Return-Path: <hannes.tschofenig@gmx.net>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net>
Date: Sat, 22 Oct 2016 00:23:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="04ueIdh9H64PawnTWPsAFtR9bQfa0roxM"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/37INAAHk-kAevBrWJufBrCoQhkM>
Subject: [OAUTH-WG] Device Flow: Alternative to Polling

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--04ueIdh9H64PawnTWPsAFtR9bQfa0roxM
Content-Type: multipart/mixed; boundary="2qW2tQfSJXimq3IelSsq8GBbB4VIc2xo4";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net>
Subject: Device Flow: Alternative to Polling

--2qW2tQfSJXimq3IelSsq8GBbB4VIc2xo4
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

the device flow document outlines the case when an OAuth interaction
gets "outsourced" to a separate device in order to allow user
authentication and collecting the consent.

The exchange is described in Section 1 of
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03.

Here is the step that was raised during the discussions:

      (E) While the end-user authorizes (or denies) the client's request
      (D), the client repeatedly polls the authorization server to find
      out if the end-user completed the end-user authorization step.
      The client includes the verification code and its client
      identifier.

The question was whether we could come up with an alternative to polling
since this step could potentially take some time. Hence, it would be
better if the authorization server has a way to send a message to the
client without polling. Of course, the polling frequency matters and how
quickly one (e.g., user) wants to know about the successful authorization.

So, the first question is whether polling is considered as a problem in
the first place.

If so, then the question is how this could be addressed and (from work
in other areas) there are really only two approaches:

1) We make use of some protocol that keeps the connection open and allows
asynchronous communication. HTTP/2 and Websockets come to mind.

2) The client can be addressed through some push notification mechanism,
such as by running an HTTP server on the device that can then be used by
the authorization server.

Any views about this topic?

Ciao
Hannes



--2qW2tQfSJXimq3IelSsq8GBbB4VIc2xo4--

--04ueIdh9H64PawnTWPsAFtR9bQfa0roxM
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYCpVPAAoJEGhJURNOOiAtl2MH/1L8udoZ9LWYxJtl+Nonrj6O
2z9tR3ZimCsQ+/mjxLchlFTEFecebiwwMoc1MjEkqiLUMyM0XlWeu3qu1V9p1GXm
JK4kfLmtYbaM17Affp4j1JQMQsTldVTx2Fjwu+/6O8lhc+GoBbEI1kU63QiJPeem
K73MyGbwFQtlF4vbB9PJEuN8iFfPtarwE+4jkyroh4vmXi+fmr4PGkBMJevOv1CT
GT/EvzAk0pZsWrJCTrGNhsrwnGm93ergBqwZqVrtCvNaZ26R74GB8wdOAVED/tDa
NZCYVUmKT3w/yYz2iuRuTvr24qkhnE8BeZLk9Ot2tWipjFQinhlcKznK0AdwokY=
=7jBV
-----END PGP SIGNATURE-----

--04ueIdh9H64PawnTWPsAFtR9bQfa0roxM--
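Step (E) quoted in the message above, worked through as an added example (not code from the draft or from anyone on this thread): a Python model of both sides of the polling exchange. The token endpoint binds the device code to the client that requested it, enforces the code lifetime, answers polls that arrive faster than the advertised interval with slow_down, and consumes the code on the first terminal answer; the client honours the interval, backs off on slow_down, and stops polling at expires_in instead of polling forever. The error codes and parameter names are assumed from the device flow draft (later RFC 8628), not from the mail; FakeClock, AuthorizationServer and the "tv-app" client id are constructed for the example so it runs offline.

```python
"""OAuth device flow, polling step (E), both sides of the exchange.
Added example, not the draft's or any poster's code.  Assumed, not stated in
the mail: the error codes authorization_pending, slow_down, access_denied,
expired_token and the device_code/interval/expires_in parameters (from the
device flow draft, later RFC 8628).  The clock and server are constructed so
the exchange runs offline, without real sleeping or a network."""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class FakeClock:
    """Simulated time; scheduled events stand in for the end-user's decision."""

    def __init__(self):
        self.now, self.events = 0.0, []

    def time(self):
        return self.now

    def schedule(self, at, fn):
        self.events.append((at, fn))

    def sleep(self, seconds):
        self.now += seconds
        due = sorted((e for e in self.events if e[0] <= self.now), key=lambda e: e[0])
        self.events = [e for e in self.events if e[0] > self.now]
        for _, fn in due:
            fn()


class AuthorizationServer:
    """In-memory token endpoint: a device code is bound to the requesting
    client, expires after `lifetime` s, is consumed by its first terminal
    answer, and is polled at most once per `interval` s (else slow_down)."""

    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.codes = {}

    def device_authorization(self, client_id):
        code = secrets.token_urlsafe(32)  # unguessable: the code is a bearer secret
        self.codes[code] = {"client_id": client_id, "issued": self.clock.time(),
                            "last_poll": None, "decision": None}
        return {"device_code": code, "expires_in": self.lifetime,
                "interval": self.interval}

    def user_decides(self, device_code, approve):
        self.codes[device_code]["decision"] = "approved" if approve else "denied"

    def token(self, params):
        if params.get("grant_type") != GRANT_TYPE:
            return 400, {"error": "unsupported_grant_type"}
        code = params.get("device_code")
        st = self.codes.get(code)
        if st is None or st["client_id"] != params.get("client_id"):
            return 400, {"error": "invalid_grant"}
        now = self.clock.time()
        if now - st["issued"] > self.lifetime:
            del self.codes[code]
            return 400, {"error": "expired_token"}
        if st["last_poll"] is not None and now - st["last_poll"] < self.interval:
            return 400, {"error": "slow_down"}  # too fast; not counted as a poll
        st["last_poll"] = now
        if st["decision"] is None:
            return 400, {"error": "authorization_pending"}
        del self.codes[code]  # terminal answer: the code is single-use
        if st["decision"] == "denied":
            return 400, {"error": "access_denied"}
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def poll_for_token(server, clock, client_id, auth, interval=None, backoff=5):
    """Client side of step (E): poll until a terminal answer, back off on
    slow_down, stop at expires_in.  `interval` overrides the server's value
    only to show a client that ignores what it was told."""
    interval = auth["interval"] if interval is None else interval
    deadline = clock.time() + auth["expires_in"]
    polls = 0
    while clock.time() < deadline:
        polls += 1
        status, body = server.token({"grant_type": GRANT_TYPE,
                                     "device_code": auth["device_code"],
                                     "client_id": client_id})
        if status == 200:
            return {"outcome": "ok", "polls": polls, "interval": interval,
                    "access_token": body["access_token"]}
        err = body.get("error")
        if err == "slow_down":
            interval += backoff  # +5 s per slow_down is the rule RFC 8628 later fixed
        elif err != "authorization_pending":
            return {"outcome": err, "polls": polls, "interval": interval}
        clock.sleep(interval)
    return {"outcome": "expired", "polls": polls, "interval": interval}


def scenario(decision, decide_at, client_interval=None, lifetime=600):
    """One exchange; the user approves (True), denies (False) or never answers (None)."""
    clock = FakeClock()
    server = AuthorizationServer(clock, interval=5, lifetime=lifetime)
    auth = server.device_authorization("tv-app")
    if decision is not None:
        clock.schedule(decide_at, lambda: server.user_decides(auth["device_code"], decision))
    return poll_for_token(server, clock, "tv-app", auth, interval=client_interval)
```

scenario(True, 10, client_interval=1) models a client that ignores the advertised interval: it is answered with slow_down once, backs off to 6 s, and still obtains a token on its fourth poll; scenario(False, 7) ends in access_denied, and scenario(None, 0, lifetime=12) shows the client giving up at expires_in rather than polling forever. On the server side, the per-code interval check, the lifetime check and the single-use deletion are what keep the polling step from being a cheap way to hammer the token endpoint or to replay a device code that has already been consumed.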


From nobody Fri Oct 21 15:35:56 2016
Return-Path: <aaron@parecki.com>
MIME-Version: 1.0
In-Reply-To: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net>
References: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net>
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 21 Oct 2016 15:35:50 -0700
Message-ID: <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a114d826a124bac053f67aa60
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/r3XgdOdOtFuxaswBDDFOdZHFI4Y>
Subject: Re: [OAUTH-WG] Device Flow: Alternative to Polling

--001a114d826a124bac053f67aa60
Content-Type: text/plain; charset=UTF-8

Part of the beauty of the current device flow spec is that it's so simple
to support. Keeping that simplicity is crucial especially for this, since
this flow is used by a variety of devices that often do not have higher
level stacks.

I would love to hear from someone who has experience with large-scale
deployments of this to know whether polling is even a problem in the first
place.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>



On Fri, Oct 21, 2016 at 3:23 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> the device flow document outlines the case when an OAuth interaction
> gets "outsourced" to a separate device in order to allow user
> authentication and collecting the consent.
>
> The exchange is described in Section 1 of
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03.
>
> Here is the step that was raised during the discussions:
>
>       (E) While the end-user authorizes (or denies) the client's request
>       (D), the client repeatedly polls the authorization server to find
>       out if the end-user completed the end-user authorization step.
>       The client includes the verification code and its client
>       identifier.
>
> The question was whether we could come up with an alternative to polling
> since this step could potentially take some time. Hence, it would be
> better if the authorization server has a way to send a message to the
> client without polling. Of course, the polling frequency matters and how
> quickly one (e.g., user) wants to know about the successful authorization.
>
> So, the first question is whether polling is considered as a problem in
> the first place.
>
> If so, then the question is how this could be addressed and (from work
> in other areas) there are really only two approaches:
>
> 1) We make use of some protocol that keeps the connection open and allow
> asynchronous communication. HTTP/2 and Websockets come to mind.
>
> 2) The client can be addressed through some push notification mechanism,
> such as by running an HTTP server on the device that can then be used by
> the authorization server.
>
> Any views about this topic?
>
> Ciao
> Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


--001a114d826a124bac053f67aa60--


From nobody Fri Oct 21 15:51:10 2016
Return-Path: <wdenniss@google.com>
MIME-Version: 1.0
In-Reply-To: <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com>
References: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net> <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Oct 2016 15:50:46 -0700
Message-ID: <CAAP42hC9SubNrhYeoxPUx2faW_G59yQT0Aqm1U5wRVCcb5Qxfw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Content-Type: multipart/alternative; boundary=94eb2c035754a751e2053f67e0ab
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6oX-hyh0PVbI9LrDsbhHeIvPWBY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Flow: Alternative to Polling

--94eb2c035754a751e2053f67e0ab
Content-Type: text/plain; charset=UTF-8

We've been operating with polling for a while and handle a decent amount of
traffic (the YouTube TV app uses it); the polling gets the job done. The
simplicity of the protocol definitely helps when used on constrained
devices.

I like the idea of adding HTTP/2 based long-poll as an optional
enhancement, especially if we can define it in ways that don't alter the
underlying protocol a whole lot.

On Fri, Oct 21, 2016 at 3:35 PM, Aaron Parecki <aaron@parecki.com> wrote:

> Part of the beauty of the current device flow spec is that it's so simple
> to support. Keeping that simplicity is crucial especially for this, since
> this flow is used by a variety of devices that often do not have higher
> level stacks.
>
> I would love to hear from someone who has experience with large-scale
> deployments of this to know whether polling is even a problem in the first
> place.
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
>
> On Fri, Oct 21, 2016 at 3:23 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
>> Hi all,
>>
>> the device flow document outlines the case when an OAuth interaction
>> gets "outsourced" to a separate device in order to allow user
>> authentication and collecting the consent.
>>
>> The exchange is described in Section 1 of
>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03.
>>
>> Here is the step that was raised during the discussions:
>>
>>       (E) While the end-user authorizes (or denies) the client's request
>>       (D), the client repeatedly polls the authorization server to find
>>       out if the end-user completed the end-user authorization step.
>>       The client includes the verification code and its client
>>       identifier.
>>
>> The question was whether we could come up with an alternative to polling
>> since this step could potentially take some time. Hence, it would be
>> better if the authorization server has a way to send a message to the
>> client without polling. Of course, the polling frequency matters and how
>> quickly one (e.g., user) wants to know about the successful authorization.
>>
>> So, the first question is whether polling is considered as a problem in
>> the first place.
>>
>> If so, then the question is how this could be addressed and (from work
>> in other areas) there are really only two approaches:
>>
>> 1) We make use of some protocol that keeps the connection open and allow
>> asynchronous communication. HTTP/2 and Websockets come to mind.
>>
>> 2) The client can be addressed through some push notification mechanism,
>> such as by running an HTTP server on the device that can then be used by
>> the authorization server.
>>
>> Any views about this topic?
>>
>> Ciao
>> Hannes
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


--94eb2c035754a751e2053f67e0ab--
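The polling step (E) that Hannes quotes from the device flow draft is what the thread weighs against HTTP/2, WebSockets and push. What an authorization server has to do to keep plain polling safe is shown in the following added example, which is not code from the draft, from Hannes, or from any of the implementations mentioned in the thread: it answers polls with the draft's error codes, enforces the advertised `interval`, binds each device code to the client_id that requested it, and expires codes. The class, the in-memory store, the back-off policy and all sample values are constructed for this illustration.

```python
"""Authorization-server side of device flow step (E): answering the
client's polls and bounding how often it may poll.

Added example; not code from draft-ietf-oauth-device-flow-03 or from any
vendor's implementation.  The error strings (authorization_pending,
slow_down, expired_token, access_denied) and the `interval` parameter are
the draft's; the in-memory store, the back-off policy and all sample
values are constructed for this illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

INTERVAL = 5          # seconds the client must wait between polls
LIFETIME = 600        # seconds a device code stays valid
VERIFICATION_URI = "https://as.example/device"   # placeholder, not a real AS


@dataclass
class DeviceGrant:
    client_id: str
    user_code: str
    issued_at: float
    last_poll: float
    status: str = "pending"          # pending | approved | denied
    subject: Optional[str] = None    # user who approved or denied


class DeviceAuthorizationServer:
    def __init__(self) -> None:
        self._grants: Dict[str, DeviceGrant] = {}

    def authorize(self, client_id: str, now: float) -> dict:
        """Steps (A)/(B): hand the device a device_code, a user_code to show
        the user, and the polling interval it must respect."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        # The first poll is only acceptable once `interval` has elapsed.
        self._grants[device_code] = DeviceGrant(client_id, user_code, now, last_poll=now)
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            "expires_in": LIFETIME,
            "interval": INTERVAL,
        }

    def user_decides(self, user_code: str, subject: str, approved: bool) -> bool:
        """Step (D): the end-user, on a separate device, approves or denies."""
        for grant in self._grants.values():
            if grant.user_code == user_code and grant.status == "pending":
                grant.status = "approved" if approved else "denied"
                grant.subject = subject
                return True
        return False

    def poll(self, device_code: str, client_id: str, now: float) -> dict:
        """Step (E): the client presents its device_code and client_id."""
        grant = self._grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            # Unknown code or a different client: same answer for both, so
            # the response does not reveal which codes exist.
            return {"error": "invalid_grant"}
        if now - grant.issued_at > LIFETIME:
            del self._grants[device_code]
            return {"error": "expired_token"}
        if now - grant.last_poll < INTERVAL:
            # Polling faster than `interval`: tell it to back off.  The
            # timestamp is refreshed so a client that keeps hammering never
            # gets through until it actually slows down.
            grant.last_poll = now
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        del self._grants[device_code]     # one-shot: a code yields one answer
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
        }
```

A client that honours `interval` sees `slow_down` only when it polls early; a client that ignores it never gets past `slow_down`, which is the kind of AS-side mitigation of excessive polling that Simon mentions later in the thread. The `invalid_grant` answer for both an unknown code and a wrong client_id keeps the poll endpoint from acting as an oracle for live device codes.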


From nobody Fri Oct 21 15:51:59 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415821296BC for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fNmwZaw4XZng for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:51:54 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD8511296AB for <oauth@ietf.org>; Fri, 21 Oct 2016 15:51:54 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id m138so14397788itm.0 for <oauth@ietf.org>; Fri, 21 Oct 2016 15:51:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Lk0TJyLP0E89sVOQf23wKR+WDEoA6iLFZqZbYtMKXxI=; b=doEXag2gT1bSxhMUpvgJqglOmE29supyeL6TronH6NoBuOlKxKY1BJdG8tFUmuPq7d +amoAXbMbaxLSmsKl44SKODh1HMFqY6Lba2QBh6MzLepiLX5R9S5Xy82T4DyOqFsN6nN 91+H4L9ZYcrYk8GGImQxRFd51QHSPVJ7dahoI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Lk0TJyLP0E89sVOQf23wKR+WDEoA6iLFZqZbYtMKXxI=; b=HJhXMUmMZsedKzPHltuWHzHGe1NCl4jb/rpaRjHJj4WwoBEAKPewCuJyJv1GQyTyTW y+U+hwUUpH4pOPVUsa6A1OLIfnD1mdS+VOUPOYMHammE1AjEeEUMUgQQXX7Zf4oT/3oY dN8LQSYP/MakmFG1HeQ9aebpgA6UvBTSQj5txKL4NMxhS9E5UaZQleMm6jdRok1qdu+K o1CKvFbdiGsyR8CdDqz3iWPu8pB2hb7+o7zP1Q2SxVzF0CLZQ5i3KQerEq/QLnB0al2R AMPcI6bdv2vE6BjS4ESNcf424x9PKfdcuyufavSUngE45ZlysunnwoC45XJd74VB3v3V 8Ngg==
X-Gm-Message-State: ABUngvfCzQomQ8vjFUBe6pcKmdkyNqp08QiDGm940++BA+73mHvsL++a1noya+lJSvqc99E2ov8FvNZoTl7gEZ6b
X-Received: by 10.36.121.131 with SMTP id z125mr743986itc.79.1477090314042; Fri, 21 Oct 2016 15:51:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.5.132 with HTTP; Fri, 21 Oct 2016 15:51:23 -0700 (PDT)
In-Reply-To: <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 21 Oct 2016 16:51:23 -0600
Message-ID: <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Content-Type: multipart/alternative; boundary=001a114abbd278590f053f67e341
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nHa-Ryn_-Jk2PatC6Qy5AjBKqrI>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 22:51:57 -0000

--001a114abbd278590f053f67e341
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.

On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Superb, I welcome that!
>
> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
> client-auth-00#section-5.2 :
>
> My concern is that the choice of how to bind the client identity is left
> to implementers, and that may eventually become an interop problem.
> Have you considered some kind of an open ended enumeration of the possible
> binding methods, and giving them some identifiers or names, so that AS /
> OPs can advertise them in their metadata, and clients register accordingly?
>
> For example:
>
> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
> "subject_public_key_info_match" ]
>
>
> Cheers,
>
> Vladimir
>
> On 10/10/16 23:59, John Bradley wrote:
>
> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>
> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>
> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>
> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
>
> I hope that this is non controversial and the WG can adopt it quickly.
>
> Regards
> John B.
>
>
>
>
>
> Begin forwarded message:
>
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
> Date: October 10, 2016 at 5:44:39 PM GMT-3
> To: "Brian Campbell" <brian.d.campbell@gmail.com> <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <ve7jtb@ve7jtb.com>
>
>
> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> has been successfully submitted by John Bradley and posted to the
> IETF repository.
>
> Name:		draft-campbell-oauth-tls-client-auth
> Revision:	00
> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
> Document date:	2016-10-10
> Group:		Individual Submission
> Pages:		5
> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>
>
> Abstract:
>   This document describes X.509 certificates as OAuth client
>   credentials using Transport Layer Security (TLS) mutual
>   authentication as a mechanism for client authentication to the
>   authorization server's token endpoint.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--001a114abbd278590f053f67e341--
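Vladimir's enumeration of binding methods and John's description of the open trust model (a name vouched for by a restricted CA list, or a direct lookup of the subject public key against a registered value) are put side by side in the following added example. It is not code from draft-campbell-oauth-tls-client-auth-00 or from any implementation: the two method names are the ones in Vladimir's message, while the registration field names, the metadata document, the `verify_client_binding` helper and the sample certificate data are assumptions made for this illustration. The certificate is represented in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and extracting the SubjectPublicKeyInfo DER is assumed to be done by an X.509 parser outside this snippet.

```python
"""Checking a TLS client certificate against a client's registered binding.

Added example for the binding discussion in the thread; it is not code
from draft-campbell-oauth-tls-client-auth-00 or from any implementation.
The method names are the two Vladimir proposed; the registration field
names, the metadata document and the sample certificate data are assumed.
"""
import hashlib
import hmac
import ssl

# What an AS could advertise if bind methods were enumerated (assumed names).
AS_METADATA = {
    "token_endpoint_auth_methods_supported": ["tls_client_auth"],
    "tls_client_auth_bind_methods_supported": [
        "subject_alt_name_match",
        "subject_public_key_info_match",
    ],
}


def make_server_context(cafile: str) -> ssl.SSLContext:
    """Token-endpoint TLS context: require a client certificate that chains
    to one of the CAs in `cafile`.  Name-based binding is only as strong as
    this CA list, the "restricted list of CA" John mentions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def dn_to_str(rdns) -> str:
    """Flatten the nested tuples ssl.SSLSocket.getpeercert() uses for a DN."""
    return ",".join(f"{attr}={value}" for rdn in rdns for attr, value in rdn)


def spki_sha256(spki_der: bytes) -> str:
    """Thumbprint compared for subject_public_key_info_match."""
    return hashlib.sha256(spki_der).hexdigest()


def verify_client_binding(record, peer_cert, spki_der, trusted_issuers):
    """Return (ok, reason).

    record          - the client's registration, including its bind method
    peer_cert       - dict shaped like ssl.SSLSocket.getpeercert()
    spki_der        - DER of the certificate's SubjectPublicKeyInfo (an
                      X.509 parser, assumed here, has to extract it)
    trusted_issuers - flattened issuer DNs acceptable for name bindings
    """
    method = record.get("tls_client_auth_bind_method")
    if method not in AS_METADATA["tls_client_auth_bind_methods_supported"]:
        return False, "unsupported_bind_method"

    if method == "subject_public_key_info_match":
        # Direct lookup of the subject public key: which CA issued the
        # certificate is irrelevant, the key itself is the credential.
        expected = record["tls_client_auth_spki_sha256"]
        if hmac.compare_digest(spki_sha256(spki_der), expected):
            return True, "spki_match"
        return False, "spki_mismatch"

    # subject_alt_name_match: a name means nothing unless a trusted CA
    # vouched for it, so pin the issuer before comparing names.
    issuer = dn_to_str(peer_cert.get("issuer", ()))
    if issuer not in trusted_issuers:
        return False, "untrusted_issuer"
    expected_san = tuple(record["tls_client_auth_san"])
    if expected_san in set(peer_cert.get("subjectAltName", ())):
        return True, "san_match"
    return False, "san_mismatch"


# --- constructed sample data (not real certificates) --------------------
TRUSTED_ISSUERS = {"commonName=Example Client CA,organizationName=Example Trust"}

SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "client.example.com"),),
                (("organizationName", "Example Bank"),)),
    "issuer": ((("commonName", "Example Client CA"),),
               (("organizationName", "Example Trust"),)),
    "subjectAltName": (("DNS", "client.example.com"),
                       ("DNS", "client-alt.example.com")),
}
SAMPLE_SPKI_DER = b"\x30\x0d(constructed placeholder SPKI bytes)"

CLIENT_BY_SAN = {
    "client_id": "bank-client-1",
    "token_endpoint_auth_method": "tls_client_auth",
    "tls_client_auth_bind_method": "subject_alt_name_match",
    "tls_client_auth_san": ["DNS", "client.example.com"],
}
CLIENT_BY_SPKI = {
    "client_id": "bank-client-2",
    "token_endpoint_auth_method": "tls_client_auth",
    "tls_client_auth_bind_method": "subject_public_key_info_match",
    "tls_client_auth_spki_sha256": spki_sha256(SAMPLE_SPKI_DER),
}
```

The two branches make the interop point concrete: a client registered by SAN and a client registered by SPKI thumbprint present the same kind of certificate, but the AS must know which check to run, and the name-based check additionally depends on the issuer allowlist. That choice is exactly what a registered bind method (and the matching metadata entry) would pin down.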


From nobody Fri Oct 21 16:25:18 2016
Return-Path: <agenda@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BB49312985D; Fri, 21 Oct 2016 16:21:13 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Secretariat\"" <agenda@ietf.org>
To: <Hannes.Tschofenig@gmx.net>, <oauth-chairs@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.36.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147709207376.28214.7713062009091088988.idtracker@ietfa.amsl.com>
Date: Fri, 21 Oct 2016 16:21:13 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t2g7cXUwzOX0Z1CYP0CyBHPq-eU>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 97
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 23:21:17 -0000

Dear Hannes Tschofenig,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 

oauth Session 1 (1:30:00)
    Wednesday, Afternoon Session II 1520-1620
    Room Name: Studio 3 size: 80
    ---------------------------------------------
    oauth Session 2 (1:30:00)
    Monday, Morning Session I 0930-1200
    Room Name: Studio 3 size: 80
    ---------------------------------------------
    


Request Information:


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Hannes Tschofenig

Number of Sessions: 2
Length of Session(s):  1.5 Hours, 1.5 Hours
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: tokbind tls core saag




Special Requests:
  Please avoid conflict with sec area BoFs.
---------------------------------------------------------


From nobody Sat Oct 22 10:47:50 2016
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDE9912944E for <oauth@ietfa.amsl.com>; Sat, 22 Oct 2016 10:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.652
X-Spam-Level: 
X-Spam-Status: No, score=-4.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s2OpUqRgFgf9 for <oauth@ietfa.amsl.com>; Sat, 22 Oct 2016 10:47:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D5B212944D for <oauth@ietf.org>; Sat, 22 Oct 2016 10:47:47 -0700 (PDT)
X-AuditID: 1209190d-30bff700000075d4-e6-580ba64277c5
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 81.D3.30164.246AB085; Sat, 22 Oct 2016 13:47:46 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u9MHljXt000995; Sat, 22 Oct 2016 13:47:46 -0400
Received: from [10.199.1.225] (216-75-239-61.static.wiline.com [216.75.239.61]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u9MHlfRU025074 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 22 Oct 2016 13:47:44 -0400
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_15B0069F-602E-4860-B97F-12E1193CAE64"; protocol="application/pgp-signature"; micalg=pgp-sha256
X-Pgp-Agent: GPGMail
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
Date: Sat, 22 Oct 2016 10:47:39 -0700
Message-Id: <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKKsWRmVeSWpSXmKPExsUixG6nruu0jDvCoPeDpsXSnfdYLU6+fcXm wOSxeNN+No8lS34yBTBFcdmkpOZklqUW6dslcGX8/7KbveCERMX0HUeZGxjvi3QxcnJICJhI fHv/n62LkYtDSKCNSeL2o0ZmkISQwEZGiYlnmCESZ5gkviw6zwSSEBbQktg05RwjiM0roCex af1bJpAiZoEpjBInTuxjhRgrItF95jOYzSagKjF9TQtYM6eAtcTCm2vYQWwWoPiLtf1AGziA mtUl2k+6QMy0kth5+R0TxBFWEv+33gQ7SETAUOL6zOlQ42UlnpxcxDKBUWAWkjNmITsDJMEs oC2xbOFrZghbU2J/93IWCFteYvvbOVBxS4nFM29AxW0lbvUtYIKw7SQeTVvEuoCRYxWjbEpu lW5uYmZOcWqybnFyYl5eapGukV5uZoleakrpJkZQjHBK8u5g/HfX6xCjAAejEg9vwRLuCCHW xLLiytxDjJIcTEqivEdlgUJ8SfkplRmJxRnxRaU5qcWHGFWAdj3asPoCoxRLXn5eqpIIRCtv SmJlVWpRPkyZNAeLkjjvf7ev4UIC6YklqdmpqQWpRTBZGQ4OJQne/KVAjYJFqempFWmZOSUI aSYOzkOMEhw8QMN7QWp4iwsSc4sz0yHypxgVpcR5fy0GSgiAJDJK8+B6Qanthvd721eM4kBv CfMygbTzANMiXPcroMFMQINr0jhABpckIqSkGhhX7Xlts5hvxsFPLpv+qfWzqi/8FSuoK7Vz htvcmvO8r60fxve+q9/qeGFLyYLDR9snzZru/65APYTxxar4HfKnolLdVj+KOR97WnbBw5u2 gc98nsZYfRNVEZtQNyfl2JX1C84l2XIVLNIQX2BlyBPFeaIy89KZt89WpVw5PUN3TrXuOzee 86snKrEUZyQaajEXFScCAMDDGwlIAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YNi-sdiuIEh-RXznq243bQGFu-M>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2016 17:47:50 -0000

--Apple-Mail=_15B0069F-602E-4860-B97F-12E1193CAE64
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I believe that the PoP work should stay in the working group, and that =
without a usable presentation mechanism such as an HTTP message =
signature the whole work is pointless. I agree with Mike that we should =
learn from our own mistakes =E2=80=94 and that is precisely the =
direction that the current HTTP signing draft took. As a result, the =
base level of functionality is signing the token itself (with a =
timestamp/nonce) using the key. All of the fiddly HTTP bits that trip =
people up? Not only are they optional, but it=E2=80=99s explicitly =
declared what=E2=80=99s covered. Why? Because we=E2=80=99re learning =
from past mistakes.

I think that token binding is relying on a lot of =E2=80=9Cifs=E2=80=9D =
that aren=E2=80=99t real yet, and if those =E2=80=9Cifs=E2=80=9D become =
reality then it will be to the benefit of large internet companies over =
everyone else. Additionally, token binding in OAuth is far from the =
simple solution that it=E2=80=99s being sold as. The very nature of an =
access token goes against the original purpose of tying an artifact to a =
single presentation channel. OAuth clients in the real world need to be =
able to deal with multiple resource servers and dynamically deployed =
APIs, and the token binding protocol fundamentally assumes a world where =
two machines are talking directly to each other.

All that said, this working group has consistently shown resistance to =
solving this problem for many years, so the results of this query =
don=E2=80=99t at all surprise me.

 =E2=80=94 Justin

> On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig =
<hannes.tschofenig@gmx.net> wrote:
>=20
> Hi all,
>=20
> two questions surfaced at the last IETF meeting, namely
>=20
> 1) Do we want to proceed with the symmetric implementation of PoP or,
> alternatively, do we want to move it over to the ACE working group?
>=20
> 2) Do we want to continue the work on HTTP signing?
>=20
> We would appreciate your input on these two questions.
>=20
> Ciao
> Hannes & Derek
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_15B0069F-602E-4860-B97F-12E1193CAE64
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYC6Y8AAoJEDPAngkbd+w9GJkIAIfvLykhaamNBEfVQdHLPNQS
uIDMVuh0CFnvQLggNs5SpTM+UgU4TJa9WEoZyPFWrTAf9MLsH3FCAisGH7RKeMUY
NE17u4J1uSbemOpwVDWozN1aaqOoIC8i6/5ALUrWcBnE+PwetEaf5FNPahGnmMpn
y5qor7cH81PUqCEhMdH/rzBvo84/cgCosYTBi3lijG43HBMCHjcmWEz+Kl4Zr49f
a6HcgUMiNMrKUNfxaqKdh+o5Ud3G8ZSkzK3e5wB9Yq2b0n6C/Yr88W+mhIC7gptf
WIg+CTY3jbLv0U3r1sAaco0oCMKdKq+ZkhVpIv4bwJtjfdxTOc74rQQXZkiERlM=
=98Rg
-----END PGP SIGNATURE-----

--Apple-Mail=_15B0069F-602E-4860-B97F-12E1193CAE64--
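Justin's point that the base level is signing the token itself with a timestamp and nonce, with HTTP coverage optional and explicitly declared, is illustrated by the following added example. It is not code from the HTTP signing draft, from Justin, or from any project: it replaces the draft's JWS container with an HMAC over canonical JSON using a symmetric PoP key, and the `present`/`ResourceServer` names, the `covered` part identifiers and the key, token, request and clock values are assumptions constructed for the illustration.

```python
"""Proof of possession by signing the access token together with a
timestamp and nonce, with any HTTP parts that are covered declared
explicitly inside the signed payload.

Added example illustrating the layering Justin describes; not code from
the HTTP signing draft or from any project.  An HMAC over canonical JSON
with a symmetric PoP key stands in for the draft's JWS container, and the
key, token, request and clock values are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def covered_value(part: str, request: dict) -> str:
    """Value of one covered HTTP part, derived the same way on both sides.
    Parts (assumed identifiers): 'm' method, 'p' path, 'b' body digest,
    'h:<name>' one header."""
    if part == "m":
        return request["method"].upper()
    if part == "p":
        return request["path"]
    if part == "b":
        return b64url(hashlib.sha256(request.get("body", b"")).digest())
    if part.startswith("h:"):
        return request["headers"][part[2:].lower()]
    raise ValueError(f"unknown covered part {part!r}")


def present(key: bytes, access_token: str, ts: int, request: dict = None,
            covered: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Client side.  The base level signs only the token, ts and nonce;
    HTTP coverage is opt-in, and the list of what is covered is itself
    signed, so the verifier never has to guess what was meant."""
    payload = {"at": access_token, "ts": ts,
               "nonce": secrets.token_urlsafe(16), "covered": sorted(covered)}
    for part in covered:
        payload[part] = covered_value(part, request)
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, canon, hashlib.sha256).digest()
    return {"payload": b64url(canon), "mac": b64url(mac)}


class ResourceServer:
    """Resource-server side: verify a presentation against the request as
    actually received."""

    def __init__(self, keys_by_token: Dict[str, bytes], max_skew: int = 60) -> None:
        self.keys = keys_by_token      # PoP key bound to each token (e.g. via introspection)
        self.max_skew = max_skew
        self.seen: Set[Tuple[str, str]] = set()   # (token, nonce) pairs already accepted

    def verify(self, presentation: Dict[str, str], request: dict, now: int) -> Tuple[bool, str]:
        canon = b64url_decode(presentation["payload"])
        payload = json.loads(canon)
        key = self.keys.get(payload.get("at", ""))
        if key is None:
            return False, "unknown_token"
        expected = hmac.new(key, canon, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(presentation["mac"])):
            return False, "bad_signature"
        if abs(now - payload["ts"]) > self.max_skew:
            return False, "stale"
        replay_key = (payload["at"], payload["nonce"])
        if replay_key in self.seen:
            return False, "replay"
        # Re-derive every part the client declared as covered from the
        # request as received; anything not declared is simply not checked.
        for part in payload["covered"]:
            if payload.get(part) != covered_value(part, request):
                return False, f"mismatch:{part}"
        self.seen.add(replay_key)
        return True, "ok"
```

With an empty `covered` list the presentation proves possession of the key bound to the token and nothing else, which is the base level Justin describes; adding parts ties the proof to a method, path or header, and because the list is inside the signed payload a proxy that rewrites an uncovered header cannot break verification, while a rewritten covered part is caught.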


From nobody Mon Oct 24 01:31:00 2016
Return-Path: <simon.moffatt@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07395129624 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 01:30:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXKZTyyWR2b4 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 01:30:54 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB90129633 for <oauth@ietf.org>; Mon, 24 Oct 2016 01:30:54 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id c78so90663199wme.0 for <oauth@ietf.org>; Mon, 24 Oct 2016 01:30:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=d51HEThTkSxtohVCtAOGV6KRV487zJeuvcVfiGCHSyY=; b=eEMkyT3J1w+fLvK1l67ltqhpvAPCB0o23Y4nbX2mYD+h+C+Ce5Oj1uRG0Lm89iJbuU 9xYuFf7seW3KaVAQcuUWgJVCnQKNZ74ofRMopD3NzN9DET4EtDfw2xEY9RJr3OPgn4ik MaWFyfRxqu9hgXeQpbCqMPiZr8s6V3BDYqyM8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=d51HEThTkSxtohVCtAOGV6KRV487zJeuvcVfiGCHSyY=; b=N2g9gJujBvidRrn/icjAVUp3F8yPSeZ74eQFdKhmLkNWKMaquz0BzdblFBUhQJTXbb N7P3cX0jwlRfJ+cujT4WKxzTeqdgllyQ6XjIua0PLWP1dwZDzEfjZhrGt3Tkba6zI4fK 9dmJVQeB5wjvdsWmFR17LUXDMOqyccPXiofMvZFB3xEVJKsjtXyOl0fmH/S5bkgJThoC w6oqq+Kkz/KILKyakmo78UmJzrPwPfHDeKU4UpR3m9xrIGfTvbWOJhxQjMco1day7CQ+ CVCsCYQDBi7XpeGaT7NevDIXI52fa44TEV9gLE4fuwNw9gjig4dTKXJrgU4+1aphN8kb rByg==
X-Gm-Message-State: ABUngve82KwYjvM78c+DLq/Fxbjzj01yF4FBRbBfRV9SUmapv4SMaKu6G3o44+hR784Kn3z4b049s1FbJfSSu2dS8/skdTlwoomuYievxUFdXEq77StqJyZgDbmsa8ZypYE5+Sk2FOOnv7Qyd+MxoNA72ITAV8XyPIkbWAakR3QSSxDuCgoT968=
X-Received: by 10.28.170.204 with SMTP id t195mr13143407wme.113.1477297852092;  Mon, 24 Oct 2016 01:30:52 -0700 (PDT)
Received: from ?IPv6:2a02:c7f:ba3b:5f00:9d5c:ab4f:3704:1a7f? ([2a02:c7f:ba3b:5f00:9d5c:ab4f:3704:1a7f]) by smtp.gmail.com with ESMTPSA id w1sm17968774wje.36.2016.10.24.01.30.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Oct 2016 01:30:51 -0700 (PDT)
To: William Denniss <wdenniss@google.com>, Aaron Parecki <aaron@parecki.com>
References: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net> <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com> <CAAP42hC9SubNrhYeoxPUx2faW_G59yQT0Aqm1U5wRVCcb5Qxfw@mail.gmail.com>
From: Simon Moffatt <simon.moffatt@forgerock.com>
Message-ID: <ac510d94-424c-0ca7-3e4d-b33629124b08@forgerock.com>
Date: Mon, 24 Oct 2016 09:30:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hC9SubNrhYeoxPUx2faW_G59yQT0Aqm1U5wRVCcb5Qxfw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7C27685607EFF2537BE928B8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K3U8gNWli38dOiNBwDMzGIHj3PE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Flow: Alternative to Polling
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 08:30:59 -0000

This is a multi-part message in MIME format.
--------------7C27685607EFF2537BE928B8
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

I agree, simplicity is key here.

 From a practicality perspective (ForgeRock implemented the AS part of
the device flow in January), there were some steps to mitigate things
like potential excessive polling and DoS but they can be easily overcome
on the AS side of things, but as William says, polling is simple and
solves the use case.

The option of running an HTTP stack on the device is maybe overkill for
some deployments though, especially with lower-powered devices and the
management overhead.

Websocket-style notifications are gaining popularity for other web
access management use cases like session destruction notifications and
session attribute changes, so that seems a viable option.


On 21/10/16 23:50, William Denniss wrote:
> We've been operating with polling for a while and handle a decent 
> amount of traffic (the YouTube TV app uses it), the polling gets the 
> job done. The simplicity of the protocol definitely helps when used on 
> constrained devices.
>
> I like the idea of adding HTTP/2 based long-poll as an optional 
> enhancement, especially if we can define it in ways that don't alter 
> the underlying protocol a whole lot.
>
> On Fri, Oct 21, 2016 at 3:35 PM, Aaron Parecki <aaron@parecki.com 
> <mailto:aaron@parecki.com>> wrote:
>
>     Part of the beauty of the current device flow spec is that it's so
>     simple to support. Keeping that simplicity is crucial especially
>     for this, since this flow is used by a variety of devices that
>     often do not have higher level stacks.
>
>     I would love to hear from someone who has experience with
>     large-scale deployments of this to know whether polling is even a
>     problem in the first place.
>
>     ----
>     Aaron Parecki
>     aaronparecki.com <http://aaronparecki.com/>
>     @aaronpk <http://twitter.com/aaronpk>
>
>
>     On Fri, Oct 21, 2016 at 3:23 PM, Hannes Tschofenig
>     <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
>         Hi all,
>
>         the device flow document outlines the case when an OAuth interaction
>         gets "outsourced" to a separate device in order to allow user
>         authentication and collecting the consent.
>
>         The exchange is described in Section 1 of
>         https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03.
>
>         Here is the step that was raised during the discussions:
>
>               (E) While the end-user authorizes (or denies) the client's request
>               (D), the client repeatedly polls the authorization server to find
>               out if the end-user completed the end-user authorization step.
>               The client includes the verification code and its client
>               identifier.
>
>         The question was whether we could come up with an alternative to polling
>         since this step could potentially take some time. Hence, it would be
>         better if the authorization server has a way to send a message to the
>         client without polling. Of course, the polling frequency matters and how
>         quickly one (e.g., user) wants to know about the successful
>         authorization.
>
>         So, the first question is whether polling is considered as a problem in
>         the first place.
>
>         If so, then the question is how this could be addressed and (from work
>         in other areas) there are really only two approaches:
>
>         1) We make use of some protocol that keeps the connection open and allow
>         asynchronous communication. HTTP/2 and Websockets come to mind.
>
>         2) The client can be addressed through some push notification mechanism,
>         such as by running an HTTP server on the device that can then be used by
>         the authorization server.
>
>         Any views about this topic?
>
>         Ciao
>         Hannes
>
>
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>         <https://www.ietf.org/mailman/listinfo/oauth>
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
ForgeRock <http://www.forgerock.com/> 	*Simon Moffatt*
OpenAM - Technical Product Manager  |  ForgeRock
*tel* +44 (0) 7903 347 240  | *e* Simon.Moffatt@Forgerock.com 
<mailto:simon.moffatt@forgerock.com>
*skype* simon.moffatt  | *web* www.forgerock.com 
<http://www.forgerock.com/>  | *twitter* @simonmoffatt



Summits <https://summits.forgerock.com/>
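The polling step (E) that Hannes quotes, together with the AS-side mitigation of excessive polling that Simon mentions, as an added example that is not part of this thread and not code from any implementation discussed in it: a minimal device-flow token endpoint that rate-limits polls per device code, and a client loop that honours the advertised interval and backs off when told to slow down. Parameter and error names follow the form the flow later took in RFC 8628 (device_code, authorization_pending, slow_down, access_denied, expired_token); the client id "tv-app", the fake clock and the run_scenario driver are constructed for this example.

```python
"""Device flow step (E): the client polls the token endpoint until the
user has acted, and the AS limits how fast it may poll.

Added illustration, not code from draft-ietf-oauth-device-flow-03 or
from any implementation named in the thread. Names follow RFC 8628;
the client id "tv-app" and the fake clock are constructed here.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

GRANT = "urn:ietf:params:oauth:grant-type:device_code"
INTERVAL = 5  # seconds between polls that the AS advertises and enforces


class FakeClock:
    """Injected clock so the exchange runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


@dataclass
class Pending:
    client_id: str
    expires_at: float
    last_poll: Optional[float] = None
    decision: Optional[str] = None  # None until the user acts, then "grant" or "deny"


class AuthorizationServer:
    """The AS side: device authorization and token endpoints, in memory."""
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self.pending = {}

    def device_authorization(self, client_id, lifetime=600):
        code = secrets.token_urlsafe(32)
        self.pending[code] = Pending(client_id, self.clock.now() + lifetime)
        return {"device_code": code, "interval": INTERVAL, "expires_in": lifetime}

    def user_decides(self, code, decision):
        self.pending[code].decision = decision

    def token(self, grant_type, device_code, client_id):
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        p = self.pending.get(device_code)
        if p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}  # unknown code or wrong client; say no more
        now = self.clock.now()
        if now >= p.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        # Excessive-polling mitigation: a poll arriving sooner than INTERVAL
        # after the previous one is rejected, and it still counts as a poll,
        # so a client that keeps hammering keeps getting slow_down.
        too_fast = p.last_poll is not None and now - p.last_poll < INTERVAL
        p.last_poll = now
        if too_fast:
            return {"error": "slow_down"}
        if p.decision is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # the code is single-use either way
        if p.decision == "deny":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenario(decide_at=None, decision="grant", client_interval=None):
    """Drive one exchange end to end. decide_at is when the user acts (None:
    never); client_interval lets the client start with its own polling
    interval instead of the advertised one, to show the slow_down path.
    Returns (outcome, number of polls, client's final interval)."""
    clock = FakeClock()
    as_ = AuthorizationServer(clock)
    auth = as_.device_authorization("tv-app")
    code = auth["device_code"]
    interval = client_interval or auth["interval"]
    polls = 0
    while True:
        p = as_.pending.get(code)
        if decide_at is not None and clock.now() >= decide_at and p and p.decision is None:
            as_.user_decides(code, decision)  # the user finishes on the other device
        resp = as_.token(GRANT, code, "tv-app")
        polls += 1
        if "access_token" in resp:
            return "granted", polls, interval
        if resp["error"] == "slow_down":
            interval += 5  # the only correct reaction: back off, keep polling
        elif resp["error"] != "authorization_pending":
            return resp["error"], polls, interval  # denied/expired: stop polling
        clock.sleep(interval)
```

The AS counts a rejected too-fast poll as a poll, so a client that ignores slow_down never sees a pending or success response until it backs off; the client treats every error other than authorization_pending and slow_down as terminal, which is what stops a denied or expired code from being polled indefinitely.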



From nobody Mon Oct 24 08:29:25 2016
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030311298A1 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8AMHpS2pRdRv for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:29:21 -0700 (PDT)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 244B91298A4 for <oauth@ietf.org>; Mon, 24 Oct 2016 08:29:20 -0700 (PDT)
Received: by mail-lf0-x234.google.com with SMTP id x79so207006076lff.0 for <oauth@ietf.org>; Mon, 24 Oct 2016 08:29:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=p3ocmvuIdxsBcQN+vHYjtPNAVt0USRMsHTGauO1hUfM=; b=dKm6nr9Lu1RvSmxFpUi+8XUZEEgB3+dC/7l52FzwncUUA8TMNzJa2Is4RgCP1kHCv/ zh4dB5l65NvCyzsqxHI9LqwrPWhj/YL160zx+GqBIvM3IV6v0s3I0msPeerWMXhN+tW/ 5u8C7QruSAFSUw+jkpT5wFAaCrHfZgiZ7bZnIwORMFdv4Hr+GgaW56CVeft7vN3NBAvv UFNlnljBF4cONqpAdgDfpemjPFaIcybLezi5EUmOqBg6H0RUwh42pEdfdH3OyDmxl/N+ dD/1/WIVJRJ7YiPeZIKTmecXT2hW6RVFPhXW3S49QtvBT30bXs05cFFYFZwtGpZwDbnI h+4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=p3ocmvuIdxsBcQN+vHYjtPNAVt0USRMsHTGauO1hUfM=; b=ejFEScOnJS058i9TqiiUUciII6fNLLSPDKkq8bw1/EtHfNrkod7hS8VN6pRUY1yEgf 2tDFXEc0VOF7lY9Tu5pIM99SqcaLJJRXPQz7s7+nUgTDxqKH1fcM3JqR0IFVwNaF5gc5 NrcfYKq86O6191JgHetCoKfqVjbOtEHdg8pp0QEnYn/AvwXtDmFWSxzxIb/CKFo5bbLu EiFMXTKH0DCdwj4JSDwj0zND3WftFPBd35Lg5OWm/Llh4XzbKjrqNTTakLKpDSBkLemd 3frgWsme06tyNAGgIgn/QDdMDwPS7omplelgTxRVzYn/NBzlIliz/wd+fqVYl6txualt MmfA==
X-Gm-Message-State: ABUngvce23Bn08y8YFZDmaV8YDk5rWJxwZ6Y2t1I9hkPCT/qsS6HqsUdcq7BnEImhvZmRrxYsBl0D+tnWNP5eA==
X-Received: by 10.194.17.197 with SMTP id q5mr12463309wjd.115.1477322959021; Mon, 24 Oct 2016 08:29:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Mon, 24 Oct 2016 08:29:18 -0700 (PDT)
In-Reply-To: <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 24 Oct 2016 17:29:18 +0200
Message-ID: <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary=047d7b6dc5d03103f6053f9e0e48
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rCpsSZxf5IbUD9THII-s45rMOvI>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 15:29:24 -0000


+1 on doing PoP work in this working group, including HTTP signing/MACing,
I don't think the old HTTP signature document was that far from useful.

With the ACE work I like when it is possible to just map work done in the
OAuth and other working groups to the more optimized protocols. Some would
maybe say that it is sub-optimal that the protocol was not initially
designed for the constrained environment but I think the benefit of concept
validation from web is a bigger plus.

//Samuel

On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote:

> I believe that the PoP work should stay in the working group, and that
> without a usable presentation mechanism such as an HTTP message signature
> the whole work is pointless. I agree with Mike that we should learn from
> our own mistakes — and that is precisely the direction that the current
> HTTP signing draft took. As a result, the base level of functionality is
> signing the token itself (with a timestamp/nonce) using the key. All of the
> fiddly HTTP bits that trip people up? Not only are they optional, but it's
> explicitly declared what's covered. Why? Because we're learning from past
> mistakes.
>
> I think that token binding is relying on a lot of “ifs” that aren't real
> yet, and if those “ifs” become reality then it will be to the benefit of
> large internet companies over everyone else. Additionally, token binding in
> OAuth is far from the simple solution that it's being sold as. The very
> nature of an access token goes against the original purpose of tying an
> artifact to a single presentation channel. OAuth clients in the real world
> need to be able to deal with multiple resource servers and dynamically
> deployed APIs, and the token binding protocol fundamentally assumes a world
> where two machines are talking directly to each other.
>
> All that said, this working group has consistently shown resistance to
> solving this problem for many years, so the results of this query don't at
> all surprise me.
>
>  — Justin
>
> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
> >
> > Hi all,
> >
> > two questions surfaced at the last IETF meeting, namely
> >
> > 1) Do we want to proceed with the symmetric implementation of PoP or,
> > alternatively, do we want to move it over to the ACE working group?
> >
> > 2) Do we want to continue the work on HTTP signing?
> >
> > We would appreciate your input on these two questions.
> >
> > Ciao
> > Hannes & Derek
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
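Justin's description of the base level of the HTTP signing draft (sign the token itself with a timestamp/nonce using the key, with the HTTP parts optional and explicitly declared), as an added example that is not the draft's or the working group's code: an HS256 JWS over the access token, a timestamp and a nonce, optionally covering a SHA-256 hash of the request body, and a resource-server verifier that checks the signature before trusting any claim, bounds clock skew, and rejects replayed nonces. The claim names at, ts and b follow draft-ietf-oauth-signed-http-request; the nonce claim, the replay cache and the token-to-key lookup are assumptions of this example, and the key and token values in the usage are constructed.

```python
"""Proof of possession by signing the access token (plus timestamp and
nonce) with the key bound to it, optionally also covering the body.

Added illustration, not the working group's draft code. Claim names
"at", "ts" and "b" follow draft-ietf-oauth-signed-http-request; the
"nonce" claim, the replay cache and the token->key map are assumptions.
The signature is a JWS compact serialization using HS256 (HMAC-SHA256).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_pop_jws(key: bytes, access_token: str, body: bytes = None,
                 now: float = None, nonce: str = None) -> str:
    """Client side: sign the token, a timestamp and a nonce; cover the body
    only if one is given, and then say so by including the "b" claim."""
    claims = {
        "at": access_token,
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce or b64url(secrets.token_bytes(16)),
    }
    if body is not None:
        claims["b"] = b64url(hashlib.sha256(body).digest())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class PopVerifier:
    """Resource-server side. keys_by_token maps an access token to the key
    bound to it (how the RS learns that mapping is out of scope here)."""

    def __init__(self, keys_by_token: dict, max_skew: int = 60):
        self.keys = keys_by_token
        self.max_skew = max_skew
        self.seen = set()  # (token, nonce) pairs already accepted

    def verify(self, jws: str, body: bytes = None, now: float = None):
        now = now if now is not None else time.time()
        try:
            h, p, s = jws.split(".")
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(p))
            signature = b64url_decode(s)
        except ValueError:  # covers bad base64 and bad JSON too
            return False, "malformed"
        if header.get("alg") != "HS256":
            return False, "unsupported alg"  # never let the header pick the algorithm
        key = self.keys.get(claims.get("at"))
        if key is None:
            return False, "unknown token"
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # Only now are the claims trustworthy enough to act on.
        if abs(now - claims.get("ts", 0)) > self.max_skew:
            return False, "stale timestamp"
        if "b" in claims:
            if body is None or claims["b"] != b64url(hashlib.sha256(body).digest()):
                return False, "body mismatch"
        replay_key = (claims["at"], claims.get("nonce"))
        if replay_key in self.seen:
            return False, "replay"
        self.seen.add(replay_key)
        return True, "ok"


if __name__ == "__main__":
    # Constructed values: a 32-byte key bound to a made-up access token.
    key, token = b"\x01" * 32, "tok-constructed"
    verifier = PopVerifier({token: key})
    jws = make_pop_jws(key, token, body=b'{"a":1}', now=1000, nonce="n1")
    print(verifier.verify(jws, body=b'{"a":1}', now=1010))
    print(verifier.verify(jws, body=b'{"a":1}', now=1010))  # second use: replay
```

The verifier checks the HMAC before reading the timestamp, body hash or nonce, so a forged request cannot even reach the replay cache; a request that omits the "b" claim is accepted without a body check, which is the "optional but explicitly declared" property Justin describes.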



From nobody Mon Oct 24 08:39:22 2016
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEAD7129895 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level: 
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPSDdWEQXpdg for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:39:17 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81E2B1298BA for <oauth@ietf.org>; Mon, 24 Oct 2016 08:39:16 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u9OFdDVD021205 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2016 15:39:14 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id u9OFdDmM001313 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2016 15:39:13 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u9OFdB9b024030; Mon, 24 Oct 2016 15:39:12 GMT
Received: from [25.58.75.121] (/24.114.102.146) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 24 Oct 2016 08:39:11 -0700
Content-Type: multipart/alternative; boundary=Apple-Mail-6537044A-84A2-4FF1-A6FF-B1A1E946DFDC
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14A456)
In-Reply-To: <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
Date: Mon, 24 Oct 2016 08:38:48 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MMJACE0DVHUSSSCSmMk5w_exjhU>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 15:39:20 -0000


Maybe if we reworked the signing doc so content types like xml and json could be signed?

This would cover for the majority of web api cases.

Wonder what the advice of the http wg would be on this.

Phil

> On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
> 
> +1 on doing PoP work in this working group, including HTTP signing/MACing, I don't think the old HTTP signature document was that far from useful.
> 
> With the ACE work I like when it is possible to just map work done in the OAuth and other working groups to the more optimized protocols. Some would maybe say that it is sub-optimal that the protocol was not initially designed for the constrained environment but I think the benefit of concept validation from web is a bigger plus.
> 
> //Samuel
> 
>> On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote:
>> I believe that the PoP work should stay in the working group, and that without a usable presentation mechanism such as an HTTP message signature the whole work is pointless. I agree with Mike that we should learn from our own mistakes — and that is precisely the direction that the current HTTP signing draft took. As a result, the base level of functionality is signing the token itself (with a timestamp/nonce) using the key. All of the fiddly HTTP bits that trip people up? Not only are they optional, but it's explicitly declared what's covered. Why? Because we're learning from past mistakes.
>> 
>> I think that token binding is relying on a lot of “ifs” that aren't real yet, and if those “ifs” become reality then it will be to the benefit of large internet companies over everyone else. Additionally, token binding in OAuth is far from the simple solution that it's being sold as. The very nature of an access token goes against the original purpose of tying an artifact to a single presentation channel. OAuth clients in the real world need to be able to deal with multiple resource servers and dynamically deployed APIs, and the token binding protocol fundamentally assumes a world where two machines are talking directly to each other.
>> 
>> All that said, this working group has consistently shown resistance to solving this problem for many years, so the results of this query don't at all surprise me.
>> 
>>  — Justin
>> 
>> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> >
>> > Hi all,
>> >
>> > two questions surfaced at the last IETF meeting, namely
>> >
>> > 1) Do we want to proceed with the symmetric implementation of PoP or,
>> > alternatively, do we want to move it over to the ACE working group?
>> >
>> > 2) Do we want to continue the work on HTTP signing?
>> >
>> > We would appreciate your input on these two questions.
>> >
>> > Ciao
>> > Hannes & Derek
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>=20
>>=20
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>=20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-6537044A-84A2-4FF1-A6FF-B1A1E946DFDC--


From nobody Mon Oct 24 13:06:39 2016
Content-Type: multipart/alternative; boundary="Apple-Mail=_52727EAE-3CA1-4396-AB2F-BDD9E2C81581"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com>
Date: Mon, 24 Oct 2016 13:06:28 -0700
Message-Id: <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com> <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i_fadH5AQVFYccAnvp8dY3bo9sc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-List-Received-Date: Mon, 24 Oct 2016 20:06:37 -0000

--Apple-Mail=_52727EAE-3CA1-4396-AB2F-BDD9E2C81581
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

You can already sign arbitrary content using a body hash with the current spec.

 — Justin

> On Oct 24, 2016, at 8:38 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
> 
> Maybe if we reworked the signing doc so content types like xml and json could be signed?
> 
> This would cover for the majority of web api cases.
> 
> Wonder what the advice of the http wg would be on this.
> 
> Phil
> 


--Apple-Mail=_52727EAE-3CA1-4396-AB2F-BDD9E2C81581--
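
Justin's description of the current draft (base level: sign the token itself with a timestamp; each HTTP component covered only when explicitly declared; arbitrary content covered through a body hash) as a runnable illustration. This is an added example, not code from the draft, the thread or its authors; the claim names at, ts, m, u, p and b follow the OAuth signed HTTP request draft as I recall them (an assumption), and the key, token, request and timestamp are constructed. HS256 (a symmetric key) keeps it stdlib-only.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example; not from the draft or the thread.
SHARED_KEY = b"constructed-shared-secret-for-demo-only"
ACCESS_TOKEN = "constructed.access.token"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def body_hash(body: bytes) -> str:
    """The 'b' claim: SHA-256 over the body as opaque bytes, so JSON, XML or any
    other content type is covered without a content-specific canonicalisation."""
    return b64url(hashlib.sha256(body).digest())


def make_pop_jws(key, access_token, ts, method=None, host=None, path=None, body=None):
    """Client side: sign the token plus a timestamp (the base level) and only the
    HTTP components explicitly passed in. The claims themselves record what is
    covered, so the verifier never has to guess."""
    claims = {"at": access_token, "ts": ts}
    if method is not None:
        claims["m"] = method.upper()
    if host is not None:
        claims["u"] = host
    if path is not None:
        claims["p"] = path
    if body is not None:
        claims["b"] = body_hash(body)
    signing_input = compact_json({"alg": "HS256"}) + "." + compact_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_pop_jws(key, jws, request, now, max_skew=60):
    """Resource server side. `request` is what was actually received: a dict with
    method, host, path and body (bytes). Returns (ok, reason, claims)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed JWS", None
    h64, c64, s64 = parts
    # Check the signature before trusting anything inside the claims.
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return False, "bad signature", None
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        return False, "unexpected alg", None
    claims = json.loads(b64url_decode(c64))
    if "at" not in claims or not isinstance(claims.get("ts"), int):
        return False, "missing at/ts", None
    if abs(now - claims["ts"]) > max_skew:
        return False, "timestamp outside window", None
    # Compare only the components the signer declared; undeclared ones are
    # simply not protected, which is the trade-off the optional bits imply.
    covered = {
        "m": ("method", str.upper),
        "u": ("host", lambda v: v),
        "p": ("path", lambda v: v),
        "b": ("body", body_hash),
    }
    for claim, (field, normalise) in covered.items():
        if claim in claims and claims[claim] != normalise(request[field]):
            return False, f"covered component mismatch: {claim}", None
    return True, "ok", claims


def demo():
    """Run the cases the thread argues about and return the verifier's reasons."""
    ts = 1477324800  # constructed timestamp (seconds since the epoch)
    body = b'{"order": 42, "amount": "10.00"}'
    req = {"method": "POST", "host": "api.example.com", "path": "/orders", "body": body}
    tampered = dict(req, body=b'{"order": 42, "amount": "9999.00"}')
    full = make_pop_jws(SHARED_KEY, ACCESS_TOKEN, ts, "POST", "api.example.com", "/orders", body)
    base = make_pop_jws(SHARED_KEY, ACCESS_TOKEN, ts)  # token + timestamp only
    return {
        "full_ok": verify_pop_jws(SHARED_KEY, full, req, now=ts + 5)[1],
        "full_tampered_body": verify_pop_jws(SHARED_KEY, full, tampered, now=ts + 5)[1],
        "full_replayed_later": verify_pop_jws(SHARED_KEY, full, req, now=ts + 600)[1],
        "base_ignores_body": verify_pop_jws(SHARED_KEY, base, tampered, now=ts + 5)[1],
        "wrong_key": verify_pop_jws(b"some-other-key", full, req, now=ts + 5)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

The `base_ignores_body` case is the point of the design Justin describes: a presentation that declares only the token and timestamp still verifies against a request whose body was changed, because nothing else was declared as covered.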


From nobody Mon Oct 24 13:27:26 2016
Content-Type: multipart/alternative; boundary="Apple-Mail=_926DB3F1-5562-415E-B542-6EC680D893CD"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu>
Date: Mon, 24 Oct 2016 13:27:11 -0700
Message-Id: <F441C93D-64F4-4D48-8E67-0A6E940C9A21@oracle.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com> <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com> <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jw6lM9AwyYECKAKkIVMI1sOyl9s>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-List-Received-Date: Mon, 24 Oct 2016 20:27:24 -0000

--Apple-Mail=_926DB3F1-5562-415E-B542-6EC680D893CD
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Rather than focus on headers and URL param signing, focus on specifying how content is signed in the context of PoP.

I think there might be a clearer path for example if we knew that signing for application/json and application/xml worked well.

As we've been discussing, signing headers and URL params is theoretically do-able, but it probably has more limited use and would remain experimental.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>
phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>

> On Oct 24, 2016, at 1:06 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> You can already sign arbitrary content using a body hash with the current spec.
> 
>  — Justin

--Apple-Mail=_926DB3F1-5562-415E-B542-6EC680D893CD--


From nobody Mon Oct 24 14:58:29 2016
Return-Path: <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A972F2B0-30A4-4C4B-ADAC-83BCEAFCD372"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <F441C93D-64F4-4D48-8E67-0A6E940C9A21@oracle.com>
Date: Mon, 24 Oct 2016 14:58:16 -0700
Message-Id: <96CE138B-D02A-491F-BEF4-7800201C3CA2@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com> <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com> <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu> <F441C93D-64F4-4D48-8E67-0A6E940C9A21@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/H2eTMI7UvEC92VLW6bR0zUFWIDQ>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work

--Apple-Mail=_A972F2B0-30A4-4C4B-ADAC-83BCEAFCD372
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

The reason that there’s a lot of discussion on headers and query
parameters and not a lot of discussion on the content is that there’s
nothing special for signing the body whether it’s XML or JSON or HTML:
it’s just a hash of the entity body, sent as the “b” parameter in the
JWS. The body is less likely to be transformed than the headers or
parameters, and getting into “how to sign XML” or “how to sign JSON”
beyond “just take the body as a byte array and hash it” is problematic.
I don’t think we want to get into the business of normalization or
canonicalization of the message body.

Keep in mind that this is all for the HTTP *request* from the client and
not the HTTP *response* from the RS.

 — Justin

> On Oct 24, 2016, at 1:27 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> Rather than focus on headers and URL param signing, focus on specifying
> how content is signed in the context of PoP.
> 
> I think there might be a clearer path for example if we knew that
> signing for application/json and application/xml worked well.
> 
> As we’ve been discussing signing headers and URL params is
> theoretically do-able, but it probably has more limited use and would
> remain experimental.
> 
> Phil
> 
> @independentid
> www.independentid.com <http://www.independentid.com/>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
>> On Oct 24, 2016, at 1:06 PM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>> 
>> You can already sign arbitrary content using a body hash with the
>> current spec.
>> 
>>  — Justin
>> 
>>> On Oct 24, 2016, at 8:38 AM, Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>> Maybe if we reworked the signing doc so content types like xml and
>>> json could be signed?
>>> 
>>> This would cover for the majority of web api cases.
>>> 
>>> Wonder what the advice of the http wg would be on this.
>>> 
>>> Phil
>>> 
>>> On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <samuel@erdtman.se <mailto:samuel@erdtman.se>> wrote:
>>> 
>>>> +1 on doing PoP work in this working group, including HTTP
>>>> signing/MACing, I don’t think the old HTTP signature document was
>>>> that far from useful.
>>>> 
>>>> With the ACE work I like when it is possible to just map work done
>>>> in the OAuth and other working groups to the more optimized protocols.
>>>> Some would maybe say that it is sub-optimal that the protocol was not
>>>> initially designed for the constrained environment but I think the
>>>> benefit of concept validation from web is a bigger plus.
>>>> 
>>>> //Samuel
>>>> 
>>>> On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>>> I believe that the PoP work should stay in the working group, and
>>>> that without a usable presentation mechanism such as an HTTP message
>>>> signature the whole work is pointless. I agree with Mike that we should
>>>> learn from our own mistakes — and that is precisely the direction
>>>> that the current HTTP signing draft took. As a result, the base level
>>>> of functionality is signing the token itself (with a timestamp/nonce)
>>>> using the key. All of the fiddly HTTP bits that trip people up? Not
>>>> only are they optional, but it’s explicitly declared what’s covered.
>>>> Why? Because we’re learning from past mistakes.
>>>> 
>>>> I think that token binding is relying on a lot of “ifs” that aren’t
>>>> real yet, and if those “ifs” become reality then it will be to the
>>>> benefit of large internet companies over everyone else. Additionally,
>>>> token binding in OAuth is far from the simple solution that it’s being
>>>> sold as. The very nature of an access token goes against the original
>>>> purpose of tying an artifact to a single presentation channel. OAuth
>>>> clients in the real world need to be able to deal with multiple
>>>> resource servers and dynamically deployed APIs, and the token binding
>>>> protocol fundamentally assumes a world where two machines are talking
>>>> directly to each other.
>>>> 
>>>> All that said, this working group has consistently shown resistance
>>>> to solving this problem for many years, so the results of this query
>>>> don’t at all surprise me.
>>>> 
>>>>  — Justin
>>>> 
>>>> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>> >
>>>> > Hi all,
>>>> >
>>>> > two questions surfaced at the last IETF meeting, namely
>>>> >
>>>> > 1) Do we want to proceed with the symmetric implementation of PoP or,
>>>> > alternatively, do we want to move it over to the ACE working group?
>>>> >
>>>> > 2) Do we want to continue the work on HTTP signing?
>>>> >
>>>> > We would appreciate your input on these two questions.
>>>> >
>>>> > Ciao
>>>> > Hannes & Derek
>>>> >
>>>> > _______________________________________________
>>>> > OAuth mailing list
>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>
>



--Apple-Mail=_A972F2B0-30A4-4C4B-ADAC-83BCEAFCD372--
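The “b” body-hash mechanism described in Justin’s reply, as an added example that is not code from the thread or from the draft: the client hashes the raw entity-body bytes into the JWS payload alongside the token and the covered request parts, and the RS recomputes that hash over the bytes it actually received, so a re-serialized JSON body (same data, different whitespace) is rejected precisely because nothing is canonicalized. Assumed here: HS256 over a constructed shared key, SHA-256 for the body hash, and the claim names "at", "ts", "m", "u" and "p" taken from draft-ietf-oauth-signed-http-request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared key between client and RS (symmetric PoP); not a real secret.
SHARED_KEY = b"constructed-shared-key-for-example"


def b64url(data: bytes) -> str:
    """JWS-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def body_hash(body: bytes) -> str:
    """The "b" member: a hash of the entity body taken as a byte array, nothing more.
    Assumption: SHA-256, matching the HS256 JWS used below."""
    return b64url(hashlib.sha256(body).digest())


def sign_request(key: bytes, access_token: str, method: str, host: str,
                 path: str, body: Optional[bytes], ts: Optional[int] = None) -> str:
    """Client side: build and HMAC-sign the PoP JWS for one HTTP *request*.
    Claim names "at", "ts", "m", "u", "p", "b" are assumed from the draft."""
    payload = {
        "at": access_token,
        "ts": ts if ts is not None else int(time.time()),
        "m": method,
        "u": host,
        "p": path,
    }
    if body is not None:
        payload["b"] = body_hash(body)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    claims = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{claims}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"


def verify_request(key: bytes, jws: str, method: str, host: str, path: str,
                   body: Optional[bytes], now: Optional[float] = None,
                   max_skew: int = 300) -> Tuple[bool, str]:
    """RS side: verify the signature first, then compare every covered part of
    the request as actually received. Returns (ok, access_token_or_reason)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed JWS"
    header_b64, claims_b64, sig_b64 = parts
    try:
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed JWS"
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(b64url_decode(claims_b64))
    ts = claims.get("ts")
    current = now if now is not None else time.time()
    if not isinstance(ts, (int, float)) or abs(current - ts) > max_skew:
        return False, "stale timestamp"
    if (claims.get("m"), claims.get("u"), claims.get("p")) != (method, host, path):
        return False, "covered request parts differ"
    if "b" in claims:
        # Recompute over the bytes actually received: any transformation of the
        # body in transit (re-serialization, re-indentation) fails right here.
        received = body_hash(body if body is not None else b"").encode("ascii")
        if not hmac.compare_digest(str(claims["b"]).encode("utf-8"), received):
            return False, "body hash mismatch"
    elif body:
        # Local RS policy (not a draft requirement): a body that the signature
        # did not cover is not treated as authenticated.
        return False, "body not covered by signature"
    return True, str(claims.get("at"))


if __name__ == "__main__":
    # Constructed request: a JSON body, signed as raw bytes.
    body = b'{"amount":100,"to":"acct-42"}'
    jws = sign_request(SHARED_KEY, "constructed-access-token", "POST",
                       "rs.example.com", "/transfer", body)
    print(verify_request(SHARED_KEY, jws, "POST", "rs.example.com", "/transfer", body))
    # Same JSON data re-serialized with spaces: different bytes, so rejected.
    print(verify_request(SHARED_KEY, jws, "POST", "rs.example.com", "/transfer",
                         b'{"amount": 100, "to": "acct-42"}'))
```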


From nobody Mon Oct 24 21:12:14 2016
Return-Path: <teazzerst2d@gmail.com>
MIME-Version: 1.0
In-Reply-To: <96CE138B-D02A-491F-BEF4-7800201C3CA2@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com> <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com> <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu> <F441C93D-64F4-4D48-8E67-0A6E940C9A21@oracle.com> <96CE138B-D02A-491F-BEF4-7800201C3CA2@mit.edu>
From: Blue Teazzers <teazzerst2d@gmail.com>
Date: Tue, 25 Oct 2016 09:42:09 +0530
Message-ID: <CAHuRu6rF7Pibbe3S68mdgqcQSFuuqvg8Q0SkyS9mn9W1pmpx4w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AczB4SgwYOn5ZqjFxkf068i3rXs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work

Hi everyone

On Tue, Oct 25, 2016 at 3:28 AM, Justin Richer <jricher@mit.edu> wrote:

> The reason that there's a lot of discussion on headers and query
> parameters and not a lot of discussion on the content is that there's
> nothing special for signing the body whether it's XML or JSON or HTML: it's
> just a hash of the entity body, sent as the "b" parameter in the JWS. The
> body is less likely to be transformed than the headers or parameters, and
> getting into "how to sign XML" or "how to sign JSON" beyond "just take the
> body as a byte array and hash it" is problematic. I don't think we want to
> get into the business of normalization or canonicalization of the message
> body.
>
> Keep in mind that this is all for the HTTP *request* from the client and
> not the HTTP *response* from the RS.
>
>  — Justin
>
> On Oct 24, 2016, at 1:27 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Rather than focus on headers and URL param signing, focus on specifying
> how content is signed in the context of PoP.
>
> I think there might be a clearer path for example if we knew that signing
> for application/json and application/xml worked well.
>
> As we've been discussing, signing headers and URL params is theoretically
> do-able, but it probably has more limited use and would remain experimental.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Oct 24, 2016, at 1:06 PM, Justin Richer <jricher@mit.edu> wrote:
>
> You can already sign arbitrary content using a body hash with the current
> spec.
>
>  — Justin
>
> On Oct 24, 2016, at 8:38 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>
> Maybe if we reworked the signing doc so content types like xml and json
> could be signed?
>
> This would cover for the majority of web api cases.
>
> Wonder what the advice of the http wg would be on this.
>
> Phil
>
> On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
>
> +1 on doing PoP work in this working group, including HTTP signing/MACing,
> I don't think the old HTTP signature document was that far from useful.
>
> With the ACE work I like when it is possible to just map work done in the
> OAuth and other working groups to the more optimized protocols. Some would
> maybe say that it is sub-optimal that the protocol was not initially
> designed for the constrained environment but I think the benefit of concept
> validation from web is a bigger plus.
>
> //Samuel
>
> On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote:
>
>> I believe that the PoP work should stay in the working group, and that
>> without a usable presentation mechanism such as an HTTP message signature
>> the whole work is pointless. I agree with Mike that we should learn from
>> our own mistakes — and that is precisely the direction that the current
>> HTTP signing draft took. As a result, the base level of functionality is
>> signing the token itself (with a timestamp/nonce) using the key. All of the
>> fiddly HTTP bits that trip people up? Not only are they optional, but it's
>> explicitly declared what's covered. Why? Because we're learning from past
>> mistakes.
>>
>> I think that token binding is relying on a lot of "ifs" that aren't real
>> yet, and if those "ifs" become reality then it will be to the benefit of
>> large internet companies over everyone else. Additionally, token binding in
>> OAuth is far from the simple solution that it's being sold as. The very
>> nature of an access token goes against the original purpose of tying an
>> artifact to a single presentation channel. OAuth clients in the real world
>> need to be able to deal with multiple resource servers and dynamically
>> deployed APIs, and the token binding protocol fundamentally assumes a world
>> where two machines are talking directly to each other.
>>
>> All that said, this working group has consistently shown resistance to
>> solving this problem for many years, so the results of this query don't at
>> all surprise me.
>>
>>  — Justin
>>
>> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> >
>> > Hi all,
>> >
>> > two questions surfaced at the last IETF meeting, namely
>> >
>> > 1) Do we want to proceed with the symmetric implementation of PoP or,
>> > alternatively, do we want to move it over to the ACE working group?
>> >
>> > 2) Do we want to continue the work on HTTP signing?
>> >
>> > We would appreciate your input on these two questions.
>> >
>> > Ciao
>> > Hannes & Derek


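The body-hash mechanism Justin describes above ("just a hash of the entity body, sent as the 'b' parameter in the JWS") together with the base functionality he mentions (the token signed with a timestamp using the PoP key), shown as an added worked example. This is illustration code written for this page; it is not code from the thread, from the HTTP signing draft, or from any implementation. Assumptions made here: the PoP key is symmetric and the JWS alg is HS256, so the body hash is SHA-256; the draft's query-parameter ("q") and header ("h") coverage is left out; the claim names at, ts, m, u, p and b follow draft-ietf-oauth-signed-http-request; the key, token and request bytes are constructed.

```python
"""
Added example (not from the thread or any IETF draft): a client hashes the raw
request body into the "b" claim of a JWS and MACs the whole claim set with its
PoP key; the resource server verifies the MAC, then recomputes the body hash
over the bytes it actually received. Key, token and request are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def body_hash(body: bytes) -> str:
    """The "b" value: hash the entity body as a byte array, no canonicalization.
    SHA-256 is assumed here because the JWS alg below is HS256."""
    return b64url(hashlib.sha256(body).digest())


def sign_request(key, access_token, method, host, path, body, ts):
    """Client side: bind token, timestamp, method, host, path and body hash
    together and MAC them with the symmetric PoP key issued with the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"at": access_token, "ts": ts, "m": method, "u": host,
               "p": path, "b": body_hash(body)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_request(key, jws, method, host, path, body, now, max_skew=300):
    """Resource server side. True only if the MAC verifies AND every covered
    element matches the request as actually received; False on any defect."""
    try:
        h64, p64, s64 = jws.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64url, bad JSON/UTF-8
        return False
    # Pin the algorithm: never let the presented message choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    try:
        claims = json.loads(b64url_decode(p64))
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    ts = claims.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > max_skew:
        return False  # missing or stale timestamp: outside the replay window
    if (claims.get("m"), claims.get("u"), claims.get("p")) != (method, host, path):
        return False
    # The MAC only proves what the client *claimed* the body hash was; the RS
    # must hash the bytes it received itself and compare in constant time.
    b = claims.get("b")
    return isinstance(b, str) and hmac.compare_digest(
        b.encode("utf-8"), body_hash(body).encode("ascii"))


def demo():
    """Sign one request; verify it intact, with a swapped body, and replayed late."""
    key = b"pop-key-shared-with-the-AS"      # constructed
    token = "constructed-access-token"       # constructed
    body = b'{"amount": 10, "to": "alice"}'  # constructed
    ts = 1477368730                          # fixed "now" so the run is deterministic
    jws = sign_request(key, token, "POST", "rs.example.com", "/transfer", body, ts)
    intact = verify_request(key, jws, "POST", "rs.example.com", "/transfer", body, ts + 5)
    swapped = verify_request(key, jws, "POST", "rs.example.com", "/transfer",
                             b'{"amount": 10, "to": "mallory"}', ts + 5)
    replayed = verify_request(key, jws, "POST", "rs.example.com", "/transfer", body, ts + 3600)
    return intact, swapped, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The swapped-body case is the one to notice: the JWS itself still verifies, because the attacker did not touch the signed claim set, so a resource server that stops at "signature valid" is fooled. The protection comes only from recomputing the hash over the received bytes. Because there is no canonicalization, any intermediary that re-encodes or re-serializes the body will fail this check rather than pass silently, which is the trade-off Justin's "just take the body as a byte array and hash it" position accepts.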

From nobody Mon Oct 24 22:50:56 2016
Return-Path: <ludwig@sics.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
To: oauth@ietf.org
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <f8d3bee6-3d56-1585-5740-9e7f3bf4e5a5@sics.se>
Date: Tue, 25 Oct 2016 07:50:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_7HMAkOT9cDHoKO1iBSHgh0eo3A>
Subject: Re: [OAUTH-WG] Future of PoP Work

On 2016-10-19 20:45, Hannes Tschofenig wrote:
> Hi all,
>
> two questions surfaced at the last IETF meeting, namely
>
> 1) Do we want to proceed with the symmetric implementation of PoP or,
> alternatively, do we want to move it over to the ACE working group?
>
> 2) Do we want to continue the work on HTTP signing?
>
> We would appreciate your input on these two questions.
>
> Ciao
> Hannes & Derek
>


Hello,

maybe my 2-cents as author of the ACE draft that needs PoP can
contribute something here:

I would also prefer that you guys make the PoP specs and I just make an
ACE profile on top of them. However the ACE work is moving forward and
the PoP work at OAuth seems to be stuck.

I've currently taken what was available from draft-ietf-oauth-pop-* and
moved the relevant text into draft-ietf-ace-oauth-authz (acknowledging
the original authors of course), since it was unclear to me what the
future status of the pop drafts would be.

I'm absolutely willing to remove the text again and reference an OAuth
WG document instead, if I feel it will not significantly delay the
progress of the ACE draft.

Hope this information helps in the decision making.


Regards,

Ludwig



-- 
Ludwig Seitz, PhD   SICS Swedish ICT AB
Ideon Science Park, Building Beta 2
Scheelevägen 17, SE-223 70 Lund
Phone +46(0)70-349 92 51

The RISE institutes SP, Swedish ICT and Innventia are merging in order=20
to create a unified institute sector and become a stronger innovation=20
partner for businesses and society. At the end of the year we will=20
change our name to RISE. Read more at www.ri.se/en/about-rise




From nobody Wed Oct 26 19:43:35 2016
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
To: Brian Campbell <bcampbell@pingidentity.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
Date: Thu, 27 Oct 2016 05:42:57 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/61FCfjkV3gETDJrHjHkvKJFJO9g>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).

On 22/10/16 01:51, Brian Campbell wrote:
> I did consider something like that but stopped short of putting it in the
> -00 document. I'm not convinced that some metadata around it would really
> contribute to interop one way or the other. I also wanted to get the basic
> concept written down before going too far into the weeds. But I'd be open
> to adding something along those lines in future revisions, if there's some
> consensus that it'd be useful.
>
> On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>> Superb, I welcome that!
>>
>> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
>> client-auth-00#section-5.2 :
>>
>> My concern is that the choice of how to bind the client identity is left
>> to implementers, and that may eventually become an interop problem.
>> Have you considered some kind of an open ended enumeration of the possible
>> binding methods, and giving them some identifiers or names, so that AS /
>> OPs can advertise them in their metadata, and clients register accordingly?
>>
>> For example:
>>
>> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
>> "subject_public_key_info_match" ]
>>
>>
>> Cheers,
>>
>> Vladimir
>>
>> On 10/10/16 23:59, John Bradley wrote:
>>
>> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
>> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>>
>> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>>
>> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>>
>> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
>>
>> I hope that this is non controversial and the WG can adopt it quickly.
>>
>> Regards
>> John B.
>>
>>
>>
>>
>>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>> To: "Brian Campbell" <brian.d.campbell@gmail.com> <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <ve7jtb@ve7jtb.com>
>>
>>
>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>> has been successfully submitted by John Bradley and posted to the
>> IETF repository.
>>
>> Name:		draft-campbell-oauth-tls-client-auth
>> Revision:	00
>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>> Document date:	2016-10-10
>> Group:		Individual Submission
>> Pages:		5
>> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>
>>
>> Abstract:
>>   This document describes X.509 certificates as OAuth client
>>   credentials using Transport Layer Security (TLS) mutual
>>   authentication as a mechanism for client authentication to the
>>   authorization server's token endpoint.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>



--------------ms080506020103030800010909
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms080506020103030800010909--


From nobody Wed Oct 26 23:00:48 2016
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3915E129958 for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 23:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M5YGvoJgfBaa for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C991293EC for <oauth@ietf.org>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id e69so11317670wmg.0 for <oauth@ietf.org>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q94kpotfGR7TOMJ8edginDAFOSz6PmRHKlSKfnSaPNU=; b=si08VuX2XVWXgX+cJU43WIEyAlvCIZux2pFP6s6K4qDsXCtjj853ZKfZymzVF17OxF boZhFgLREk7N3hsyeoCfNmHX8gWGR+SiDIexpJ3Y8kySO6P4G48yRdnUzAMfICo7Nsrk gc6uz5QwbZ7FUmWmaOkx4ACnPa5QnK4EfdzjfOCU7/VYpqJnh5IKKNeHqD3eWbFfhCEp U8QjmlDzuudM7idG9HTcHgU/1Mv1xHUt0N/bwVUOXPoPcNl73dJrxt+qbwqyf3wY86c+ hRQdBYehE2yuVhNUK4eLosNLvUjyfkALOcv9dK7e69bQ/776YFNjK0wVVW1YkN2783hy 9jLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q94kpotfGR7TOMJ8edginDAFOSz6PmRHKlSKfnSaPNU=; b=OTWV0Pc/9Tw3q5BbzHYMrN5+77my2vZwLp/xHiXrfUUpgFXkC+iytwlvy2bqAG9ZSZ 4cFtdXRs+LuCX4agv1jaCi+paI5nIg+Ppx8x3wQLrxBzQOplNxFjNoUOae1L2Tf5wQBP mht3RCkIUxBgSvqTnamingePKDSFeUk7hJrJw9euKUWJxeGyGxFx8cYgWkFhsaS5FT5C PMt0se8jQpzU6rcvNIE0kSSeRAAqfEiWisYB7+wZbw7Y1+UwaRNaR88rl3pFZgbfKdy9 wvafO1biuepo3yvg383TqAgagb66yo6gDNP5sSFVCPMOPjQrXI/PjQ4kN5h3sE1Rn8ob 0MwQ==
X-Gm-Message-State: ABUngvcJxKtG0Z3v6K3XjLMr0LI/f7Hl6JHj8L3PmwvtMbckOlkujENwR+WD4s10zp04n9TUx+ADfJjxVm/96g==
X-Received: by 10.28.2.68 with SMTP id 65mr5642885wmc.5.1477548039645; Wed, 26 Oct 2016 23:00:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Wed, 26 Oct 2016 23:00:38 -0700 (PDT)
In-Reply-To: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 27 Oct 2016 08:00:38 +0200
Message-ID: <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a113c80200ac105053fd276c3
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bLmDyFA3vG8T_mG1u4pfzesh1jA>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 06:00:45 -0000

--001a113c80200ac105053fd276c3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I think it is awesome that this document has been written since this is one
of the solutions that exists in the wild.

However, I think that the connection between the client (client_id) and the
certificate could be more clearly specified; at the moment it is exemplified
under security considerations. I think there should be text saying that
there MUST be a binding, and it should provide the default solution, e.g.
client_id as subject common name.

Further, I would prefer if it was not a MUST to include the client_id in the
HTTP request, since I think there MUST exist a client binding in the
certificate. I think there is no need to have it explicitly in the HTTP
request. This might not be a problem for Classic OAuth, but when adopted for
the ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
we would like to lessen the duplicated information as much as possible.

//Samuel


On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> I see. Do you reckon the AS could simply probe the likely cert places
> for containing the client_id? My reasoning is that there aren't that
> many places where you could stick the client_id (let me know if I'm
> wrong). If the AS is in doubt it will respond with invalid_client. I'm
> starting to think this can work quite well. No extra meta param will be
> needed (of which we have enough already).
>
> On 22/10/16 01:51, Brian Campbell wrote:
> > I did consider something like that but stopped short of putting it in the
> > -00 document. I'm not convinced that some metadata around it would really
> > contribute to interop one way or the other. I also wanted to get the basic
> > concept written down before going too far into the weeds. But I'd be open
> > to adding something along those lines in future revisions, if there's some
> > consensus that it'd be useful.
> >
> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
> > wrote:
> >> Superb, I welcome that!
> >>
> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
> >> client-auth-00#section-5.2 :
> >>
> >> My concern is that the choice of how to bind the client identity is left
> >> to implementers, and that may eventually become an interop problem.
> >> Have you considered some kind of an open ended enumeration of the possible
> >> binding methods, and giving them some identifiers or names, so that AS /
> >> OPs can advertise them in their metadata, and clients register accordingly?
> >>
> >> For example:
> >>
> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
> >> "subject_public_key_info_match" ]
> >>
> >>
> >> Cheers,
> >>
> >> Vladimir
> >>
> >> On 10/10/16 23:59, John Bradley wrote:
> >>
> >> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
> >> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
> >>
> >> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
> >>
> >> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
> >>
> >> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
> >>
> >> I hope that this is non controversial and the WG can adopt it quickly.
> >>
> >> Regards
> >> John B.
> >>
> >>
> >>
> >>
> >>
> >> Begin forwarded message:
> >>
> >> From: internet-drafts@ietf.org
> >> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <ve7jtb@ve7jtb.com>
> >>
> >>
> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> >> has been successfully submitted by John Bradley and posted to the
> >> IETF repository.
> >>
> >> Name:                draft-campbell-oauth-tls-client-auth
> >> Revision:    00
> >> Title:               Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
> >> Document date:       2016-10-10
> >> Group:               Individual Submission
> >> Pages:               5
> >> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
> >> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
> >> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
> >>
> >>
> >> Abstract:
> >>   This document describes X.509 certificates as OAuth client
> >>   credentials using Transport Layer Security (TLS) mutual
> >>   authentication as a mechanism for client authentication to the
> >>   authorization server's token endpoint.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--001a113c80200ac105053fd276c3--
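
Vladimir's suggestion that the AS simply probe the likely places in the certificate for the client_id and answer invalid_client when nothing matches, and Samuel's preference for client_id-as-subject-common-name as the default binding, both come down to the same server-side check after the TLS handshake. The Go program below is an added example, not code from the draft or from anyone on this thread. It builds a self-signed test certificate in memory (constructed input standing in for one issued by the deployment's CA), then checks the subject CN, the SAN dNSName entries and a registered SubjectPublicKeyInfo thumbprint in a fixed order, reporting which binding matched or that the client is invalid. The RegisteredClient record, the binding names and the probing order are assumptions for illustration; the draft does not define them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// RegisteredClient is the AS-side registration record (an assumed shape; the draft leaves it to deployments).
type RegisteredClient struct {
	ClientID string
	// base64url SHA-256 of the DER SubjectPublicKeyInfo, for a direct
	// public-key lookup; empty when key binding is not used.
	SPKIThumbprint string
}

// Binding names where the client_id was found; the names are illustrative, not from the draft.
type Binding string

const (
	BindCommonName Binding = "subject_common_name"
	BindSAN        Binding = "subject_alt_name"
	BindSPKI       Binding = "subject_public_key_info"
	BindNone       Binding = "invalid_client" // nothing matched: AS answers invalid_client
)

// SPKIThumbprint hashes the raw SubjectPublicKeyInfo so a registered value
// can be compared without re-parsing the key.
func SPKIThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BindClient probes the usual places a client_id can live in an X.509
// certificate (subject CN, SAN dNSName, then the registered key thumbprint)
// and returns the first that matches. It runs after the handshake has
// validated the chain against the AS's CA list: it decides identity, not trust.
func BindClient(cert *x509.Certificate, reg RegisteredClient) Binding {
	if cert == nil || reg.ClientID == "" {
		return BindNone
	}
	if cert.Subject.CommonName == reg.ClientID {
		return BindCommonName
	}
	for _, name := range cert.DNSNames {
		if name == reg.ClientID {
			return BindSAN
		}
	}
	if reg.SPKIThumbprint != "" && SPKIThumbprint(cert) == reg.SPKIThumbprint {
		return BindSPKI
	}
	return BindNone
}

// newTestCert builds a self-signed client certificate in memory: constructed
// test input standing in for one issued by the deployment's CA.
func newTestCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert("client-123", []string{"client-456"})
	if err != nil {
		panic(err)
	}
	for _, reg := range []RegisteredClient{
		{ClientID: "client-123"},                                       // subject CN
		{ClientID: "client-456"},                                       // SAN dNSName
		{ClientID: "client-789", SPKIThumbprint: SPKIThumbprint(cert)}, // key lookup only
		{ClientID: "client-000"},                                       // no binding
	} {
		fmt.Printf("%-12s -> %s\n", reg.ClientID, BindClient(cert, reg))
	}
}
```

The "restricted list of CA" half of the trust model John describes lives in the TLS layer, not in this function: in Go that is a tls.Config with ClientAuth set to tls.RequireAndVerifyClientCert and ClientCAs set to the pool of CAs the AS accepts, so BindClient only ever sees certificates that chain to one of them. That also bounds the weakness of CN and SAN matching: any CA in that pool can issue a certificate carrying a given name, so the pool should be as small as the deployment allows, and the SPKI thumbprint is the binding that does not depend on what the CA put in the name fields. URI SANs (cert.URIs) would be probed the same way as the dNSName loop.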


From nobody Fri Oct 28 08:39:02 2016
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B060012967D for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 08:39:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kd3O5OwajcS6 for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C42129658 for <oauth@ietf.org>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id d65so29419290vkg.0 for <oauth@ietf.org>; Fri, 28 Oct 2016 08:39:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:from:date:message-id:subject:to; bh=qkuBAIYFHfgU1lq5j29yR8V18NSwqL07g51sMg/GavI=; b=EORxB8N6LhT+V93AvrfR8c7c06PhW3Ux7JcZn2HZAmu8WNR7UzhFW23xMgBORMq0Zu W4zZ0/neTb6fl/43ma2fMYC9FSV6+uwv9OElF4o6agPZSec+o/iy70oY9bAhU7SRxPUC DzQk7R/xCpOUJSGlhah27CYzkazoyhVydsSi55Z8aOsnBdwWwFn0lbQSa+t6WNZoeSTj O+AKUpLgOvSYZRWx38HRcH4QqTBxVbWoAcDgE6PQlaLOdFM4gsYg7aGQgnctMvusENKR ATfW6SHVGjf+6kg1Qe9/yK+GYAokRlodE26hFoTP07Ho1akamrY3x9+SuukLbbrZTV2V VPAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=qkuBAIYFHfgU1lq5j29yR8V18NSwqL07g51sMg/GavI=; b=Hw451YNlWhbyimtIBNDZT7IiSm9JKnCpZYp9juvnFJ3r9/3S509xQuWx9IF62RAooL tDgJAlyiOrkKnvLrl4i+OTN0lcadp8gFTbttOIwUaNplbRbMOT75xOCoWhwetrd2QTrE tM5Rm53GyMpo0xXQTzX2eHlFWLyHgXLZMBZIPMcFAS3FoRerMqkLKbcs3aHpNJBz4nUG I3Woko194TauHhgHWmVk5ZbqCMqSeV3dNLZVtgPMDnsFgUsA1nc4CREwrkgc7JHVegxD A+1jcnmaY85XQghnvUTAP03+c7/MOGMKVCgEfcrExuqxolw86wNgWlVrs7CuChm96yeJ yBQg==
X-Gm-Message-State: ABUngveYLSlYiG7/+HTwSJcpXqNtgVmrPTlag1Dl1EJSvfE4HLOHaJFF6pte+qUAbOypxDsOLZcs8RQEI7qapg==
X-Received: by 10.31.151.78 with SMTP id z75mr12904493vkd.41.1477669139010; Fri, 28 Oct 2016 08:38:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Fri, 28 Oct 2016 08:38:58 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 28 Oct 2016 11:38:58 -0400
Message-ID: <CAHbuEH4Vxdda4yUH932GEZjEiLi1KdYU9_1MLoLAn_AZA=41Yw@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a1140e662205b77053feea8a1
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oJZmtbUFzzm0wY8G6MCx1NlP0Mo>
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 15:39:02 -0000

--001a1140e662205b77053feea8a1
Content-Type: text/plain; charset=UTF-8

Hello,

I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to be
a nice addition to help with security.  Thanks for your work on it.

I only have a few comments.

The first is just about some wording that is awkward in the TLS section.

What's there now:

Client implementations supporting the Request Object URI method MUST
   support TLS as recommended in Recommendations for Secure Use of
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) [RFC7525].

How about:

Client implementations supporting the Request Object URI method MUST
   support TLS following Recommendations for Secure Use of
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) [RFC7525].

Not a major change and just editorial, so take it or leave it.

2. In section 10, the introduction sentence leaves me wondering where the
additional attacks against OAuth 2.0 should also have a pointer in this
sentence:

   In addition to the all the security considerations discussed in OAuth
   2.0 [RFC6819], the following security considerations should be taken
   into account.


3. Nit: in first line of 10.4:

Although this specification does not require them, researchs

s/researchs/researchers/

4. I'm sure you'll be asked about the following:

   ISO/IEC 29100
   [ISO29100] is a freely accessible International Standard and its
   Privacy Principles are good to follow.

What about the IETF privacy considerations for protocols, RFC6973, were
they also considered?  I think you are covering what's needed, but no
mention of it and favoring an ISO standard seems odd; using both is fine.

Thank you.
-- 

Best regards,
Kathleen


--001a1140e662205b77053feea8a1--


From nobody Fri Oct 28 11:49:41 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E6FF1295DB; Fri, 28 Oct 2016 11:49:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.36.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147768058025.24887.2363898553292227181.idtracker@ietfa.amsl.com>
Date: Fri, 28 Oct 2016 11:49:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TJYs7Hp5lkvdslWJUZJPaaCThbs>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 18:49:40 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Exchange
        Authors         : Michael B. Jones
                          Anthony Nadalin
                          Brian Campbell
                          John Bradley
                          Chuck Mortimore
        Filename        : draft-ietf-oauth-token-exchange-06.txt
        Pages           : 29
        Date            : 2016-10-28

Abstract:
   This specification defines a protocol for an HTTP- and JSON- based
   Security Token Service (STS) by defining how to request and obtain
   security tokens from OAuth 2.0 authorization servers, including
   security tokens employing impersonation and delegation.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Oct 28 11:59:52 2016
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD7B1293FE for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 11:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhDnJ3JIknrF for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 11:59:48 -0700 (PDT)
Received: from mail-ua0-x229.google.com (mail-ua0-x229.google.com [IPv6:2607:f8b0:400c:c08::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2991204D9 for <oauth@ietf.org>; Fri, 28 Oct 2016 11:50:43 -0700 (PDT)
Received: by mail-ua0-x229.google.com with SMTP id 12so61600799uas.2 for <oauth@ietf.org>; Fri, 28 Oct 2016 11:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:from:date:message-id:subject:to; bh=/i3bPMTWwvONxh7JQLdyDNUqB9GQEhI+MQP34qzRs4A=; b=pbZVSQN1uIO8ypVblamBmzAUCqPY1ZxZVa1B+VWTMEfLLRGxunTaJPAZTXPOE+pdXo NvP6LPn7tTaUZiWgozcI62mKv0f1BHyxglojHpvoyJod00rCgxdhNGGV7C/4IQz6s3r1 fmCC0MFjDZfyuUbWX5Rd3Nf8d7Kp385wb08cQR+EWe+kMN5hOUDbqEXxQzkoJDpHt6fc 2xATHpcj8G4Gsa1mAl2rPK714t/4Kkw9ScBoAuGREYWTzdXrUkaLF6flFiuSUq/4auaN Rs18DG8Fm6WSs29/WP7Ojv66RXoPG+fmCKUIrGMnuhlwGMoqfY/Hm501yRfVHV18AFDK HVYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=/i3bPMTWwvONxh7JQLdyDNUqB9GQEhI+MQP34qzRs4A=; b=dRb2Cl2MHIyWh64Hnwa+rDC+Z+t/QWtI40yalNsLkGy5lNKOP7lIX/ANKQ9Kn1LXBF kbOWmmR1i1+9ED+KivlfWK8hZ4HZ02y8c5zUvJbieyMjLjl3QWIO3Cuz44PgcDKRMNYQ GXPo52lanh1jCBHX836SAbOO4iNkBBNiGOq0TC4pi/tXQlGNfYn9sQzd10wekZoA1KwR OYNU5Ko1bTNdLaXhWcnNPXb5Fhv7oM+Y1wEaf4SSD3rP/0zD6iTZAGnRH8+AM0HcewLw 3P+fHzB4vhmVHMwRBGCYCowA3Y/V1CTUXmkgXwORA8hUha7bppxQ6YL2wf9hIs1RxC2I sknw==
X-Gm-Message-State: ABUngvd3fZxNxPyOTxZeBKoJAQd8ra3sLR22RsRpfDoDEgCTUbU28NuPJvPd3sQFDJsDY10pLVmqhy60Tx0IQA==
X-Received: by 10.176.0.180 with SMTP id 49mr14011559uaj.32.1477680642615; Fri, 28 Oct 2016 11:50:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Fri, 28 Oct 2016 11:50:42 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 28 Oct 2016 14:50:42 -0400
Message-ID: <CAHbuEH7UtRgV42jEr62yjR9zkLvSzRqSwUDT_EDHmuaMSjuYBw@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a113dc416cb6fc4053ff155ef
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TJc50a7hrIuDdpLBAi3xDfPA3VY>
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-amr-values
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 18:59:50 -0000

--001a113dc416cb6fc4053ff155ef
Content-Type: text/plain; charset=UTF-8

Hello,

I reviewed draft-ietf-oauth-amr-values and have a few comments.  First,
thanks for your work on this draft!

Several of the authentication methods mentioned are typically used (or
recommended for use) as a second or third factor.  I see in section 3 that
multiple methods can be contained in the claim.  I'd like to see an example
of single and multiple authentication methods being represented.  Was it a
WG decision to leave out examples?

In the Privacy considerations section, I think it should be made clear that
the actual credentials are not part of this specification to avoid
additional privacy concerns for biometric data.

Section 5, shouldn't a pointer be here to the attacks on OAuth 2.0 as well?


Thank you.
-- 

Best regards,
Kathleen
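
The representation Kathleen asks about, single versus multiple methods in the amr claim, as an added Go example that is not part of the draft or of this thread: it constructs HS256-signed ID tokens whose amr array carries one or several values, verifies them, and applies a relying-party rule that accepts an explicit "mfa" or methods from two different factor classes. The amr value names (pwd, otp, pin, kba, hwk, swk, sc, fpt, face, iris, mfa) are from the draft's registry; the grouping into knowledge/possession/inherence classes, the shared HMAC key and the policy itself are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the part of an ID Token payload a relying party inspects here. The
// "amr" array carries method reference values only; the credentials behind
// them (the password, the OTP code, the fingerprint) never appear in it.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Amr []string `json:"amr,omitempty"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// factorClass groups amr values from the draft's registry into factor classes.
// The grouping is this example's policy choice, not something the draft states.
var factorClass = map[string]string{
	"pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
	"otp": "possession", "hwk": "possession", "swk": "possession", "sc": "possession",
	"fpt": "inherence", "face": "inherence", "iris": "inherence",
}

// MeetsMFAPolicy is true when the AS asserted "mfa" itself or when the listed
// methods span two classes: ["pwd"] is one factor, ["pwd","otp"] is two,
// ["pwd","pin"] is still one.
func MeetsMFAPolicy(amr []string) bool {
	classes := map[string]bool{}
	for _, v := range amr {
		if v == "mfa" {
			return true
		}
		if c, ok := factorClass[v]; ok {
			classes[c] = true
		}
	}
	return len(classes) >= 2
}

// SignHS256 builds a compact JWS over the claims with an HMAC-SHA256 key.
// Constructed here only so the example has tokens to check.
func SignHS256(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 pins the algorithm to HS256, checks the MAC in constant time and
// only then parses the claims, so an unsigned or re-signed token is never used.
func VerifyHS256(token string, key []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(payload, &c)
	return c, err
}

// RequireMFA verifies the token and releases the subject only when the amr
// values satisfy the policy.
func RequireMFA(token string, key []byte) (string, error) {
	c, err := VerifyHS256(token, key)
	if err != nil {
		return "", err
	}
	if !MeetsMFAPolicy(c.Amr) {
		return "", errors.New("amr does not satisfy the MFA policy")
	}
	return c.Sub, nil
}
```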

--001a113dc416cb6fc4053ff155ef--


From nobody Fri Oct 28 12:03:09 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B97F129428 for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 12:03:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.44
X-Spam-Level: 
X-Spam-Status: No, score=-2.44 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPqoyOc8G8_m for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 12:03:06 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F401293FE for <oauth@ietf.org>; Fri, 28 Oct 2016 12:03:06 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id y2so138142654oie.0 for <oauth@ietf.org>; Fri, 28 Oct 2016 12:03:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=4bgu24/CePMc4C7CPMJnaaSg+0C+c/czuciJICF34Ak=; b=FDkWHpPs98aBuRNWP1Qeg4UHEK9H45kpiq7j/I+EXmjP3xBx/j5v/QDkkiXstiUMCT +xQ6N9j8korSAna3C/YG51mO8Dcw364nCiQlmF896N7UKZvLCPVtYsipfWooVcvsr6je 0ahaYkpNp+dlURppXd6aTI0tdo44uDJ6QE1d4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=4bgu24/CePMc4C7CPMJnaaSg+0C+c/czuciJICF34Ak=; b=S1zWUAUX1WjT05NWGrsofJ1hyf/0bMNbzkQm2jWvgB0BopFkz9HexF95VbjHzd9WT7 Cl97KslHTsuhXmgTBVtnUt5caqqVIyviaPfbIEnaOn6m4FtFVQSTDOtbaH+DHS7fkQPL Ssyd3lPZ903EgC41waRGfinZjQtXrN3NcSaK6T3xdYqa6VYIx9/I83iq2X7fEqPMuAsD z1M8D/od086fP3V5vfG728nnD7MO799NtEUWMekZFWWMxi82S6n+40lzGDx5lyHl271w T1T3ul1osXkCOms60A4yqyF/i8S/0gSMk5U3lMvTI1sMszl5XQE99CkYHjFTqqDwYDKW e32w==
X-Gm-Message-State: ABUngvf3upuq9PjyrVV6Trkq1aGJMiTCelncswxwRdt+Gs8P/MHaqjp/5QSNIS2i67H5Xp7hIvFh5gWdxEdAU46m
X-Received: by 10.107.201.17 with SMTP id z17mr10898588iof.156.1477681385045;  Fri, 28 Oct 2016 12:03:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.156.74 with HTTP; Fri, 28 Oct 2016 12:02:34 -0700 (PDT)
In-Reply-To: <147768058025.24887.2363898553292227181.idtracker@ietfa.amsl.com>
References: <147768058025.24887.2363898553292227181.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 28 Oct 2016 13:02:34 -0600
Message-ID: <CA+k3eCRU=k0X84veQ3U0itJVva=cuS9+WniCbKgM6_H_ZSO6Pg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c0c11840c2dd3053ff18249
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ynz0ri9-so6hw7ffJBZgLsW01xw>
Subject: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-exchange-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 19:03:08 -0000

--94eb2c0c11840c2dd3053ff18249
Content-Type: text/plain; charset=UTF-8

Trying to get ahead of the I-D submission rush on Monday, I've published
draft -06 of "OAuth 2.0 Token Exchange" with the following relatively small
set of changes:

-06

   o  Drop "An STS for the REST of Us" from the title.
   o  Drop "heavyweight" and "lightweight" from the abstract and
      introduction.
   o  Clarifications on the language around xxxxxx_token_type.
   o  Remove the want_composite parameter.
   o  Add a short mention of proof-of-possession style tokens to the
      introduction and remove the respective open issue.



---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Fri, Oct 28, 2016 at 12:49 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-06.txt
To: i-d-announce@ietf.org
Cc: oauth@ietf.org



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Exchange
        Authors         : Michael B. Jones
                          Anthony Nadalin
                          Brian Campbell
                          John Bradley
                          Chuck Mortimore
        Filename        : draft-ietf-oauth-token-exchange-06.txt
        Pages           : 29
        Date            : 2016-10-28

Abstract:
   This specification defines a protocol for an HTTP- and JSON- based
   Security Token Service (STS) by defining how to request and obtain
   security tokens from OAuth 2.0 authorization servers, including
   security tokens employing impersonation and delegation.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--94eb2c0c11840c2dd3053ff18249--


From nobody Fri Oct 28 13:31:56 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A509129481 for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 13:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flx8fdn_6PkE for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 13:31:52 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 563BA129458 for <oauth@ietf.org>; Fri, 28 Oct 2016 13:31:52 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id h14so104199503ywa.2 for <oauth@ietf.org>; Fri, 28 Oct 2016 13:31:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BS5XG8GXfPcNNnogWrj+YX5Rd3RhbJEYB7K5xIsnQq0=; b=ieD/hQN7R+A3bhTzSAAPWNuNXxKDxNGZHEiinEQtuVwsZYpC++86Jl2luVzu7NRU34 snqVJdyTyWEJJ1w3Tw1v/I0/7qpKEc1ow3F+hb1pzGTrLCnkwpj8MXV20nLizE/PxZVT tlf1o/OnNe/AtUxJ6wVYhdbK0x30Xlg9SgOE4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BS5XG8GXfPcNNnogWrj+YX5Rd3RhbJEYB7K5xIsnQq0=; b=ERW3ksiR5bcJDvwNe3Gc2smkqKeLD+2dhoh7VPVWFVETGkFyaPryCihPioTC5REJrd ruB0V+uJgyaNGtbIWL8ulTU5JUAQDOxmMapZ9VpuHbwQCHP3To5QKWDX2ohqC++LbFBT 4Uxpezgl4pKKuVy4NimV2YLb51F8mNP7QxvE5TcROXVwFtbRQwL0dbtSrV3wbk86zdLN w/5OSGpZT8I56qL3zuo1vBeISxz5+jkydq8TqRvCOWQagH5+2SKSH4+uQ82oVr8IBDc4 Pb8XZJwm12zsrhQEh/FQgummT6UcFvHXiX3av8OkO8uvoGBAifl4XR+E3LWtL/PMLhyA SaOQ==
X-Gm-Message-State: ABUngvcAHCD+ys9p52Gkf3dxbSCRMHRpdEuVFpmpA+zNNXCVPOIQvQb9KNUeCzueff+qsFNvgs4BORkK8gOy5raF
X-Received: by 10.36.14.201 with SMTP id 192mr318994ite.35.1477686711355; Fri, 28 Oct 2016 13:31:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.156.74 with HTTP; Fri, 28 Oct 2016 13:31:20 -0700 (PDT)
In-Reply-To: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 28 Oct 2016 14:31:20 -0600
Message-ID: <CA+k3eCSLvDd8PSzN53w6+QtzGrBiFgaO5=Vnjs1MMnb9oHWtpw@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Content-Type: multipart/alternative; boundary=001a1143e550854793053ff2bfbd
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sgOVeq54A67Ip7BzKPzu6L7ruRc>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 20:31:55 -0000

--001a1143e550854793053ff2bfbd
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Not wanting to add more meta parameters was a motivation. Also not being
sure of how to enumerate the possible approaches. My thinking was also that
there are a lot of factors involved and that it'd probably be better left
to service documentation to describe things like what authorities are
trusted and what the client to cert binding is. Like I said, we can look at
adding more metadata, if there's some consensus to do so. But I worry that
it'll just be bloat that doesn't really add value.

I also think that, in many situations, it's unlikely that a cert will
contain a client id anywhere as subject information. A client id is scoped
to a particular authorization server and it's hard to imagine a CA issuing
a cert with an identifier that's only meaningful in the context of some
other entity like that. Maybe in a more closed system where the AS and an
organizational CA are both in the same management/administrative domain but
not in the more general case.



On Wed, Oct 26, 2016 at 8:42 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> I see. Do you reckon the AS could simply probe the likely cert places
> for containing the client_id? My reasoning is that there aren't that
> many places where you could stick the client_id (let me know if I'm
> wrong). If the AS is in doubt it will respond with invalid_client. I'm
> starting to think this can work quite well. No extra meta param will be
> needed (of which we have enough already).
>
> On 22/10/16 01:51, Brian Campbell wrote:
> > I did consider something like that but stopped short of putting it in the
> > -00 document. I'm not convinced that some metadata around it would really
> > contribute to interop one way or the other. I also wanted to get the basic
> > concept written down before going too far into the weeds. But I'd be open
> > to adding something along those lines in future revisions, if there's some
> > consensus that it'd be useful.
> >
> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> >> Superb, I welcome that!
> >>
> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2 :
> >>
> >> My concern is that the choice of how to bind the client identity is left
> >> to implementers, and that may eventually become an interop problem.
> >> Have you considered some kind of an open ended enumeration of the possible
> >> binding methods, and giving them some identifiers or names, so that AS /
> >> OPs can advertise them in their metadata, and clients register accordingly?
> >>
> >> For example:
> >>
> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
> >> "subject_public_key_info_match" ]
> >>
> >>
> >> Cheers,
> >>
> >> Vladimir
> >>
> >> On 10/10/16 23:59, John Bradley wrote:
> >>
> >> At the request of the OpenID Foundation Financial Services API Working
> >> group, Brian Campbell and I have documented mutual TLS client
> >> authentication.  This is something that lots of people do in practice
> >> though we have never had a spec for it.
> >>
> >> The Banks want to use it for some server to server API use cases being
> >> driven by new open banking regulation.
> >>
> >> The largest thing in the draft is the IANA registration of
> >> “tls_client_auth” Token Endpoint authentication method for use in
> >> Registration and discovery.
> >>
> >> The trust model is intentionally left open so that you could use a
> >> “common name” and a restricted list of CA or a direct lookup of the subject
> >> public key against a registered value, or something in between.
> >>
> >> I hope that this is non controversial and the WG can adopt it quickly.
> >>
> >> Regards
> >> John B.
> >>
> >>
> >>
> >>
> >>
> >> Begin forwarded message:
> >>
> >> From: internet-drafts@ietf.org
> >> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
> >> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
> >>
> >>
> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> >> has been successfully submitted by John Bradley and posted to the
> >> IETF repository.
> >>
> >> Name:           draft-campbell-oauth-tls-client-auth
> >> Revision:       00
> >> Title:          Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
> >> Document date:  2016-10-10
> >> Group:          Individual Submission
> >> Pages:          5
> >> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
> >> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
> >> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
> >>
> >>
> >> Abstract:
> >>   This document describes X.509 certificates as OAuth client
> >>   credentials using Transport Layer Security (TLS) mutual
> >>   authentication as a mechanism for client authentication to the
> >>   authorization server's token endpoint.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
>
>
>
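
The two binding approaches discussed above, a name in the certificate vouched for by a restricted CA list versus a direct lookup of the subject public key against a registered value, as an added Go example that is not code from the draft or from anyone in this thread. The method identifiers reuse the names Vladimir floats, the Registration record and the self-signed test certificate are constructed for the example, and the client_id is taken from the token request rather than searched for in the certificate, as Brian's note argues; any uncertain binding ends in invalid_client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// BindMethod names how a registered client is tied to its certificate. The
// identifiers are the ones floated in the thread, used here for illustration.
type BindMethod string

const (
	SubjectAltNameMatch       BindMethod = "subject_alt_name_match"
	SubjectPublicKeyInfoMatch BindMethod = "subject_public_key_info_match"
)

// Registration is an assumed shape for what the AS stores per client.
type Registration struct {
	Method     BindMethod
	DNSName    string         // exact SAN dNSName expected (SubjectAltNameMatch)
	SPKISHA256 string         // hex SHA-256 of the SubjectPublicKeyInfo (SubjectPublicKeyInfoMatch)
	Roots      *x509.CertPool // CAs allowed to vouch for the name; unused when a key is pinned
}

// ErrInvalidClient is returned whenever the binding is not certain; the thread
// suggests the AS should answer invalid_client in that case.
var ErrInvalidClient = errors.New("invalid_client")

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo, the value a
// key-based registration is compared against.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// AuthenticateClient binds the client_id asserted in the token request to the
// certificate the TLS layer presented. The client_id is never read out of the
// certificate; it selects the registration, which the certificate must match.
func AuthenticateClient(regs map[string]Registration, clientID string, cert *x509.Certificate) error {
	reg, ok := regs[clientID]
	if !ok || cert == nil {
		return ErrInvalidClient
	}
	switch reg.Method {
	case SubjectPublicKeyInfoMatch:
		// Pinned key: the issuer is irrelevant, only the registered key counts.
		if reg.SPKISHA256 != "" && SPKIFingerprint(cert) == reg.SPKISHA256 {
			return nil
		}
	case SubjectAltNameMatch:
		// Named identity: a CA from the restricted list must vouch for it, and
		// the name must match exactly; another name under that CA is no binding.
		if reg.Roots == nil {
			return ErrInvalidClient
		}
		opts := x509.VerifyOptions{Roots: reg.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := cert.Verify(opts); err != nil {
			return ErrInvalidClient
		}
		for _, name := range cert.DNSNames {
			if name == reg.DNSName {
				return nil
			}
		}
	}
	return ErrInvalidClient
}

// NewSelfSignedClientCert constructs a throwaway client certificate so the
// example runs offline; a real AS takes the certificate from the TLS handshake.
func NewSelfSignedClientCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```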

--001a1143e550854793053ff2bfbd--


From nobody Fri Oct 28 13:56:58 2016
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC1312958D for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 13:56:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCUs3t4wz4Zc for <oauth@ietfa.amsl.com>; Fri, 28 Oct 2016 13:56:53 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15654129450 for <oauth@ietf.org>; Fri, 28 Oct 2016 13:56:53 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id u124so104584876ywg.3 for <oauth@ietf.org>; Fri, 28 Oct 2016 13:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BMf0tBxn+9TYkNyq/z+C4Pleqm1SqL0fAa8Jh3GdLQU=; b=dQ5yO4IW0hXGX8TiVNT2kkrjsvncAnhYkf6aA6+V8ZtlTHqbeIy1tjoUG+6NV1DV5v SZBp+liPgvvQzAt6lWkABYqFYO1TzahynC+V4kSkO4HIdz5KzCxsBqbX/w0sbWT5YfYD UKOv+pfy20y2jVM3viFkn/o7tnaQ4CypcEFRE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BMf0tBxn+9TYkNyq/z+C4Pleqm1SqL0fAa8Jh3GdLQU=; b=BZOCTJrP1lLxEEcoAAaG2+mEO/vGLjbm34MT9lQwT46taYZiD2cG6tSDBpy4wlivmj dVVeUMLynjRO5T78SWvMQ/M2soh2G131YU+k0ZWG/RhyMXvwgizJsDLLFCLH2CYbG4Ta Is8UkmrKDuY1Pn6ZTtTs5gFLJLfs2XYd6CBRuYxvFV2NPKUI6EjWBapW6+O+DxIgVsm7 HSTC3QDMUVnaU+yviuWcIRgX3C/JvP4SPjap+rOlCNtQXkppg3pmR+5Evt4qkQhtNWnq kdttsqV9Cgr0tkjftHaXor01u+X36GSVO0WeiqN1rjKQHbvwrhAhgNEMULWIBFRzcttT B+mg==
X-Gm-Message-State: ABUngvctOYrYtK0bHqI3451INRiFzNuLk6PUFrfSXsOAI0PcyCCQYcwuuemvHXsIkFyR55kxxa4ZmU+2zaZtk9Ku
X-Received: by 10.36.10.84 with SMTP id 81mr369440itw.11.1477688211969; Fri, 28 Oct 2016 13:56:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.156.74 with HTTP; Fri, 28 Oct 2016 13:56:21 -0700 (PDT)
In-Reply-To: <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com> <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 28 Oct 2016 14:56:21 -0600
Message-ID: <CA+k3eCRXss-4_Cxmi41YAcXHh0VKeHogGT=xNkAo1mU6e5WG1w@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Content-Type: multipart/alternative; boundary=001a113f75b4f6c19e053ff318c4
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jt9qnM15z3sd5_-_0Jcw4GMLtTw>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 20:56:56 -0000

--001a113f75b4f6c19e053ff318c4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Thu, Oct 27, 2016 at 12:00 AM, Samuel Erdtman <samuel@erdtman.se> wrote:

> I think it is awesome that this document has been written since this is
> one of the solutions that exists in the wild.
>
>
Thanks. To some extent I was working to codify those existing solutions,
which is one of the reasons why the specific binding between client and
certificate is left open ended.



> However I think that the connection to client (client_id) and certificate
> could be more clearly specified, at the moment it is exemplified under
> security considerations. I think there should be text saying that there
> MUST be a binding and provide the default solution e.g. client_id as
> subject common name.
>

I sort of thought the need for connection between client and certificate
was implicit in the text that is in section 2. But I can work to make the
language more explicit. As I mentioned in my recent reply to Vladimir, I
expect client_id as subject common name to be more the exception rather
than the common case so don't feel it'd be appropriate as a default.


>
> Further I would prefer if it was not a MUST to include the client_id in
> the HTTP request since I think there MUST exist a client binding in the
> certificate. I think there is no need to have it explicitly in the HTTP
> request. This might not be a problem for Classic OAuth but when adopted for
> ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
> we would like to lessen the duplicated information as much as possible.
>

There needs to be a binding between the client and certificate but that
doesn't mean the client id will be in the certificate. Having the client id
explicitly available in the HTTP request allows the AS to easily identify
the client independently and consistently from the content of the
certificate or key and allows the AS to not have to index its client
storage by some other value. It may lead to a small amount of duplicate
info in some cases but I believe the consistency is worth it.



>
>
>
> //Samuel
>
>
> On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> I see. Do you reckon the AS could simply probe the likely cert places
>> for containing the client_id? My reasoning is that there aren't that
>> many places where you could stick the client_id (let me know if I'm
>> wrong). If the AS is in doubt it will respond with invalid_client. I'm
>> starting to think this can work quite well. No extra meta param will be
>> needed (of which we have enough already).
>>
>> On 22/10/16 01:51, Brian Campbell wrote:
>> > I did consider something like that but stopped short of putting it in
>> the
>> > -00 document. I'm not convinced that some metadata around it would
>> really
>> > contribute to interop one way or the other. I also wanted to get the
>> basic
>> > concept written down before going too far into the weeds. But I'd be
>> open
>> > to adding something along those lines in future revisions, if there's
>> some
>> > consensus that it'd be useful.
>> >
>> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
>> vladimir@connect2id.com
>> >> wrote:
>> >> Superb, I welcome that!
>> >>
>> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
>> >> client-auth-00#section-5.2 :
>> >>
>> >> My concern is that the choice of how to bind the client identity is
>> left
>> >> to implementers, and that may eventually become an interop problem.
>> >> Have you considered some kind of an open ended enumeration of the
>> possible
>> >> binding methods, and giving them some identifiers or names, so that AS /
>> >> OPs can advertise them in their metadata, and clients register
>> accordingly?
>> >>
>> >> For example:
>> >>
>> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
>> >> "subject_public_key_info_match" ]
>> >>
>> >>
>> >> Cheers,
>> >>
>> >> Vladimir
>> >>
>> >> On 10/10/16 23:59, John Bradley wrote:
>> >>
>> >> At the request of the OpenID Foundation Financial Services API Working
>> group, Brian Campbell and I have documented
>> >> mutual TLS client authentication.   This is something that lots of
>> people do in practice though we have never had a spec for it.
>> >>
>> >> The Banks want to use it for some server to server API use cases being
>> driven by new open banking regulation.
>> >>
>> >> The largest thing in the draft is the IANA registration of
>> “tls_client_auth” Token Endpoint authentication method for use in
>> Registration and discovery.
>> >>
>> >> The trust model is intentionally left open so that you could use a
>> “common name” and a restricted list of CA or a direct lookup of the subject
>> public key against a reregistered value,  or something in between.
>> >>
>> >> I hope that this is non controversial and the WG can adopt it quickly.
>> >>
>> >> Regards
>> >> John B.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Begin forwarded message:
>> >>
>> >> From: internet-drafts@ietf.org
>> >> Subject: New Version Notification for draft-campbell-oauth-tls-clien
>> t-auth-00.txt
>> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
>> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <
>> brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <
>> ve7jtb@ve7jtb.com>
>> >>
>> >>
>> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>> >> has been successfully submitted by John Bradley and posted to the
>> >> IETF repository.
>> >>
>> >> Name:                draft-campbell-oauth-tls-client-auth
>> >> Revision:    00
>> >> Title:               Mutual X.509 Transport Layer Security (TLS)
>> Authentication for OAuth Clients
>> >> Document date:       2016-10-10
>> >> Group:               Individual Submission
>> >> Pages:               5
>> >> URL:            https://www.ietf.org/internet-
>> drafts/draft-campbell-oauth-tls-client-auth-00.txt
>> >> Status:         https://datatracker.ietf.org/
>> doc/draft-campbell-oauth-tls-client-auth/
>> >> Htmlized:       https://tools.ietf.org/html/d
>> raft-campbell-oauth-tls-client-auth-00
>> >>
>> >>
>> >> Abstract:
>> >>   This document describes X.509 certificates as OAuth client
>> >>   credentials using Transport Layer Security (TLS) mutual
>> >>   authentication as a mechanism for client authentication to the
>> >>   authorization server's token endpoint.
>> >>
>> >>
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of
>> submission
>> >> until the htmlized version and diff are available at tools.ietf.org.
>> >>
>> >> The IETF Secretariat
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth
>> >>
>> >>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

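An added illustration of the two approaches argued over in this exchange, written for this archive and not taken from the -00 draft, from Brian's implementation or from anyone on the thread. The bind-method names `subject_alt_name_match` and `subject_public_key_info_match` come from Vladimir's metadata sketch above; `subject_cn_match`, the `RegisteredClient` record, the SPKI thumbprint form (base64url of SHA-256 over the DER SubjectPublicKeyInfo) and the `bank.example` names are assumptions made for the example. `Authenticate` is Brian's position: the `client_id` in the HTTP request selects the registration record and the presented certificate is then checked against that single binding, so the AS never has to index its client store by certificate contents. `AuthenticateByProbing` is Vladimir's suggestion: with no `client_id` in the request the AS tries every registered binding and answers `invalid_client` unless exactly one client matches. The two diverge once two registrations can match one certificate (one client bound by SAN, another bound by a common name that equals the first client's CN): probing has to refuse, while the explicit `client_id` still resolves each of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// BindMethod says how a registration ties a client to its cert. SAN and SPKI names echo
// Vladimir's sketch, subject_cn_match is assumed; the -00 draft defines none of them.
type BindMethod string

const BindSubjectCN BindMethod = "subject_cn_match"
const BindSubjectAltName BindMethod = "subject_alt_name_match"
const BindSPKI BindMethod = "subject_public_key_info_match"

// RegisteredClient is the AS's record for one client (assumed shape).
type RegisteredClient struct {
	ClientID string
	Method   BindMethod
	Expected string // subject CN, DNS SAN, or SPKI thumbprint, per Method
}

var ErrInvalidClient = errors.New("invalid_client") // the RFC 6749 token error

// SPKIThumbprint is base64url(SHA-256(DER SubjectPublicKeyInfo)); assumed form.
func SPKIThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// matches checks one registration record against the presented certificate.
func matches(c RegisteredClient, cert *x509.Certificate) bool {
	switch c.Method {
	case BindSubjectCN:
		return cert.Subject.CommonName == c.Expected
	case BindSubjectAltName:
		for _, d := range cert.DNSNames {
			if d == c.Expected {
				return true
			}
		}
	case BindSPKI:
		return SPKIThumbprint(cert) == c.Expected
	}
	return false
}

// Authenticate is Brian's shape: the request's client_id selects the record and
// the certificate is checked against that one binding only.
func Authenticate(reg map[string]RegisteredClient, id string, cert *x509.Certificate) (string, error) {
	c, ok := reg[id]
	if !ok || !matches(c, cert) {
		return "", ErrInvalidClient
	}
	return c.ClientID, nil
}

// AuthenticateByProbing is Vladimir's alternative: no client_id in the request, so
// every binding is tried; zero or several matches is "in doubt", hence invalid_client.
func AuthenticateByProbing(reg map[string]RegisteredClient, cert *x509.Certificate) (string, error) {
	var found []string
	for _, c := range reg {
		if matches(c, cert) {
			found = append(found, c.ClientID)
		}
	}
	if len(found) != 1 {
		return "", ErrInvalidClient
	}
	return found[0], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MustTestCert builds a self-signed cert with a CN and a DNS SAN. Constructed sample;
// a real client cert is issued by a CA and arrives in the TLS handshake.
func MustTestCert(cn, san string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Bank"}},
		DNSNames:     []string{san},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

The certificates are generated with the standard library so the example runs offline; in an AS the certificate would be `tls.ConnectionState.PeerCertificates[0]` after the TLS layer has already validated the chain against the trusted CAs, a step this example deliberately leaves to the TLS stack. `must` needs Go 1.18 or later.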
--001a113f75b4f6c19e053ff318c4--


From nobody Sun Oct 30 08:28:04 2016
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B1D129448 for <oauth@ietfa.amsl.com>; Sun, 30 Oct 2016 08:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GaaiTAERCMZ for <oauth@ietfa.amsl.com>; Sun, 30 Oct 2016 08:27:59 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED01127077 for <oauth@ietf.org>; Sun, 30 Oct 2016 08:27:58 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id n67so189310647wme.1 for <oauth@ietf.org>; Sun, 30 Oct 2016 08:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CwaOPuQLkYuHDWCGKNI7FLzaHVYA0iCx5PtnYM4IZus=; b=E4wJ0u9wkZWugUaFUbKGsAFZB0lnmLi9/qDEtBvfEe09SoRPfpy8dQPXlNYfxB6L49 DBIgDpKecdRBTuoR1CKsbD2D5UwSWbubiPze4rouTChQr3sbdWhf+xxU12MFtd1LdF+4 5l6ZMChcTWuuSX3qYA05DcaeEezuF8AkCAD6f4SSxVWyczMmw+1TqqeFlguntLI/dLof KSD0V9c7J6o7yK+Ba5cok/MWkrZ8eJCKoH/MRN82r67VtNARp/91NUn/wRYqdfUwZ+eO Dwzz9eH1bg0aap6p6Y+K87wLNym30Ki/bnzTtumdb0KjY9TpkHlWKw3rsTWfpnJ31ZNk PAtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CwaOPuQLkYuHDWCGKNI7FLzaHVYA0iCx5PtnYM4IZus=; b=Zg7gP0BppHOcdllWZbi9v++w6nbZ6+GYnfkPatqY8joP+YM4FCFTdNHimEwnZA3a6I xOqg+UAyXif5JV5oPr6YUNBr0hA7gcQCtbu7bnjaBKAB3Op6m986ju48DZoYEWLrN27o 9WJIqov41UJsZ7LKnM0SlU9zS05NFUbUHledWNzKFMGXWK+FYjl34VpVHNAgF+/18qh5 yh3rZDvWrl6X5kTf1mAlueHlabatDnrY2C3lpTNdGcOlRk7NADQWyzUwRqAMa7s0ioau hxLDm7StYXNjr/8X1BO924j/aARjrGX5q1k2Pet72VP1fs+z7qkkHy3GEWKeGuNdJ66o gIvQ==
X-Gm-Message-State: ABUngvel+YgtR863vIZXr3CZjoZAioRXf7OAm3vjnVx1qbLuAPvB2XZPgXWUYgdIUl61WP7MgTOGp2QIoVtm1g==
X-Received: by 10.28.163.196 with SMTP id m187mr6503131wme.73.1477841277100; Sun, 30 Oct 2016 08:27:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Sun, 30 Oct 2016 08:27:56 -0700 (PDT)
In-Reply-To: <CA+k3eCRXss-4_Cxmi41YAcXHh0VKeHogGT=xNkAo1mU6e5WG1w@mail.gmail.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com> <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com> <CA+k3eCRXss-4_Cxmi41YAcXHh0VKeHogGT=xNkAo1mU6e5WG1w@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 30 Oct 2016 16:27:56 +0100
Message-ID: <CAF2hCbaEi4ntDwbWpTJ4-7_uwunK5WhpsoVLKds87r_s4K7n1w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary=001a114cd9a25b40f9054016bc33
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-O6ZFgvI60VjuOTMoxohFJH1cS4>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 15:28:02 -0000

--001a114cd9a25b40f9054016bc33
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks for the reply Brian,

See inline

On Fri, Oct 28, 2016 at 10:56 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

>
> On Thu, Oct 27, 2016 at 12:00 AM, Samuel Erdtman <samuel@erdtman.se>
> wrote:
>
>> I think it is awesome that this document has been written since this is
>> one of the solutions that exists in the wild.
>>
>>
> Thanks. To some extent I was working to codify those existing solutions,
> which is one of the reasons why the specific binding between client and
> certificate is left open ended.
>
>
>
>> However I think that the connection to client (client_id) and certificate
>> could be more clearly specified, at the moment it is exemplified under
>> security considerations. I think there should be text saying that there
>> MUST be a binding and provide the default solution e.g. client_id as
>> subject common name.
>>
>
> I sort of thought the need for connection between client and certificate
> was implicit in the text that is in section 2. But I can work to make the
> language more explicit. As I mentioned in my recent reply to Vladimir, I
> expect client_id as subject common name to be more the exception rather
> than the common case so don't feel it'd be appropriate as a default.
>

I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicitly
written since the lack of a connection would result in a potential security
hole.

When it comes to the client_id I think subject common name or maybe subject
serial numbers will be the common location, and I think an example would be
valuable.


>
>
>>
>> Further I would prefer if it was not a MUST to include the client_id in
>> the HTTP request since I think there MUST exist a client binding in the
>> certificate. I think there is no need to have it explicitly in the HTTP
>> request. This might not be a problem for Classic OAuth but when adopted for
>> ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
>> we would like to lessen the duplicated information as much as possible.
>>
>
> There needs to be a binding between the client and certificate but that
> doesn't mean the client id will be in the certificate. Having the client id
> explicitly available in the HTTP request allows the AS to easily identify
> the client independently and consistently from the content of the
> certificate or key and allows the AS to not have to index its client
> storage by some other value. It may lead to a small amount of duplicate
> info in some cases but I believe the consistency is worth it.
>

I'm not saying it is a bad idea, just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.


>
>
>
>>
>>
>>
> //Samuel
>>
>>
>> On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <
>> vladimir@connect2id.com> wrote:
>>
>>> I see. Do you reckon the AS could simply probe the likely cert places
>>> for containing the client_id? My reasoning is that there aren't that
>>> many places where you could stick the client_id (let me know if I'm
>>> wrong). If the AS is in doubt it will respond with invalid_client. I'm
>>> starting to think this can work quite well. No extra meta param will be
>>> needed (of which we have enough already).
>>>
>>> On 22/10/16 01:51, Brian Campbell wrote:
>>> > I did consider something like that but stopped short of putting it in
>>> the
>>> > -00 document. I'm not convinced that some metadata around it would
>>> really
>>> > contribute to interop one way or the other. I also wanted to get the
>>> basic
>>> > concept written down before going too far into the weeds. But I'd be
>>> open
>>> > to adding something along those lines in future revisions, if there's
>>> some
>>> > consensus that it'd be useful.
>>> >
>>> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
>>> vladimir@connect2id.com
>>> >> wrote:
>>> >> Superb, I welcome that!
>>> >>
>>> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2 :
>>> >>
>>> >> My concern is that the choice of how to bind the client identity is
>>> left
>>> >> to implementers, and that may eventually become an interop problem.
>>> >> Have you considered some kind of an open ended enumeration of the
>>> possible
>>> >> binding methods, and giving them some identifiers or names, so that
>>> AS /
>>> >> OPs can advertise them in their metadata, and clients register
>>> accordingly?
>>> >>
>>> >> For example:
>>> >>
>>> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
>>> >> "subject_public_key_info_match" ]
>>> >>
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Vladimir
>>> >>
>>> >> On 10/10/16 23:59, John Bradley wrote:
>>> >>
>>> >> At the request of the OpenID Foundation Financial Services API
>>> Working group, Brian Campbell and I have documented
>>> >> mutual TLS client authentication.   This is something that lots of
>>> people do in practice though we have never had a spec for it.
>>> >>
>>> >> The Banks want to use it for some server to server API use cases
>>> being driven by new open banking regulation.
>>> >>
>>> >> The largest thing in the draft is the IANA registration of
>>> >> “tls_client_auth” Token Endpoint authentication method for use in
>>> >> Registration and discovery.
>>> >>
>>> >> The trust model is intentionally left open so that you could use a
>>> >> “common name” and a restricted list of CA or a direct lookup of the subject
>>> >> public key against a reregistered value, or something in between.
>>> >>
>>> >> I hope that this is non controversial and the WG can adopt it quickly.
>>> >>
>>> >> Regards
>>> >> John B.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Begin forwarded message:
>>> >>
>>> >> From: internet-drafts@ietf.org
>>> >> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>>> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
>>> >> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>>> >>
>>> >>
>>> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>> >> has been successfully submitted by John Bradley and posted to the
>>> >> IETF repository.
>>> >>
>>> >> Name:                draft-campbell-oauth-tls-client-auth
>>> >> Revision:            00
>>> >> Title:               Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>>> >> Document date:       2016-10-10
>>> >> Group:               Individual Submission
>>> >> Pages:               5
>>> >> URL:                 https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>>> >> Status:              https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>> >> Htmlized:            https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>> >>
>>> >>
>>> >> Abstract:
>>> >>   This document describes X.509 certificates as OAuth client
>>> >>   credentials using Transport Layer Security (TLS) mutual
>>> >>   authentication as a mechanism for client authentication to the
>>> >>   authorization server's token endpoint.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Please note that it may take a couple of minutes from the time of
>>> submission
>>> >> until the htmlized version and diff are available at tools.ietf.org.
>>> >>
>>> >> The IETF Secretariat
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>
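
As an added illustration of the binding this thread is debating (the draft's MUST for client_id in the request, Samuel's client_id-as-subject-CN default, and Vladimir's named binding methods), here is a Go sketch of the AS-side check at the token endpoint; it is not code from the draft or from any of the participants. The `subject_cn_match` name, the `Client` record, `Authenticate` and the self-signed test certificate are assumptions for the example; the other two method names are the ones in Vladimir's metadata example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Binding methods: the two names from Vladimir's metadata example, plus a
// hypothetical name for the client_id-as-subject-CN default Samuel proposes.
const (
	SubjectAltNameMatch = "subject_alt_name_match"
	SPKIMatch           = "subject_public_key_info_match"
	SubjectCNMatch      = "subject_cn_match"
)

// Client is the AS registration record (assumed shape): which binding applies
// and the value the presented certificate must carry (CN, DNS SAN, or hex SHA-256 of SPKI).
type Client struct{ ID, Method, Value string }

var ErrInvalidClient = errors.New("invalid_client")

// SPKIFingerprint hashes the DER SubjectPublicKeyInfo, so the binding survives
// certificate renewal as long as the key pair is unchanged.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CertBound reports whether cert satisfies the client's registered binding.
func CertBound(c Client, cert *x509.Certificate) bool {
	switch c.Method {
	case SubjectCNMatch:
		return cert.Subject.CommonName == c.Value
	case SubjectAltNameMatch:
		for _, n := range cert.DNSNames {
			if n == c.Value {
				return true
			}
		}
	case SPKIMatch:
		return SPKIFingerprint(cert) == c.Value
	}
	return false
}

// Authenticate resolves the client for a token-endpoint request: with client_id
// in the request (the draft's MUST) the record is looked up directly; without it
// the subject CN is tried. An unknown record or a failed binding yields invalid_client.
func Authenticate(clientID string, cert *x509.Certificate, store map[string]Client) (string, error) {
	if cert == nil {
		return "", ErrInvalidClient
	}
	if clientID == "" {
		clientID = cert.Subject.CommonName
	}
	c, ok := store[clientID]
	if !ok || !CertBound(c, cert) {
		return "", ErrInvalidClient
	}
	return c.ID, nil
}

// NewTestCert builds a constructed self-signed client certificate for the example only.
func NewTestCert(cn string, dns []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Note that the SPKI binding rejects a second certificate carrying the same subject CN but a different key, which is the "potential security hole" Samuel mentions if the connection cert were never matched against the registration.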

--001a114cd9a25b40f9054016bc33--

