
From nobody Wed Mar  1 01:00:10 2017
Return-Path: <simon.moffatt@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 641F41294DB for <oauth@ietfa.amsl.com>; Wed,  1 Mar 2017 01:00:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AAvFqLq40RtG for <oauth@ietfa.amsl.com>; Wed,  1 Mar 2017 01:00:06 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89ADF1294BF for <oauth@ietf.org>; Wed,  1 Mar 2017 01:00:05 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id u199so30688452wmd.1 for <oauth@ietf.org>; Wed, 01 Mar 2017 01:00:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=k1w6o6Yt6NzRsWEfc2l6vFIaOJxsA8D8UM36Vd7WoOQ=; b=hNrZ20hCJY7Bpyd0VcVOdr2ZSRsuXgiFdh4Y6JELYbzwvxRYhZfi2E50nl0VQevXnA FEqxezeDOKpc0HRPbFebLbzllK0YdgTJ/zNTlw/0loyEMOKRx45ze5/QcmCKaA1yHddS BFV/lj/Nr6FZY+Lj+qy/2PwWBI1tWlUxlEA0w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=k1w6o6Yt6NzRsWEfc2l6vFIaOJxsA8D8UM36Vd7WoOQ=; b=ktVTBg/4FCs1xJ8IaHUGr+jzetjYVx0gw3f2QTE9ORVS0zWNnUbeVP0bMemUO+M3LN 7jVJ98qiXxZ/WUVbM0ycJ6yTPTnvPuDdlt10F6WkeX9EvuRB55oAY1atpo8EzSc/i7Ff rJdw6+ojngRFQjIXVP6/NCIE7aGkaRTT8gSpeyLnxXnM/XjkwA0Cf8W3jRLClDjLDctN 12jPBf+ppsyo+imW1CzPkWt1mqELXPOcJN+08zEgFz3wKnysSygDBaySQJvx7F5xRLer S4u6DCpZjLQmVbz4yn6svCa0NEBQzNLJctTrG6xRCoQrM0vT0kAf2VNeGlJihHlchK0H wN/A==
X-Gm-Message-State: AMke39k/43albN9V0b8yxYIOAMZi9bhTWvIT648780qNXxXBvp6ABQl6SrL6b8L39cBXSXIV
X-Received: by 10.28.179.7 with SMTP id c7mr2215812wmf.128.1488358803720; Wed, 01 Mar 2017 01:00:03 -0800 (PST)
Received: from [192.168.0.38] (97e131d7.skybroadband.com. [151.225.49.215]) by smtp.gmail.com with ESMTPSA id m83sm21803263wmc.33.2017.03.01.01.00.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Mar 2017 01:00:02 -0800 (PST)
To: "Manger, James" <James.H.Manger@team.telstra.com>, "oauth@ietf.org" <oauth@ietf.org>, William Denniss <wdenniss@google.com>, "mbj@microsoft.com" <mbj@microsoft.com>, "ve7jtb@ve7jtb.com" <ve7jtb@ve7jtb.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>
References: <SYXPR01MB16152987001DF96C3660FD6DE5290@SYXPR01MB1615.ausprd01.prod.outlook.com>
From: Simon Moffatt <simon.moffatt@forgerock.com>
Message-ID: <4487bfe9-a67f-ab45-a1a9-9a644c1cb3a2@forgerock.com>
Date: Wed, 1 Mar 2017 09:00:01 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <SYXPR01MB16152987001DF96C3660FD6DE5290@SYXPR01MB1615.ausprd01.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------793932BBFDA6BF2AA90469C4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tegBtjzRQ6Je3EURNCW_s7vsRtQ>
Subject: Re: [OAUTH-WG] FW: draft-ietf-oauth-device-flow: url with code
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 09:00:08 -0000

This is a multi-part message in MIME format.
--------------793932BBFDA6BF2AA90469C4
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Hi James

My only comment on sending values as URL arguments is that 
intermediary network devices typically log the entire URL - meaning the 
code would be written to a secondary location, in logs for example.  
Whilst the re-use potential would be limited, it is of course a 
potential...

Worth considering if using that approach.

My 2c.

Simon


On 01/03/17 00:23, Manger, James wrote:
>
> Resending; not sure that OAuth email list is working at the moment.
>
> *From:*Manger, James
> *Sent:* Tuesday, 28 February 2017 9:53 AM
> *To:* oauth@ietf.org
> *Subject:* draft-ietf-oauth-device-flow: url with code
>
> How about combining the verification_uri and user_code?
>
> The Device Flow provides a verification_uri and user_code, both of 
> which have to be copied to a web browser on, say, a mobile phone. The 
> main model in this draft is that the user copies the uri, then the 
> resulting web page prompts for the code. The draft also mentions other 
> possibilities such as Bluetooth to do the “copying”. Transmitting a 
> URI via Bluetooth, or NFC, or QR code, is quite common. In such cases 
> it would be nicer to transmit the user_code as part of the URI.
>
> Perhaps both modes could be supported by saying the user_code can be 
> included as a query parameter on the verification_uri when it is more 
> convenient for a device to transmit a single URI. Authorization 
> Servers MUST accept this. The choice is to use user_code as the 
> complete query string (eg https://example.com/device?wdjb-mjht) or 
> specify a “code” parameter name (eg 
> https://example.com/device?code=wdjb-mjht).
>
> Recommending case-insensitive punctuation-ignoring alphabetic codes is 
> good, but how does a user know this is the case for a particular code? 
> Perhaps the advice needs to be to use a “fancy” input field with 
> javascript to convert to uppercase as the user types and handle 
> punctuation?
>
> [§6.1] The example user code “WDJB-MJHT” doesn’t have “24^8 bits of 
> entropy”, but “log2(24 ^ 8) = 36.7 bits of entropy”.
>
> --
>
> James Manger
>
> On Mon, Feb 27, 2017 at 9:46 AM, <internet-drafts@ietf.org 
> <mailto:internet-drafts@ietf.org>> wrote:
>
>     Title           : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
>     Filename        : draft-ietf-oauth-device-flow-04.txt
>
>     Abstract:
>        This OAuth 2.0 authorization flow for browserless and input
>        constrained devices, often referred to as the device flow, enables
>        OAuth clients to request user authorization from devices that have an
>        Internet connection, but don't have an easy input method (such as a
>        smart TV, media console, picture frame, or printer), or lack a
>        suitable browser for a more traditional OAuth flow.  This
>        authorization flow instructs the user to perform the authorization
>        request on a secondary device, such as a smartphone.  There is no
>        requirement for communication between the constrained device and the
>        user's secondary device.
>
>     https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
*Simon Moffatt*
Product Management  |  ForgeRock
*tel* +44 (0) 7903 347 240  | *e* Simon.Moffatt@Forgerock.com
*skype* simon.moffatt  | *web* www.forgerock.com  | *twitter* @simonmoffatt


ForgeRock Live 2017 <https://summits.forgerock.com/>
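Added example, not code from the draft or from either message in this thread: an authorization-server side helper for the "user_code carried in the verification_uri" idea in James's message, together with the log redaction that Simon's point about intermediaries logging whole URLs calls for. It accepts both URI shapes James proposes, normalizes codes the case-insensitive, punctuation-ignoring way, computes the log2(24^8) entropy figure, and masks the code in proxy log lines. The verification path (/device), the helper names and the sample log lines are all constructed for this example.

```python
"""Added example (not from the draft or the thread): accept a user_code in
the verification URI, normalize it, and redact it from intermediary logs."""
import math
import re
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Assumed path of the verification endpoint on the authorization server.
VERIFICATION_PATH = "/device"

# Constructed forward-proxy access log lines. Proxies log the full request
# URL, so a user_code carried in the query string lands in these files.
SAMPLE_PROXY_LOG = [
    '10.0.0.7 - - [01/Mar/2017:09:00:01 +0000] "GET https://example.com/device?wdjb-mjht HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2017:09:00:05 +0000] "GET https://example.com/device?code=wdjb-mjht HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2017:09:00:06 +0000] "GET https://example.com/device HTTP/1.1" 200 512',
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a code of `length` symbols from an alphabet of
    `alphabet_size`: log2(alphabet_size ** length) = length * log2(alphabet_size).
    For 24 symbols and 8 characters this is the 36.7 bits in James's note."""
    return length * math.log2(alphabet_size)


def normalize_user_code(raw: str) -> str:
    """Comparison form of a case-insensitive, punctuation-ignoring code:
    upper-case it and drop every character that is not a letter or digit,
    so "wdjb-mjht", "WDJB MJHT" and "WDJBMJHT" all compare equal."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def extract_user_code(verification_uri: str) -> Optional[str]:
    """Accept the user_code in either of the two shapes James proposes:
    as the complete query string (https://example.com/device?wdjb-mjht) or
    as a `code` parameter (https://example.com/device?code=wdjb-mjht).
    Returns the normalized code, or None if the URI carries no code."""
    parts = urlsplit(verification_uri)
    if parts.path != VERIFICATION_PATH or not parts.query:
        return None
    if "=" in parts.query:
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        raw = params.get("code", "")
    else:
        raw = parts.query
    return normalize_user_code(raw) or None


# Matches the verification path followed by a code in either shape; group 1
# keeps the optional "code=" so the redacted line keeps its structure.
_CODE_IN_URL = re.compile(re.escape(VERIFICATION_PATH) + r"\?(code=)?[^\s&\"]+")


def redact_user_code(line: str) -> str:
    """Mask the user_code in any verification URI found in a log line."""
    return _CODE_IN_URL.sub(
        lambda m: VERIFICATION_PATH + "?" + (m.group(1) or "") + "[REDACTED]", line)


def redact_logs(lines: List[str]) -> List[str]:
    """Apply the redaction to every line of a log (e.g. on a log forwarder)."""
    return [redact_user_code(line) for line in lines]


if __name__ == "__main__":
    print(f"{entropy_bits(24, 8):.1f} bits for an 8-character, 24-symbol code")
    for uri in ("https://example.com/device?wdjb-mjht",
                "https://example.com/device?code=wdjb-mjht"):
        print(uri, "->", extract_user_code(uri))
    for line in redact_logs(SAMPLE_PROXY_LOG):
        print(line)
```

The redaction belongs wherever the URL is written down (proxy, load balancer, log shipper), since the server accepting the code cannot control what the devices in front of it record; a short code lifetime and single-use enforcement on the server side limit what a leaked, logged code is worth.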

--------------793932BBFDA6BF2AA90469C4--


From nobody Wed Mar  1 06:11:20 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E231B1295E8 for <oauth@ietfa.amsl.com>; Wed,  1 Mar 2017 06:11:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CLfRPj2PJaiL for <oauth@ietfa.amsl.com>; Wed,  1 Mar 2017 06:11:16 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99ABB1295E2 for <oauth@ietf.org>; Wed,  1 Mar 2017 06:11:16 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id u188so71813556qkc.2 for <oauth@ietf.org>; Wed, 01 Mar 2017 06:11:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vPdOW6WkywI3U9oghSRouqOEudUdXzrUrx6+rNtd+aM=; b=VCoEy5HrWsh3dtP+F0JNgD2kmONPeQ+u5pnJfE+x4+cfc5Pnb6f7oGGOIRaUKycmJ4 +gWyZ1AzMD1OHAfeUKPbOXoWkr2Tv8nRr4FKP8myuMOdF916od3yQdspdIk9EU1Xz01f zkZZJCqqp5J4VutOehJV2Tpg0E0aYH2rb5T7Qhv/v2yGN+JOXzvyPtEM31PI6f8BwOag qIPtdVSHUkt7jZicHCM70UjQMVPNqYPyq9uhUe0UbZmhzAZEGOOXmClaJUgeOkPobbO3 qg1eTRIT7v86/XvKLXxSdvLQOcs6fWP6BLSWn5NGMAdmsomZTXpT1xaWwKzxWdotC7Hb G3fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vPdOW6WkywI3U9oghSRouqOEudUdXzrUrx6+rNtd+aM=; b=Vu1mswJGPPFnY5HxWYKwJj8XyLozRZKsjmRLCgG3ZrtDQmZbV6qW9CeZoNWibSI+6r 5ZQFDc+j+XVUh3znxpdjXb4PldxIzeoSJQwaeNaGakCB7qynPVp11XfvX3zf4mAz8crC uVdC2R2d59O9El8gVdmrnDNrzjyLlfu2Bs3e+YVnlslB7/jRTfx3hqRWRmqxUvqzqghr Bb0LLIeJjpJHLCysiQ5lm5bezkdvu58lpHs+lKtsZqixhf8Q+Ml/dsBUCd0kR1R9WIzK GGqHm+yMmwKRTrrcNCbvfqzEcmu9xXCV6v0+BAMhOX+OGSB6qGaoCPoD4tFu0OYgnjHB 9sFw==
X-Gm-Message-State: AMke39laKG0Hae9SCYDV93pVWO5nMjokpNx2lAwzDQ+kcTjnzBlFSTi1GYUK6co9vRLrmGabFBwltxT7BoSZMg==
X-Received: by 10.237.44.229 with SMTP id g92mr9950772qtd.204.1488377475562; Wed, 01 Mar 2017 06:11:15 -0800 (PST)
MIME-Version: 1.0
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com>
In-Reply-To: <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Wed, 01 Mar 2017 14:11:03 +0000
Message-ID: <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>,  Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=94eb2c1249e6b938090549abe2d5
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LwUowt0ch7ZSNMpe_w4sfB1xI10>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 14:11:19 -0000

--94eb2c1249e6b938090549abe2d5
Content-Type: text/plain; charset=UTF-8

It looks generally good. Thanks William and John for creating it.

I spotted a few nits.

NS1: MUST is not a recommendation
================================
In 8.5, it says:

(which is a recommended in Section 7.1.1
<https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>)

However, in 7.1.1, it is a MUST, i.e., required instead of recommended. So,
"recommended" in the above sentence needs to be changed to "required".


NS2: Dynamically registered client can be treated as a confidential client
==========================================================================
In 8.9
<https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>
it says:

Authorization servers that still require a shared secret for native app
clients MUST treat the client as a public client

As it is a MUST, we have to qualify it a little more as it is ok to treat
it as a confidential client if the client does dynamically register the
copy and obtain a shared secret that is only shared between the copy of the
app and the server.

Suggests:

Authorization servers that still require a statically included shared
secret for native app clients MUST treat the client as a public client

NS3: Server Mix-up
==================
8.11
<https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11>
talks about mix-up mitigation but misses one of the points. Specifically:

* the app MUST store the redirect uri in the request with the "session" and
MUST verify that it exactly matches the URI of the endpoint at which it
received the response.

Cheers,

Nat Sakimura



On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> -07 LGTM
>
> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
> wrote:
>
> Hi all,
>
> after the working group last call of the "OAuth 2.0 for Native Apps"
> document July last year (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I
> had, as a shepherd, collected IPR confirmations (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and
> produced a shepherd writeup (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html).
>
> Since version -03 and the current version -07 a fair amount of text has
> been changed, see
>
> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-03.txt&url2=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt
>
> Although most of those changes are editorial and normative changes have
> been discussed on the mailing list I believe it is fair to let the group
> take a brief look at the final version.
>
> For this reason we will issue a short, one week, working group last call
> before pushing the document to the IESG.
>
> So, please provide your comments to the list no later than February 27th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
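Added example, not code from the draft or from Nat's message: a native-app-side sketch of the mix-up check in the NS3 point above. The app stores, with the "session" (here keyed by the request's state value), the exact redirect URI it sent in the authorization request, and accepts a response only if the URI of the endpoint that received it matches that stored value exactly; the issuer is returned with the code so the exchange goes to the server the request actually went to. The issuer names, redirect URIs and the demo scenarios are constructed.

```python
"""Added example (not from the draft or the thread): bind each authorization
request to its redirect URI and reject responses that arrive elsewhere."""
import secrets
from typing import Dict, NamedTuple, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit


class MixUpError(Exception):
    """Raised when a response cannot be bound to the request it claims."""


class PendingRequest(NamedTuple):
    issuer: str        # authorization server the request was sent to
    redirect_uri: str  # redirect_uri exactly as sent in that request


def endpoint_of(received_uri: str) -> str:
    """The URI of the endpoint that received the response: scheme,
    authority and path, with the query and fragment removed."""
    p = urlsplit(received_uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


class NativeAppSession:
    def __init__(self) -> None:
        self._pending: Dict[str, PendingRequest] = {}

    def start_authorization(self, issuer: str, redirect_uri: str) -> str:
        """Record the request before sending it; returns the state value
        that must be echoed back in the response."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = PendingRequest(issuer, redirect_uri)
        return state

    def handle_response(self, received_uri: str) -> Tuple[str, str]:
        """Validate an authorization response delivered to `received_uri`
        (the full URI the app's redirect handler was invoked with).
        Returns (issuer, code) so the caller exchanges the code only at
        the server the request actually went to."""
        params = parse_qs(urlsplit(received_uri).query)
        state = params.get("state", [None])[0]
        pending = self._pending.pop(state, None) if state else None
        if pending is None:
            raise MixUpError("response does not match any pending request")
        # The exact-match rule: no normalisation, no prefix matching.
        actual = endpoint_of(received_uri)
        if actual != pending.redirect_uri:
            raise MixUpError(
                f"response arrived at {actual!r}, expected {pending.redirect_uri!r}")
        code = params.get("code", [None])[0]
        if code is None:
            raise MixUpError("response carries no authorization code")
        return pending.issuer, code


def demo() -> dict:
    """Three constructed scenarios; returns the outcome of each."""
    app = NativeAppSession()
    out: dict = {}
    # 1. Honest: the response reaches the endpoint the request was bound to.
    st = app.start_authorization("https://as-a.example", "http://127.0.0.1:8080/cb/as-a")
    out["honest"] = app.handle_response(
        f"http://127.0.0.1:8080/cb/as-a?code=SplxlOBe&state={st}")
    # 2. Mix-up: a valid state, but delivered to a different endpoint.
    st = app.start_authorization("https://as-a.example", "http://127.0.0.1:8080/cb/as-a")
    try:
        app.handle_response(f"http://127.0.0.1:8080/cb/as-b?code=SplxlOBe&state={st}")
        out["wrong_endpoint"] = "accepted"
    except MixUpError:
        out["wrong_endpoint"] = "rejected"
    # 3. Unknown state: one the app never issued (or already consumed).
    try:
        app.handle_response("http://127.0.0.1:8080/cb/as-a?code=SplxlOBe&state=unknown")
        out["unknown_state"] = "accepted"
    except MixUpError:
        out["unknown_state"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comparison is a plain string equality on the stored value, which is what "exactly matches" asks for: a trailing slash, a different port or a sibling path all count as a different endpoint, and the pending entry is consumed on first use so a response cannot be replayed against the same session.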

--94eb2c1249e6b938090549abe2d5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div>It looks generally good. Thanks William and John =
for creating it.=C2=A0</div><div><br></div><div>I spotted a few nits.=C2=A0=
</div><div><br></div>NS1: MUST is not a recommendation<div>=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D</div><div>In 8.5, it says: <br><br>(which is a recommended in <a hre=
f=3D"https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.=
1.1">Section 7.1.1</a>)<br><br>However, in 7.1.1, it is a MUST, i.e., requi=
red instead of recommended. So, &quot;recommended&quot; in the above senten=
ce needs to be changed to &quot;required&quot;. <br><br><br>NS2: Dynamicall=
y registered client can be treated as a confidential client<div>=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D</div><div>In <a href=3D"https://tools.ietf.org/html/draft-ietf-oauth=
-native-apps-07#section-8.9">8.9</a>. it says: <br><br>Authorization server=
s that still require a shared secret for native app clients MUST treat the =
client as a public client<br><br>As it is a MUST, we have to qualify it a l=
ittle more as it is ok to treat it as a confidential client if the client d=
oes dynamically register the copy and obtain shared secret that is only sha=
red between the copy of the app and the server.=C2=A0<div><br></div><div>Su=
ggests: <br><br>Authorization servers that still require a statically inclu=
ded shared secret for native app clients MUST treat the client as a public =
client<br><br>NS3: Sever Mix-up</div><div>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</div><div><a href=3D"https://tools.ietf.o=
rg/html/draft-ietf-oauth-native-apps-07#section-8.11">8.11</a>. talks about=
 mix-up mitigation but misses one of the points. Specifically:=C2=A0</div><=
div><br></div><div>* the app MUST store the redirect uri=C2=A0in the reques=
t with the &quot;session&quot; and MUST verify that it exactly matches with=
 the URI of the endpoint that it received the response.=C2=A0</div><div><br=
></div><div>Cheers,=C2=A0</div><div><br></div><div>Nat Sakimura<br><div><br=
></div><div><br></div></div></div></div></div><br><div class=3D"gmail_quote=
"><div dir=3D"ltr">On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell &lt;<a hre=
f=3D"mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>&gt; =
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8e=
x;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"auto" class=3D"g=
mail_msg">-07 LGTM</div><div class=3D"gmail_extra gmail_msg"><br class=3D"g=
mail_msg"><div class=3D"gmail_quote gmail_msg">On Feb 20, 2017 2:53 AM, &qu=
ot;Hannes Tschofenig&quot; &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net"=
 class=3D"gmail_msg" target=3D"_blank">hannes.tschofenig@gmx.net</a>&gt; wr=
ote:<br type=3D"attribution" class=3D"gmail_msg"><blockquote class=3D"gmail=
_quote gmail_msg" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pad=
ding-left:1ex">Hi all,<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
after the working group last call of the &quot;OAuth 2.0 for Native Apps&qu=
ot;<br class=3D"gmail_msg">
document July last year (see<br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mail-archive/web/oauth/current/msg16534.htm=
l" rel=3D"noreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.iet=
f.org/mail-archive/web/oauth/current/msg16534.html</a>) I<br class=3D"gmail=
_msg">
had, as a shepherd, collected IPR confirmations (see<br class=3D"gmail_msg"=
>
<a href=3D"https://www.ietf.org/mail-archive/web/oauth/current/msg16672.htm=
l" rel=3D"noreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.iet=
f.org/mail-archive/web/oauth/current/msg16672.html</a>) and<br class=3D"gma=
il_msg">
produced a shepherd writeup (see<br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mail-archive/web/oauth/current/msg16702.htm=
l" rel=3D"noreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.iet=
f.org/mail-archive/web/oauth/current/msg16702.html</a>).<br class=3D"gmail_=
msg">
<br class=3D"gmail_msg">
Since version -03 and the current version -07 a fair amount of text has<br =
class=3D"gmail_msg">
been changed, see<br class=3D"gmail_msg">
<a href=3D"https://tools.ietf.org/rfcdiff?url1=3Dhttps://tools.ietf.org/id/=
draft-ietf-oauth-native-apps-03.txt&amp;url2=3Dhttps://tools.ietf.org/id/dr=
aft-ietf-oauth-native-apps-07.txt" rel=3D"noreferrer" class=3D"gmail_msg" t=
arget=3D"_blank">https://tools.ietf.org/rfcdiff?url1=3Dhttps://tools.ietf.o=
rg/id/draft-ietf-oauth-native-apps-03.txt&amp;url2=3Dhttps://tools.ietf.org=
/id/draft-ietf-oauth-native-apps-07.txt</a><br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Although most of those changes are editorial and normative changes have<br =
class=3D"gmail_msg">
been discussed on the mailing list I believe it is fair to let the group<br=
 class=3D"gmail_msg">
take a brief look at the final version.<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
For this reason we will issue a short, one week, working group last call<br=
 class=3D"gmail_msg">
before pushing the document to the IESG.<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
So, please provide your comments to the list no later than February 27th.<b=
r class=3D"gmail_msg">
<br class=3D"gmail_msg">
Here is the link to the document again:<br class=3D"gmail_msg">
<a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07" rel=
=3D"noreferrer" class=3D"gmail_msg" target=3D"_blank">https://tools.ietf.or=
g/html/draft-ietf-oauth-native-apps-07</a><br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Ciao<br class=3D"gmail_msg">
Hannes &amp; Derek<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">_______________________________________________<br =
class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listinfo=
/oauth</a><br class=3D"gmail_msg">
<br class=3D"gmail_msg"></blockquote></div></div>
_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listinfo=
/oauth</a><br class=3D"gmail_msg">
</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--94eb2c1249e6b938090549abe2d5--
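
Nat's second point above (8.11, mix-up mitigation) in working form, as an added example that is not code from the draft or from any message in this thread: a native-app client records, with each pending authorization request, which AS it was sent to and which redirect URI was used, and on receipt checks that the response arrived at exactly that URI before it will forward the code to that AS's token endpoint. The AS identifiers, endpoints, redirect URIs and code values are constructed for the demonstration; a client registered with several authorization servers is assumed to use a distinct redirect URI per AS so the check can tell them apart.

```python
"""Per-session redirect-URI check for a native-app OAuth client.

Added example; AS names, endpoints, redirect URIs and codes are constructed.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class MixUpError(Exception):
    """An authorization response failed the per-session checks."""


class NativeAppClient:
    """Minimal authorization-code client for a native app.

    Every authorization request is recorded under its state value together
    with the AS it went to and the redirect URI that was sent. A response is
    accepted only if it carries a pending state AND was delivered to exactly
    the redirect URI recorded for that state.
    """

    def __init__(self, client_id):
        self.client_id = client_id
        self._pending = {}  # state -> {"as_id", "authorization_endpoint", "redirect_uri"}

    def start_authorization(self, as_id, authorization_endpoint, redirect_uri):
        """Build the authorization request URL and remember the session."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = {
            "as_id": as_id,
            "authorization_endpoint": authorization_endpoint,
            "redirect_uri": redirect_uri,
        }
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": redirect_uri, "state": state})
        return f"{authorization_endpoint}?{query}", state

    @staticmethod
    def _endpoint_of(url):
        """Scheme, authority and path identify the endpoint; query and
        fragment are where the response parameters live."""
        parts = urlsplit(url)
        return parts.scheme, parts.netloc, parts.path

    def handle_response(self, received_url):
        """Validate a response delivered to the app at ``received_url``.

        Returns the code and the AS it belongs to, so the caller sends the
        code to that AS's token endpoint and no other. Raises MixUpError.
        """
        params = parse_qs(urlsplit(received_url).query)
        state = params.get("state", [None])[0]
        # State is single-use: dropped whether or not the checks pass, so a
        # failed delivery cannot be retried later.
        session = self._pending.pop(state, None)
        if session is None:
            raise MixUpError("response carries no pending state value")
        if self._endpoint_of(received_url) != self._endpoint_of(session["redirect_uri"]):
            raise MixUpError(f"response for AS {session['as_id']!r} arrived at a "
                             "different redirect URI than the one in the request")
        if "error" in params:
            raise MixUpError(f"authorization error: {params['error'][0]}")
        code = params.get("code", [None])[0]
        if code is None:
            raise MixUpError("response has no authorization code")
        return {"as_id": session["as_id"], "code": code}


def demo():
    """Constructed scenario: one client, two authorization servers, one
    redirect URI per AS. Returns the outcome of each case."""
    client = NativeAppClient("native-app-1")
    as_a = ("as-a", "https://as-a.example/authorize", "com.example.app:/oauth2/as-a")
    outcomes = {}

    # Case 1: the response arrives at the redirect URI recorded for the session.
    _, state = client.start_authorization(*as_a)
    good_url = f"com.example.app:/oauth2/as-a?code=CODE_FROM_A&state={state}"
    result = client.handle_response(good_url)
    outcomes["honest"] = f"accepted:{result['as_id']}:{result['code']}"

    # Case 2: same state, but delivered to the redirect URI used for AS B.
    _, state = client.start_authorization(*as_a)
    bad_url = f"com.example.app:/oauth2/as-b?code=CODE_FROM_B&state={state}"
    try:
        client.handle_response(bad_url)
        outcomes["wrong_redirect_uri"] = "accepted"
    except MixUpError:
        outcomes["wrong_redirect_uri"] = "rejected"

    # Case 3: replaying an already-consumed response.
    try:
        client.handle_response(good_url)
        outcomes["replay"] = "accepted"
    except MixUpError:
        outcomes["replay"] = "rejected"
    return outcomes


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The comparison is on scheme, authority and path of the URI the response was delivered to, which is the "exactly matches" check from the message; the state lookup on its own would not catch case 2, since the state is the client's own value and is present in both deliveries.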


From nobody Wed Mar  1 09:25:11 2017
Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id DDB1E1204D9; Wed,  1 Mar 2017 09:25:02 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: "The IESG" <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.46.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148838910290.7012.7881193315246042639.idtracker@ietfa.amsl.com>
Date: Wed, 01 Mar 2017 09:25:02 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gTdQhqyKD4qZx4x2puZ3H7vYMTw>
Cc: oauth-chairs@ietf.org, draft-ietf-oauth-amr-values@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-amr-values-06: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 17:25:03 -0000

Alexey Melnikov has entered the following ballot position for
draft-ietf-oauth-amr-values-06: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for addressing my DISCUSS and comment.



From nobody Thu Mar  2 04:28:49 2017
Return-Path: <piedjingkie@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9729129982; Thu,  2 Mar 2017 04:28:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.493
X-Spam-Level: 
X-Spam-Status: No, score=-0.493 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KR1BoTLKyG8K; Thu,  2 Mar 2017 04:28:46 -0800 (PST)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A104F12997F; Thu,  2 Mar 2017 04:28:46 -0800 (PST)
Received: by mail-ot0-x22a.google.com with SMTP id x10so50777652otb.1; Thu, 02 Mar 2017 04:28:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to:cc; bh=q6S/FDdjBaTN2mUOZbWzwR1nW96w880CJG2ATpfq8BM=; b=QTpZ7oKifUABUZNcdt3rCWxW+uMt4RMtNgkztZyNE3MTIjAtEqbYS/2tWYZuns19jy lvV97x6GvJ5SsChFMDMggR+oFQ14Od6Ea+8eB3l1Y7Ala4m5BxSq/49HeieSPnvkE4JE O+dtlrRfy7JSinU8iq3zjIZkyfadeOQ7UV7kRpxUeqaeNJfqspgCOXly89v76owQiJ3T oQM///x4kbLxd1VM7vebrrIauA1Oohst/85SGnEGs02vgtIoT5snCBpTC2PBPi8/b24E R19DgQi1pq6YXVgmR99pQM35vn6SQZYzEjvt3gqXdyNtB0jDPVu/c95SwZruyKqw1QN4 6SqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=q6S/FDdjBaTN2mUOZbWzwR1nW96w880CJG2ATpfq8BM=; b=SM/RLAjE8/Qg+Rl0W75mAkEi3TsNAd1I9hscAan8zBZgwYfptFCxf8HsbNdNx1PHz3 zHZQipkB685oTKg0fzqnxWX7wmLNvKSDvvTO6J1n6mkE10YOklwSHr7uPwzqfJZVXSxn lVb719rFsYgkdHwg6H+ekL6/weE2kTx5+2E/07gq852YvXn4xOxcnxtTEOaIIa4kYtIu gtZzHJUU6KuFu8epJEwAieAJzsPc/4Liyqq4e0ORUEdSk/vG+8nLL3Am34h5cPESwFIP qnLYrv+2GJhOL2XuHITEekMeMmVurRrw3IjeIVB4B/XWAOjkdm8O8XSBXFKzrb+loL5H iB6Q==
X-Gm-Message-State: AMke39nzVZ3M5r/FDduoQDbhBhubWPDlzRkIc4TR1ovic/3nzLDOz8TOakXKVGWqEK+84ze70ngoULmfeF1zlA==
X-Received: by 10.157.22.133 with SMTP id c5mr3999769ote.258.1488457725924; Thu, 02 Mar 2017 04:28:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.245.227 with HTTP; Thu, 2 Mar 2017 04:28:45 -0800 (PST)
From: Jingkie Pied <piedjingkie@gmail.com>
Date: Thu, 2 Mar 2017 20:28:45 +0800
Message-ID: <CAGp2R_OyXH6=98CrsCC-jbfvnQs03oYNnCKGR+kcf3haQV2YMg@mail.gmail.com>
To: oauth-owner@ietf.org
Content-Type: multipart/alternative; boundary=001a113e53e6045c7a0549be92d6
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xftkIo-gSVCgM80bIpy-Rp5r1Wk>
Cc: oauth-chairs@ietf.org, draft-ietf-oauth-amr-values@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] HELP PLEASE!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 12:28:48 -0000

--001a113e53e6045c7a0549be92d6
Content-Type: text/plain; charset=UTF-8

Date: Thursday,  March 2, 2017 08:28:31 PM
 Re: Pushing "OAuth 2.0 for Native Apps" to the IESG
From: Jingkie Pied <piedjingkie@gmail.com>
Subject: [OAUTH-WG] Alexey Melnikov's No Objection on
        draft-ietf-oauth-amr-values-06: (with COMMENT)
Message-ID:
        <148838910290.7012.7881193315246042639.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"

Alexey Melnikov has entered the following ballot position for
draft-ietf-oauth-amr-values-06: No Objection

HELP PLEASE!

This kind of mail caught my attention.
I've been receiving this kind of forum mail for a couple of months without
paying attention to the messages because I can't understand the topic,
though I know I'm using that kind of native app and I thought it was just
for the owners and developers who are updating my mobile app. I still
don't know until now if I'm the main character here.


I need someone who can enlighten me.

If I was the one you are waiting on to answer, I apologize for not paying
attention to the messages from you.
And I am willing to answer what you want to know; I am willing to
cooperate and follow instructions to help in this issue.


I'm still hoping that I am not the "CONTRIBUTOR" in the mailings.

I am hoping to receive a quick response regarding this matter.

Regards to all!

--001a113e53e6045c7a0549be92d6--


From nobody Thu Mar  2 10:55:40 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 789701295EE for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 10:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyST96hqgo_v for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 10:55:37 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D6251295BC for <oauth@ietf.org>; Thu,  2 Mar 2017 10:55:37 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id m67so23891586qkf.2 for <oauth@ietf.org>; Thu, 02 Mar 2017 10:55:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to;  bh=TJsgHmeIq5TwEtO7yquZ+u7T57xS2jfB1db7Y8+8EqA=; b=WtB7OKKwwoJEHwxnMgS0SLvkuWi0g86L8Cx5es9WzEhyMs7F6xXGMZESVUtZp6eaNG bSTUrTys2G4namAz6Cahp1QxVkmCTctxfLLa732SA6u4DcmdE0jd9m4S06Z/M91Eczz6 MIjAYagJp8OpZ7zig2aSCIM5PY2TMEwiyhjG5zRgc0RBHGcVC9RaRTK4VXwH9ls7RTm3 lD8NlPt/rGHP/yj+tXeV7MOzU/ey5xCavQX7KVBsrxNOaHw09SUlGEk16FQtBS8AYnZL 9XXy6N7WfnoMxoBrJQ/D7hyL7vXjTbNNxduJ7twa8gIximSp/lNh5Le6O0sf8WcCTOxJ CAvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=TJsgHmeIq5TwEtO7yquZ+u7T57xS2jfB1db7Y8+8EqA=; b=sBGtXxdbU1xg/OrNigB3HJ2tsZH44vIgNCSmzfxmuwGYuuOMufvbDAresHaUk4DEmo WsIwUtTe+hzMzFveqnZeAbyYgY5Q906gg9EzqWrDcMIfrNsK9jWXSo9Zo2i3lk01HFGq TE8EknuYG8KcIrmZuzddpmLZlfw4cWyxnGHcN0IzLhnyd3+V56Lk7gAptuwUxrrRQ1Zj l2lz2rFMdMX1ybmhCowfqNJN/EgSgspJbF7WYOXX5+3M/igXalYGIWwrDVxiG5KBPIyD dLjiY/kI6y/cFC/Kl+inceLL7FcWKQZypgWgBGFmSNOt6IQ9LsM/9RklJbHLaUlwXx4u f7gw==
X-Gm-Message-State: AMke39n/wIaAHU3jHoPfckm0f3H0FikR2N8USnVYt4sTcwT39N8Y4T0fv3znOnWn3LCeugHa3PjgMGDdPUaG4w==
X-Received: by 10.237.39.222 with SMTP id m30mr12097782qtg.21.1488480936038; Thu, 02 Mar 2017 10:55:36 -0800 (PST)
MIME-Version: 1.0
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
In-Reply-To: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 02 Mar 2017 18:55:25 +0000
Message-ID: <CABzCy2CeOzrdiX874431A-S=oqVT3iBtQ4js=acDS3O5sa5c_g@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=f403045f434273053c0549c3f9dc
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3iTJieaZlupdYhUCF1DhzbcaeFQ>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 18:55:38 -0000

--f403045f434273053c0549c3f9dc
Content-Type: text/plain; charset=UTF-8

Great!

On Mon, Feb 20, 2017 at 8:02 PM Hannes Tschofenig <hannes.tschofenig@gmx.net>
wrote:

> Hi all,
>
> earlier this month we issued a call for adoption of the OAuth security
> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
> response was quite positive on the list (as well as during the last f2f
> meeting).
>
> For this reason, we ask the authors to submit a WG version of the
> document and to discuss new content for the document in preparation for
> the next meeting.
>
> Note that the intention of the document is to discuss security topics as
> they relate to the work in the OAuth working group. As this initial
> document already does, it describes a problem statement and outlines
> various ways to mitigate the problems. I expect the working group to
> decide which solution approach is most appropriate and to detail it (at
> a specification level) in a separate document (some of those documents
> already exist in the working group). This should help us make decisions
> that are not just point solutions for specific problems but rather
> consider the big picture.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

--f403045f434273053c0549c3f9dc--


From nobody Thu Mar  2 14:50:07 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F778128874 for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 14:50:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WrV4OH1SfoA3 for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 14:50:04 -0800 (PST)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00E1C127A90 for <oauth@ietf.org>; Thu,  2 Mar 2017 14:50:04 -0800 (PST)
Received: by mail-yw0-x231.google.com with SMTP id o4so7658409ywd.3 for <oauth@ietf.org>; Thu, 02 Mar 2017 14:50:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kiYiYzJBZx1Cnz8LE3tOtiFPIHlTRf0m2QJGt+5qL4U=; b=bJfXiCZC/ZTupVPZaXK4NoC0XtIUGgLcvpzc0Gs2/CxNzEu2zLtQ5BCLWbnM+ITE8f fiszVfYqNv02/V8jYDCrVv3kBWVQo1BRNtHVgvRzw9c1JuSr2BpNBMalr9zoQrOQH8/1 GTXfuN9y0WqAmq+5nDAC8z5cAzJft2AxSPhZE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kiYiYzJBZx1Cnz8LE3tOtiFPIHlTRf0m2QJGt+5qL4U=; b=hCPG3eNhieaDcRvjS6sQ6jkB7iHdCeVnXAqOwiACbM7av6fMFnn9fgjqJKzOX7enor xoGSZoefTA/N709ePgBP1QdGLlN7FBftB7RxUPLq8RUXEFfbyELLrTuB+cOsh7wmW1tm LokOLGqyAoHffD8h4uB7n0VMnNikJDQS63w5J0Abw0Dvn3gYGY7cNSI6neBX3zCFJNMe 3Clhzq63cFMueDxAlKYn0eaOuCZttBZE/jp/zasVwR9+gtU2bIQ306uHPbn5jsllsYg5 aEeHvfqXLFm10m4A2BFA2nHZqjxluxP8HFM7Q4POQ5E+BJ4prhNtFj01OhkqIxjnLl10 LXhA==
X-Gm-Message-State: AMke39l8SMH9S/mvUD2r1zgRVjeWbLHlO0f4Yh5vsch3D6Pl7MRPgEkNssb/wthxAZbQbH2DP1d93lXySYFtdTuG
X-Received: by 10.37.78.195 with SMTP id c186mr6402832ybb.180.1488495003095; Thu, 02 Mar 2017 14:50:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.43.4 with HTTP; Thu, 2 Mar 2017 14:49:32 -0800 (PST)
In-Reply-To: <CAAP42hBGV7gCpr9xYvcTR+xq_XRDdFE6TY7WX+Sar+p+XeUgRw@mail.gmail.com>
References: <148821758095.21176.8129728266233946666.idtracker@ietfa.amsl.com> <CAAP42hBGV7gCpr9xYvcTR+xq_XRDdFE6TY7WX+Sar+p+XeUgRw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 2 Mar 2017 15:49:32 -0700
Message-ID: <CA+k3eCRf4yyn-Wa=tYPOocRSVtiMz7dJp3bF0S2KVB03bTp9PA@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary=001a113e88fae8f2dd0549c73f8f
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/l8JYlhoDhiI4KG98-zK9r9qyO1I>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 22:50:06 -0000

--001a113e88fae8f2dd0549c73f8f
Content-Type: text/plain; charset=UTF-8

Two little nits about endpoint naming:

Section 2
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-2>
defines "device endpoint", which is used in the document everywhere except
the new metadata sections (section 4
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-4> and
7.3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-7.3.1>)
that use the term "device authorization endpoint". Not a big deal but
potentially a little confusing.

The example in section 3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-3.1>
is supposed to be showing a POST to the device endpoint but the Request-URI
in the Request-Line is "/token", which *could* be the device endpoint but
is probably just a copy/paste error and source of unneeded confusion.



On Mon, Feb 27, 2017 at 11:14 AM, William Denniss <wdenniss@google.com>
wrote:

> My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for
> Browserless and Input Constrained Devices draft today.
>
> Key changes:
>
>    1. Title updated to reflect specificity of devices that use this flow.
>    2. User interaction section expanded.
>    3. OAuth 2.0 Metadata
>    <https://tools.ietf.org/html/draft-ietf-oauth-discovery> for the
>    device authorization endpoint added.
>    4. User interaction section expanded.
>    5. Security Considerations section added.
>    6. Usability Considerations section added.
>
> Please give it a look!
>
> On Mon, Feb 27, 2017 at 9:46 AM, <internet-drafts@ietf.org> wrote:
>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>         Title           : OAuth 2.0 Device Flow for Browserless and Input
>> Constrained Devices
>>         Authors         : William Denniss
>>                           John Bradley
>>                           Michael B. Jones
>>                           Hannes Tschofenig
>>         Filename        : draft-ietf-oauth-device-flow-04.txt
>>         Pages           : 15
>>         Date            : 2017-02-27
>>
>> Abstract:
>>    This OAuth 2.0 authorization flow for browserless and input
>>    constrained devices, often referred to as the device flow, enables
>>    OAuth clients to request user authorization from devices that have an
>>    Internet connection, but don't have an easy input method (such as a
>>    smart TV, media console, picture frame, or printer), or lack a
>>    suitable browser for a more traditional OAuth flow.  This
>>    authorization flow instructs the user to perform the authorization
>>    request on a secondary device, such as a smartphone.  There is no
>>    requirement for communication between the constrained device and the
>>    user's secondary device.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--001a113e88fae8f2dd0549c73f8f--
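
The flow the quoted abstract describes, as an added example that is not part of the draft or of any message in this thread: an in-memory authorization server in Go with the two endpoints the device flow uses. The device endpoint (which the draft keeps separate from the token endpoint) hands the device a device_code and a user_code; the device then polls the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code until the user has acted. The user's approval happens on a second device with only the user_code as input, which is why the abstract can say that no channel between the two devices is needed; it also means the user_code is the guessable part, so the verification endpoint of a real deployment needs its own rate limiting (not shown), while the device_code stays long and single-use and impatient polling is answered with slow_down. The verification URI, client ID, code alphabet, lifetime and interval are this example's assumptions; the error strings are the flow's polling responses as I know them, not quoted from the draft text on this page.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// Deployment choices the draft leaves open; these values are this example's assumptions.
const pollInterval = 5 * time.Second
const codeLifetime = 10 * time.Minute
const userAlphabet = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ" // 32 symbols, no 0/O or 1/I

type DeviceAuthResponse struct {
	DeviceCode, UserCode, VerificationURI string
	ExpiresIn, Interval                   int
}

type grant struct {
	userCode, clientID string
	approved, denied   bool
	expires, lastPoll  time.Time
}

// AuthServer is an in-memory stand-in for the AS; the grant table is the only link between TV and phone.
type AuthServer struct {
	now      func() time.Time // injected so the demo and tests can move the clock
	byDevice map[string]*grant
}

func NewAuthServer(now func() time.Time) *AuthServer { return &AuthServer{now, map[string]*grant{}} }

func randomUserCode() string {
	b := make([]byte, 8) // 8 x 5 bits: short enough to type, so guessing it must be rate-limited
	rand.Read(b)
	for i := range b {
		b[i] = userAlphabet[b[i]&31] // 32-symbol alphabet, so masking is unbiased
	}
	return string(b[:4]) + "-" + string(b[4:])
}

func randomSecret() string { // 256 bits: used for the device_code and the access token
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// DeviceAuthorize handles the device's POST to the device endpoint (not the token endpoint).
func (as *AuthServer) DeviceAuthorize(clientID string) DeviceAuthResponse {
	dc, uc := randomSecret(), randomUserCode()
	as.byDevice[dc] = &grant{userCode: uc, clientID: clientID, expires: as.now().Add(codeLifetime)}
	return DeviceAuthResponse{dc, uc, "https://as.example/device", int(codeLifetime.Seconds()), int(pollInterval.Seconds())}
}

// UserApprove is the phone-side step: open verification_uri, authenticate, type the code shown on the TV.
func (as *AuthServer) UserApprove(userCode string, approve bool) bool {
	for _, g := range as.byDevice {
		if g.userCode == userCode && as.now().Before(g.expires) {
			g.approved, g.denied = approve, !approve
			return true
		}
	}
	return false
}

// Token handles the device's poll of the token endpoint (grant_type=urn:ietf:params:oauth:grant-type:device_code).
func (as *AuthServer) Token(clientID, deviceCode string) (token, oauthErr string) {
	g, ok := as.byDevice[deviceCode]
	if !ok || g.clientID != clientID {
		return "", "invalid_grant"
	}
	now := as.now()
	if now.After(g.expires) {
		return "", "expired_token"
	}
	tooSoon := !g.lastPoll.IsZero() && now.Sub(g.lastPoll) < pollInterval
	g.lastPoll = now
	switch {
	case tooSoon:
		return "", "slow_down" // polled faster than interval: the device must back off
	case g.denied:
		return "", "access_denied"
	case !g.approved:
		return "", "authorization_pending"
	}
	delete(as.byDevice, deviceCode) // device_code is single use
	return randomSecret(), ""
}

func main() {
	as := NewAuthServer(time.Now)
	r := as.DeviceAuthorize("tv-client")
	as.UserApprove(r.UserCode, true) // happens on the phone; nothing flows back to the TV
	tok, e := as.Token("tv-client", r.DeviceCode)
	fmt.Println("user typed", r.UserCode, "-> token issued:", tok != "", e)
}
```

Note what the AS never needs: any identifier of the phone, or any message from the TV after its first request. The user_code typed on the phone is the whole binding, which is why its entropy and the rate at which it can be tried matter more than anything about the device_code.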


From nobody Thu Mar  2 18:13:47 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C341293FF for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 18:13:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7a_DIgRJk8Dv for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 18:13:44 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BF1E1293EB for <oauth@ietf.org>; Thu,  2 Mar 2017 18:13:44 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id n127so155452480qkf.0 for <oauth@ietf.org>; Thu, 02 Mar 2017 18:13:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lS06K8oH7bo9E72gHlSxTIIkTtr6Bv0jdrES68dAf/Y=; b=h8pKty1dIawcy/GGXV2k1FjsPt1lj+RmiJjFVF4tCohaXB6URybt7DpTF/CAD39/Hx +8wBXuCxoapA9cf46+ukim67XWtCm0N6sj1BwBL2nNUzt8svfEWk2gqzgJF3EoHdC/4Q a99Ei3s+1Q/wxZLEqOk8UAhOk7WSDw0YP/E5fNGWkXEMJgGzolXGc+SUjAMkBZEQOZ3w +cIqPFKEvs0/xZWboH+LwDgqCDXPy9r920ImlqGyXfTSn+RHBkSfE+RPoh2sNH1Nngq9 l5LoLTQyLcvmTlTHLsWPGoNHPPptpljG5P6hxhce1sB+BPCMWspZJkNSPeONrVW8uk3K AR4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lS06K8oH7bo9E72gHlSxTIIkTtr6Bv0jdrES68dAf/Y=; b=dbJIWCouhZExW0Qx8jm7MAAMMaijd1S7sFDgaiy7dJUSAadOhGnzEOfGHj3ANDvvkS lRrPMXCUgGgrXm8jHedVD3uT/jixQ7sVwjggdoORfNUX4UqJnOvzHEJK62pZyDaSnRq3 hEVWcbgGp0zY56BNgeHCpr3JCeFiG0JwfEiwUWfsXoAvozRnrzEBKWgQNaEOrgVwpmg7 QUhp13MViiY8ASqOULlxWbKSseLtHa56csg8NtBfcYFtQ35XDeCE3kchN/p6JTz+ajjs xd6d0YS9SuSj//9oh6puoSojv794WXl6h/ZdNWmvsRyY8xIGSEqzfByCOWaYQJu2QsRJ dRwA==
X-Gm-Message-State: AMke39kFwSC3ctuQgCg3HWzUkDpNAhBuzJHd+nFDLDMAh1xi/OYLV1ducwildOiZ5bCoFA5NLenYCSVJQ4b9yRXa
X-Received: by 10.200.44.156 with SMTP id 28mr377389qtw.48.1488507223101; Thu, 02 Mar 2017 18:13:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Thu, 2 Mar 2017 18:13:22 -0800 (PST)
In-Reply-To: <4acb6b3e0a724da88aa040f556c01b07@HE105717.emea1.cds.t-internal.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <4acb6b3e0a724da88aa040f556c01b07@HE105717.emea1.cds.t-internal.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 2 Mar 2017 18:13:22 -0800
Message-ID: <CAAP42hBRCMMhkahQv7VbH4SRLd=jGLvWnRy5Cf-cGr25bryEdQ@mail.gmail.com>
To: Sebastian.Ebling@telekom.de
Content-Type: multipart/alternative; boundary=001a11376fac47bd190549ca182b
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mw48tyWI3sCXiJwfOtWd6Tj8L68>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 02:13:46 -0000

--001a11376fac47bd190549ca182b
Content-Type: text/plain; charset=UTF-8

The Android Account Manager isn't standard OAuth, unlike this BCP.  Thus,
the Account Manager pattern falls under the security considerations section
"Non-Browser External User-Agents" and is officially out of scope of the
specification.

To answer your question though, this BCP *is* the Google recommended way to
do standards-based OAuth on Android. Some official references:

OAuth 2.0 for Mobile & Desktop Apps
<https://developers.google.com/identity/protocols/OAuth2InstalledApp> (which
directly references this BCP! Scroll to the bottom)
Set up SSO with Chrome Custom Tabs with Android for Work
<https://developer.android.com/work/guide.html#sso>
Your Apps at work - Google I/O 2016 <https://youtu.be/Za0OQo8DRM4?t=22m57s>
Modernizing OAuth interactions in Native Apps for Better Usability and
Security
<https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html>

NB. every time you see "AppAuth" in those docs, it's a reference to the
library that implements the pattern defined by this BCP.

The utility of Account Manager really depends on your use-case. I expect
that most people who need to deal with non-Google ASes on Android will
migrate over to the pattern outlined in this BCP.  People who deal
exclusively with the Google IdP (e.g. display a Google Sign-in button) will
likely keep doing what they're doing, which is fine.

The main drawback of the Account Manager pattern was that you need to have
an app from the authorization server (AS) installed, which can't always be
guaranteed.  That's why this is less of a problem with Google's IdP, since
all phones that have the Play store come with the Google authentication
agent.

Even if you can guarantee that the authentication app will be installed,
there is overhead on the AS such as maintenance and updates for the native
authorization app component.  I participated in many discussions over a two
year period in the OAuth and OpenID communities, and the general consensus
was that requiring the AS to provide a native app was a burden, and harmful
to interop, which led to the drafting of this BCP, which doesn't require
any native code to be maintained and distributed by the AS.



On Mon, Feb 27, 2017 at 12:22 AM, <Sebastian.Ebling@telekom.de> wrote:

> Hi all,
>
> I have a question that relates to section B.2. Android Implementation
> Details.
>
> I understand this as a working group best practice. Unfortunately this
> does not necessarily meet the Google instruction for Android. There is a
> lot of documentation out there pointing to the Android Account Manager and
> I do not get these both together.
>
> Any idea?
>
> Best Regards
>
> Sebastian
>
> --
> Sebastian Ebling / sebastian.ebling@telekom.de
> Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP)
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--001a11376fac47bd190549ca182b--


From nobody Thu Mar  2 19:15:49 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49A9012965E for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 19:15:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbPXUrChYDan for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 19:15:45 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AFDB12711D for <oauth@ietf.org>; Thu,  2 Mar 2017 19:15:45 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id 1so37753103qkl.3 for <oauth@ietf.org>; Thu, 02 Mar 2017 19:15:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/P0bsjZvf9FsvJw/BhT46/EGxoO2JGb8PXUEclqoGhc=; b=N+xEGGBQQoM9IVhkQoV2pjj+rK/hkye6Qd4JxI+V2ZgInE0XGn0diBTxAZmyoMlJLE 06/t0d5Q6QRWymhNaUMNV8TQZgRdttNnU49D+3+UWvnb56EmNuPAy+L3zAaNT/Pt9ExI 88o3Pm0WrwoHZJEhS2YD7d8Uh8OCXmXv1JEVTKD0rQmVMzDBWDPo6+UHasSPUBVKU3Jd 5QGJXnzRHDkEot4xmk89Kg37Dnag109kaUzQBoNOwTsmFUyrfN/uRmNzX4QcKQTFyZCc NeGVIHoV1D5RMSIYaNPrTyi5n7TrdzSdfOAWM69U/hTipOgkb+Ck7+nB9udWN4GPlmWo 89wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/P0bsjZvf9FsvJw/BhT46/EGxoO2JGb8PXUEclqoGhc=; b=MU1mFHvsiS6bZdK/a2CYzM1J4tEyMQPoNXzHMs0yFxK/x2kDDCAGZ2QHLy8fzwlMaD vAX//BdK1YzTJhAerKiGkPi2CiKUUt+c3QXciFNYrEP+ZQTu8Q5ZId1YpkHZVvdnSylS vbiYl09RBQPFVt9QAtiqVWY6sOWHMoYsTx7YOfBhRdvxIxTaEzRvV1i7T2VNiAUkwr+j 60QMa32W4wq4fful1BD+tgmNLfxuZy/2K3rJ6473Iv8lxCefyA2whXTae0+FdVS629aj IKUMUgAucsnAtB+84Toz1V9zUuatfx95zr6DBpS+edBVPq555Oqb5Walkekb8oBLPs0H 496w==
X-Gm-Message-State: AMke39nNplrKjbebEgk9wm6eQk2d7ewex0dkgmYJ1QF/lhfHeDYfPA3R9HCiGuXJa7wTnj8HA8W9uFpkWMLiLw==
X-Received: by 10.55.191.69 with SMTP id p66mr490251qkf.84.1488510944118; Thu, 02 Mar 2017 19:15:44 -0800 (PST)
MIME-Version: 1.0
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com> <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com>
In-Reply-To: <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 03 Mar 2017 03:15:33 +0000
Message-ID: <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=94eb2c043d421191500549caf649
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uIbNMEA-D-S2Q8ZNEAgHlIqgXNs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 03:15:47 -0000

--94eb2c043d421191500549caf649
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

+1

Token binding is good, but there are infrastructures that cannot deploy it
while they still need HoK in some manner.
It could be a short term thing -- perhaps 3 years, but they have to do it
now so...

I have a question about the draft.

In section 5.1, `key` is optional and when it is omitted, the server
creates an ephemeral key pair for the client.
My question is: how do you send the ephemeral private key securely to the
client?
I suppose it is returned in a similar fashion to the symmetric case, but it
is not clear from my read.

Also, at that point, the authorization server has everything needed to
impersonate the client, which may not be desirable.
Is it not simpler and better to REQUIRE the `key` parameter?

Nat

On Sat, Feb 25, 2017 at 8:51 AM John Bradley <ve7jtb@ve7jtb.com> wrote:

> The European banks are interested in mutual TLS for server to server
> connections as part of PSD2/Open Banking.
>
> They have been thinking that they would have central CA and directly use
> CA certificates for all the legs.
>
> I sent them this to get them thinking that they could perhaps secure the
> token endpoint with cert based mutual TLS but allow clients to specify
> their own keys for access tokens to make key rotation and deployment easier.
>
> I was also thinking that they could protect a jwks_uri with the CA
> certificate using OCSP stapling and then use mutual TLS to the token
> endpoint based on keyid and/or fingerprint, allowing for rotation of keys
> to token endpoint and better support clusters with multiple keys.
>
> I don't think this has much interest outside of some verticals like
> financials.
>
> John B.
>
> On Feb 24, 2017, at 8:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> I have been wondering about that myself. Interest seems to have waned with the
> TOKBIND work emerging. Maybe I am wrong about that?
>
> Phil
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On Feb 24, 2017, at 1:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I updated the references but haven't made any other changes.
>
> I had some questions about it so thought it was worth keeping alive
> at least for discussion.
>
> There have been some other questions and proposed changes.
>
> I will take a look through them and see what may be worth updating.
>
> John B.
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **[OAUTH-WG] I-D Action:
> draft-ietf-oauth-pop-key-distribution-03.txt*
> *Date: *February 24, 2017 at 6:55:25 PM GMT-3
> *To: *<i-d-announce@ietf.org>
> *Cc: *oauth@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>        Title           : OAuth 2.0 Proof-of-Possession: Authorization
> Server to Client Key Distribution
>        Authors         : John Bradley
>                          Phil Hunt
>                          Michael B. Jones
>                          Hannes Tschofenig
>        Filename        : draft-ietf-oauth-pop-key-distribution-03.txt
>        Pages           : 18
>        Date            : 2017-02-24
>
> Abstract:
>   RFC 6750 specified the bearer token concept for securing access to
>   protected resources.  Bearer tokens need to be protected in transit
>   as well as at rest.  When a client requests access to a protected
>   resource it hands-over the bearer token to the resource server.
>
>   The OAuth 2.0 Proof-of-Possession security concept extends bearer
>   token security and requires the client to demonstrate possession of a
>   key when accessing a protected resource.
>
>   This document describes how the client obtains this keying material
>   from the authorization server.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-key-distribution-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

--94eb2c043d421191500549caf649
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">+1=C2=A0<div><br></div><div>Token binding is good, but the=
re are infrastructures that cannot deploy it while they still need HoK in s=
ome manner.=C2=A0</div><div>It could be a short term thing -- perhaps 3 yea=
rs, but they have to do it now so...=C2=A0</div><div><br></div><div>I have =
a question about the draft.=C2=A0</div><div><br></div><div>In section 5.1, =
`key` is optional and when it is omitted, the server creates a ephemeral ke=
y pair for the client.=C2=A0</div><div>My question is: how do you send the =
ephemeral private key securely to the client?=C2=A0</div><div>I suppose it =
is returned in the similar fashion as in the case of the symmetric, but it =
is not clear from my read.=C2=A0</div><div><br></div><div>Also, at that poi=
nt, the authorization server has everything needed to impersonate the clien=
t, which may not be desirable.=C2=A0</div><div>Is it not simpler and better=
 to REQUIRE the `key` parameter?=C2=A0</div><div><br></div><div>Nat</div></=
div><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Sat, Feb 25, 2017 at=
 8:51 AM John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jt=
b.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style=3D"=
word-wrap:break-word" class=3D"gmail_msg">The European banks are interested=
 in mutual TLS for server to server connections as part of PSD2/Open Bankin=
g.<div class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmai=
l_msg">They have been thinking that they would have central CA and directly=
 use CA certificates for all the legs. =C2=A0</div><div class=3D"gmail_msg"=
><br class=3D"gmail_msg"></div><div class=3D"gmail_msg">I sent them this to=
 get them thinking that they could perhaps secure the token endpoint with c=
ert based mutual TLS but allow clients to specify there own keys for access=
 tokens to make key rotation and deployment easier.</div><div class=3D"gmai=
l_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg">I was also th=
ink ing that they could protect a jwks_uri with the CA certificate using OC=
SP stapling and then use mutual TLS to the token endpoint based on keyid an=
d/or fingerprint. allowing for rotation of keys to token endpoint and bette=
r support clusters with multiple keys.</div><div class=3D"gmail_msg"><br cl=
ass=3D"gmail_msg"></div><div class=3D"gmail_msg">I don=E2=80=99t think this=
 has much interest outside of some verticals like financials.</div><div cla=
ss=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg">Joh=
n B.</div></div><div style=3D"word-wrap:break-word" class=3D"gmail_msg"><di=
v class=3D"gmail_msg"><div class=3D"gmail_msg"><blockquote type=3D"cite" cl=
ass=3D"gmail_msg"><div class=3D"gmail_msg">On Feb 24, 2017, at 8:33 PM, Phi=
l Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" class=3D"gmail_msg" targ=
et=3D"_blank">phil.hunt@oracle.com</a>&gt; wrote:</div><br class=3D"m_76850=
36241369891138Apple-interchange-newline gmail_msg"><div class=3D"gmail_msg"=
><div style=3D"word-wrap:break-word" class=3D"gmail_msg">I have been wonder=
ing about that myself. Interest seems to wained with the TOKBIND work emerg=
ing. Maybe I am wrong about that?<div class=3D"gmail_msg"><br class=3D"gmai=
l_msg"><div class=3D"gmail_msg">
<div style=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" cla=
ss=3D"gmail_msg"><div style=3D"letter-spacing:normal;text-align:start;text-=
indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wra=
p:break-word" class=3D"gmail_msg"><div style=3D"letter-spacing:normal;text-=
align:start;text-indent:0px;text-transform:none;white-space:normal;word-spa=
cing:0px;word-wrap:break-word" class=3D"gmail_msg"><div style=3D"letter-spa=
cing:normal;text-align:start;text-indent:0px;text-transform:none;white-spac=
e:normal;word-spacing:0px;word-wrap:break-word" class=3D"gmail_msg"><div cl=
ass=3D"gmail_msg"><span class=3D"m_7685036241369891138Apple-style-span gmai=
l_msg" style=3D"border-collapse:separate;line-height:normal;border-spacing:=
0px"><div style=3D"word-wrap:break-word" class=3D"gmail_msg"><div class=3D"=
gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail_msg">Phil</div><div=
 class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg"=
>Oracle Corporation, Identity Cloud Services &amp; Identity Standards</div>=
<div class=3D"gmail_msg">@independentid</div><div class=3D"gmail_msg"><a hr=
ef=3D"http://www.independentid.com/" class=3D"gmail_msg" target=3D"_blank">=
www.independentid.com</a></div></div></div></div></span><a href=3D"mailto:p=
hil.hunt@oracle.com" class=3D"gmail_msg" target=3D"_blank">phil.hunt@oracle=
.com</a></div><div class=3D"gmail_msg"><br class=3D"gmail_msg"></div></div>=
<br class=3D"m_7685036241369891138Apple-interchange-newline gmail_msg"></di=
v><br class=3D"m_7685036241369891138Apple-interchange-newline gmail_msg"></=
div><br class=3D"m_7685036241369891138Apple-interchange-newline gmail_msg">=
</div><br class=3D"m_7685036241369891138Apple-interchange-newline gmail_msg=
"><br class=3D"m_7685036241369891138Apple-interchange-newline gmail_msg">
</div>
<br class=3D"gmail_msg"><div class=3D"gmail_msg"><blockquote type=3D"cite" =
class=3D"gmail_msg"><div class=3D"gmail_msg">On Feb 24, 2017, at 1:58 PM, J=
ohn Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" class=3D"gmail_msg" ta=
rget=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wrote:</div><br class=3D"m_768503=
6241369891138Apple-interchange-newline gmail_msg"><div class=3D"gmail_msg">=
<div style=3D"word-wrap:break-word" class=3D"gmail_msg">I updated the refer=
ences but haven&#39;t made any other changes.<div class=3D"gmail_msg"><br c=
lass=3D"gmail_msg"></div><div class=3D"gmail_msg">I had some questions abou=
t it so though it was worth keeping alive at-least for discussion.</div><di=
v class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg=
">There have been some other questions and proposed changes. =C2=A0</div><d=
iv class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_ms=
g">I will take a look through them and see if what may be worth updating.</=
div><div class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gm=
ail_msg">John B.<br class=3D"gmail_msg"><div class=3D"gmail_msg"><br class=
=3D"gmail_msg"><blockquote type=3D"cite" class=3D"gmail_msg"><div class=3D"=
gmail_msg">Begin forwarded message:</div><br class=3D"m_7685036241369891138=
Apple-interchange-newline gmail_msg"><div style=3D"margin-top:0px;margin-ri=
ght:0px;margin-bottom:0px;margin-left:0px" class=3D"gmail_msg"><span style=
=3D"font-family:-webkit-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans=
-serif" class=3D"gmail_msg"><b class=3D"gmail_msg">From: </b></span><span s=
tyle=3D"font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif=
" class=3D"gmail_msg"><a href=3D"mailto:internet-drafts@ietf.org" class=3D"=
gmail_msg" target=3D"_blank">internet-drafts@ietf.org</a><br class=3D"gmail=
_msg"></span></div><div style=3D"margin-top:0px;margin-right:0px;margin-bot=
tom:0px;margin-left:0px" class=3D"gmail_msg"><span style=3D"font-family:-we=
bkit-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" class=3D"gm=
ail_msg"><b class=3D"gmail_msg">Subject: </b></span><span style=3D"font-fam=
ily:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif" class=3D"gmail=
_msg"><b class=3D"gmail_msg">[OAUTH-WG] I-D Action: draft-ietf-oauth-pop-ke=
y-distribution-03.txt</b><br class=3D"gmail_msg"></span></div><div style=3D=
"margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px" class=
=3D"gmail_msg"><span style=3D"font-family:-webkit-system-font,&#39;Helvetic=
a Neue&#39;,Helvetica,sans-serif" class=3D"gmail_msg"><b class=3D"gmail_msg=
">Date: </b></span><span style=3D"font-family:-webkit-system-font,Helvetica=
 Neue,Helvetica,sans-serif" class=3D"gmail_msg">February 24, 2017 at 6:55:2=
5 PM GMT-3<br class=3D"gmail_msg"></span></div><div style=3D"margin-top:0px=
;margin-right:0px;margin-bottom:0px;margin-left:0px" class=3D"gmail_msg"><s=
pan style=3D"font-family:-webkit-system-font,&#39;Helvetica Neue&#39;,Helve=
tica,sans-serif" class=3D"gmail_msg"><b class=3D"gmail_msg">To: </b></span>=
<span style=3D"font-family:-webkit-system-font,Helvetica Neue,Helvetica,san=
s-serif" class=3D"gmail_msg">&lt;<a href=3D"mailto:i-d-announce@ietf.org" c=
lass=3D"gmail_msg" target=3D"_blank">i-d-announce@ietf.org</a>&gt;<br class=
=3D"gmail_msg"></span></div><div style=3D"margin-top:0px;margin-right:0px;m=
argin-bottom:0px;margin-left:0px" class=3D"gmail_msg"><span style=3D"font-f=
amily:-webkit-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" cl=
ass=3D"gmail_msg"><b class=3D"gmail_msg">Cc: </b></span><span style=3D"font=
-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif" class=3D"g=
mail_msg"><a href=3D"mailto:oauth@ietf.org" class=3D"gmail_msg" target=3D"_=
blank">oauth@ietf.org</a><br class=3D"gmail_msg"></span></div><br class=3D"=
gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail_msg"><br class=3D"g=
mail_msg">A New Internet-Draft is available from the on-line Internet-Draft=
s directories.<br class=3D"gmail_msg">This draft is a work item of the Web =
Authorization Protocol of the IETF.<br class=3D"gmail_msg"><br class=3D"gma=
il_msg"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Title =C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: OAuth 2.0 Proof-of-Possession: =
Authorization Server to Client Key Distribution<br class=3D"gmail_msg"> =C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Authors =C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0: John Bradley<br class=3D"gmail_msg"> =C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Phil Hunt<br cl=
ass=3D"gmail_msg"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0Michael B. Jones<br class=3D"gmail_msg"> =C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Hannes Tscho=
fenig<br class=3D"gmail_msg"><span class=3D"m_7685036241369891138Apple-tab-=
span gmail_msg" style=3D"white-space:pre-wrap">	</span>Filename =C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: draft-ietf-oauth-pop-key-distribution-03=
.txt<br class=3D"gmail_msg"><span class=3D"m_7685036241369891138Apple-tab-s=
pan gmail_msg" style=3D"white-space:pre-wrap">	</span>Pages =C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: 18<br class=3D"gmail_msg"><s=
pan class=3D"m_7685036241369891138Apple-tab-span gmail_msg" style=3D"white-=
space:pre-wrap">	</span>Date =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0: 2017-02-24<br class=3D"gmail_msg"><br class=3D"gmail=
_msg">Abstract:<br class=3D"gmail_msg"> =C2=A0=C2=A0RFC 6750 specified the =
bearer token concept for securing access to<br class=3D"gmail_msg"> =C2=A0=
=C2=A0protected resources.=C2=A0 Bearer tokens need to be protected in tran=
sit<br class=3D"gmail_msg"> =C2=A0=C2=A0as well as at rest.=C2=A0 When a cl=
ient requests access to a protected<br class=3D"gmail_msg"> =C2=A0=C2=A0res=
ource it hands-over the bearer token to the resource server.<br class=3D"gm=
ail_msg"><br class=3D"gmail_msg"> =C2=A0=C2=A0The OAuth 2.0 Proof-of-Posses=
sion security concept extends bearer<br class=3D"gmail_msg"> =C2=A0=C2=A0to=
ken security and requires the client to demonstrate possession of a<br clas=
s=3D"gmail_msg"> =C2=A0=C2=A0key when accessing a protected resource.<br cl=
ass=3D"gmail_msg"><br class=3D"gmail_msg"> =C2=A0=C2=A0This document descri=
bes how the client obtains this keying material<br class=3D"gmail_msg"> =C2=
=A0=C2=A0from the authorization server.<br class=3D"gmail_msg"><br class=3D=
"gmail_msg"><br class=3D"gmail_msg">The IETF datatracker status page for th=
is draft is:<br class=3D"gmail_msg"><a href=3D"https://datatracker.ietf.org=
/doc/draft-ietf-oauth-pop-key-distribution/" class=3D"gmail_msg" target=3D"=
_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribut=
ion/</a><br class=3D"gmail_msg"><br class=3D"gmail_msg">There&#39;s also a =
htmlized version available at:<br class=3D"gmail_msg"><a href=3D"https://to=
ols.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03" class=3D"gmail_=
msg" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-pop-key=
-distribution-03</a><br class=3D"gmail_msg"><br class=3D"gmail_msg">A diff =
from the previous version is available at:<br class=3D"gmail_msg"><a href=
=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-pop-key-distributi=
on-03" class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/rfcdiff?u=
rl2=3Ddraft-ietf-oauth-pop-key-distribution-03</a><br class=3D"gmail_msg"><=
br class=3D"gmail_msg"><br class=3D"gmail_msg">Please note that it may take=
 a couple of minutes from the time of submission<br class=3D"gmail_msg">unt=
il the htmlized version and diff are available at <a href=3D"http://tools.i=
etf.org" class=3D"gmail_msg" target=3D"_blank">tools.ietf.org</a>.<br class=
=3D"gmail_msg"><br class=3D"gmail_msg">Internet-Drafts are also available b=
y anonymous FTP at:<br class=3D"gmail_msg"><a href=3D"ftp://ftp.ietf.org/in=
ternet-drafts/" class=3D"gmail_msg" target=3D"_blank">ftp://ftp.ietf.org/in=
ternet-drafts/</a><br class=3D"gmail_msg"><br class=3D"gmail_msg">_________=
______________________________________<br class=3D"gmail_msg">OAuth mailing=
 list<br class=3D"gmail_msg"><a href=3D"mailto:OAuth@ietf.org" class=3D"gma=
il_msg" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg"><a href=
=3D"https://www.ietf.org/mailman/listinfo/oauth" class=3D"gmail_msg" target=
=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"gma=
il_msg"></div></div></blockquote></div><br class=3D"gmail_msg"></div></div>=
_______________________________________________<br class=3D"gmail_msg">OAut=
h mailing list<br class=3D"gmail_msg"><a href=3D"mailto:OAuth@ietf.org" cla=
ss=3D"gmail_msg" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg=
"><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" class=3D"gmail_ms=
g" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br cla=
ss=3D"gmail_msg"></div></blockquote></div><br class=3D"gmail_msg"></div></d=
iv></div></blockquote></div><br class=3D"gmail_msg"></div></div>___________=
____________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listinfo=
/oauth</a><br class=3D"gmail_msg">
</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--94eb2c043d421191500549caf649--


From nobody Thu Mar  2 20:07:17 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0235C1296DC for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 20:07:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEswWoUBS6SL for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 20:07:13 -0800 (PST)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFBD5129480 for <oauth@ietf.org>; Thu,  2 Mar 2017 20:07:12 -0800 (PST)
Received: by mail-io0-x235.google.com with SMTP id z13so23139012iof.2 for <oauth@ietf.org>; Thu, 02 Mar 2017 20:07:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=j1WumpSwXcCKGD2eOBg//5ERE+ljx+VD0h19ODd7gVs=; b=bC4+OzpHLR4kiU2ibzJaFyIWeTo2qzp3d4g0UvDMj2ngBWznxZ86kaoQs4v6rksNaP GcAm5NEm0Ep1/5mgU/u32uKeQEb1NLwkMOjGtnna+5nb5tfCoDYyc9dCIleFRSi8tXMJ /2d2ZDm0bP1RgIRknj3kVVkzccHFY+LxFl1ADktkneZlp90C7dMA7p0MIgrnfuP9dkq1 GqDJaDCr57NfCG/3KssAZdtmu9SkWrx7dM005vT2e9xC8zPtTXQ8Geg8BUZY1Z26oi44 QzmvmOPYID2SO+qnmZs4tiMh3MXYg9SzmS0Ms1f7bUvw/nk27YAhCCs61zKNhPnQgmhE POJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=j1WumpSwXcCKGD2eOBg//5ERE+ljx+VD0h19ODd7gVs=; b=BWt31UXNMXs5sGFeiSM3ME8EhB9DVmyuJNe76dmZ52QLRR3rvYMnBi3m9qQH1UqRcr 0onKuL+uaYTpcbbR8NXRb7RYse+AxH+oxmYiJEeVFDSV1mZwwnD+oUbEt87yEzcZnZc9 7BdMT8botJm2oOJ+cDWIaMjIvfuc9apND6GHDYUcgmYYevgE0GjhPOsxssmbv3bN1xN6 Y7AdCDnhr0sVI/bS9zwQK0FV5YOoCiZXAbP+IyY6FE3CXqrisVbIztd4Rw5YVHrOXsA3 g030oEV4DgftPZ4aRcAFyQrgVznRy/8JsyeKtesVHwPCYlCC067byaF9Jhw5NmrlD7i5 +1/A==
X-Gm-Message-State: AMke39nPtcxQ/yiWa8cYQ6b1n29cuR7dk5oih0li71wRObQjJnVTTXGp/e1SGr97V5qC8DKJdngDTpmIGf9UFgnI
X-Received: by 10.107.135.136 with SMTP id r8mr1078980ioi.36.1488514031909; Thu, 02 Mar 2017 20:07:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.167.139 with HTTP; Thu, 2 Mar 2017 20:07:11 -0800 (PST)
Received: by 10.107.167.139 with HTTP; Thu, 2 Mar 2017 20:07:11 -0800 (PST)
In-Reply-To: <CAANoGhJaP-Qa7Zi5DJkqFx5KL-z8xP0Aakbde6t7pObXbiz3_g@mail.gmail.com>
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com> <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com> <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com> <CAANoGhK7TRZL8gxczkmeKsJS8eTu2pb=61re7ZSYH1Nta+eNHA@mail.gmail.com> <CAANoGhJaP-Qa7Zi5DJkqFx5KL-z8xP0Aakbde6t7pObXbiz3_g@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 3 Mar 2017 01:07:11 -0300
Message-ID: <CAANoGhJ20KPO1cscKCVGhDWb1BrrOLkZK++E9ucqcZ2wKjQEKg@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a113ec77c21348f0549cbaefe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/94F8jAtLRZjDxXN7prb2uZMew8w>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 04:07:15 -0000

--001a113ec77c21348f0549cbaefe
Content-Type: multipart/alternative; boundary=001a113ec77c1d8f780549cbae6f

--001a113ec77c1d8f780549cbae6f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

The private key is encrypted to the client.  If the attacker has the
symmetric key then it would get the proof key.

I prefer the client to always provide the key; however, some people believe
that mobile devices can't reliably create secure keys, and it is better to
have the server create the keypair.

In both cases you are relying on the client authentication or PKCE to bind
to the correct client.

They are more or less equivalent. I prefer the private key to never leave
the device personally.

This has been debated several times.

John B.

On Mar 3, 2017 12:15 AM, "Nat Sakimura" <sakimura@gmail.com> wrote:

+1

Token binding is good, but there are infrastructures that cannot deploy it
while they still need HoK in some manner.
It could be a short term thing -- perhaps 3 years, but they have to do it
now so...

I have a question about the draft.

In section 5.1, `key` is optional and when it is omitted, the server
creates an ephemeral key pair for the client.
My question is: how do you send the ephemeral private key securely to the
client?
I suppose it is returned in a similar fashion to the symmetric case, but it
is not clear from my reading.

Also, at that point, the authorization server has everything needed to
impersonate the client, which may not be desirable.
Is it not simpler and better to REQUIRE the `key` parameter?

Nat

On Sat, Feb 25, 2017 at 8:51 AM John Bradley <ve7jtb@ve7jtb.com> wrote:

> The European banks are interested in mutual TLS for server to server
> connections as part of PSD2/Open Banking.
>
> They have been thinking that they would have a central CA and directly use
> CA certificates for all the legs.
>
> I sent them this to get them thinking that they could perhaps secure the
> token endpoint with cert based mutual TLS but allow clients to specify
> their own keys for access tokens to make key rotation and deployment easier.
>
> I was also thinking that they could protect a jwks_uri with the CA
> certificate using OCSP stapling and then use mutual TLS to the token
> endpoint based on keyid and/or fingerprint, allowing for rotation of keys
> to token endpoint and better support clusters with multiple keys.
>
> I don't think this has much interest outside of some verticals like
> financials.
>
> John B.
>
> On Feb 24, 2017, at 8:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> I have been wondering about that myself. Interest seems to have waned with
> the TOKBIND work emerging. Maybe I am wrong about that?
>
> Phil
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On Feb 24, 2017, at 1:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I updated the references but haven't made any other changes.
>
> I had some questions about it so thought it was worth keeping alive
> at least for discussion.
>
> There have been some other questions and proposed changes.
>
> I will take a look through them and see what may be worth updating.
>
> John B.
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **[OAUTH-WG] I-D Action:
> draft-ietf-oauth-pop-key-distribution-03.txt*
> *Date: *February 24, 2017 at 6:55:25 PM GMT-3
> *To: *<i-d-announce@ietf.org>
> *Cc: *oauth@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>        Title           : OAuth 2.0 Proof-of-Possession: Authorization
> Server to Client Key Distribution
>        Authors         : John Bradley
>                          Phil Hunt
>                          Michael B. Jones
>                          Hannes Tschofenig
> Filename        : draft-ietf-oauth-pop-key-distribution-03.txt
> Pages           : 18
> Date            : 2017-02-24
>
> Abstract:
>   RFC 6750 specified the bearer token concept for securing access to
>   protected resources.  Bearer tokens need to be protected in transit
>   as well as at rest.  When a client requests access to a protected
>   resource it hands-over the bearer token to the resource server.
>
>   The OAuth 2.0 Proof-of-Possession security concept extends bearer
>   token security and requires the client to demonstrate possession of a
>   key when accessing a protected resource.
>
>   This document describes how the client obtains this keying material
>   from the authorization server.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-key-distribution-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
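
The key-binding option the two messages above argue over, as an added example that is not part of this thread or of the draft: the client generates its own P-256 key pair and sends only the public JWK as the `key` parameter of section 5.1; the authorization server records that key's RFC 7638 thumbprint in an RFC 7800 `cnf` claim of the access token; the resource server accepts a request only when the presenting key matches that thumbprint and the request is signed with it. The token layout (JSON payload plus a detached ECDSA signature standing in for a JWS), the request digest (method|uri|base64url(sha256(token))), the `https://as.example` and `https://rs.example` names and the `scope` value are assumptions of this example, not the draft's wire format. The private key exists only inside the client's process, so neither a party that steals the token nor the AS itself can produce a proof; in the server-generated variant Nat asks about, the AS would hold the private half and could impersonate the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PublicJWK renders a P-256 public key as an RFC 7517 EC JWK. Only the four
// required members are included: json.Marshal sorts map keys, so marshalling
// this map yields the RFC 7638 canonical form directly.
func PublicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"kty": "EC", "crv": "P-256",
		"x": base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// Thumbprint is the RFC 7638 JWK thumbprint: base64url(SHA-256(canonical JSON)).
func Thumbprint(jwk map[string]string) string {
	canon, _ := json.Marshal(jwk)
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Token stands in for a JWS: a JSON payload and the AS's ECDSA signature over
// its SHA-256 hash (layout assumed for this example).
type Token struct{ Payload, Sig []byte }

// IssueToken is the AS when the client supplied `key`: it never sees a private
// key, it only binds the token to the thumbprint of the public JWK (RFC 7800 cnf).
func IssueToken(asKey *ecdsa.PrivateKey, clientJWK map[string]string, scope string) (Token, error) {
	payload, err := json.Marshal(map[string]interface{}{
		"iss":   "https://as.example", // assumed issuer
		"scope": scope,
		"cnf":   map[string]string{"jkt": Thumbprint(clientJWK)},
	})
	if err != nil {
		return Token{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, asKey, h[:])
	return Token{Payload: payload, Sig: sig}, err
}

// requestDigest ties one proof to one request and one token; the
// method|uri|base64url(sha256(token)) layout is an assumption of this example.
func requestDigest(method, uri string, tok Token) []byte {
	th := sha256.Sum256(tok.Payload)
	h := sha256.Sum256([]byte(method + "|" + uri + "|" + base64.RawURLEncoding.EncodeToString(th[:])))
	return h[:]
}

// Prove is the only function that touches the client's private key.
func Prove(priv *ecdsa.PrivateKey, method, uri string, tok Token) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, requestDigest(method, uri, tok))
}

// Verify is the RS: AS signature first, then that the presented key is the one
// the AS bound into cnf.jkt, then the proof signature over this request.
func Verify(asPub *ecdsa.PublicKey, tok Token, presented *ecdsa.PublicKey, method, uri string, proof []byte) (bool, string) {
	h := sha256.Sum256(tok.Payload)
	if !ecdsa.VerifyASN1(asPub, h[:], tok.Sig) {
		return false, "bad AS signature"
	}
	var claims struct{ Cnf struct{ Jkt string `json:"jkt"` } `json:"cnf"` }
	if err := json.Unmarshal(tok.Payload, &claims); err != nil {
		return false, "bad payload"
	}
	if claims.Cnf.Jkt != Thumbprint(PublicJWK(presented)) {
		return false, "key not bound to token"
	}
	if !ecdsa.VerifyASN1(presented, requestDigest(method, uri, tok), proof) {
		return false, "bad proof"
	}
	return true, "ok"
}

func main() {
	asKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the device
	tok, _ := IssueToken(asKey, PublicJWK(&clientKey.PublicKey), "accounts")
	uri := "https://rs.example/accounts" // assumed resource
	proof, _ := Prove(clientKey, "GET", uri, tok)
	fmt.Println(Verify(&asKey.PublicKey, tok, &clientKey.PublicKey, "GET", uri, proof))
	// Whoever holds only the token (a thief, or the AS itself) has no private
	// key matching cnf.jkt and is refused.
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stolen, _ := Prove(thief, "GET", uri, tok)
	fmt.Println(Verify(&asKey.PublicKey, tok, &thief.PublicKey, "GET", uri, stolen))
}
```

The thumbprint relies on json.Marshal sorting map keys, which gives exactly the RFC 7638 member order for an EC key (crv, kty, x, y) as long as the map holds nothing else; adding `kid` or `alg` to that map would silently change the thumbprint and break the binding. Replaying the same proof against a different method or URI fails at the last check, because the digest covers the request as well as the token.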

--001a113ec77c1d8f780549cbae6f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">The private key is encrypted to the client.=C2=A0 If the =
attacker has the symmetric key then it would get the proof key. =C2=A0<div =
dir=3D"auto"><br></div><div dir=3D"auto">I prefer the client to always prov=
ide the key, however some people believe that mobile devices can&#39;t reli=
ably create secure key, and it is better to have the server create the keyp=
air. =C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">In both case=
s you are relying on the client authentication or PKCE to bind to the corre=
ct client. =C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">They a=
re more or less equivalent. =C2=A0 I prefer the private key to never leave =
the device personally.=C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"a=
uto">This has been debated several times. =C2=A0</div><div dir=3D"auto"><br=
></div><div dir=3D"auto">John B. =C2=A0</div></div><div class=3D"gmail_extr=
a"><br><div class=3D"gmail_quote">On Mar 3, 2017 12:15 AM, &quot;Nat Sakimu=
ra&quot; &lt;<a href=3D"mailto:sakimura@gmail.com">sakimura@gmail.com</a>&g=
t; wrote:<br type=3D"attribution"><blockquote class=3D"quote" style=3D"marg=
in:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"=
>+1=C2=A0<div><br></div><div>Token binding is good, but there are infrastru=
ctures that cannot deploy it while they still need HoK in some manner.=C2=
=A0</div><div>It could be a short term thing -- perhaps 3 years, but they h=
ave to do it now so...=C2=A0</div><div><br></div><div>I have a question abo=
ut the draft.=C2=A0</div><div><br></div><div>In section 5.1, `key` is optio=
nal and when it is omitted, the server creates a ephemeral key pair for the=
 client.=C2=A0</div><div>My question is: how do you send the ephemeral priv=
ate key securely to the client?=C2=A0</div><div>I suppose it is returned in=
 the similar fashion as in the case of the symmetric, but it is not clear f=
rom my read.=C2=A0</div><div><br></div><div>Also, at that point, the author=
ization server has everything needed to impersonate the client, which may n=
ot be desirable.=C2=A0</div><div>Is it not simpler and better to REQUIRE th=
e `key` parameter?=C2=A0</div><div><br></div><div>Nat</div></div><div class=
=3D"elided-text"><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Sat, Fe=
b 25, 2017 at 8:51 AM John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com"=
 target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wrote:<br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;p=
adding-left:1ex"><div style=3D"word-wrap:break-word" class=3D"m_58220310874=
64534925gmail_msg">The European banks are interested in mutual TLS for serv=
er to server connections as part of PSD2/Open Banking.<div class=3D"m_58220=
31087464534925gmail_msg"><br class=3D"m_5822031087464534925gmail_msg"></div=
><div class=3D"m_5822031087464534925gmail_msg">They have been thinking that=
 they would have central CA and directly use CA certificates for all the le=
gs. =C2=A0</div><div class=3D"m_5822031087464534925gmail_msg"><br class=3D"=
m_5822031087464534925gmail_msg"></div><div class=3D"m_5822031087464534925gm=
ail_msg">I sent them this to get them thinking that they could perhaps secu=
re the token endpoint with cert based mutual TLS but allow clients to speci=
fy there own keys for access tokens to make key rotation and deployment eas=
ier.</div><div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_5822=
031087464534925gmail_msg"></div><div class=3D"m_5822031087464534925gmail_ms=
g">I was also think ing that they could protect a jwks_uri with the CA cert=
ificate using OCSP stapling and then use mutual TLS to the token endpoint b=
ased on keyid and/or fingerprint. allowing for rotation of keys to token en=
dpoint and better support clusters with multiple keys.</div><div class=3D"m=
_5822031087464534925gmail_msg"><br class=3D"m_5822031087464534925gmail_msg"=
></div><div class=3D"m_5822031087464534925gmail_msg">I don=E2=80=99t think =
this has much interest outside of some verticals like financials.</div><div=
 class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_582203108746453492=
5gmail_msg"></div><div class=3D"m_5822031087464534925gmail_msg">John B.</di=
v></div><div style=3D"word-wrap:break-word" class=3D"m_5822031087464534925g=
mail_msg"><div class=3D"m_5822031087464534925gmail_msg"><div class=3D"m_582=
2031087464534925gmail_msg"><blockquote type=3D"cite" class=3D"m_58220310874=
64534925gmail_msg"><div class=3D"m_5822031087464534925gmail_msg">On Feb 24,=
 2017, at 8:33 PM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" cl=
ass=3D"m_5822031087464534925gmail_msg" target=3D"_blank">phil.hunt@oracle.c=
om</a>&gt; wrote:</div><br class=3D"m_5822031087464534925m_7685036241369891=
138Apple-interchange-newline m_5822031087464534925gmail_msg"><div class=3D"=
m_5822031087464534925gmail_msg"><div style=3D"word-wrap:break-word" class=
=3D"m_5822031087464534925gmail_msg">I have been wondering about that myself=
. Interest seems to wained with the TOKBIND work emerging. Maybe I am wrong=
 about that?<div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_58=
22031087464534925gmail_msg"><div class=3D"m_5822031087464534925gmail_msg">
<div style=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" cla=
ss=3D"m_5822031087464534925gmail_msg"><div style=3D"letter-spacing:normal;t=
ext-align:start;text-indent:0px;text-transform:none;white-space:normal;word=
-spacing:0px;word-wrap:break-word" class=3D"m_5822031087464534925gmail_msg"=
><div style=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-=
transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" cl=
ass=3D"m_5822031087464534925gmail_msg"><div style=3D"letter-spacing:normal;=
text-align:start;text-indent:0px;text-transform:none;white-space:normal;wor=
d-spacing:0px;word-wrap:break-word" class=3D"m_5822031087464534925gmail_msg=
"><div class=3D"m_5822031087464534925gmail_msg"><span class=3D"m_5822031087=
464534925m_7685036241369891138Apple-style-span m_5822031087464534925gmail_m=
sg" style=3D"border-collapse:separate;line-height:normal;border-spacing:0px=
"><div style=3D"word-wrap:break-word" class=3D"m_5822031087464534925gmail_m=
sg"><div class=3D"m_5822031087464534925gmail_msg"><div class=3D"m_582203108=
7464534925gmail_msg"><div class=3D"m_5822031087464534925gmail_msg">Phil</di=
v><div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_582203108746=
4534925gmail_msg"></div><div class=3D"m_5822031087464534925gmail_msg">Oracl=
e Corporation, Identity Cloud Services &amp; Identity Standards</div><div c=
lass=3D"m_5822031087464534925gmail_msg">@independentid</div><div class=3D"m=
_5822031087464534925gmail_msg"><a href=3D"http://www.independentid.com/" cl=
ass=3D"m_5822031087464534925gmail_msg" target=3D"_blank">www.independentid.=
com</a></div></div></div></div></span><a href=3D"mailto:phil.hunt@oracle.co=
m" class=3D"m_5822031087464534925gmail_msg" target=3D"_blank">phil.hunt@ora=
cle.com</a></div><div class=3D"m_5822031087464534925gmail_msg"><br class=3D=
"m_5822031087464534925gmail_msg"></div></div><br class=3D"m_582203108746453=
4925m_7685036241369891138Apple-interchange-newline m_5822031087464534925gma=
il_msg"></div><br class=3D"m_5822031087464534925m_7685036241369891138Apple-=
interchange-newline m_5822031087464534925gmail_msg"></div><br class=3D"m_58=
22031087464534925m_7685036241369891138Apple-interchange-newline m_582203108=
7464534925gmail_msg"></div><br class=3D"m_5822031087464534925m_768503624136=
9891138Apple-interchange-newline m_5822031087464534925gmail_msg"><br class=
=3D"m_5822031087464534925m_7685036241369891138Apple-interchange-newline m_5=
822031087464534925gmail_msg">
</div>
<br class=3D"m_5822031087464534925gmail_msg"><div class=3D"m_58220310874645=
34925gmail_msg"><blockquote type=3D"cite" class=3D"m_5822031087464534925gma=
il_msg"><div class=3D"m_5822031087464534925gmail_msg">On Feb 24, 2017, at 1=
:58 PM, John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" class=3D"m_58=
22031087464534925gmail_msg" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wro=
te:</div><br class=3D"m_5822031087464534925m_7685036241369891138Apple-inter=
change-newline m_5822031087464534925gmail_msg"><div class=3D"m_582203108746=
4534925gmail_msg"><div style=3D"word-wrap:break-word" class=3D"m_5822031087=
464534925gmail_msg">I updated the references but haven&#39;t made any other=
 changes.<div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_58220=
31087464534925gmail_msg"></div><div class=3D"m_5822031087464534925gmail_msg=
">I had some questions about it so though it was worth keeping alive at-lea=
st for discussion.</div><div class=3D"m_5822031087464534925gmail_msg"><br c=
lass=3D"m_5822031087464534925gmail_msg"></div><div class=3D"m_5822031087464=
534925gmail_msg">There have been some other questions and proposed changes.=
 =C2=A0</div><div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_5=
822031087464534925gmail_msg"></div><div class=3D"m_5822031087464534925gmail=
_msg">I will take a look through them and see if what may be worth updating=
.</div><div class=3D"m_5822031087464534925gmail_msg"><br class=3D"m_5822031=
087464534925gmail_msg"></div><div class=3D"m_5822031087464534925gmail_msg">=
John B.<br class=3D"m_5822031087464534925gmail_msg"><div class=3D"m_5822031=
087464534925gmail_msg"><br class=3D"m_5822031087464534925gmail_msg"><blockq=
uote type=3D"cite" class=3D"m_5822031087464534925gmail_msg"><div class=3D"m=
_5822031087464534925gmail_msg">Begin forwarded message:</div><br class=3D"m=
_5822031087464534925m_7685036241369891138Apple-interchange-newline m_582203=
1087464534925gmail_msg"><div style=3D"margin-top:0px;margin-right:0px;margi=
n-bottom:0px;margin-left:0px" class=3D"m_5822031087464534925gmail_msg"><spa=
n style=3D"font-family:-webkit-system-font,&#39;Helvetica Neue&#39;,Helveti=
ca,sans-serif" class=3D"m_5822031087464534925gmail_msg"><b class=3D"m_58220=

From nobody Thu Mar  2 22:27:50 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 19C851296FA; Thu,  2 Mar 2017 22:27:49 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.46.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com>
Date: Thu, 02 Mar 2017 22:27:49 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yHMeARvAmG66CTrAahwdMGY8Mic>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 06:27:49 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 for Native Apps
        Authors         : William Denniss
                          John Bradley
	Filename        : draft-ietf-oauth-native-apps-08.txt
	Pages           : 20
	Date            : 2017-03-02

Abstract:
   OAuth 2.0 authorization requests from native apps should only be made
   through external user-agents, primarily the user's browser.  This
   specification details the security and usability reasons why this is
   the case, and how native apps and authorization servers can implement
   this best practice.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Mar  2 22:37:49 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86F94129789 for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 22:37:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMJXBYYiTzrj for <oauth@ietfa.amsl.com>; Thu,  2 Mar 2017 22:37:46 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B2A4129785 for <oauth@ietf.org>; Thu,  2 Mar 2017 22:37:46 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id h9so7067879qke.2 for <oauth@ietf.org>; Thu, 02 Mar 2017 22:37:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=XWukAHM5or1DvcMd6f7d+HOv/oq0nVX4FwHA6gLZwtI=; b=I1vn5Huyl42sPRZEOA29xTS8dPMV02fukrjg3d8nz6QT1cdp6lYVt3IC1cCmfLZbj8 xfpmQZoY8eHk6eKAFuOrnfJZqFxD1RCo/Y/VZh+eHeds5E+R8uZQ9f0j0LCnY4Trhpm1 T7lpNQosKpkcl2E9zwneuTnm0luB+swxFKb2JYDn/xh2UPzxhx/LYX010qnNA4qW3awn 0IjAqHrqZr5BU8kPKxLtVhikCscNJddMychkAaTc/PpVR7l4W1TVSTuybW/qCbyVy1XO dDf9cOUjEV/UdaNwF4CxGJSqkGy4ltMALt9Xdxf+PwQ4WdG1HKAAsLOmK93KfcMOuVLW 0IuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=XWukAHM5or1DvcMd6f7d+HOv/oq0nVX4FwHA6gLZwtI=; b=NZsCddYOYPPAX356o3ij3dtTvSDOmp9J7B7n7/wAkWYZKNtgUktaaViHQpIZYZF1k4 +pjmDmheRTbN1QGPXXmiOPQqSueqFO2Gu9tyOqBiUZVwjUnuiDkJZCqzDdRkM4aJkdqS kHpSB9f/YhRWp1lKuuQ76HzJJRLLqqDf4KlH0FKFIFHthEz/COr1Q38laLfaxm4wIthC HwzM2OdXz41RwdTO/C5j7WaeN5WipsnNMwZ2NaC9DkUvHLlbWhGkXDN2rJ1uB4BnM3J/ PEX7gxd47CuPhcqaSl/MH4JkLf4y1MXTLL82cB5b7Bwrppsc5BxwrrCSTcbQWVVAB/bC DW2Q==
X-Gm-Message-State: AMke39m1Qwk2Q/ZxA6jO5vqmIf/gVztXMdnQHJCUgdEbXyQorWnrGPRfAHPBEkhAmA3DOX3HZbNWjmcayndvhYLF
X-Received: by 10.200.42.78 with SMTP id l14mr1158350qtl.15.1488523065407; Thu, 02 Mar 2017 22:37:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Thu, 2 Mar 2017 22:37:24 -0800 (PST)
In-Reply-To: <CAF2hCbbL1td2jPtUO6hbuKXQ2b8S6v3E0ymOwqnL4zv=sAqSGw@mail.gmail.com>
References: <CAF2hCbYL_hi1_kAXhYDcY7vx+iVA0Gf664BN+2jS2OOEGU16eQ@mail.gmail.com> <CAAP42hA5=Pv5avFgaWcnUQqrSjL2oAViybi3V7ixr+yNVFcj_g@mail.gmail.com> <304c520f-e531-2ac8-f93f-b91aae11253c@free.fr> <CAAP42hAV+-AGemqUEU1yNcM70Zt9xF7m=u_Bnm_T82Ph1Wzu3A@mail.gmail.com> <DC50BBDC-ECC3-4883-93A1-B7A73F0C25ED@mit.edu> <CAF2hCbbL1td2jPtUO6hbuKXQ2b8S6v3E0ymOwqnL4zv=sAqSGw@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 2 Mar 2017 22:37:24 -0800
Message-ID: <CAAP42hCSs2OuA6NaLR98wYTD=z-wCaA-mqOEsEfRWUEg-xwiJQ@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Content-Type: multipart/alternative; boundary=001a11403d868e57d40549cdc87f
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/shM9lslA4ymfhmimnWHwK8aCAPg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 06:37:48 -0000

--001a11403d868e57d40549cdc87f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks all for the great discussion. I tweaked the discussion on
public/confidential clients to rely more on the OAuth2 definition (it was a
bit duplicative), and I reordered the security considerations so it flows
better, but have kept the normative language for now. Let's see how it pans
out during the finalization process.

On Mon, Feb 27, 2017 at 8:47 AM, Samuel Erdtman <samuel@erdtman.se> wrote:

> Thanks for the replies.
>
> If there are no formal guidelines from IETF I think we should just proceed,
> it is a good and informative spec, it was just to me it felt slightly off.
>
> Based on the conversation I have no objections taking this draft to RFC.
>
> //Samuel
>
> On Wed, Feb 22, 2017 at 12:09 AM, Justin Richer <jricher@mit.edu> wrote:
>
>> When I brought RFCs 7591, 7592, and 7662 up through the finalization
>> process, I learned that there are two camps out there on normative
>> requirements in the security considerations section. Some like them, as
>> long as they don’t contradict requirements/advice in previous sections, and
>> some don’t like them, preferring all normative material be in the “body” of
>> the spec itself. I was given the impression that it was more of a stylistic
>> choice than anything, but I can only speak from my personal experience.
>>
>>  — Justin
>>
>> On Feb 21, 2017, at 3:17 PM, William Denniss <wdenniss@google.com> wrote:
>>
>> The only real requirement in that section I guess is the use of PKCE
>> (8.2).  That requirement could be moved to the body of the doc, while
>> keeping the longer discussion around code interception in the security
>> considerations.  To me the remaining text is indeed security best
>> practices / clarifications.
>>
>> Other OAuth WG RFCs have requirement level capitalization in the Security
>> Section like RFC7591. I always assumed these were best-practice security
>> requirements. But if the style is really not to do this, the requirement
>> level capitalization could be dropped from that section in the native apps
>> BCP.
>>
>> On Tue, Feb 21, 2017 at 12:50 AM, Denis <denis.ietf@free.fr> wrote:
>>
>>>
>>> I *don't think* it's normal to have normative text in the Security
>>> Considerations, hence I support Samuel's position.
>>>
>>> Let us look at the first MUST from RFC 6749 in the Security
>>> Considerations section:
>>>
>>>    The authorization server *MUST* authenticate the client *whenever possible*.
>>>
>>> This sentence is incorrect. The right sentence should be:
>>>
>>>    The authorization server *should* authenticate the client whenever possible.
>>>
>>> RFC 6749 is not an example to follow.
>>>
>>> Denis
>>>
>>>
>>> I do think it's normal to have normative text in the Security
>>> Considerations.  RFC6749 has a lengthy Security Considerations section
>>> <https://tools.ietf.org/html/rfc6749#section-10> with a lot of
>>> normative text.
>>>
>>> Think of it this way: Sections 4 to 7 describe how to use native app URI
>>> schemes to perform OAuth flows from the app to browser and back. If you
>>> only read those sections, you could have a functioning (but potentially
>>> insecure) OAuth flow in a native app. The security section adds some
>>> security requirements and clarifications for implementing Sections 4-7,
>>> like using PKCE, and more.
>>>
>>> Reviewing sub-section by sub-section:
>>>
>>> 8.1 Definitely belongs here, as the whole BCP is about native-app
>>> URI schemes, whereas doing OAuth in a WebView doesn't need those (as the
>>> client can just pluck out the code from any redirect URI)
>>> 8.2 Requires that servers who want to follow the native apps BCP support
>>> PKCE, and recommends that they reject requests from clients who don't.
>>> This *could* be in the main doc, but since PKCE is an existing thing, and
>>> is purely additive from a security perspective, I think this reference
>>> works fine. Originally I talked about PKCE more in the doc body, but some
>>> reviewers thought it was then a little duplicative of the PKCE doc itself.
>>> 8.3 This reads like classic security considerations to me, clarifying
>>> some details of 7.3
>>> 8.4 Part of this reads a little new-ish, regarding distinguishing native
>>> clients from web ones. But on review, I think it could just be re-worded to
>>> reference RFC6749 Section 2.1.
>>> 8.5 This one belongs where it is since the body of the BCP is talking
>>> about the code flow.
>>> 8.6 Totally belongs.
>>> 8.7 to 8.11 belong IMO, they are security clarifications of
>>> long-standing topics.
>>>
>>> My methodology when reviewing this was: is the text introducing a new
>>> topic directly related to native apps or sections 4-7, or does it discuss
>>> an old security topic in the context of native apps, or add security
>>> related discussions of the content in 4-7. Of all those, I really only see
>>> a bit of new topic related to native apps in 8.4, and in actual fact
>>> that sub-section should probably be reworded since RFC6749 already
>>> establishes the public client type, which native apps are, and a reference
>>> would be more appropriate (which would reduce it to just clarifying an old
>>> topic).
>>>
>>> What do you think of this analysis? Do you have any specific sections or
>>> text you feel are better suited in the document body?  I will take an
>>> action item to revise section 8.4.
>>>
>>> On Mon, Feb 20, 2017 at 9:57 PM, Samuel Erdtman <samuel@erdtman.se>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I just had a question on best practice. In this document a large part
>>>> of the normative text is located under Security Considerations.
>>>>
>>>> I had previously seen Security Considerations as things to think about
>>>> when implementing not so much as MUSTs and MUST NOTs.
>>>>
>>>> I think it is okay to have it this way but it surprised me a bit and
>>>> wanted to ask if there is any best practice for the Security Considerations
>>>> section saying what type of information it should include.
>>>>
>>>> Best Regards
>>>> Samuel Erdtman
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>

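One way an authorization server can enforce the 8.2 point debated in the thread above (support PKCE, and reject authorization requests from native clients that don't use it), as an added example that is not code from the thread or from the native-apps draft. The client registry, code store, error strings and the "S256 only" policy are assumptions of this example; the transform itself is the RFC 7636 S256 one.

```python
"""Added example, not code from the thread or the native-apps draft: an
authorization server applying the 8.2 point debated above (support PKCE,
reject native clients that don't use it) with the RFC 7636 S256 transform.
Assumptions: the client registry, code store, error strings and the
"S256 only" policy are constructed for this example."""
import base64
import hashlib
import hmac
import secrets

# Constructed client registry; native apps are public clients (RFC 6749 2.1).
CLIENTS = {"native-app-example": {"public": True}, "web-backend-example": {"public": False}}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random octets give a 43-character verifier (RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS: the authorization endpoint issues codes, the token endpoint redeems them."""

    def __init__(self) -> None:
        self._codes = {}  # code -> {"client_id", "challenge", "used"}

    def authorize(self, params: dict) -> dict:
        client = CLIENTS.get(params.get("client_id", ""))
        if client is None:
            return {"error": "invalid_client"}
        challenge = params.get("code_challenge")
        method = params.get("code_challenge_method", "plain")  # RFC 7636 default
        if client["public"] and challenge is None:
            # The recommendation from the thread: a native (public) client that
            # does not use PKCE is refused rather than silently accepted.
            return {"error": "invalid_request",
                    "error_description": "PKCE code_challenge is required"}
        if challenge is not None and method != "S256":
            # Policy assumed for this example: S256 only. A "plain" challenge is
            # the verifier itself, so it protects nothing if the request is observed.
            return {"error": "invalid_request",
                    "error_description": "code_challenge_method must be S256"}
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": params["client_id"],
                             "challenge": challenge, "used": False}
        return {"code": code}

    def token(self, params: dict) -> dict:
        entry = self._codes.get(params.get("code", ""))
        if entry is None or entry["used"]:
            return {"error": "invalid_grant"}
        entry["used"] = True  # single use: a failed redemption burns the code too
        if entry["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        if entry["challenge"] is not None:
            verifier = params.get("code_verifier", "")
            # RFC 7636 4.1 length bounds, then constant-time compare of the transform.
            if not 43 <= len(verifier) <= 128:
                return {"error": "invalid_grant"}
            if not hmac.compare_digest(s256_challenge(verifier), entry["challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    """Run the cases the thread contrasts and return each outcome by name."""
    srv, native, results = AuthorizationServer(), "native-app-example", {}
    # 1. Native client without PKCE: rejected at the authorization endpoint.
    results["no_pkce"] = srv.authorize({"client_id": native}).get("error")
    # 2. Native client using "plain": rejected under the S256-only policy.
    v = new_code_verifier()
    results["plain"] = srv.authorize({"client_id": native, "code_challenge": v,
                                      "code_challenge_method": "plain"}).get("error")
    # 3. Proper S256 flow: code issued, then redeemed with the matching verifier.
    code = srv.authorize({"client_id": native, "code_challenge": s256_challenge(v),
                          "code_challenge_method": "S256"})["code"]
    results["good"] = srv.token({"client_id": native, "code": code,
                                 "code_verifier": v}).get("token_type")
    # 4. Replay of the same code: it was burned on first use.
    results["replay"] = srv.token({"client_id": native, "code": code,
                                   "code_verifier": v}).get("error")
    # 5. The code-interception case 8.2 addresses: whoever holds only the code
    #    and not the verifier cannot redeem it.
    v2 = new_code_verifier()
    code2 = srv.authorize({"client_id": native, "code_challenge": s256_challenge(v2),
                           "code_challenge_method": "S256"})["code"]
    results["intercepted"] = srv.token({"client_id": native, "code": code2,
                                        "code_verifier": new_code_verifier()}).get("error")
    return results
```

The confidential "web-backend-example" client is deliberately left free to omit PKCE, so the policy bites only on the public-client case the BCP is about.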
target=3D"_blank">https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br>
<br></blockquote></div><br></div></div>
______________________________<wbr>_________________<br>OAuth mailing list<=
br><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><b=
r><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"=
>https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br></div></blockquote=
></div><br></div></div></div></div><br>______________________________<wbr>_=
________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>

--001a11403d868e57d40549cdc87f--


From nobody Thu Mar  2 22:38:27 2017
Return-Path: <wdenniss@google.com>
MIME-Version: 1.0
In-Reply-To: <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com> <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 2 Mar 2017 22:38:02 -0800
Message-ID: <CAAP42hDYPqck2=oDLcVJ100TMjUAVtosqDVbT4gTNATUqapY6g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary=001a1147ae5cd06abf0549cdca0e
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RyXZ27OyS_j3F3nxjwlaxzbIb1E>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

--001a1147ae5cd06abf0549cdca0e
Content-Type: text/plain; charset=UTF-8

Thank you for the excellent feedback, Nat. I believe I have addressed all
the points you raised in the latest version (08).

On Wed, Mar 1, 2017 at 6:11 AM, Nat Sakimura <sakimura@gmail.com> wrote:

>
> It looks generally good. Thanks William and John for creating it.
>
> I spotted a few nits.
>
> NS1: MUST is not a recommendation
> ================================
> In 8.5, it says:
>
> (which is a recommended in Section 7.1.1
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>
> )
>
> However, in 7.1.1, it is a MUST, i.e., required instead of recommended.
> So, "recommended" in the above sentence needs to be changed to "required".
>
>
> NS2: Dynamically registered client can be treated as a confidential client
> =======================================================
> In 8.9
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>.
> it says:
>
> Authorization servers that still require a shared secret for native app
> clients MUST treat the client as a public client
>
> As it is a MUST, we have to qualify it a little more, as it is OK to treat
> it as a confidential client if the client dynamically registers the
> copy and obtains a shared secret that is shared only between that copy of
> the app and the server.
>
> Suggests:
>
> Authorization servers that still require a statically included shared
> secret for native app clients MUST treat the client as a public client
>
> NS3: Server Mix-up
> ======================
> 8.11
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11>.
> talks about mix-up mitigation but misses one of the points. Specifically:
>
> * the app MUST store the redirect URI in the request with the "session"
> and MUST verify that it exactly matches the URI of the endpoint at which
> it received the response.
>
> Cheers,
>
> Nat Sakimura
>
>
>
> On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> -07 LGTM
>>
>> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
>> wrote:
>>
>> Hi all,
>>
>> after the working group last call of the "OAuth 2.0 for Native Apps"
>> document July last year (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I
>> had, as a shepherd, collected IPR confirmations (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and
>> produced a shepherd writeup (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html).
>>
>> Since version -03 and the current version -07 a fair amount of text has
>> been changed, see
>> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/
>> id/draft-ietf-oauth-native-apps-03.txt&url2=https://
>> tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt
>>
>> Although most of those changes are editorial and normative changes have
>> been discussed on the mailing list I believe it is fair to let the group
>> take a brief look at the final version.
>>
>> For this reason we will issue a short, one week, working group last call
>> before pushing the document to the IESG.
>>
>> So, please provide your comments to the list no later than February 27th.
>>
>> Here is the link to the document again:
>> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07
>>
>> Ciao
>> Hannes & Derek
>>
>>
>>
> --
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
>
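
Nat's NS3 point above, worked as an added example (not code from the draft,
and not anyone's code from this thread): a native-app client that stores the
redirect URI of each authorization request with the request's state and
refuses any response that arrives at a different endpoint. The class name,
the in-memory store and every URI and parameter value are constructed for
illustration.

```python
"""Mix-up mitigation check for a native-app OAuth 2.0 client.

Added example, not code from the draft or from anyone on this thread: the
client stores the redirect URI of every authorization request together with
the request's "state" (the session), and when a response arrives it verifies
that the URI of the endpoint that actually received the response exactly
matches the stored one.  Every URI, issuer and parameter value here is a
constructed sample; PendingAuthorizations is a hypothetical in-memory store.
"""
import secrets
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# ok: whether the response may be used; code: the authorization code on
# success; issuer: the authorization server the request was sent to, so the
# code is redeemed only at that server's token endpoint; reason: why not.
Result = namedtuple("Result", "ok code issuer reason")


class PendingAuthorizations:
    """Outstanding authorization requests, keyed by their state value."""

    def __init__(self):
        self._pending = {}

    def begin(self, issuer, redirect_uri):
        """Record a new request; returns the fresh state to send with it.

        redirect_uri is stored verbatim: the callback check is an exact
        string comparison, with no normalisation of host, port or path.
        """
        state = secrets.token_urlsafe(32)   # unguessable, single use
        self._pending[state] = {"issuer": issuer, "redirect_uri": redirect_uri}
        return state

    def complete(self, received_at_uri):
        """Validate a response delivered to received_at_uri.

        received_at_uri is the full URI the redirect endpoint was invoked
        with, query string included.  The matching state entry is consumed
        whether or not the check passes, so a response cannot be retried
        against the same session.
        """
        parts = urlsplit(received_at_uri)
        params = parse_qs(parts.query, keep_blank_values=True)
        states = params.get("state", [])
        if len(states) != 1:
            return Result(False, None, None, "no single state parameter")
        session = self._pending.pop(states[0], None)
        if session is None:
            return Result(False, None, None, "state matches no pending request")
        # The endpoint that received the response, minus the query, must be
        # exactly the redirect URI the request named.
        endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        if endpoint != session["redirect_uri"]:
            return Result(False, None, None,
                          "response received at %s, request named %s"
                          % (endpoint, session["redirect_uri"]))
        if "error" in params:
            return Result(False, None, None, "server error: " + params["error"][0])
        codes = params.get("code", [])
        if len(codes) != 1:
            return Result(False, None, None, "no single code parameter")
        return Result(True, codes[0], session["issuer"], None)


if __name__ == "__main__":
    store = PendingAuthorizations()
    # A loopback redirect (constructed port) for a request sent to one AS.
    state = store.begin("https://as.example", "http://127.0.0.1:51004/callback")
    print(store.complete("http://127.0.0.1:51004/callback?code=c1&state=" + state))
    # The same state presented again: the session was consumed, so refused.
    print(store.complete("http://127.0.0.1:51004/callback?code=c1&state=" + state))
    # A request that named /cb/a but was answered at /cb/b: refused.
    state = store.begin("https://as.example", "http://127.0.0.1:51004/cb/a")
    print(store.complete("http://127.0.0.1:51004/cb/b?code=c2&state=" + state))
```

Run it directly to see the accepted response, the replayed state and the
mismatched endpoint each printed as a Result.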


--001a1147ae5cd06abf0549cdca0e--


From nobody Thu Mar  2 22:39:28 2017
Return-Path: <wdenniss@google.com>
MIME-Version: 1.0
In-Reply-To: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 2 Mar 2017 22:39:03 -0800
Message-ID: <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com>
To: internet-drafts@ietf.org
Content-Type: multipart/alternative; boundary=001a113f20ba7119e80549cdce15
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rM0nsMsPkDUM6O194srAGGWvO4c>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

--001a113f20ba7119e80549cdce15
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Changes:

=E2=80=93 Addresses feedback from the second round of WGLC.
=E2=80=93 Reordered security consideration sections to better group related=
 topics.
=E2=80=93 Added complete URI examples to each of the 3 redirect types.
=E2=80=93 Editorial pass.



On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 for Native Apps
>         Authors         : William Denniss
>                           John Bradley
>         Filename        : draft-ietf-oauth-native-apps-08.txt
>         Pages           : 20
>         Date            : 2017-03-02
>
> Abstract:
>    OAuth 2.0 authorization requests from native apps should only be made
>    through external user-agents, primarily the user's browser.  This
>    specification details the security and usability reasons why this is
>    the case, and how native apps and authorization servers can implement
>    this best practice.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-native-apps-08
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>


--001a113f20ba7119e80549cdce15--


From nobody Fri Mar  3 01:18:33 2017
Return-Path: <sakimura@gmail.com>
MIME-Version: 1.0
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com> <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com> <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com> <CAANoGhK7TRZL8gxczkmeKsJS8eTu2pb=61re7ZSYH1Nta+eNHA@mail.gmail.com> <CAANoGhJaP-Qa7Zi5DJkqFx5KL-z8xP0Aakbde6t7pObXbiz3_g@mail.gmail.com> <CAANoGhJ20KPO1cscKCVGhDWb1BrrOLkZK++E9ucqcZ2wKjQEKg@mail.gmail.com>
In-Reply-To: <CAANoGhJ20KPO1cscKCVGhDWb1BrrOLkZK++E9ucqcZ2wKjQEKg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 03 Mar 2017 09:18:16 +0000
Message-ID: <CABzCy2BMG4XLm81FGaJ2TA4JWUHyqBrx5JbKZcHUmnOnsn=yCw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a113574964b72e80549d0070d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/a6PcjyUWNuiQ0roqtdl6T1QTfyo>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

--001a113574964b72e80549d0070d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks John.

Perhaps you can add the discussion to the security considerations.

I understand the issue with mobile clients' inability to get good randomness,
but the shift of the key generation point would have a large impact on the
liability shift as well, so I would probably profile it down to always
require keys to be generated by the client.

From an editorial point of view, I would appreciate it if you could put
sub-headings on each topic dealt with in 7. Security Considerations.

Best,

Nat

On Fri, Mar 3, 2017 at 1:07 PM John Bradley <ve7jtb@ve7jtb.com> wrote:

> The private key is encrypted to the client.  If the attacker has the
> symmetric key then it would get the proof key.
>
> I prefer the client to always provide the key; however, some people believe
> that mobile devices can't reliably create a secure key, and it is better to
> have the server create the keypair.
>
> In both cases you are relying on the client authentication or PKCE to bind
> to the correct client.
>
> They are more or less equivalent.  I personally prefer the private key to
> never leave the device.
>
> This has been debated several times.
>
> John B.
>
> On Mar 3, 2017 12:15 AM, "Nat Sakimura" <sakimura@gmail.com> wrote:
>
> +1
>
> Token binding is good, but there are infrastructures that cannot deploy it
> while they still need HoK in some manner.
> It could be a short term thing -- perhaps 3 years, but they have to do it
> now, so...
>
> I have a question about the draft.
>
> In section 5.1, `key` is optional and when it is omitted, the server
> creates an ephemeral key pair for the client.
> My question is: how do you send the ephemeral private key securely to the
> client?
> I suppose it is returned in a similar fashion as in the symmetric case,
> but it is not clear from my reading.
>
> Also, at that point, the authorization server has everything needed to
> impersonate the client, which may not be desirable.
> Is it not simpler and better to REQUIRE the `key` parameter?
>
> Nat
>
> On Sat, Feb 25, 2017 at 8:51 AM John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> The European banks are interested in mutual TLS for server to server
> connections as part of PSD2/Open Banking.
>
> They have been thinking that they would have a central CA and directly use
> CA certificates for all the legs.
>
> I sent them this to get them thinking that they could perhaps secure the
> token endpoint with cert based mutual TLS but allow clients to specify
> their own keys for access tokens to make key rotation and deployment easier.
>
> I was also thinking that they could protect a jwks_uri with the CA
> certificate using OCSP stapling and then use mutual TLS to the token
> endpoint based on keyid and/or fingerprint, allowing for rotation of keys
> to the token endpoint and better support for clusters with multiple keys.
>
> I don't think this has much interest outside of some verticals like
> financials.
>
> John B.
>
> On Feb 24, 2017, at 8:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> I have been wondering about that myself. Interest seems to have waned with
> the TOKBIND work emerging. Maybe I am wrong about that?
>
> Phil
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Feb 24, 2017, at 1:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I updated the references but haven't made any other changes.
>
> I had some questions about it so thought it was worth keeping alive
> at least for discussion.
>
> There have been some other questions and proposed changes.
>
> I will take a look through them and see what may be worth updating.
>
> John B.
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **[OAUTH-WG] I-D Action:
> draft-ietf-oauth-pop-key-distribution-03.txt*
> *Date: *February 24, 2017 at 6:55:25 PM GMT-3
> *To: *<i-d-announce@ietf.org>
> *Cc: *oauth@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>        Title           : OAuth 2.0 Proof-of-Possession: Authorization
> Server to Client Key Distribution
>        Authors         : John Bradley
>                          Phil Hunt
>                          Michael B. Jones
>                          Hannes Tschofenig
> Filename        : draft-ietf-oauth-pop-key-distribution-03.txt
> Pages           : 18
> Date            : 2017-02-24
>
> Abstract:
>   RFC 6750 specified the bearer token concept for securing access to
>   protected resources.  Bearer tokens need to be protected in transit
>   as well as at rest.  When a client requests access to a protected
>   resource it hands-over the bearer token to the resource server.
>
>   The OAuth 2.0 Proof-of-Possession security concept extends bearer
>   token security and requires the client to demonstrate possession of a
>   key when accessing a protected resource.
>
>   This document describes how the client obtains this keying material
>   from the authorization server.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-key-distribution-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> --
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
> --

Nat Sakimura

Chairman of the Board, OpenID Foundation
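The profile Nat argues for above (always REQUIRE a client-generated `key`), written out as an added example; this is not text from the draft and not code from any participant in the thread. It models an authorization server's token endpoint: `key` must be present, a JWK that carries private members is rejected (accepting one would hand the AS exactly the impersonation capability Nat objects to), and the issued token is bound to the client's public key through an RFC 7800 `cnf` claim, with an RFC 7638 thumbprint as `kid`. The parameter names other than `key`, the JSON-in-form encoding of `key`, the HS256 token format and every sample value are assumptions made for this example.

```python
"""Token-endpoint policy for PoP key distribution (added example, not the draft's own)."""
import base64
import hashlib
import hmac
import json
import time

# Members that appear only in a *private* JWK (RFC 7517/7518); a client must never send them.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Members hashed by RFC 7638 to form a JWK thumbprint, per asymmetric key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample: a client-generated P-256 public key (coordinates are sample strings).
SAMPLE_CLIENT_JWK = {"kty": "EC", "crv": "P-256",
                     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
# Constructed sample token request; parameter names other than `key` are assumptions.
SAMPLE_REQUEST = {"grant_type": "client_credentials", "client_id": "mobile-app-1",
                  "token_type": "pop", "key": json.dumps(SAMPLE_CLIENT_JWK)}
# Constructed AS signing secret for the sample HS256 tokens.
ISSUER_KEY = b"constructed-as-signing-key-not-for-real-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def validate_client_key(jwk):
    """Return None if jwk is an acceptable asymmetric *public* key, else a reason string."""
    if not isinstance(jwk, dict) or jwk.get("kty") not in THUMBPRINT_MEMBERS:
        return "key must be an asymmetric public JWK (kty EC or RSA)"
    leaked = PRIVATE_JWK_MEMBERS & set(jwk)
    if leaked:
        # Accepting this would give the AS everything it needs to impersonate the client.
        return "key contains private members %s" % sorted(leaked)
    missing = [m for m in THUMBPRINT_MEMBERS[jwk["kty"]] if m not in jwk]
    if missing:
        return "key is missing required members %s" % missing
    return None


def mint_pop_token(client_id: str, jwk: dict, lifetime: int = 600) -> str:
    """Issue an HS256 JWT whose cnf claim (RFC 7800) names the client's public key."""
    now = int(time.time())
    public_jwk = dict(jwk, kid=jwk_thumbprint(jwk))
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://as.example", "sub": client_id, "iat": now,
               "exp": now + lifetime, "cnf": {"jwk": public_jwk}}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    tag = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def decode_pop_token(token: str):
    """Resource-server side: verify the HMAC and expiry, return the payload or None."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
    except ValueError:
        return None
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(ISSUER_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= time.time():
        return None
    return payload


def handle_token_request(params: dict) -> dict:
    """Nat's profile: `key` is REQUIRED and must be client-generated public material."""
    if params.get("token_type") != "pop":
        return {"error": "invalid_request", "error_description": "token_type must be pop"}
    if "key" not in params:
        return {"error": "invalid_request",
                "error_description": "key is REQUIRED; this AS does not generate client keys"}
    try:
        jwk = json.loads(params["key"]) if isinstance(params["key"], str) else params["key"]
    except ValueError:
        return {"error": "invalid_request", "error_description": "key is not valid JSON"}
    problem = validate_client_key(jwk)
    if problem:
        return {"error": "invalid_request", "error_description": problem}
    token = mint_pop_token(params.get("client_id", ""), jwk)
    return {"access_token": token, "token_type": "pop", "expires_in": 600}


if __name__ == "__main__":
    print(json.dumps(handle_token_request(SAMPLE_REQUEST), indent=2))
    print(handle_token_request({k: v for k, v in SAMPLE_REQUEST.items() if k != "key"}))
```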

--001a113574964b72e80549d0070d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks John.=C2=A0<div><br></div><div>Perhaps you can add =
the discussion to the security consideration.=C2=A0</div><div><br></div><di=
v>I understand the issue with mobile clients inability to get a good random=
 but the shift of key generation point would have a large impact on the lia=
bility shift as well so I would probably profile it down always to require =
keys to be generated by the client.=C2=A0</div><div><br></div><div>From edi=
torial point of view, I would appreciate if you can put sub-headings to eac=
h topics dealt in 7. Security Considerations.=C2=A0</div><div><br></div><di=
v>Best,=C2=A0</div><div><br></div><div>Nat</div></div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr">On Fri, Mar 3, 2017 at 1:07 PM John Bradley &lt;=
<a href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; wrote:<br></=
div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-lef=
t:1px #ccc solid;padding-left:1ex"><div dir=3D"auto" class=3D"gmail_msg">Th=
e private key is encrypted to the client.=C2=A0 If the attacker has the sym=
metric key then it would get the proof key. =C2=A0<div dir=3D"auto" class=
=3D"gmail_msg"><br class=3D"gmail_msg"></div><div dir=3D"auto" class=3D"gma=
il_msg">I prefer the client to always provide the key, however some people =
believe that mobile devices can&#39;t reliably create secure key, and it is=
 better to have the server create the keypair. =C2=A0</div><div dir=3D"auto=
" class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div dir=3D"auto" class=
=3D"gmail_msg">In both cases you are relying on the client authentication o=
r PKCE to bind to the correct client. =C2=A0</div><div dir=3D"auto" class=
=3D"gmail_msg"><br class=3D"gmail_msg"></div><div dir=3D"auto" class=3D"gma=
il_msg">They are more or less equivalent. =C2=A0 I prefer the private key t=
o never leave the device personally.=C2=A0</div><div dir=3D"auto" class=3D"=
gmail_msg"><br class=3D"gmail_msg"></div><div dir=3D"auto" class=3D"gmail_m=
sg">This has been debated several times. =C2=A0</div><div dir=3D"auto" clas=
s=3D"gmail_msg"><br class=3D"gmail_msg"></div><div dir=3D"auto" class=3D"gm=
ail_msg">John B. =C2=A0</div></div><div class=3D"gmail_extra gmail_msg"><br=
 class=3D"gmail_msg"><div class=3D"gmail_quote gmail_msg">On Mar 3, 2017 12=
:15 AM, &quot;Nat Sakimura&quot; &lt;<a href=3D"mailto:sakimura@gmail.com" =
class=3D"gmail_msg" target=3D"_blank">sakimura@gmail.com</a>&gt; wrote:<br =
type=3D"attribution" class=3D"gmail_msg"><blockquote class=3D"m_-2523462135=
46090186quote gmail_msg" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc so=
lid;padding-left:1ex"><div dir=3D"ltr" class=3D"gmail_msg">+1=C2=A0<div cla=
ss=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg">Tok=
en binding is good, but there are infrastructures that cannot deploy it whi=
le they still need HoK in some manner.=C2=A0</div><div class=3D"gmail_msg">=
It could be a short term thing -- perhaps 3 years, but they have to do it n=
ow so...=C2=A0</div><div class=3D"gmail_msg"><br class=3D"gmail_msg"></div>=
<div class=3D"gmail_msg">I have a question about the draft.=C2=A0</div><div=
 class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg"=
>In section 5.1, `key` is optional and when it is omitted, the server creat=
es a ephemeral key pair for the client.=C2=A0</div><div class=3D"gmail_msg"=
>My question is: how do you send the ephemeral private key securely to the =
client?=C2=A0</div><div class=3D"gmail_msg">I suppose it is returned in the=
 similar fashion as in the case of the symmetric, but it is not clear from =
my read.=C2=A0</div><div class=3D"gmail_msg"><br class=3D"gmail_msg"></div>=
<div class=3D"gmail_msg">Also, at that point, the authorization server has =
everything needed to impersonate the client, which may not be desirable.=C2=
=A0</div><div class=3D"gmail_msg">Is it not simpler and better to REQUIRE t=
he `key` parameter?=C2=A0</div><div class=3D"gmail_msg"><br class=3D"gmail_=
msg"></div><div class=3D"gmail_msg">Nat</div></div><div class=3D"m_-2523462=
13546090186elided-text gmail_msg"><br class=3D"gmail_msg"><div class=3D"gma=
il_quote gmail_msg"><div dir=3D"ltr" class=3D"gmail_msg">On Sat, Feb 25, 20=
17 at 8:51 AM John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" class=
=3D"gmail_msg" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt; wrote:<br class=
=3D"gmail_msg"></div><blockquote class=3D"gmail_quote gmail_msg" style=3D"m=
argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style=3D=
"word-wrap:break-word" class=3D"m_-252346213546090186m_5822031087464534925g=
mail_msg gmail_msg">The European banks are interested in mutual TLS for ser=
ver to server connections as part of PSD2/Open Banking.<div class=3D"m_-252=
346213546090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-25=
2346213546090186m_5822031087464534925gmail_msg gmail_msg"></div><div class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">They hav=
e been thinking that they would have central CA and directly use CA certifi=
cates for all the legs. =C2=A0</div><div class=3D"m_-252346213546090186m_58=
22031087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_5=
822031087464534925gmail_msg gmail_msg"></div><div class=3D"m_-2523462135460=
90186m_5822031087464534925gmail_msg gmail_msg">I sent them this to get them=
 thinking that they could perhaps secure the token endpoint with cert based=
 mutual TLS but allow clients to specify there own keys for access tokens t=
o make key rotation and deployment easier.</div><div class=3D"m_-2523462135=
46090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg"></div><div class=3D"m_-2=
52346213546090186m_5822031087464534925gmail_msg gmail_msg">I was also think=
 ing that they could protect a jwks_uri with the CA certificate using OCSP =
stapling and then use mutual TLS to the token endpoint based on keyid and/o=
r fingerprint. allowing for rotation of keys to token endpoint and better s=
upport clusters with multiple keys.</div><div class=3D"m_-25234621354609018=
6m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-2523462135460901=
86m_5822031087464534925gmail_msg gmail_msg"></div><div class=3D"m_-25234621=
3546090186m_5822031087464534925gmail_msg gmail_msg">I don=E2=80=99t think t=
his has much interest outside of some verticals like financials.</div><div =
class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><br=
 class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"></=
div><div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail=
_msg">John B.</div></div><div style=3D"word-wrap:break-word" class=3D"m_-25=
2346213546090186m_5822031087464534925gmail_msg gmail_msg"><div class=3D"m_-=
252346213546090186m_5822031087464534925gmail_msg gmail_msg"><div class=3D"m=
_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><blockquote t=
ype=3D"cite" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg g=
mail_msg"><div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg=
 gmail_msg">On Feb 24, 2017, at 8:33 PM, Phil Hunt &lt;<a href=3D"mailto:ph=
il.hunt@oracle.com" class=3D"m_-252346213546090186m_5822031087464534925gmai=
l_msg gmail_msg" target=3D"_blank">phil.hunt@oracle.com</a>&gt; wrote:</div=
><br class=3D"m_-252346213546090186m_5822031087464534925m_76850362413698911=
38Apple-interchange-newline m_-252346213546090186m_5822031087464534925gmail=
_msg gmail_msg"><div class=3D"m_-252346213546090186m_5822031087464534925gma=
il_msg gmail_msg"><div style=3D"word-wrap:break-word" class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg">I have been wondering ab=
out that myself. Interest seems to wained with the TOKBIND work emerging. M=
aybe I am wrong about that?<div class=3D"m_-252346213546090186m_58220310874=
64534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_5822031087=
464534925gmail_msg gmail_msg"><div class=3D"m_-252346213546090186m_58220310=
87464534925gmail_msg gmail_msg">
<div style=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" cla=
ss=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><div s=
tyle=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-transfo=
rm:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=3D"=
m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><div style=
=3D"letter-spacing:normal;text-align:start;text-indent:0px;text-transform:n=
one;white-space:normal;word-spacing:0px;word-wrap:break-word" class=3D"m_-2=
52346213546090186m_5822031087464534925gmail_msg gmail_msg"><div style=3D"le=
tter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;wh=
ite-space:normal;word-spacing:0px;word-wrap:break-word" class=3D"m_-2523462=
13546090186m_5822031087464534925gmail_msg gmail_msg"><div class=3D"m_-25234=
6213546090186m_5822031087464534925gmail_msg gmail_msg"><span class=3D"m_-25=
2346213546090186m_5822031087464534925m_7685036241369891138Apple-style-span =
m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg" style=3D"bor=
der-collapse:separate;line-height:normal;border-spacing:0px"><div style=3D"=
word-wrap:break-word" class=3D"m_-252346213546090186m_5822031087464534925gm=
ail_msg gmail_msg"><div class=3D"m_-252346213546090186m_5822031087464534925=
gmail_msg gmail_msg"><div class=3D"m_-252346213546090186m_58220310874645349=
25gmail_msg gmail_msg"><div class=3D"m_-252346213546090186m_582203108746453=
4925gmail_msg gmail_msg">Phil</div><div class=3D"m_-252346213546090186m_582=
2031087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_58=
22031087464534925gmail_msg gmail_msg"></div><div class=3D"m_-25234621354609=
0186m_5822031087464534925gmail_msg gmail_msg">Oracle Corporation, Identity =
Cloud Services &amp; Identity Standards</div><div class=3D"m_-2523462135460=
90186m_5822031087464534925gmail_msg gmail_msg">@independentid</div><div cla=
ss=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><a hre=
f=3D"http://www.independentid.com/" class=3D"m_-252346213546090186m_5822031=
087464534925gmail_msg gmail_msg" target=3D"_blank">www.independentid.com</a=
></div></div></div></div></span><a href=3D"mailto:phil.hunt@oracle.com" cla=
ss=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg" target=
=3D"_blank">phil.hunt@oracle.com</a></div><div class=3D"m_-2523462135460901=
86m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090=
186m_5822031087464534925gmail_msg gmail_msg"></div></div><br class=3D"m_-25=
2346213546090186m_5822031087464534925m_7685036241369891138Apple-interchange=
-newline m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"></d=
iv><br class=3D"m_-252346213546090186m_5822031087464534925m_768503624136989=
1138Apple-interchange-newline m_-252346213546090186m_5822031087464534925gma=
il_msg gmail_msg"></div><br class=3D"m_-252346213546090186m_582203108746453=
4925m_7685036241369891138Apple-interchange-newline m_-252346213546090186m_5=
822031087464534925gmail_msg gmail_msg"></div><br class=3D"m_-25234621354609=
0186m_5822031087464534925m_7685036241369891138Apple-interchange-newline m_-=
252346213546090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_=
-252346213546090186m_5822031087464534925m_7685036241369891138Apple-intercha=
nge-newline m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">
</div>
<br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"=
><div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_ms=
g"><blockquote type=3D"cite" class=3D"m_-252346213546090186m_58220310874645=
34925gmail_msg gmail_msg"><div class=3D"m_-252346213546090186m_582203108746=
4534925gmail_msg gmail_msg">On Feb 24, 2017, at 1:58 PM, John Bradley &lt;<=
a href=3D"mailto:ve7jtb@ve7jtb.com" class=3D"m_-252346213546090186m_5822031=
087464534925gmail_msg gmail_msg" target=3D"_blank">ve7jtb@ve7jtb.com</a>&gt=
; wrote:</div><br class=3D"m_-252346213546090186m_5822031087464534925m_7685=
036241369891138Apple-interchange-newline m_-252346213546090186m_58220310874=
64534925gmail_msg gmail_msg"><div class=3D"m_-252346213546090186m_582203108=
7464534925gmail_msg gmail_msg"><div style=3D"word-wrap:break-word" class=3D=
"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">I updated t=
he references but haven&#39;t made any other changes.<div class=3D"m_-25234=
6213546090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-2523=
46213546090186m_5822031087464534925gmail_msg gmail_msg"></div><div class=3D=
"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">I had some =
questions about it so though it was worth keeping alive at-least for discus=
sion.</div><div class=3D"m_-252346213546090186m_5822031087464534925gmail_ms=
g gmail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925gmail_m=
sg gmail_msg"></div><div class=3D"m_-252346213546090186m_582203108746453492=
5gmail_msg gmail_msg">There have been some other questions and proposed cha=
nges. =C2=A0</div><div class=3D"m_-252346213546090186m_5822031087464534925g=
mail_msg gmail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925=
gmail_msg gmail_msg"></div><div class=3D"m_-252346213546090186m_58220310874=
64534925gmail_msg gmail_msg">I will take a look through them and see if wha=
t may be worth updating.</div><div class=3D"m_-252346213546090186m_58220310=
87464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_5822031=
087464534925gmail_msg gmail_msg"></div><div class=3D"m_-252346213546090186m=
_5822031087464534925gmail_msg gmail_msg">John B.<br class=3D"m_-25234621354=
6090186m_5822031087464534925gmail_msg gmail_msg"><div class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-25234621=
3546090186m_5822031087464534925gmail_msg gmail_msg"><blockquote type=3D"cit=
e" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">=
<div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg=
">Begin forwarded message:</div><br class=3D"m_-252346213546090186m_5822031=
087464534925m_7685036241369891138Apple-interchange-newline m_-2523462135460=
90186m_5822031087464534925gmail_msg gmail_msg"><div style=3D"margin-top:0px=
;margin-right:0px;margin-bottom:0px;margin-left:0px" class=3D"m_-2523462135=
46090186m_5822031087464534925gmail_msg gmail_msg"><span style=3D"font-famil=
y:-webkit-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><b class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">From: </=
b></span><span style=3D"font-family:-webkit-system-font,Helvetica Neue,Helv=
etica,sans-serif" class=3D"m_-252346213546090186m_5822031087464534925gmail_=
msg gmail_msg"><a href=3D"mailto:internet-drafts@ietf.org" class=3D"m_-2523=
46213546090186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank">i=
nternet-drafts@ietf.org</a><br class=3D"m_-252346213546090186m_582203108746=
4534925gmail_msg gmail_msg"></span></div><div style=3D"margin-top:0px;margi=
n-right:0px;margin-bottom:0px;margin-left:0px" class=3D"m_-2523462135460901=
86m_5822031087464534925gmail_msg gmail_msg"><span style=3D"font-family:-web=
kit-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" class=3D"m_-=
252346213546090186m_5822031087464534925gmail_msg gmail_msg"><b class=3D"m_-=
252346213546090186m_5822031087464534925gmail_msg gmail_msg">Subject: </b></=
span><span style=3D"font-family:-webkit-system-font,Helvetica Neue,Helvetic=
a,sans-serif" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg =
gmail_msg"><b class=3D"m_-252346213546090186m_5822031087464534925gmail_msg =
gmail_msg">[OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.=
txt</b><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gma=
il_msg"></span></div><div style=3D"margin-top:0px;margin-right:0px;margin-b=
ottom:0px;margin-left:0px" class=3D"m_-252346213546090186m_5822031087464534=
925gmail_msg gmail_msg"><span style=3D"font-family:-webkit-system-font,&#39=
;Helvetica Neue&#39;,Helvetica,sans-serif" class=3D"m_-252346213546090186m_=
5822031087464534925gmail_msg gmail_msg"><b class=3D"m_-252346213546090186m_=
5822031087464534925gmail_msg gmail_msg">Date: </b></span><span style=3D"fon=
t-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif" class=3D"=
m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">February 24,=
 2017 at 6:55:25 PM GMT-3<br class=3D"m_-252346213546090186m_58220310874645=
34925gmail_msg gmail_msg"></span></div><div style=3D"margin-top:0px;margin-=
right:0px;margin-bottom:0px;margin-left:0px" class=3D"m_-252346213546090186=
m_5822031087464534925gmail_msg gmail_msg"><span style=3D"font-family:-webki=
t-system-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" class=3D"m_-25=
2346213546090186m_5822031087464534925gmail_msg gmail_msg"><b class=3D"m_-25=
2346213546090186m_5822031087464534925gmail_msg gmail_msg">To: </b></span><s=
pan style=3D"font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-=
serif" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_m=
sg">&lt;<a href=3D"mailto:i-d-announce@ietf.org" class=3D"m_-25234621354609=
0186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank">i-d-announc=
e@ietf.org</a>&gt;<br class=3D"m_-252346213546090186m_5822031087464534925gm=
ail_msg gmail_msg"></span></div><div style=3D"margin-top:0px;margin-right:0=
px;margin-bottom:0px;margin-left:0px" class=3D"m_-252346213546090186m_58220=
31087464534925gmail_msg gmail_msg"><span style=3D"font-family:-webkit-syste=
m-font,&#39;Helvetica Neue&#39;,Helvetica,sans-serif" class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg"><b class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg">Cc: </b></span><span sty=
le=3D"font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif" =
class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><a =
href=3D"mailto:oauth@ietf.org" class=3D"m_-252346213546090186m_582203108746=
4534925gmail_msg gmail_msg" target=3D"_blank">oauth@ietf.org</a><br class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"></span><=
/div><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail=
_msg"><div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gma=
il_msg"><div class=3D"m_-252346213546090186m_5822031087464534925gmail_msg g=
mail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg =
gmail_msg">A New Internet-Draft is available from the on-line Internet-Draf=
ts directories.<br class=3D"m_-252346213546090186m_5822031087464534925gmail=
_msg gmail_msg">This draft is a work item of the Web Authorization Protocol=
 of the IETF.<br class=3D"m_-252346213546090186m_5822031087464534925gmail_m=
sg gmail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925gmail_=
msg gmail_msg"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Title =C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: OAuth 2.0 Proof-of-Pos=
session: Authorization Server to Client Key Distribution<br class=3D"m_-252=
346213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0Authors =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0: John Bradley<br class=3D"m_-252346213546090186m_5822031087464534=
925gmail_msg gmail_msg"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0Phil Hunt<br class=3D"m_-252346213546090186m_582=
2031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Michael B. Jones<br class=3D"m_-2523=
46213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Hannes Tschofenig<=
br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">=
<span class=3D"m_-252346213546090186m_5822031087464534925m_7685036241369891=
138Apple-tab-span m_-252346213546090186m_5822031087464534925gmail_msg gmail=
_msg" style=3D"white-space:pre-wrap">	</span>Filename =C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0: draft-ietf-oauth-pop-key-distribution-03.txt<br clas=
s=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><span c=
lass=3D"m_-252346213546090186m_5822031087464534925m_7685036241369891138Appl=
e-tab-span m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg" s=
tyle=3D"white-space:pre-wrap">	</span>Pages =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: 18<br class=3D"m_-252346213546090186m_58220=
31087464534925gmail_msg gmail_msg"><span class=3D"m_-252346213546090186m_58=
22031087464534925m_7685036241369891138Apple-tab-span m_-252346213546090186m=
_5822031087464534925gmail_msg gmail_msg" style=3D"white-space:pre-wrap">	</=
span>Date =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0: 2017-02-24<br class=3D"m_-252346213546090186m_5822031087464534925gmail=
_msg gmail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925gmai=
l_msg gmail_msg">Abstract:<br class=3D"m_-252346213546090186m_5822031087464=
534925gmail_msg gmail_msg"> =C2=A0=C2=A0RFC 6750 specified the bearer token=
 concept for securing access to<br class=3D"m_-252346213546090186m_58220310=
87464534925gmail_msg gmail_msg"> =C2=A0=C2=A0protected resources.=C2=A0 Bea=
rer tokens need to be protected in transit<br class=3D"m_-25234621354609018=
6m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0as well as at rest.=
=C2=A0 When a client requests access to a protected<br class=3D"m_-25234621=
3546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0resource i=
t hands-over the bearer token to the resource server.<br class=3D"m_-252346=
213546090186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-25234=
6213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0The OAu=
th 2.0 Proof-of-Possession security concept extends bearer<br class=3D"m_-2=
52346213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0tok=
en security and requires the client to demonstrate possession of a<br class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=
=C2=A0key when accessing a protected resource.<br class=3D"m_-2523462135460=
90186m_5822031087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546=
090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0This document =
describes how the client obtains this keying material<br class=3D"m_-252346=
213546090186m_5822031087464534925gmail_msg gmail_msg"> =C2=A0=C2=A0from the=
 authorization server.<br class=3D"m_-252346213546090186m_58220310874645349=
25gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_5822031087464534=
925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_582203108746453=
4925gmail_msg gmail_msg">The IETF datatracker status page for this draft is=
:<br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg=
"><a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-dist=
ribution/" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gma=
il_msg" target=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth=
-pop-key-distribution/</a><br class=3D"m_-252346213546090186m_5822031087464=
534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_582203108746=
4534925gmail_msg gmail_msg">There&#39;s also a htmlized version available a=
t:<br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_ms=
g"><a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribu=
tion-03" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail=
_msg" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-pop-ke=
y-distribution-03</a><br class=3D"m_-252346213546090186m_582203108746453492=
5gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_58220310874645349=
25gmail_msg gmail_msg">A diff from the previous version is available at:<br=
 class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><a=
 href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-pop-key-distr=
ibution-03" class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gm=
ail_msg" target=3D"_blank">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-o=
auth-pop-key-distribution-03</a><br class=3D"m_-252346213546090186m_5822031=
087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_582203=
1087464534925gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_58220=
31087464534925gmail_msg gmail_msg">Please note that it may take a couple of=
 minutes from the time of submission<br class=3D"m_-252346213546090186m_582=
2031087464534925gmail_msg gmail_msg">until the htmlized version and diff ar=
e available at <a href=3D"http://tools.ietf.org" class=3D"m_-25234621354609=
0186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank">tools.ietf.=
org</a>.<br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gm=
ail_msg"><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg g=
mail_msg">Internet-Drafts are also available by anonymous FTP at:<br class=
=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg"><a href=
=3D"ftp://ftp.ietf.org/internet-drafts/" class=3D"m_-252346213546090186m_58=
22031087464534925gmail_msg gmail_msg" target=3D"_blank">ftp://ftp.ietf.org/=
internet-drafts/</a><br class=3D"m_-252346213546090186m_5822031087464534925=
gmail_msg gmail_msg"><br class=3D"m_-252346213546090186m_582203108746453492=
5gmail_msg gmail_msg">_______________________________________________<br cl=
ass=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">OAuth=
 mailing list<br class=3D"m_-252346213546090186m_5822031087464534925gmail_m=
sg gmail_msg"><a href=3D"mailto:OAuth@ietf.org" class=3D"m_-252346213546090=
186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank">OAuth@ietf.o=
rg</a><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmai=
l_msg"><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" class=3D"m_-=
252346213546090186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blan=
k">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"m_-252346213=
546090186m_5822031087464534925gmail_msg gmail_msg"></div></div></blockquote=
></div><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gma=
il_msg"></div></div>_______________________________________________<br clas=
s=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">OAuth m=
ailing list<br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg=
 gmail_msg"><a href=3D"mailto:OAuth@ietf.org" class=3D"m_-25234621354609018=
6m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank">OAuth@ietf.org=
</a><br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_=
msg"><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" class=3D"m_-25=
2346213546090186m_5822031087464534925gmail_msg gmail_msg" target=3D"_blank"=
>https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"m_-25234621354=
6090186m_5822031087464534925gmail_msg gmail_msg"></div></blockquote></div><=
br class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">=
</div></div></div></blockquote></div><br class=3D"m_-252346213546090186m_58=
22031087464534925gmail_msg gmail_msg"></div></div>_________________________=
______________________<br class=3D"m_-252346213546090186m_58220310874645349=
25gmail_msg gmail_msg">
OAuth mailing list<br class=3D"m_-252346213546090186m_5822031087464534925gm=
ail_msg gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"m_-252346213546090186m_582203108=
7464534925gmail_msg gmail_msg" target=3D"_blank">OAuth@ietf.org</a><br clas=
s=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg" tar=
get=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br class=3D"=
m_-252346213546090186m_5822031087464534925gmail_msg gmail_msg">
</blockquote></div></div><font color=3D"#888888" class=3D"gmail_msg"><div d=
ir=3D"ltr" class=3D"gmail_msg">-- <br class=3D"gmail_msg"></div><div data-s=
martmail=3D"gmail_signature" class=3D"gmail_msg"><p dir=3D"ltr" class=3D"gm=
ail_msg">Nat Sakimura</p>
<p dir=3D"ltr" class=3D"gmail_msg">Chairman of the Board, OpenID Foundation=
</p>
</div>
</font></blockquote></div><br class=3D"gmail_msg"></div>
</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--001a113574964b72e80549d0070d--


From nobody Fri Mar  3 04:10:48 2017
Return-Path: <ludwig@sics.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A243912984A for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 04:10:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0_WoXrdvy5b for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 04:10:46 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8E531297F7 for <oauth@ietf.org>; Fri,  3 Mar 2017 04:10:45 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id y193so46435419lfd.3 for <oauth@ietf.org>; Fri, 03 Mar 2017 04:10:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics.se; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=5/UuHQUU7ES4AJasupLV90w7Cgr/vnOgO0tPA86Isn4=; b=KjOat1fQMYkVasvAUKGnEWS/9EkGVaSCDR21qpMlY2CNvjDH7lCqxrjCMk/VmQxJiz JE5aMVy349gl1ePfjQvdGWrPK9i/kdzFo8nPIIKcVRbx9mOWF1mEfBZaqMAHSK0zGbYm qdmOvXxw32C84JyfF+io/6rtoRJzcpLtQL3FplEHyz7ZMuzVhlWsXSrSqIhnKpF5H2aB BokY0w51VIEp4ejByB2zbCg9iLupkiabMCKzRtuyvxb5qhRcFOuqRP6y08fYk4ZQiwXN uzKnFu5dSsTJgK9m0w0WMYkD3PBHQdLT3PbpfyMiggYHnuRfyaG8plciuO4/38kQYXWN dG/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=5/UuHQUU7ES4AJasupLV90w7Cgr/vnOgO0tPA86Isn4=; b=q6esf2TbgaSrmDvVPPp9/UBPkZfg2GzlK7xqPdVJh9An5puStzKrnS2YE6cM8l7+VO OiQN2CWUaBuqH2dCwyAXvf67mIocySsC3MV7AFk2XK0Ah1DSH/vWepvKLYT4NPmLeg8J lp1ietmV1k++DW+oIxY9zyCqlnO33XmresHvVZLdrf9cApEafDTBC39gYvTCUabyITg/ vIqJ2cJP09ZfjAJ4AO88QRwTl5KT2JyhePI2vm0GYt1Pb4d/H6k1EH4suASegy1pZVpC 9cy5PSx2KVIhMSZ1U6btY5iqxiTfUMufaDmZpsOBDf5VztOLSEs0s8TuvdJOgpgDmVzD tNCQ==
X-Gm-Message-State: AMke39l6qX+6hHJhY2vjij4lubNYGGTcKz/Ue4QQ378JJCo/hL237GYd652kGmhUHxn49pVY
X-Received: by 10.25.221.195 with SMTP id w64mr750855lfi.31.1488543043655; Fri, 03 Mar 2017 04:10:43 -0800 (PST)
Received: from [192.168.0.166] ([85.235.12.155]) by smtp.gmail.com with ESMTPSA id a11sm2305395lfh.37.2017.03.03.04.10.42 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Mar 2017 04:10:42 -0800 (PST)
To: oauth@ietf.org
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <be3b92bc-323a-70ca-b675-4596c7adbd26@sics.se>
Date: Fri, 3 Mar 2017 13:10:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010906030509020008000900"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T95jdUj2VAM95jUFstoH8XjaV58>
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 12:10:47 -0000

This is a cryptographically signed message in MIME format.

--------------ms010906030509020008000900
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: quoted-printable

On 2017-02-24 22:58, John Bradley wrote:
> I updated the references but haven't made any other changes.
>
> I had some questions about it so thought it was worth keeping alive
> at least for discussion.
>
> There have been some other questions and proposed changes.
>
> I will take a look through them and see what may be worth updating.
>
> John B.
>
>

Question about the 'aud' parameter: Wouldn't it be useful to allow other
values than URIs for that one?

One could easily imagine a group identifier as a value of that field,
where the RS internally resolves whether it is part of that group and
therefore the target audience of that token.

Regards,

Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE ICT/SICS
Phone +46(0)70-349 92 51


--------------ms010906030509020008000900
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--------------ms010906030509020008000900--
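
The group-identifier audience that Ludwig asks about above, as an added example (not code from the draft, from anyone in this thread, or from any library): a resource server's `aud` check that accepts a token whose audience is either the RS's own resource URI, matched exactly, or a group identifier the RS has been configured, out of band with the AS, as a member of. Token signing is a constructed HS256 shared-key scheme so the block runs stand-alone; the URIs, the group name `urn:example:group:sensors`, the claim names other than `aud`/`exp`/`iss` and the fixed clock are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a key shared by the AS and the resource servers.
# A real deployment would have the AS sign with its private key and the RS
# verify with the AS's public key; HS256 keeps the example self-contained.
AS_KEY = b"example-shared-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """AS side: JWS compact serialization, HS256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(AS_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def audience_matches(aud, resource_uri: str, groups) -> bool:
    """True if 'aud' names this RS.

    RFC 7519 lets 'aud' be a single string or a list of strings.  A value
    matches when it equals this RS's own resource URI exactly (no prefix or
    host-only matching), or when it is a group identifier that this RS has
    been configured as a member of.  The group set is local RS configuration
    agreed with the AS; it is never derived from the token or the request.
    """
    values = [aud] if isinstance(aud, str) else list(aud or [])
    groups = frozenset(groups)
    return any(isinstance(v, str) and (v == resource_uri or v in groups) for v in values)


def verify_token(token: str, resource_uri: str, groups=(), now=None) -> dict:
    """RS side: check signature, then expiry, then audience; return the claims.

    Raises ValueError with a short reason on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(AS_KEY, signing_input, hashlib.sha256).digest()
    # Verify before parsing anything else, so unsigned input is never trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not audience_matches(claims.get("aud"), resource_uri, groups):
        raise ValueError("audience mismatch")
    return claims


def demo() -> dict:
    """Constructed scenario: two tokens presented to three resource servers.

    Returns {(token_kind, rs_name): "accepted" or the rejection reason}.
    """
    now = 1_488_543_000  # fixed clock so the outcome is reproducible
    group = "urn:example:group:sensors"  # constructed group identifier
    servers = {
        "A": ("https://rs-a.example/", {group}),
        "B": ("https://rs-b.example/", {group}),
        "C": ("https://rs-c.example/", set()),  # not a member of the group
    }
    tokens = {
        "uri": issue_token({"iss": "https://as.example/", "aud": servers["A"][0], "exp": now + 600}),
        "group": issue_token({"iss": "https://as.example/", "aud": [group], "exp": now + 600}),
    }
    results = {}
    for kind, token in tokens.items():
        for name, (uri, groups) in servers.items():
            try:
                verify_token(token, uri, groups, now=now)
                results[(kind, name)] = "accepted"
            except ValueError as err:
                results[(kind, name)] = str(err)
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(f"{key[0]:5} token at RS {key[1]}: {outcome}")
```

In the `demo()` scenario the token issued for RS A is rejected by RS B and RS C with "audience mismatch", while the group token is accepted by A and B (both configured as members) and rejected by C. The group set is local RS configuration agreed with the AS and is never read from the token, the client or the request; if an RS could declare its own memberships at verification time, the audience restriction would no longer limit where a replayed token is honoured.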


From nobody Fri Mar  3 11:48:11 2017
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAD73129608 for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 11:48:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level: 
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VdNLgVd6xgIw for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 11:48:06 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0094.outbound.protection.outlook.com [104.47.36.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B56EF1295C2 for <oauth@ietf.org>; Fri,  3 Mar 2017 11:48:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Lnh6Zp2mxrr3HjzOTJ05V78OK81egf3kcIkML31Nd3E=; b=iEif9ozBHs6ztw6Vaz3dd3GgWvmRiXPan787za/Bcz5wnYeep2tq3lrCh8q4QI8f0wttwtQfonwNcIROphN02imJXPJppD8YiDuELlNPGHfdmQu650v1N5Cy1WLaOCrPJ66yufclsGBjF5FbeMgjN1xeSFT6iFCDf96FUl0x2y4=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12; Fri, 3 Mar 2017 19:48:03 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0933.020; Fri, 3 Mar 2017 19:48:03 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>, "Phil Hunt" <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
Thread-Index: AQHSjvkxDkQWPiI6ZEWWjG0QZ/SlkqGCeuSAgAEUyGA=
Date: Fri, 3 Mar 2017 19:48:03 +0000
Message-ID: <SN1PR0301MB20290A881592DE06DF0BDB74A62B0@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com> <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com> <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com>
In-Reply-To: <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [78.129.189.2]
x-ms-office365-filtering-correlation-id: 3f4449ab-c1f2-49f1-6589-08d4626e34e1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:SN1PR0301MB2029; 
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB2029; 7:mrO4pm94GuRcugJRC/Mavv4B1GPCZbTC+3kcMYiASew3ik0y3xRO4iFV56ypRHo25P15Pu4qDK+RLf6Fv1XGrD1SxUNRxF6r6q8c0jBcp25+aU9s9uZPImJpbhULnAW4+0k1G6r0pHtuLfFEa65+m4vUX+uEuGvWT71eV5tm0xOdlZQu1+F3sWb7qFTCwAMBof7PqkqJuY/8vk4zRUopbaAZJlXffI2PNYWDkipSg7d8hFDQkhK+SvACthWxouSAG0oM9uyGgWkMxqSCxUD4fDmMMW+lLSuK3Ye0f69SIzx2Tta0TgcHCnxsbEQAscgEvmTh3kF5a7qVT3G2Nzg9uyn7xYSDjOZ+sYssDDIA6fs=
x-microsoft-antispam-prvs: <SN1PR0301MB20292BB23B0870BAC880D1D3A62B0@SN1PR0301MB2029.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(192374486261705)(189930954265078)(219752817060721)(21748063052155)(146099531331640);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123564025)(20161123560025)(20161123558025)(20161123555025)(6072148); SRVR:SN1PR0301MB2029; BCL:0; PCL:0; RULEID:; SRVR:SN1PR0301MB2029; 
x-forefront-prvs: 0235CBE7D0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39840400002)(39410400002)(39450400003)(39850400002)(39860400002)(377424004)(24454002)(377454003)(53546006)(230783001)(189998001)(77096006)(7696004)(14971765001)(6506006)(229853002)(5660300001)(39060400002)(2950100002)(6436002)(66066001)(38730400002)(4326008)(606005)(68736007)(6246003)(53936002)(93886004)(122556002)(8676002)(81166006)(86612001)(8936002)(10290500002)(106116001)(8990500004)(33656002)(55016002)(99286003)(25786008)(7736002)(7906003)(86362001)(74316002)(54896002)(6306002)(2906002)(236005)(790700001)(9686003)(92566002)(10090500001)(3280700002)(5005710100001)(102836003)(3846002)(3660700001)(6116002)(50986999)(54356999)(76176999)(2900100001)(19609705001)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB2029; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_SN1PR0301MB20290A881592DE06DF0BDB74A62B0SN1PR0301MB2029_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2017 19:48:03.7006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB2029
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i5iE3BN3He8t1kZ0rpejNYi0qRQ>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 19:48:09 -0000

--_000_SN1PR0301MB20290A881592DE06DF0BDB74A62B0SN1PR0301MB2029_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_SN1PR0301MB20290A881592DE06DF0BDB74A62B0SN1PR0301MB2029_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_SN1PR0301MB20290A881592DE06DF0BDB74A62B0SN1PR0301MB2029_--


From nobody Fri Mar  3 13:52:59 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3E11295DC for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 13:52:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5uFTaAyW5c_V for <oauth@ietfa.amsl.com>; Fri,  3 Mar 2017 13:52:55 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51FD9129633 for <oauth@ietf.org>; Fri,  3 Mar 2017 13:52:54 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id n127so198705514qkf.0 for <oauth@ietf.org>; Fri, 03 Mar 2017 13:52:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=qmza62/j4sh87hYlmIwB0a06cZFdMDItU79kcs2aoBA=; b=pCx5vbwkIwWz9mdT5+5iYeghDlcsYdBc1GJ5BaAMLAd8ynjNr/xZJwgrICti2tYrHW 06cQP3/4pRvkW0MkoOCkcfekMDxfupEUoTZ0EOsOaGXe8E3eriXEdwys36VXbjo1pHN6 HL7mvVIV/wKUpP0AX9mpdiIuTRgw1iGtzqdDRPULonyqruahs9ZCR1Lj+RrFjADYAOyK bKkBkldtAsnmfXOTUB2D8NPxW4iEUSX43uow322/J83fNQ2Ea4TGlg1C41Ek8ZimmdLu 3DwStR/y9pCI8iGS+kZMSR957DZxbBuoyFN0Hop+NE7kRrQVR2Hfoel7+nZj7NelShwX fuqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=qmza62/j4sh87hYlmIwB0a06cZFdMDItU79kcs2aoBA=; b=RtFr10/VOUctGfcQAc58Q5f+XUBas1Gqbh7A/OhaPPOm3uRzM8I/QQH0n5gKzs6NWl YiP+UPkC2BBqXF0DLbGE2lNkUXRfeSeoPYtidRlRrAW6y/io75NadPY5bnElqhmfh1F5 MgShoKADROilfDw3KSWpTgOmTYywgj+y9R3TuS2rp8aFYxrnHPFcXi8P2+oB8656V/Ph 1Ha4PpLrRSnHJ087lG9CHRFeQt3pdPX80YTDki1vGzhr+tRqmwz2DtNvg8s/mTQDcmBq 0bwcDyUxFEgKQDpcLuH9KbatqaF8GvQL9nkrfpu+sz1Y/CRVTkUZZ4yJ/ImRJwK7uEBW cJCA==
X-Gm-Message-State: AMke39nnTq1a+VHoxXjLiz2WV8xJPajb+IwPoHp+6+zDY+ZPYbccaVyVBeeW3KvEYsHsKA2o
X-Received: by 10.200.36.43 with SMTP id c40mr5429561qtc.161.1488577974043; Fri, 03 Mar 2017 13:52:54 -0800 (PST)
Received: from jbradley-r.lan ([191.115.100.98]) by smtp.gmail.com with ESMTPSA id q67sm3868778qkl.48.2017.03.03.13.52.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Mar 2017 13:52:53 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C3DB1CD2-5E9C-4EDE-B58A-580424FC9D60@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Fri, 3 Mar 2017 18:52:44 -0300
In-Reply-To: <be3b92bc-323a-70ca-b675-4596c7adbd26@sics.se>
To: Ludwig Seitz <ludwig@sics.se>
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <be3b92bc-323a-70ca-b675-4596c7adbd26@sics.se>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a114338f66093880549da9197"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uKV_PFNy6OLNOuFHmcOdhY5_5ao>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 21:52:57 -0000

--001a114338f66093880549da9197
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_D5DED35A-8D97-40B5-ABD2-1BDF0977912D"


--Apple-Mail=_D5DED35A-8D97-40B5-ABD2-1BDF0977912D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

We rethought aud in
https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators

We wanted it to work with bearer tokens so that the AS could put an
audience in the token that could not be faked by a malicious RS.
For the bearer token use case it needs to be a URI to avoid the client
being tricked.

For a PoP token it could be logical if the token proof presentment
mechanism is secure against RS spoofing.

Presentment mechanisms that are bound to TLS by an EKM or via mutual TLS
are OK.
At the application layer the presentment would need to sign over the
resource URI to prevent forwarding.
Something that used only a signature over a challenge would still rely
on there being an unspoofable audience in the AT itself.

You could securely do a secure logical resource for bearer.

It could be something like the RS would provide its logical resource URI
as part of an authenticate response along with the scopes required.

The client could de-reference the logical scope URI to retrieve a JSON
object containing back pointers to the physical resource URI covered by
that logical audience.
It could also contain other RS meta-data.

We do something like that in Connect to allow multiple redirect URIs to
generate the same pairwise identifier.
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

RS discovery has been shuffled aside in the WG for the moment.

I would be OK with res/aud being a logical identifier if it points to
meta-data like aud in id_tokens points to meta-data for the AS.

I think making res/aud a free form string would come back and bite us on
the ass.

John B.


> On Mar 3, 2017, at 9:10 AM, Ludwig Seitz <ludwig@sics.se> wrote:
>
> On 2017-02-24 22:58, John Bradley wrote:
>> I updated the references but haven't made any other changes.
>>
>> I had some questions about it so thought it was worth keeping alive
>> at least for discussion.
>>
>> There have been some other questions and proposed changes.
>>
>> I will take a look through them and see what may be worth updating.
>>
>> John B.
>>
>>
>
> Question about the 'aud' parameter: Wouldn't it be useful to allow
> other values than URIs for that one?
>
> One could easily imagine a group identifier as a value of that field,
> where the RS internally resolves whether it is part of that group and
> therefore the target audience of that token.
>
> Regards,
>
> Ludwig
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE ICT/SICS
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_D5DED35A-8D97-40B5-ABD2-1BDF0977912D--

--001a114338f66093880549da9197
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--001a114338f66093880549da9197--
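The audience check Ludwig raises in the quoted message above (an RS deciding for itself whether it is part of a group named in `aud`) and John's worry about a free-form `aud` string, as an added illustration that is not code from the thread or from any WG draft: a resource server accepts a token only when `aud` names it, either by its own resource URI or by a group identifier it resolves locally. The resource URI, the group identifier, the claim sets and the `MY_GROUPS` membership table are constructed for this example, and the token is assumed to have been signature-verified already by whatever JWT library the RS uses.

```python
"""Resource-server (RS) audience check for an access token whose `aud`
may carry either a resource URI or a logical group identifier.

Added illustration, not code from the mailing-list thread. The token's
signature is assumed to have been verified before these claims are
examined; only the audience decision is shown here.
"""
from typing import Iterable, Mapping, Union

# Constructed identity of this RS: the URI it serves and the logical
# groups it has resolved itself to be a member of. A real deployment
# would load both from configuration or from RS metadata.
MY_RESOURCE_URI = "https://rs.example.com/api"
MY_GROUPS = frozenset({"urn:example:group:sensor-readers"})

Aud = Union[str, Iterable[str], None]


def normalise_aud(aud: Aud) -> list:
    """RFC 7519 allows `aud` to be a single string or an array of strings.
    Return the value(s) as a list; anything else is malformed."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    values = list(aud)
    if not all(isinstance(v, str) for v in values):
        raise ValueError("aud must be a string or an array of strings")
    return values


def is_intended_audience(aud: Aud, my_uri: str = MY_RESOURCE_URI,
                         my_groups: frozenset = MY_GROUPS) -> bool:
    """True if at least one audience value names this RS.

    A value names this RS when it is exactly the RS's own URI, or when it
    is a group identifier the RS knows itself to belong to. The comparison
    is deliberately byte-for-byte: "https://rs.example.com/api/" (trailing
    slash) is a different string and is rejected, which is precisely the
    ambiguity that a free-form `aud` invites.
    """
    for value in normalise_aud(aud):
        if value == my_uri:
            return True
        if value in my_groups:  # logical identifier, resolved locally
            return True
    return False


def authorize(claims: Mapping) -> tuple:
    """Decide whether a signature-verified token's claims admit it at this
    RS. Returns (accepted, reason) so the caller can log why a token was
    turned away without leaking that reason to the client."""
    try:
        if not is_intended_audience(claims.get("aud")):
            return False, "token not addressed to this resource server"
    except ValueError as err:
        return False, str(err)
    return True, "ok"


if __name__ == "__main__":
    # Constructed claim sets: one scoped to this RS by URI, one scoped via
    # a group identifier, one issued for a different RS entirely.
    for claims in (
        {"sub": "alice", "aud": "https://rs.example.com/api"},
        {"sub": "bob", "aud": ["https://other.example.net/",
                               "urn:example:group:sensor-readers"]},
        {"sub": "carol", "aud": "https://other.example.net/"},
    ):
        print(claims["sub"], authorize(claims))
```

Whichever form `aud` takes, the decision stays with the RS: a URI is matched exactly, and a logical identifier is only honoured if the RS has an independent record of belonging to that group, so a token minted for another resource is refused rather than quietly accepted.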


From nobody Fri Mar  3 15:58:52 2017
Return-Path: <agenda@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 50EBB1299D8; Fri,  3 Mar 2017 15:55:28 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Secretariat\"" <agenda@ietf.org>
To: <oauth-chairs@ietf.org>, <smccammon@amsl.com>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.46.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com>
Date: Fri, 03 Mar 2017 15:55:28 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eTKr9OlM6jKpiMcWmW8Z7MQ1tfo>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 23:55:29 -0000

Dear Stephanie McCammon,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 

oauth Session 1 (2:30:00)
    Friday, Morning Session I 0900-1130
    Room Name: Zurich C size: 100
    ---------------------------------------------
    oauth Session 2 (1:00:00)
    Monday, Afternoon Session III 1710-1810
    Room Name: Zurich C size: 100
    ---------------------------------------------
    


Request Information:


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Stephanie McCammon

Number of Sessions: 2
Length of Session(s):  2.5 Hours, 1 Hour
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: saag core tls tokbind




People who must be present:
  Hannes Tschofenig
  Kathleen Moriarty
  Derek Atkins

Resources Requested:
  Projector in room

Special Requests:
  Please avoid conflict with sec area BoFs.
---------------------------------------------------------


From nobody Sat Mar  4 10:10:51 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB9F0129457 for <oauth@ietfa.amsl.com>; Sat,  4 Mar 2017 10:10:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ViB7KHCrqjD5 for <oauth@ietfa.amsl.com>; Sat,  4 Mar 2017 10:10:47 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D0791293F5 for <oauth@ietf.org>; Sat,  4 Mar 2017 10:10:47 -0800 (PST)
Received: from [87.143.161.176] (helo=[192.168.71.161]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1ckE8i-0002Wk-Jc; Sat, 04 Mar 2017 19:10:44 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_3E59D022-D3DE-4437-A458-3124895F55D0"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sat, 4 Mar 2017 19:10:44 +0100
In-Reply-To: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QNbIZW6v8UbwrFqFJ-v0bb5CptU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Mar 2017 18:10:50 -0000

--Apple-Mail=_3E59D022-D3DE-4437-A458-3124895F55D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Hannes,

just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.

Is this consistent with your expectation?

kind regards,
Torsten.

> On 20.02.2017 at 12:02, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
>
> Hi all,
>
> earlier this month we issued a call for adoption of the OAuth security
> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
> response was quite positive on the list (as well as during the last f2f
> meeting).
>
> For this reason, we ask the authors to submit a WG version of the
> document and to discuss new content for the document in preparation for
> the next meeting.
>
> Note that the intention of the document is to discuss security topics as
> they relate to the work in the OAuth working group. As this initial
> document already does, it describes a problem statement and outlines
> various ways to mitigate the problems. I expect the working group to
> decide which solution approach is most appropriate and to detail it (at
> a specification level) in a separate document (some of those documents
> already exist in the working group). This should help us make decisions
> that are not just point solutions for specific problems but rather
> consider the big picture.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_3E59D022-D3DE-4437-A458-3124895F55D0
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

--Apple-Mail=_3E59D022-D3DE-4437-A458-3124895F55D0--


From nobody Sun Mar  5 15:17:35 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25ABA129447 for <oauth@ietfa.amsl.com>; Sun,  5 Mar 2017 15:17:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2oFxCLVgLLWs for <oauth@ietfa.amsl.com>; Sun,  5 Mar 2017 15:17:32 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A624126579 for <oauth@ietf.org>; Sun,  5 Mar 2017 15:17:32 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id 1so129199939qkl.3 for <oauth@ietf.org>; Sun, 05 Mar 2017 15:17:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=lb23Rc38Y2+r59lqObG+kxQfBImuUcR8a6nJrHbxFaY=; b=tt6UM3kj5qHqlFdZU/Uy7GzGJnzqcbB1GFC95wRxm6Navu03LFsVxZZzT7ncni/uh4 NSKRk2S8GTYdVWouQ1Y+GQ3n4ybxgNbJgciJA/ud7/3A7YYOotO2lwMr5WNC5OefYhbW uvAY0GSwgDK7kEzuMy9omhfs3KaqMczQ275Lu/JCeNwwX9VmeLD6yRNBw9vjS+oTyjmC QYlbC2bmhmqNtAW2ui4ketM26YS56Upz6WjsX6EOtHVGkkTPYt5iAoryXAFd53voHna7 e1oZS3T/nM1h3gpegmbwHGG4XP7cCOKypi2j3uB251nnC5OoQpDiVT3NHow9LD5Czgf2 kniA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=lb23Rc38Y2+r59lqObG+kxQfBImuUcR8a6nJrHbxFaY=; b=qPOl2j8VO8nJWtbu8d0BPm4ws2IWOcj2Au7gyzDvKXHnqmF/o3njejEdYip35wV+1t vON/s7jSnFexbTwSv0klYJkxj9S5OlImvRXOqRlE04kfytlKgNs6xYIJnRA8/x/h/StI m7OAyiNvFLG050Q0MXHoGCESVyZf0GhpG2Bs/s0KzcyN4rekF1NtB3ol2u8IBsznPBRC x+NfX1xXoGDZiHakoFY7XZilf+WuFvc8pd3In1+Lq17mpJG+PjkESXuotfzeM9WI/X9Y OIYH772jJPdTwcIYw3f04BVDrd5mC/u6tcTtleNKo7nOBqadJiZwmRspMQU6s38Kv4MP DB9Q==
X-Gm-Message-State: AMke39kK93i1liNnP5ixYirokMOuAT2s5FVubSEkeBW3gMIrMlZd8PX5JYGBf6AKPP/I+Z1M
X-Received: by 10.55.4.146 with SMTP id 140mr13958383qke.23.1488755851611; Sun, 05 Mar 2017 15:17:31 -0800 (PST)
Received: from [192.168.86.130] ([191.115.68.238]) by smtp.gmail.com with ESMTPSA id r189sm12226901qkf.58.2017.03.05.15.17.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 05 Mar 2017 15:17:30 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
Date: Sun, 5 Mar 2017 20:17:27 -0300
Message-Id: <89D9AE0C-F1B4-49D1-8BD3-49A44667FB6F@ve7jtb.com>
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net> <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a114c9c7ab4a494054a03fbf0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9HFDMDpUxKvWbsCxlCAOmG91MQE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Mar 2017 23:17:34 -0000

--001a114c9c7ab4a494054a03fbf0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

A BCP is still assigned an RFC number.

The intent is to have a BCP number as well.

E.g. BCP195’s current instance is RFC 7525.

The intent is to have a BCP series but the process is largely the same as I understand it.

John B.


> On Mar 4, 2017, at 3:10 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi Hannes,
>
> just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.
>
> Is this consistent with your expectation?
>
> kind regards,
> Torsten.
>
>> On 20.02.2017 at 12:02, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>>
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>>
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>>
>> Ciao
>> Hannes & Derek
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--001a114c9c7ab4a494054a03fbf0
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a114c9c7ab4a494054a03fbf0--


From nobody Sun Mar  5 22:13:48 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECEF1129401 for <oauth@ietfa.amsl.com>; Sun,  5 Mar 2017 22:13:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0p_ZUdjfMKPT for <oauth@ietfa.amsl.com>; Sun,  5 Mar 2017 22:13:44 -0800 (PST)
Received: from mail-ot0-x233.google.com (mail-ot0-x233.google.com [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B40AA127071 for <oauth@ietf.org>; Sun,  5 Mar 2017 22:13:44 -0800 (PST)
Received: by mail-ot0-x233.google.com with SMTP id x37so61624012ota.2 for <oauth@ietf.org>; Sun, 05 Mar 2017 22:13:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=muHKbPjdvlwDKuFw90o2907TN/C+hE3Q6j3V3ysQdjg=; b=nIe4FysxoGdEcffiBbEfThFo17LssamF4Mifm4I/QMhHqu3PgMAojVZ6TRiTxrGWxg DTUsZrjPFYk2bF6Ly7h1wWK59oVtx4o3CPRbfLvHdIuwUoso23ghgTYMhKCkuCaKySWV Feu9gLLsxq8533twxnQea5HG/7pLloUnanLOR1LIP+xIZSi9kARUCpgQMU+f3bHGfMA+ BzEW3FE8xZVVtHLpNfeSwAs0OEwR3UOZq3sXpXk9GC+qRiIBJZtFJQUA27h1jYrzvTeV JqTsg2b59Rd1e7NXyY4gqEBdJ4EQXGyEu/GB7LsH+Fm657ZlPiE++Fhe8+FqhA+IKpsU Hr2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=muHKbPjdvlwDKuFw90o2907TN/C+hE3Q6j3V3ysQdjg=; b=NE98uLPXsrJqJvKKOiLbrBfNQ+JPz3Ui+EKM++A2+X9BmTCdPB6fmNCygvfCLuI64v rM5evW76VW/INmJAna2emG8EagNg9NHQ26VVsLku5vf9mEc3ar4Jmryb9VxQr4yVYAzB 31lpfs1eDjtnJMegkB7i1Z0AY8sFJ0mxYhKOYWbes1RCb3Z8jFlwuDHrydInb8oLah6Q c+rgipkdX/oT5i4W346CcmEiVrSHk/CF0uljwFKb5pg2q8Ir/ZF9qizi8Me9i7ofIRF7 iMnMb/i2Mu5BQM5JAREC4rQpF2adCzIXFFdAjZMcc4TZVhk0eKa+We7gESsGkBPdL9uz M0Gw==
X-Gm-Message-State: AMke39lzYQ92VDugPmaph/9mnMA/2GH0AQTm8e8NRSBrJ7QLCQt0BQ3ljLrtwl4q5iJr54s2VBonjlFpodhNKA==
X-Received: by 10.157.43.110 with SMTP id f43mr8152641otd.132.1488780824002; Sun, 05 Mar 2017 22:13:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.125.40 with HTTP; Sun, 5 Mar 2017 22:13:43 -0800 (PST)
In-Reply-To: <CAAP42hCSs2OuA6NaLR98wYTD=z-wCaA-mqOEsEfRWUEg-xwiJQ@mail.gmail.com>
References: <CAF2hCbYL_hi1_kAXhYDcY7vx+iVA0Gf664BN+2jS2OOEGU16eQ@mail.gmail.com> <CAAP42hA5=Pv5avFgaWcnUQqrSjL2oAViybi3V7ixr+yNVFcj_g@mail.gmail.com> <304c520f-e531-2ac8-f93f-b91aae11253c@free.fr> <CAAP42hAV+-AGemqUEU1yNcM70Zt9xF7m=u_Bnm_T82Ph1Wzu3A@mail.gmail.com> <DC50BBDC-ECC3-4883-93A1-B7A73F0C25ED@mit.edu> <CAF2hCbbL1td2jPtUO6hbuKXQ2b8S6v3E0ymOwqnL4zv=sAqSGw@mail.gmail.com> <CAAP42hCSs2OuA6NaLR98wYTD=z-wCaA-mqOEsEfRWUEg-xwiJQ@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 6 Mar 2017 07:13:43 +0100
Message-ID: <CAF2hCbbZZcz87Z+Sn7S8L7S_5KgZAq1pkSfE8kojdAiZ_diNuw@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary=001a11c162bc29d647054a09cca5
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AKrt4Ld3uATG5RRftKF6yzL1wBw>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 06:13:47 -0000

--001a11c162bc29d647054a09cca5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks Denis!

On Fri, Mar 3, 2017 at 7:37 AM, William Denniss <wdenniss@google.com> wrote:

> Thanks all for the great discussion. I tweaked the discussion on
> public/confidential clients to rely more on the OAuth2 definition (it was a
> bit duplicative), and I reordered the security considerations so it flows
> better, but have kept the normative language for now. Let's see how it pans
> out during the finalization process.
>
> On Mon, Feb 27, 2017 at 8:47 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
>
>> Thanks for the replies.
>>
>> If there are no formal guidelines from IETF I think we should just
>> proceed; it is a good and informative spec, it was just that to me it felt
>> slightly off.
>>
>> Based on the conversation I have no objections taking this draft to RFC.
>>
>> //Samuel
>>
>> On Wed, Feb 22, 2017 at 12:09 AM, Justin Richer <jricher@mit.edu> wrote:
>>
>>> When I brought RFCs 7591, 7592, and 7662 up through the finalization
>>> process, I learned that there are two camps out there on normative
>>> requirements in the security considerations section. Some like them, as
>>> long as they don’t contradict requirements/advice in previous sections, and
>>> some don’t like them, preferring all normative material be in the “body” of
>>> the spec itself. I was given the impression that it was more of a stylistic
>>> choice than anything, but I can only speak from my personal experience.
>>> choice than anything, but I can only speak from my personal experience.
>>>
>>>  =E2=80=94 Justin
>>>
>>> On Feb 21, 2017, at 3:17 PM, William Denniss <wdenniss@google.com>
>>> wrote:
>>>
>>> The only real requirement in that section I guess is the use of PKCE
>>> (8.2).  That requirement could be moved to the body of the doc, while
>>> keeping the longer discussion around code interception in the security
>>> considerations.  To me the remaining text is indeed security best
>>> practices / clarifications.
>>>
>>> Other OAuth WG RFCs have requirement level capitalization in the
>>> Security Section like RFC7591. I always assumed these were best-practice
>>> security requirements. But if the style is really not to do this, the
>>> requirement level capitalization could be dropped from that section in the
>>> native apps BCP.
>>>
>>> On Tue, Feb 21, 2017 at 12:50 AM, Denis <denis.ietf@free.fr> wrote:
>>>
>>>>
>>>> I *don't think* it's normal to have normative text in the Security
>>>> Considerations, hence I support Samuel's position.
>>>>
>>>> Let us look at the first MUST from RFC 6749 in the Security
>>>> Considerations section:
>>>>
>>>>    The authorization server *MUST* authenticate the client *whenever possible*.
>>>>
>>>> This sentence is incorrect. The right sentence should be:
>>>>
>>>>    The authorization server *should* authenticate the client whenever possible.
>>>>
>>>> RFC 6749 is not an example to follow.
>>>>
>>>> Denis
>>>>
>>>>
>>>> I do think it's normal to have normative text in the Security
>>>> Considerations.  RFC6749 has a lengthy Security Considerations section
>>>> <https://tools.ietf.org/html/rfc6749#section-10> with a lot of
>>>> normative text.
>>>>
>>>> Think of it this way: Sections 4 to 7 describe how to use native app
>>>> URI schemes to perform OAuth flows from the app to browser and back. If you
>>>> only read those sections, you could have a functioning (but potentially
>>>> insecure) OAuth flow in a native app. The security section adds some
>>>> security requirements and clarifications for implementing Sections 4-7,
>>>> like using PKCE, and more.
>>>>
>>>> Reviewing sub-section by sub-section:
>>>>
>>>> 8.1 Definitely belongs here, as the whole BCP is about native-app
>>>> URI schemes, whereas doing OAuth in a WebView doesn't need those (as the
>>>> client can just pluck out the code from any redirect URI)
>>>> 8.2 Requires that servers who want to follow the native apps BCP
>>>> support PKCE, and recommends that they reject requests from clients who
>>>> don't.  This *could* be in the main doc, but since PKCE is an existing
>>>> thing, and is purely additive from a security perspective, I think this
>>>> reference works fine. Originally I talked about PKCE more in the doc body,
>>>> but some reviewers thought it was then a little duplicative of the PKCE doc
>>>> itself.
>>>> 8.3 This reads like classic security considerations to me, clarifying
>>>> some details of 7.3
>>>> 8.4 Part of this reads a little new-ish, regarding distinguishing
>>>> native clients from web ones. But on review, I think could just be
>>>> re-worded to reference RFC6749 Section 2.1.
>>>> 8.5 This one belongs where it is since the body of the BCP is talking
>>>> about the code flow.
>>>> 8.6 Totally belongs.
>>>> 8.7 to 8.11 belong IMO, they are security clarifications of
>>>> long-standing topics.
>>>>
>>>> My methodology when reviewing this was: is the text introducing a new
>>>> topic directly related to native apps or sections 4-7, or does it discuss
>>>> an old security topic in the context of native apps, or add security
>>>> related discussions of the content in 4-7. Of all those, I really only see
>>>> a bit of new topic related to native apps in 8.4, and in actual fact
>>>> that sub-section should probably be reworded since RFC6749 already
>>>> establishes the public client type, which native apps are, and a reference
>>>> would be more appropriate (which would reduce it to just clarifying an old
>>>> topic).
>>>>
>>>> What do you think of this analysis? Do you have any specific sections
>>>> or text you feel are better suited in the document body?  I will take an
>>>> action item to revise section 8.4.
>>>>
>>>> On Mon, Feb 20, 2017 at 9:57 PM, Samuel Erdtman <samuel@erdtman.se>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I just had a question on best practice. In this document a large part
>>>>> of the normative text is located under Security Considerations.
>>>>>
>>>>> I had previously seen Security Considerations as things to think about
>>>>> when implementing not so much as MUSTs and MUST NOTs.
>>>>>
>>>>> I think it is okay to have it this way but it surprised me a bit and
>>>>> wanted to ask if there is any best practice for the Security Considerations
>>>>> section saying what type of information it should include.
>>>>>
>>>>> Best Regards
>>>>> Samuel Erdtman
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>
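As an added example (not code from this thread or from the native apps BCP), the PKCE binding that the discussion of section 8.2 turns on, in Python: the client-side S256 challenge, and a hypothetical toy authorization server that, as 8.2 recommends, rejects authorization requests that carry no code_challenge, binds the challenge to a single-use code, and checks the code_verifier at the token endpoint. The class and function names, and the S256-only policy, are this example's assumptions; the RFC 7636 Appendix B test vector is used only in the checks.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier; 32 random bytes give 43 unreserved
    characters, the minimum length RFC 7636 allows."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """Client side: the S256 transform, BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical toy authorization server for illustration: it binds the
    code_challenge to each issued code and checks the code_verifier on redemption."""

    def __init__(self, require_pkce: bool = True) -> None:
        # require_pkce=True is the behaviour 8.2 recommends: refuse requests without a challenge.
        self.require_pkce = require_pkce
        self._codes: Dict[str, Optional[str]] = {}  # code -> bound code_challenge (None for legacy clients)

    def authorize(self, params: Dict[str, str]) -> str:
        """Authorization endpoint: validate the PKCE parameters and issue a single-use code."""
        challenge = params.get("code_challenge")
        if challenge is None:
            if self.require_pkce:
                raise ValueError("invalid_request: code_challenge is required")
        elif params.get("code_challenge_method") != "S256":
            # Policy of this example: accept only S256, never the 'plain' method.
            raise ValueError("invalid_request: code_challenge_method must be S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        """Token endpoint: redeem a code exactly once and check the verifier against the bound challenge."""
        if code not in self._codes:
            return False  # unknown or already redeemed code
        challenge = self._codes.pop(code)  # single use, even when the verifier check fails
        if challenge is None:
            return True  # legacy client; only reachable when require_pkce=False
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge against the stored one.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo_flow() -> Dict[str, bool]:
    """Constructed run: the honest exchange succeeds; a replayed code, a verifier
    from another session and a request without a challenge are all refused."""
    server = AuthorizationServer(require_pkce=True)
    verifier = make_code_verifier()
    code = server.authorize({"code_challenge": make_code_challenge(verifier),
                             "code_challenge_method": "S256"})
    honest = server.token(code, verifier)
    replay = server.token(code, verifier)

    code2 = server.authorize({"code_challenge": make_code_challenge(make_code_verifier()),
                              "code_challenge_method": "S256"})
    wrong_verifier = server.token(code2, verifier)  # verifier belongs to a different session

    try:
        server.authorize({"client_id": "native-app"})  # no code_challenge at all
        missing_challenge_rejected = False
    except ValueError:
        missing_challenge_rejected = True
    return {"honest": honest, "replay": replay, "wrong_verifier": wrong_verifier,
            "missing_challenge_rejected": missing_challenge_rejected}


if __name__ == "__main__":
    print(demo_flow())
```

The server pops the code before checking the verifier so that a failed redemption also consumes the code; that is what makes an intercepted code useless to anyone who does not also hold the verifier, which is the code-interception case the security considerations discuss.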

--001a11c162bc29d647054a09cca5--


From nobody Mon Mar  6 07:05:49 2017
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net> <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <df464b3a-b2dd-8564-decd-95b4616f7b5c@gmx.net>
Date: Mon, 6 Mar 2017 16:05:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="vU5S6B8SWjAuB6kbGOoXHe0q3SoEjtfEP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/spt9XInU9kO4lFHo0ZPgO7wMRj0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--vU5S6B8SWjAuB6kbGOoXHe0q3SoEjtfEP
Content-Type: multipart/mixed; boundary="Qp4JjjGBOKwecd4FEXSqgijoFAQuMjNbw";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <df464b3a-b2dd-8564-decd-95b4616f7b5c@gmx.net>
Subject: Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for
 Adoption
References: <7d639f9c-aecf-5b9b-be56-e16fd5437551@gmx.net>
 <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>
In-Reply-To: <483CE8FA-4AE3-4130-8D7A-AD74892442A4@lodderstedt.net>

--Qp4JjjGBOKwecd4FEXSqgijoFAQuMjNbw
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Yes, this matches my understanding of the discussions at the Seoul meeting.

On 03/04/2017 07:10 PM, Torsten Lodderstedt wrote:
> Hi Hannes,
>
> just for clarification: as far as I remember the proposal in Seoul was to turn the document into a BCP.
>
> Is this consistent with your expectation?
>
> kind regards,
> Torsten.
>
>> On 20.02.2017 at 12:02, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> earlier this month we issued a call for adoption of the OAuth security
>> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
>> response was quite positive on the list (as well as during the last f2f
>> meeting).
>>
>> For this reason, we ask the authors to submit a WG version of the
>> document and to discuss new content for the document in preparation for
>> the next meeting.
>>
>> Note that the intention of the document is to discuss security topics as
>> they relate to the work in the OAuth working group. As this initial
>> document already does, it describes a problem statement and outlines
>> various ways to mitigate the problems. I expect the working group to
>> decide which solution approach is most appropriate and to detail it (at
>> a specification level) in a separate document (some of those documents
>> already exist in the working group). This should help us make decisions
>> that are not just point solutions for specific problems but rather
>> consider the big picture.
>>
>> Ciao
>> Hannes & Derek
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>


--Qp4JjjGBOKwecd4FEXSqgijoFAQuMjNbw--

--vU5S6B8SWjAuB6kbGOoXHe0q3SoEjtfEP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYvXq/AAoJEGhJURNOOiAtM38H/0cN8/H6fGOjMquz2XglIeMT
+uj9omhgrpipyF1gaxbU2iMUftFNRWf9H7nUO0np2RCTRpNUPqeisLvSksAcjm4s
namf9IXsNiCzXKSZBlgi7ZjACtLTJavW8pkTkJsTE5VrLrkV1+6ZceD3c8P0HrbS
wQgeUckaRsb57WGsIGgfh+5rwY3TsyKwUacpfGnClDdH2/ZsYTJqOvbcRVNNedij
OfVoPoFEFt/3TiaMFYG09eQvm8quj38Lhyj1rBfluG5ZI1fJ9IE5kCXeIsi324fx
WOrvT3anidtwFyAek8rLSoxTpCgTPmprVQMeTUmk6db7/E4langbrxtynoas94o=
=Qd4C
-----END PGP SIGNATURE-----

--vU5S6B8SWjAuB6kbGOoXHe0q3SoEjtfEP--


From nobody Mon Mar  6 07:38:11 2017
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <c0ad73c9-4d4b-d62b-2782-c060037deb7d@gmx.net> <CY4PR21MB0504DD37A2BE778F76D6B14EF55E0@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <96b7e141-26a0-f48a-4cc4-5964ae78db42@gmx.net>
Date: Mon, 6 Mar 2017 16:37:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB0504DD37A2BE778F76D6B14EF55E0@CY4PR21MB0504.namprd21.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="emxrtKaTU2Ra6R26ub7goxpNP4X1s0aHF"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/250ZXw0nlF9my-f2M9rxdD_c00Q>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--emxrtKaTU2Ra6R26ub7goxpNP4X1s0aHF
Content-Type: multipart/mixed; boundary="wKSjRRGAdra9HjSq078M0vQ4cd2VpAq15";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org"
 <oauth@ietf.org>
Message-ID: <96b7e141-26a0-f48a-4cc4-5964ae78db42@gmx.net>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization
 Server Metadata
References: <c0ad73c9-4d4b-d62b-2782-c060037deb7d@gmx.net>
 <CY4PR21MB0504DD37A2BE778F76D6B14EF55E0@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504DD37A2BE778F76D6B14EF55E0@CY4PR21MB0504.namprd21.prod.outlook.com>

--wKSjRRGAdra9HjSq078M0vQ4cd2VpAq15
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Mike, Hi all,

as a shepherd I have reviewed the draft and I only have a few minor
comments.

RFC 2246 is included in the normative reference section but not
mentioned in the text.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, DOI 10.17487/RFC2246, January 1999,
              <http://www.rfc-editor.org/info/rfc2246>.

The same is true for these references:


   [RFC7565]  Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
              DOI 10.17487/RFC7565, May 2015,
              <http://www.rfc-editor.org/info/rfc7565>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              <http://tools.ietf.org/html/rfc7518>.

The description of this claim sounds a bit strange.

   jwks_uri
      OPTIONAL.  URL of the authorization server's JWK Set [JWK]
      document.  This contains the signing key(s) the client uses to
      validate signatures from the authorization server.  The JWK Set
      MAY also contain the server's encryption key(s), which are used by
      clients to encrypt requests to the server.  When both signing and
      encryption keys are made available, a "use" (public key use)
      parameter value is REQUIRED for all keys in the referenced JWK Set
      to indicate each key's intended usage.

Instead of saying "This contains the signing key(s) the client uses to
validate signatures from the authorization server."  I would say
something like:

"The JWK, once retrieved from the indicated URL, contains the public
key(s) the client uses to validate signatures from the authorization
server."

Could you also explain how you anticipate these keys to be used? The
meta data may be digitally signed by the authorization server. You
obviously need the public key corresponding to the private key used for
signing the meta-data JSON payload. You seem to be suggesting to
include a URL to that key inside the message itself. If you are not
using HTTPS then you are toast. If you use an HTTPS-based then you are
essentially relying on the trust anchors in the browser for security. Is
that what you want?

Is this mechanism supposed to work with symmetric as well as asymmetric
keys?

Ciao
Hannes

On 02/20/2017 05:33 PM, Mike Jones wrote:
> Per working group feedback, the document now reflects the singular mission of documenting OAuth Authorization Server Metadata as it is actually used in practice.  I believe that the document today accomplishes this mission and is ready for publication.
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, February 20, 2017 1:46 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata
>
> Hi all,
>
> it was roughly a year ago when we issued a working group last call on draft-ietf-oauth-discovery, see https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html. Lots of feedback resulted in a significant restructuring of the document.
>
> The authors of the draft now believe it is ready for a second WGLC and hence we would like to start a 2-week review period.
>
> Please provide your review comments no later than March 6th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> Ciao
> Hannes & Derek
>
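
The checks a client would apply to a jwks_uri value and to the JWK Set it points to, covering the draft rule quoted above (a "use" value is REQUIRED on every key once both signing and encryption keys are published) and the HTTPS and symmetric-key questions raised in the review. This is an added example, not code from the draft or from any implementation; the URL and the key values are constructed placeholders.

```python
"""Client-side checks on an authorization server's jwks_uri and the JWK Set
behind it, following the draft text quoted above and the concerns raised in
the review (HTTPS-only retrieval, public asymmetric keys only).

Added example, not code from the draft or any implementation; the key
values below are constructed placeholders, not real key material."""
import json
from urllib.parse import urlparse

# JWK members that carry private (RSA/EC) or symmetric (oct) key material.
# A JWK Set published at a URL is readable by anyone, so none belong there.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def jwks_uri_problems(uri):
    """Return the reasons a jwks_uri value is unacceptable (empty list = ok).
    The fetched JWK Set is the trust root for every later signature check, so
    it must arrive over a channel the client authenticates: HTTPS only."""
    parts = urlparse(uri)
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.netloc:
        problems.append("missing host")
    if parts.fragment:
        problems.append("fragment component not allowed")
    return problems


def jwk_set_problems(jwks):
    """Return the reasons a parsed JWK Set is unacceptable (empty list = ok)."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["'keys' must be a non-empty array"]
    problems = []
    for i, key in enumerate(keys):
        kty = key.get("kty")
        if kty == "oct":
            # A symmetric key fetched from a public URL is a secret shared with
            # the world; it cannot authenticate the server to anyone.
            problems.append(f"key {i}: symmetric 'oct' key in published set")
        elif kty not in ("RSA", "EC"):
            problems.append(f"key {i}: unsupported or missing kty {kty!r}")
        leaked = sorted(PRIVATE_MEMBERS & key.keys())
        if leaked:
            problems.append(f"key {i}: private key members {leaked}")
        if key.get("use") not in (None, "sig", "enc"):
            problems.append(f"key {i}: unknown use {key['use']!r}")
    uses = {key.get("use") for key in keys}
    # Draft rule: when both signing and encryption keys are published, "use"
    # is REQUIRED on every key, so an unlabeled key in such a set is an error.
    if {"sig", "enc"} <= uses and None in uses:
        problems.append("'use' is REQUIRED on all keys when both sig and enc keys are present")
    return problems


def signing_keys(jwks):
    """Keys the client may use to validate the server's signatures.  A key
    without "use" is treated as a signing key only when no key in the set is
    labeled "enc" (a conservative choice made here, not stated by the draft)."""
    keys = jwks["keys"]
    has_enc = any(k.get("use") == "enc" for k in keys)
    return [k for k in keys
            if k.get("use") == "sig" or (k.get("use") is None and not has_enc)]


def select_signing_key(jwks, kid):
    """Pick the key for a JWS whose header names `kid`; None unless exactly
    one signing key matches (a duplicate kid is ambiguous, so it is refused)."""
    matches = [k for k in signing_keys(jwks) if k.get("kid") == kid]
    return matches[0] if len(matches) == 1 else None


# Constructed sample JWK Set: one RSA signing key, one EC encryption key.
SAMPLE_JWKS = json.loads("""
{"keys": [
  {"kty": "RSA", "use": "sig", "kid": "as-sig-2017", "alg": "RS256",
   "n": "PLACEHOLDER-MODULUS", "e": "AQAB"},
  {"kty": "EC", "use": "enc", "kid": "as-enc-2017", "crv": "P-256",
   "x": "PLACEHOLDER-X", "y": "PLACEHOLDER-Y"}
]}
""")


def demo():
    """Run the checks a client would perform before trusting the metadata
    signature; returns the kid of the key it would verify with."""
    uri = "https://as.example.com/.well-known/jwks.json"  # constructed value
    if jwks_uri_problems(uri) or jwk_set_problems(SAMPLE_JWKS):
        return None
    key = select_signing_key(SAMPLE_JWKS, "as-sig-2017")
    return key["kid"] if key else None


if __name__ == "__main__":
    print("would verify the metadata signature with kid:", demo())
```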




From nobody Mon Mar  6 08:00:10 2017
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
Date: Mon, 6 Mar 2017 17:00:01 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z29wChpDx4Wwr30hm4LGmbqDheU>
Subject: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

Here is the shepherd write-up:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt

Feedback appreciated. I will also do another shepherd review.

Ciao
Hannes




From nobody Mon Mar  6 09:29:32 2017
From: <Sebastian.Ebling@telekom.de>
To: <wdenniss@google.com>
Date: Mon, 6 Mar 2017 17:29:13 +0000
Message-ID: <3e60f71398b34f339058905d12e073af@HE105717.emea1.cds.t-internal.com>
In-Reply-To: <CAAP42hBRCMMhkahQv7VbH4SRLd=jGLvWnRy5Cf-cGr25bryEdQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CkrGPeCSbfjQPCfHaZSAkuNx_XI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07


From nobody Mon Mar  6 11:41:13 2017
To: William Denniss <wdenniss@google.com>, internet-drafts@ietf.org
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <a6596083-6a19-e644-403c-4c1686eba492@gmx.net>
Date: Mon, 6 Mar 2017 20:41:05 +0100
In-Reply-To: <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AuzR86bJZcDCkInm-5q7O7aVx7I>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

Hi William, Hi John,

I just re-read version -8 of the document again.

Two minor remarks only.

Editorial issue: Why do you need to introduce a single sub-section
within Section 7.1. (namely Section 7.1.1)?

Background question: You note that embedded user agents have the
disadvantage that the app that hosts the embedded user-agent can access
the user's full authentication credential. This is certainly true for
password-based authentication mechanisms but I wonder whether this is
also true for strong authentication techniques, such as those used by
FIDO combined with token binding. Have you looked into more modern
authentication techniques as well and their security implications?

Ciao
Hannes

On 03/03/2017 07:39 AM, William Denniss wrote:
> Changes:
>
> – Addresses feedback from the second round of WGLC.
> – Reordered security consideration sections to better group related topics.
> – Added complete URI examples to each of the 3 redirect types.
> – Editorial pass.
>
>
> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org
> <mailto:internet-drafts@ietf.org>> wrote:
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Web Authorization Protocol of the IETF.
>
>             Title           : OAuth 2.0 for Native Apps
>             Authors         : William Denniss
>                               John Bradley
>             Filename        : draft-ietf-oauth-native-apps-08.txt
>             Pages           : 20
>             Date            : 2017-03-02
>
>     Abstract:
>        OAuth 2.0 authorization requests from native apps should only be made
>        through external user-agents, primarily the user's browser.  This
>        specification details the security and usability reasons why this is
>        the case, and how native apps and authorization servers can implement
>        this best practice.
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
>     There's also a htmlized version available at:
>     https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
>
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>




From nobody Mon Mar  6 12:16:12 2017
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <a6596083-6a19-e644-403c-4c1686eba492@gmx.net>
Date: Mon, 6 Mar 2017 17:16:03 -0300
Message-Id: <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WapHyjX6TTKJw0kcasKP75Fhgek>
Cc: internet-drafts@ietf.org, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

On FIDO I can tell you that for security reasons U2F won't work from a
web-view currently.

Once we move to Web Auth (FIDO 2), where the OS provides an API for apps
to call to get the token, it will work, but the tokens are audienced to
the app based on its developer key and bundle_id so that an app can't ask
for a token for a different site to do correlation.

It is true that FIDO UAF currently requires a web-view to work as the
authenticator is effectively compiled in to each application, and that
application has access to the private keys on most platforms (Samsung
Knox being the only exception that I know of where the keys are
managed by a common API to hardware key storage, but they are scoped
like U2F as well).

So for the most part it is true that unless you use the browser to
get the FIDO token the audience is for the app.
Example: Salesforce creates a native app that may use enterprise SSO via
SAML, and the enterprise may use FIDO as an authentication factor.
If they use the webview + FIDO API approach the app can only get a token
for Salesforce based on its signing key.  It could fire up the web-view
and do U2F authentication with the enterprise after Salesforce has
redirected the user.  However it will give every enterprise a token
audienced to Salesforce with a Salesforce specific key.  If there is a
second app for, say, Slack, and they do the same thing, the enterprise would
get a Slack audienced token and a Slack key, forcing a separate
registration.

The recommended alternative is that the app use a custom tab for the
user to Salesforce and that redirect to the enterprise.
The enterprise gets the same token/key with the correct audience from
all apps on the device using the browser or custom tab.
The user may not need to sign in a second time, and if they do their FIDO
token will not need to be re-registered.

The FIDO API approach really only works for first party apps like PayPal
if the app is not doing federation and PayPal is doing the
authentication for their own app.

Token binding private keys have similar issues.  The pool of private
keys will probably not be shared between apps, and not between the app
and the browser (Win 10 may be an exception but it is not documented
yet).

In the case of using AppAuth with token binding the browser maintains
the keys so the enterprise would be able to see the same key and use the
same cookies across all AppAuth apps.

You can include token binding in your app, however the token bindings
and cookies are going to be sandboxed per app.
Depending on implementation the app gets access to the cookie, but
perhaps not to the private token binding key.  (At least I don't think
it will in Android embedded webview).

We could expand on this later in an update to the BCP once Web
Authentication and Token Binding are final.

There are still some unknowns, but in general for any sort of
SSO/Federation 3rd party app I don't see recommending anything
other than a custom tab/ view controller/ external browser.

William can take the formatting question :)

John B.


From nobody Mon Mar  6 12:32:38 2017
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <5BB041E0-86DB-4881-85AC-44F9DD2217B4@ve7jtb.com>
Date: Mon, 6 Mar 2017 17:32:29 -0300
In-Reply-To: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8VO564fI35plEuaM6TOp4iD6y_g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

You may want to note that RFC6749 itself recommends against embedded for
security reasons:

      An embedded user-agent poses a security challenge because resource
      owners are authenticating in an unidentified window without access
      to the visual protections found in most external user-agents.  An
      embedded user-agent educates end-users to trust unidentified
      requests for authentication (making phishing attacks easier to
      execute).

However, 6749 did not explicitly mention that for 3rd-party OAuth apps
using an embedded user agent the 3rd party gets access to the password,
defeating one of the main goals of OAuth in keeping the
password/credential out of the hands of the client.  This document makes
that clearer.

John B.


> On Mar 6, 2017, at 1:00 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Here is the shepherd write-up:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
>
> Feedback appreciated. I will also do another shepherd review.
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
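
As an added illustration of the point John makes above (example code written for this archive, not part of the thread or of the draft's text): a native app that routes its authorization request through an external user-agent only ever receives the authorization code on a loopback redirect, so the user's password is typed into the system browser and never passes through the app. The authorization endpoint and client_id are placeholders, and the PKCE and state handling are this example's own assumptions about a careful client.

```python
"""Native-app authorization through an external user-agent (added example).

The app never renders a login form: the password is only typed into the
system browser, and the app receives just the authorization code on a
loopback redirect. Endpoint and client_id values passed by callers are
placeholders; PKCE and state handling are this example's own assumptions.
"""
import base64
import hashlib
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse


def make_pkce_pair() -> tuple:
    """Return (code_verifier, S256 code_challenge) for one authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scope, state, code_challenge):
    """Authorization request URL that is handed to the external user-agent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_redirect(path: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect request path.

    Raises ValueError when the state does not match the one this app generated
    (a response the app never asked for), when the AS reports an error, or
    when no code is present.
    """
    query = parse_qs(urlparse(path).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def authorize_with_external_browser(authz_endpoint, client_id, scope,
                                    open_browser=webbrowser.open, timeout=120):
    """Run one authorization request via the system browser and a loopback redirect.

    Returns (code, code_verifier, redirect_uri); the caller exchanges the code at
    the token endpoint together with the verifier. `open_browser` is injectable
    so the flow can be exercised without a real browser.
    """
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    result = {}

    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(self.path, state)
                body = b"Authorization complete. You can close this window."
            except ValueError as exc:
                result["error"] = str(exc)
                body = b"Authorization failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the console quiet
            pass

    # Port 0 lets the OS pick a free loopback port; the AS must accept any
    # port for the loopback redirect URI registered by the native app.
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    server.timeout = timeout
    redirect_uri = f"http://127.0.0.1:{server.server_address[1]}/callback"
    try:
        open_browser(build_authorization_url(authz_endpoint, client_id,
                                             redirect_uri, scope, state, challenge))
        server.handle_request()  # serve exactly one redirect, then stop listening
    finally:
        server.server_close()
    if "code" not in result:
        raise ValueError(result.get("error", "no redirect received before timeout"))
    return result["code"], verifier, redirect_uri
```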





From nobody Mon Mar  6 12:38:11 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Date: Mon, 6 Mar 2017 20:38:01 +0000
Message-ID: <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <c0e62125-14e6-2390-87e3-72a2422f732f@bogus.com> <d9d0f5ae-6dcd-98cc-6113-96e937332b60@cs.tcd.ie> <BN3PR03MB23559422F9C2474DB04094FEF54D0@BN3PR03MB2355.namprd03.prod.outlook.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RCG2V_KWTbFLa5R8Z0a1rflXFjk>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

IA0KPj4+PiBCdXQgSSB0aGluayB0aGUgbGFjayBvZiBzcGVjcyBpbiBzb21lIG9mIHRoZXNlIGNh
c2VzIGNvdWxkIA0KPj4+PiBpbXBhY3Qgb24gaW50ZXJvcCwgZS5nLiBpbiB0aGUgb3RwIGNhc2Us
IHRoZXkgcXVvdGUgdHdvIFJGQ3MNCj4+Pj4gYW5kIHlldCBvbmx5IGhhdmUgb25lIHZhbHVlLiBU
aGF0IHNlZW1zIGEgYml0IGJyb2tlbiB0byBtZSwgc28NCj4+Pj4gdGhlIGRpc2N1c3MgaXNuJ3Qg
cmVhbGx5IGFib3V0IHRoZSBmb3JtYWxpc20uDQo+Pj4+IA0KPj4+PiBTLg0KPj4+PiANCj4+Pj4g
DQo+Pj4+Pj4gDQo+Pj4+Pj4gDQo+Pj4+Pj4gDQo+Pj4+PiANCj4+Pj4+IA0KPj4+PiANCj4+PiAN
Cj4+IA0KPiANCg0K


From nobody Mon Mar  6 14:10:16 2017
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F9C51299EB; Mon,  6 Mar 2017 14:10:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level: 
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaK6Huip20Bz; Mon,  6 Mar 2017 14:10:07 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E89E3129488; Mon,  6 Mar 2017 14:10:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 499D3BED6; Mon,  6 Mar 2017 22:10:04 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-ee2prWnrE1; Mon,  6 Mar 2017 22:10:00 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 30097BED5; Mon,  6 Mar 2017 22:10:00 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1488838200; bh=lq9AZDoLnZl/5Botw1+FaQLwjJx/DBYOaTfTlx3yKsU=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=VcqHl2xxdLVzUvDHPxH3icOGJP3fjSm8LOlSHAb8itG6wD1hIFUjBbG+bppS1FbAJ JI+mZ+dwPTPdYqkZpyTAj3TZ/57IP+af6I98cj3WpVg0/Z3vbtAJ2vEhQhOLG5A1Fh haYj+pTbSAVd7DXAO4TDAEefX255GJSATkxnoyqk=
To: Mike Jones <Michael.Jones@microsoft.com>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <d9d0f5ae-6dcd-98cc-6113-96e937332b60@cs.tcd.ie> <BN3PR03MB23559422F9C2474DB04094FEF54D0@BN3PR03MB2355.namprd03.prod.outlook.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie>
Date: Mon, 6 Mar 2017 22:09:59 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="uclXBi9feVTNM5qUmSf7r1NciLoLRbM7n"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LnQKn1ps8I3V8ZQs9CFIFc39AC8>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 22:10:10 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uclXBi9feVTNM5qUmSf7r1NciLoLRbM7n
Content-Type: multipart/mixed; boundary="u1eK8dtqa4WFefjUj1WcfCnTsw26ImliK";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Mike Jones <Michael.Jones@microsoft.com>,
 Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>,
 The IESG <iesg@ietf.org>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>,
 "draft-ietf-oauth-amr-values@ietf.org"
 <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on
 draft-ietf-oauth-amr-values-05: (with DISCUSS)
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com>
 <c0e62125-14e6-2390-87e3-72a2422f732f@bogus.com>
 <d9d0f5ae-6dcd-98cc-6113-96e937332b60@cs.tcd.ie>
 <BN3PR03MB23559422F9C2474DB04094FEF54D0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie>
 <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
 <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie>
 <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
 <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie>
 <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie>
 <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
 <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>

--u1eK8dtqa4WFefjUj1WcfCnTsw26ImliK
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hi Mike,

Apologies - I updated the discuss ballot text [1] on Feb 28 but
must've not sent it as an email or something. Anyway...

   [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/

On 06/03/17 20:38, Mike Jones wrote:
> Hi Stephen.  The changes in draft -06 were intended to address your
> DISCUSS points.  Are you satisfied with these changes or are there
> additional changes you want?  I'm asking partly because it's a week
> now until the submission cutoff and if additional changes are needed,
> I'd like to make them this week.

So I do think there's still work to be done, may as well
copy the new ballot text here:

"
I think we still have the problem that the values
"defined" here (e.g. "fpt") are under specified to a
significant degree. RFC4949 does not tell anyone
how to achieve interop with "fpt" (nor any of the
other cases where you refer to 4949 I think). There
is therefore no utility in "defining" "fpt" as it will
not achieve interop and in fact is more likely to
cause confusion than interop. If the solution of
actually defining the meaning of things like
"fpt" is not achievable then perhaps it will be
better to only define those for which we can get
interop ("pwd" and one or two others) and leave
the definition of the rest for later. (In saying that
I do recall that one of the authors said that there
are implementations that use some of these
type-names, but the point of RFCs is not to "bless"
such things, but to achieve interop.)
"

Cheers,
S.

>
> Thanks, -- Mike
>
> -----Original Message----- From: Mike Jones
> [mailto:Michael.Jones@microsoft.com] Sent: Tuesday, February 28, 2017
> 6:17 PM To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Anthony
> Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The
> IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: RE:
> [OAUTH-WG] Stephen Farrell's Discuss on
> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
> Hi Stephen,
>
> Draft -06 https://tools.ietf.org/html/draft-ietf-oauth-amr-values-06
> adds references for all of the defined "amr" values.  Thanks for
> taking the time to have a thoughtful discussion.
>
> -- Mike
>
> -----Original Message----- From: Stephen Farrell
> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, 2017
> 4:45 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin
> <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG
> <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re:
> [OAUTH-WG] Stephen Farrell's Discuss on
> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
>
>
> On 02/02/17 00:35, Mike Jones wrote:
>> You can call me lazy if you want.
>
> I don't think you're lazy:-) Were I to guess I'd guess that interop
> for these wasn't a priority and that we're defining them a bit early
> and a little too generically.
>
>> Some of them are so well known, such as "password" or "PIN" it
>> didn't seem worthwhile to try to track down a reference.
>
> Sure, those are fine. The only issues would be if there's a
> string2key function somewhere but I don't expect there is in this
> context.
>
>> But I'm willing to work with others to find decent references for
>> the rest of them, if you believe that would improve the quality of
>> the specification.
>
> I do think it would, esp for cases where there are known different
> options (e.g. otp) or likely ill-defined or proprietary formats. My
> guess is that some biometrics fit that latter but I could be wrong.
> If they do, then one runs into the problem of having to depend on
> magic numbers in the encodings or similar to distinguish which is
> really error prone and likely to lead to what our learned transport
> chums are calling ossification;-)
>
> Cheers, S.
>
>
>>
>> Best wishes, -- Mike
>>
>> -----Original Message----- From: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1,
>> 2017 4:31 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony
>> Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>;
>> The IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
>> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re:
>> [OAUTH-WG] Stephen Farrell's Discuss on
>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>
>>
>>
>> On 02/02/17 00:28, Mike Jones wrote:
>>> The other case of known interop testing of "amr" values is for
>>> MODRNA (OpenID Connect Mobile Profile) implementations.  There's
>>> a reference to its use of "amr" values in the spec.
>>
>> Yeah, iirc, that one seemed ok (assuming the reference tells me
>> what code to write which I assume it does).
>>
>> I'm still not seeing why some do have sufficient references and
>> others do not.
>>
>> Is there some difficulty with finding references or something?
>>
>> S
>>
>>>
>>> -----Original Message----- From: Anthony Nadalin Sent: Wednesday,
>>>  February 1, 2017 4:27 PM To: Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie>; Mike Jones
>>> <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>;
>>> The IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
>>> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: RE:
>>>  [OAUTH-WG] Stephen Farrell's Discuss on
>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>> We have interoped between FIDO authenticators vendors and Windows
>>>  Hello
>>>
>>> -----Original Message----- From: Stephen Farrell
>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1,
>>> 2017 4:24 PM To: Mike Jones <Michael.Jones@microsoft.com>;
>>> Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli
>>> <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc:
>>> oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org;
>>> oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss
>>> on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>>
>>>
>>> On 02/02/17 00:21, Mike Jones wrote:
>>>> Thanks, Tony.  I can add that reference.
>>>>
>>>> Stephen, the sets of initial values were chosen from those
>>>> used in practice by Microsoft and Google in real deployments.
>>>
>>> Genuine questions: do you aim to have interop between those
>>> deployments? What if I wanted to write code that'd interop with
>>> msft or google?
>>>
>>> S.
>>>
>>>>
>>>> About "otp", there are existing use cases for indicating that
>>>> an OTP was used.  I'm not aware of any of these use cases where
>>>> the distinction between TOTP and HOTP is important.  Thus,
>>>> having "otp" now makes sense, where having "hotp" and "totp"
>>>> now doesn't.
>>>>
>>>> Stephen, this may seem like splitting hairs, but the registry
>>>> instructions for "Specification Document(s)" are about having a
>>>>  reference for the document where the Authentication Method
>>>> Reference Name (such as "otp") is defined.  In all cases for
>>>> the initial values, this is the RFC-to-be, so the registry
>>>> instructions are satisfied.  If someone were, for instance, to
>>>> define the string "hotp", it would be incumbent on the person
>>>> requesting its registration to provide a URL to the document
>>>> where the string "hotp" is defined.  Also having a reference
>>>> to RFC 4226 in that document would be a good thing, but that
>>>> isn't what the registry instructions are about.
>>>>
>>>> All that said, I can look at also finding appropriate
>>>> references for the remaining values that don't currently have
>>>> them. (Anyone got a good reference for password or PIN to
>>>> suggest, for instance?)
>>>>
>>>> -- Mike
>>>>
>>>> -----Original Message----- From: Anthony Nadalin Sent:
>>>> Wednesday, February 1, 2017 4:10 PM To: Stephen Farrell
>>>> <stephen.farrell@cs.tcd.ie>; Mike Jones
>>>> <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>;
>>>>  The IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
>>>> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject:
>>>> RE: [OAUTH-WG] Stephen Farrell's Discuss on
>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>
>>>> NIST asked for the addition of IRIS (as they are seeing more
>>>> use of IRIS over retina due to the accuracy of iris)  as they
>>>> have been doing significant testing on various iris devices
>>>> and continue to do so, here is a report that NIST released
>>>> http://2010-2014.commerce.gov/blog/2012/04/23/nist-iris-recognition-report-evaluates-needle-haystack-search-capability.html
>>>>
>>>> -----Original Message----- From: Stephen Farrell
>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1,
>>>>  2017 2:26 PM To: Mike Jones <Michael.Jones@microsoft.com>;
>>>> joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc:
>>>> oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org;
>>>> oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's
>>>> Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>
>>>>
>>>> Hi Mike,
>>>>
>>>> On 01/02/17 17:00, Mike Jones wrote:
>>>>> Thanks for the discussion, Stephen.
>>>>>
>>>>> To your point about "otp", the working group discussed this
>>>>> very point.  They explicitly decided not to introduce "hotp"
>>>>> and "totp" identifiers because no one had a use case in
>>>>> which the distinction mattered.
>>>>
>>>> Then I'm not following why adding "otp" to the registry now is
>>>> a good plan.
>>>>
>>>> If there's a use-case now, then adding an entry with a good
>>>> reference to the relevant spec seems right.
>>>>
>>>> If there's no use-case now, then not adding it to the registry
>>>>  seems right. (Mentioning it as a possible future entry would
>>>> be fine.)
>>>>
>>>> I think the same logic would apply for all the values that this
>>>>  spec adds to the registry. Why is that wrong?
>>>>
>>>>> Others can certainly introduce those identifiers and register
>>>>>  them if they do have such a use case, once the registry has
>>>>> been established.  But the working group wanted to be
>>>>> conservative about the identifiers introduced to prime the
>>>>> registry, and this is such a case.
>>>>>
>>>>> What identifiers to use and register will always be a
>>>>> balancing act. You want to be as specific as necessary to add
>>>>> practical and usable value, but not so specific as to make
>>>>> things unnecessarily brittle.
>>>>
>>>> Eh... don't we want interop? Isn't that the primary goal here?
>>>>
>>>>> While some might say there's a difference between serial
>>>>> number ranges of particular authentication devices, going
>>>>> there is clearly in the weeds.  On the other hand, while
>>>>> there used to be an "eye" identifier, Elaine Newton of NIST
>>>>> pointed out that there are significant differences between
>>>>> retina and iris matching, so "eye" was replaced with "retina"
>>>>> and "iris". Common sense informed by actual data is the key
>>>>> here.
>>>>
>>>> That's another good example. There's no reference for "iris."
>>>> If that is used in some protocol, then what format(s) are
>>>> expected to be supported? Where do I find that spec? If we can
>>>> answer that, then great, let's add the details. If not, then
>>>> I'd suggest we omit "iris" and leave it 'till later to add an
>>>> entry for that. And again, including text with "iris" as an
>>>> example is just fine, all I'm asking is that we only add the
>>>> registry entry if we can meet the same bar that we're asking
>>>> the DE to impose on later additions.
>>>>
>>>> And the same for all the others...
>>>>
>>>> Cheers, S.
>>>>
>>>>
>>>>>
>>>>> The point of the registry requiring a specification
>>>>> reference is so people using the registry can tell where the
>>>>> identifier is defined. For all the initial values, that
>>>>> requirement is satisfied, since the reference will be to the
>>>>> new RFC.  I think that aligns with the point that Joel was
>>>>> making.
>>>>>
>>>>> Your thoughts?
>>>>>
>>>>> -- Mike
>>>>>
>>>>> -----Original Message----- From: OAuth
>>>>> [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
>>>>>  Sent: Wednesday, February 1, 2017 7:03 AM To: joel jaeggli
>>>>> <joelja@bogus.com>; The IESG <iesg@ietf.org> Cc:
>>>>> oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org;
>>>>>  oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's
>>>>> Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>>
>>>>>
>>>>>
>>>>> On 01/02/17 14:58, joel jaeggli wrote:
>>>>>> On 1/31/17 8:26 AM, Stephen Farrell wrote:
>>>>>>> Stephen Farrell has entered the following ballot
>>>>>>> position for draft-ietf-oauth-amr-values-05: Discuss
>>>>>>>
>>>>>>> When responding, please keep the subject line intact and
>>>>>>>  reply to all email addresses included in the To and CC
>>>>>>> lines. (Feel free to cut this introductory paragraph,
>>>>>>> however.)
>>>>>>>
>>>>>>>
>>>>>>> Please refer to
>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>> for more information about IESG DISCUSS and COMMENT
>>>>>>> positions.
>>>>>>>
>>>>>>>
>>>>>>> The document, along with other ballot positions, can be
>>>>>>> found here:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>> DISCUSS:
>>>>>>> ----------------------------------------------------------------------
>>>>>>>
>>>>>>> This specification seems to me to break its own rules.
>>>>>>> You state that registrations should include a reference
>>>>>>> to a specification to improve interop. And yet, for the
>>>>>>> strings added here (e.g. otp) you don't do that
>>>>>>> (referring to section 2 will not improve interop) and
>>>>>>> there are different ways in which many of the methods in
>>>>>>> section 2 can be done. So I think you need to add a bunch
>>>>>>> more references.
>>>>>>
>>>>>> Not clear to me that the document creating the registry
>>>>>> needs to adhere to the rules for further allocations in
>>>>>> order to prepopulate the registry. that is perhaps an appeal
>>>>>> to future consistency.
>>>>>
>>>>> Sure - I'm all for a smattering of inconsistency:-)
>>>>>
>>>>> But I think the lack of specs in some of these cases could
>>>>> impact on interop, e.g. in the otp case, they quote two RFCs
>>>>> and yet only have one value. That seems a bit broken to me,
>>>>> so the discuss isn't really about the formalism.
>>>>>
>>>>> S.
>>>>>
>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>


--u1eK8dtqa4WFefjUj1WcfCnTsw26ImliK--

--uclXBi9feVTNM5qUmSf7r1NciLoLRbM7n
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYvd43AAoJEC88hzaAX42iLCEH/04bN8A9Rfbtqkg5B/Vcp/Xs
2QD6mojsqP2fPjhUDOQsuzfpj5YK2f0K4bTDxZlOx/9IibD/vRQrFL83meaFafYO
j24wCqqg27hQHgzGpJ9lVnsdti+LlXH8MOjQrRhu/F9YovznhjUl24B+y+be3rD8
cVq4VGWWcnSK2fnpKH0XOtMAatUiF84H6kLDHIQdJ7x3/2nO4p8G4X6pJdDRpIMK
rJDUAj2v6ySELsVhnj/ISrK3m5HpoKRLHTst2FtZKdak1wpAwUtr713zb5t6jDI9
hLJmqRKBpbYEzdNP7Z67vgaDAs9U66R05qkEFRDLqP/Ja5a5+h23wE2kmgcQxFw=
=qgGb
-----END PGP SIGNATURE-----

--uclXBi9feVTNM5qUmSf7r1NciLoLRbM7n--
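
The message above argues about which "amr" names belong in the registry and whether a name like "otp" or "fpt" tells an implementer what code to write. As an added illustration that is not part of the thread, the draft, or any project mentioned in it, here is how a relying party might actually consume those names. The claim shape (a JSON array of strings named "amr" in an ID Token) is the one OpenID Connect Core 1.0 defines, and the value names used are the ones the draft registers; everything else, in particular the grouping of names into factor buckets, the strict/lenient switch, the evaluate() helper and the sample payloads, is this example's own assumption.

```python
"""Added example, not part of the thread or of the draft's own text.

Shows how a relying party (RP) might consume the "amr" claim whose value
names this draft registers, and why a coarse value such as "otp" is
enough for an RP policy even though HOTP and TOTP differ on the wire.

Assumptions (this example's, not the draft's):
- "amr" is a JSON array of strings inside an ID Token payload, as
  OpenID Connect Core 1.0 defines it.
- The value names below are the ones registered by the draft; grouping
  them into "factor" buckets is this example's own policy choice.
- Signature checking of the token is out of scope; the payloads below
  are constructed JSON, not real tokens captured from any OP.
"""
import json
from typing import List

# This example's own grouping of registered names into factors.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sc", "sms", "tel"}
INHERENCE = {"fpt", "iris", "retina", "face", "vbm"}
# Registered names that describe context rather than a factor.
CONTEXT = {"mfa", "mca", "user", "rba", "geo", "wia"}
KNOWN = KNOWLEDGE | POSSESSION | INHERENCE | CONTEXT


def parse_amr(payload: dict) -> List[str]:
    """Return the amr values, or raise ValueError if the claim is malformed.

    A missing claim is an empty list (the OP asserted nothing about methods).
    A claim that is not an array of strings is rejected, not guessed at.
    """
    if not isinstance(payload, dict):
        raise ValueError("token payload must be a JSON object")
    amr = payload.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def satisfies_mfa(amr: List[str], strict: bool = False) -> bool:
    """True if the asserted methods cover at least two distinct factors.

    strict=True refuses to decide on any name the RP does not recognise
    (the interop-conscious choice); otherwise unknown names are ignored,
    so they can neither help nor hurt the decision.
    """
    values = set(amr)
    if strict and (values - KNOWN):
        return False
    if "mfa" in values:  # the OP asserted multi-factor directly
        return True
    factors = sum(1 for group in (KNOWLEDGE, POSSESSION, INHERENCE)
                  if values & group)
    return factors >= 2


def evaluate(payload_json: str, strict: bool = False) -> str:
    """Map a raw (already signature-checked) payload to an RP decision."""
    try:
        amr = parse_amr(json.loads(payload_json))
    except ValueError:  # json.JSONDecodeError is a ValueError too
        return "reject"  # malformed claim: do not rely on it at all
    return "allow" if satisfies_mfa(amr, strict=strict) else "deny"


# Constructed sample payloads (not captured from any real OP).
SAMPLES = {
    "pwd_only":     json.dumps({"sub": "alice", "amr": ["pwd"]}),
    "pwd_and_otp":  json.dumps({"sub": "alice", "amr": ["pwd", "otp"]}),
    "mfa_asserted": json.dumps({"sub": "alice", "amr": ["mfa", "pwd", "fpt"]}),
    "with_unknown": json.dumps({"sub": "alice", "amr": ["pwd", "otp", "x-vendor"]}),
    "malformed":    json.dumps({"sub": "alice", "amr": "pwd"}),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} lenient={evaluate(payload):6s} "
              f"strict={evaluate(payload, strict=True)}")
```

Run stand-alone it prints one decision per constructed payload. Two things it makes concrete: "otp" on its own lands in the possession bucket, so this RP policy never needs the hotp/totp split discussed in the thread; and strict=True shows the cost of an under-specified name, because a value the RP cannot interpret ("x-vendor" here, but "fpt" would behave the same for an RP that has no idea what it means) turns an otherwise acceptable token into a deny.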


From nobody Mon Mar  6 14:34:18 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98EF6129515; Mon,  6 Mar 2017 14:34:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level: 
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wsLCxEJVlA5; Mon,  6 Mar 2017 14:34:12 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0136.outbound.protection.outlook.com [104.47.37.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 795CF1294EB; Mon,  6 Mar 2017 14:34:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XWDGgc8K7toJvZzgDqRSNTMvz3M9Rcwmhi1KvzxI3mo=; b=dfsfAhOQj1DTOiR3utIKf0WRzPoY+ZjlU2K7r1ZLy6lCLq89OQdxHQWe21Psvcd50BpQJwRRzuEa6u+9ezkXQk5Ma4Gwuiwm8C5VEv+ClL649uU28dJAVA4cU5iwfsgUgxndKcXIwhIIOR5TOjwJLRibjOCUcq5NQ9Ffi9inxUA=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Mon, 6 Mar 2017 22:34:03 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Mon, 6 Mar 2017 22:34:03 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Thread-Index: AQHSe97H5hXZpqeBE0CT6lHMY4yQFKFUP6sAgAABIQCAAB5D0IAAXXiAgAAdOACAAABqIIAAA2uAgAAA3wCAAAAzAIAAAO4AgAAAVZCAAAOFgIAqgOKggAkWs0CAABoJgIAAAbuQ
Date: Mon, 6 Mar 2017 22:34:03 +0000
Message-ID: <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <d9d0f5ae-6dcd-98cc-6113-96e937332b60@cs.tcd.ie> <BN3PR03MB23559422F9C2474DB04094FEF54D0@BN3PR03MB2355.namprd03.prod.outlook.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie>
In-Reply-To: <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:1::36]
x-ms-office365-filtering-correlation-id: 2255d871-1550-48ac-0f50-08d464e0e479
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0504; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:eItR9Fdi3OemjRVJsuIikptZIsScsmeyrLfwXgCXbb3w/XqdidCf5JXUCpUYQfhh8AbG4wng+6i2tCqRxScEfMCTJsy6qLPMRkDoNJg/9MWK3ZgSFMyLVqPKRbjQkyQ0KihcQ691PtFesXKZ1HhfEHggDaB8S/8jSh+3VZYSRkj5rYrzRZgWcPc85+JjUM8RdtOtjTiQDtHQ2b+nDJOMCK/LEuDPg/ZsSWnEsFBEhJQTf+EfgVYFlKouuUg7BOU1zeP1zSwh4im1cb0JPX4fxTOMl++EE3jho+bXyjG429prdNoWfZ3MxHpJvAdFuJs+RRJ7EvYRJucy1VDzQZQQ1mfdA6KthEDq2Un0h+95Zlg=
x-microsoft-antispam-prvs: <CY4PR21MB050448AA1CC6DFCC572EDC1BF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(120809045254105)(21748063052155)(21532816269658); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123555025)(20161123562025)(20161123564025)(6042181)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504; 
x-forefront-prvs: 0238AEEDB0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(13464003)(24454002)(377454003)(50986999)(6306002)(53936002)(122556002)(2950100002)(53946003)(53546006)(230783001)(93886004)(25786008)(4326008)(102836003)(6246003)(76176999)(1511001)(6116002)(86362001)(38730400002)(7696004)(55016002)(5660300001)(54906002)(6506006)(9686003)(54896002)(92566002)(606005)(236005)(77096006)(6436002)(790700001)(10090500001)(106116001)(2421001)(966004)(54356999)(8990500004)(2900100001)(3660700001)(229853002)(3280700002)(8676002)(551544002)(2561002)(10290500002)(189998001)(33656002)(81166006)(7906003)(7736002)(74316002)(2906002)(8936002)(5005710100001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050481D8CF7B8551D21F38A8F52C0CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2017 22:34:03.2761 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6fglPMY8xriRcvZijHuXRtcetcc>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 22:34:17 -0000

--_000_CY4PR21MB050481D8CF7B8551D21F38A8F52C0CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050481D8CF7B8551D21F38A8F52C0CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

Thanks for the reply, Stephen.  I'll try to find better interop-producing references where possible.

In some cases, however, the values are intentionally intended to provide an identifier for a family of closely-related methods, such as "otp", which covers both time-based and HMAC-based OTPs.  Many relying parties will be content to know that an OTP has been used in addition to a password.  The distinction between which kind of OTP was used is not useful to them.  Thus, there's a single identifier that can be satisfied in two or more nearly equivalent ways.  I consider this to be a feature - not a bug.

Similarly, there's a whole range of nuances between different fingerprint matching algorithms.  They differ in false positive and false negative rates over different population samples and also differ based on the kind and model of fingerprint sensor used.  Like the OTP case, many RPs will be content to know that a fingerprint match was made, without delving into and differentiating based on every aspect of the implementation of fingerprint capture and match.  Those that want more precision than this can always define new "amr" values.  But "fpt" is fine as is for what I believe will be the 90+% case.

Ultimately, the RP is depending upon the Identity Provider to do reasonable things.  If it didn't trust the IdP to do so, it has no business using it.  The "amr" value lets the IdP signal to the RP additional information about what it did, for the cases in which that information is useful to the RP.

Reducing this to the point of absurdity, the RP would almost never care about the make, model, and serial number of the fingerprint reader or OTP.  Values _could_ be defined to provide that granularity.  But making those fine-grained distinctions is not useful in practice.

Please consider the existing definitions in light of that _reductio ad absurdum_.  The existing values only make distinctions that are known to be useful to RPs.  Slicing things more finely than would be used in practice actually hurts interop, rather than helping it, because it would force all RPs to recognize that several or many different values actually mean the same thing to them.

                                -- Mike

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Monday, March 6, 2017 2:10 PM
To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)


Hi Mike,

Apologies - I updated the discuss ballot text [1] on Feb 28 but must've not sent it as an email or something. Anyway...

   [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/

On 06/03/17 20:38, Mike Jones wrote:
> Hi Stephen.  The changes in draft -06 were intended to address your
> DISCUSS points.  Are you satisfied with these changes or are there
> additional changes you want?  I'm asking partly because it's a week
> now until the submission cutoff and if additional changes are needed,
> I'd like to make them this week.

So I do think there's still work to be done, may as well copy the new ballot text here:

"
I think we still have the problem that the values "defined" here (e.g. "fpt") are under specified to a significant degree. RFC4949 does not tell anyone how to achieve interop with "fpt" (nor any of the other cases where you refer to 4949 I think). There is therefore no utility in "defining" "fpt" as it will not achieve interop and in fact is more likely to cause confusion than interop. If the solution of actually defining the meaning of things like "fpt" is not achievable then perhaps it will be better to only define those for which we can get interop ("pwd" and one or two others) and leave the definition of the rest for later. (In saying that I do recall that one of the authors said that there are implementations that use some of these type-names, but the point of RFCs is not to "bless"
such things, but to achieve interop.)
"

Cheers,
S.

>
> Thanks, -- Mike
>
> -----Original Message----- From: Mike Jones
> [mailto:Michael.Jones@microsoft.com] Sent: Tuesday, February 28, 2017
> 6:17 PM To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Anthony
> Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The
> IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: RE:
> [OAUTH-WG] Stephen Farrell's Discuss on
> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
> Hi Stephen,
>
> Draft -06 https://tools.ietf.org/html/draft-ietf-oauth-amr-values-06
> adds references for all of the defined "amr" values.  Thanks for
> taking the time to have a thoughtful discussion.
>
> -- Mike
>
> -----Original Message----- From: Stephen Farrell
> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1, 2017
> 4:45 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin
> <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG
> <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re:
> [OAUTH-WG] Stephen Farrell's Discuss on
> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
>
>
> On 02/02/17 00:35, Mike Jones wrote:
>> You can call me lazy if you want.
>
> I don't think you're lazy:-) Were I to guess I'd guess that interop
> for these wasn't a priority and that we're defining them a bit early
> and a little too generically.
>
>> Some of them are so well known, such as "password" or "PIN" it didn't
>> seem worthwhile to try to track down a reference.
>
> Sure, those are fine. The only issues would be if there's a string2key
> function somewhere but I don't expect there is in this context.
>
>> But I'm willing to work with others to find decent references for the
>> rest of them, if you believe that would improve the quality of the
>> specification.
>
> I do think it would, esp for cases where there are known different
> options (e.g. otp) or likely ill-defined or proprietary formats. My
> guess is that some biometrics fit that latter but I could be wrong.
> If they do, then one runs into the problem of having to depend on
> magic numbers in the encodings or similar to distinguish which is
> really error prone and likely to lead to what our learned transport
> chums are calling ossification;-)
>
> Cheers, S.
>
>
>>
>> Best wishes, -- Mike
>>
>> -----Original Message----- From: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1,
>> 2017 4:31 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony
>> Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The
>> IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
>> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: Re:
>> [OAUTH-WG] Stephen Farrell's Discuss on
>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>
>>
>>
>> On 02/02/17 00:28, Mike Jones wrote:
>>> The other case of known interop testing of "amr" values is for
>>> MODRNA (OpenID Connect Mobile Profile) implementations.  There's a
>>> reference to its use of "amr" values in the spec.
>>
>> Yeah, iirc, that one seemed ok (assuming the reference tells me what
>> code to write which I assume it does).
>>
>> I'm still not seeing why some do have sufficient references and
>> others do not.
>>
>> Is there some difficulty with finding references or something?
>>
>> S
>>
>>>
>>> -----Original Message----- From: Anthony Nadalin Sent: Wednesday,
>>> February 1, 2017 4:27 PM To: Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie>; Mike Jones
>>> <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>; The
>>> IESG <iesg@ietf.org> Cc: oauth-chairs@ietf.org;
>>> draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org Subject: RE:
>>>  [OAUTH-WG] Stephen Farrell's Discuss on
>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>> We have interoped between FIDO authenticators vendors and Windows
>>> Hello
>>>
>>> -----Original Message----- From: Stephen Farrell
>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, February 1,
>>> 2017 4:24 PM To: Mike Jones <Michael.Jones@microsoft.com>; Anthony
>>> Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>;
>>> The IESG <iesg@ietf.org> Cc:
>>> oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org;
>>> oauth@ietf.org Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on
>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>>
>>>
>>> On 02/02/17 00:21, Mike Jones wrote:
>>>> Thanks, Tony.  I can add that reference.
>>>>
>>>> Stephen, the sets of initial values were chosen from those used in
>>>> practice by Microsoft and Google in real deployments.
>>>
>>> Genuine questions: do you aim to have interop between those
>>> deployments? What if I wanted to write code that'd interop with msft
>>> or google?
>>>
>>> S.
>>>
>>>>
>>>> About "otp", there are existing use cases for indicating that an
>>>> OTP was used.  I'm not aware of any of these use cases where the
>>>> distinction between TOTP and HOTP is important.  Thus, having "otp"
>>>> now makes sense, where having "hotp" and "totp"
>>>> now doesn't.
>>>>
>>>> Stephen, this may seem like splitting hairs, but the registry
>>>> instructions for "Specification Document(s)" are about having a
>>>> reference for the document where the Authentication Method
>>>> Reference Name (such as "otp") is defined.  In all cases for the
>>>> initial values, this i
cyB0aGUgUkZDLXRvLWJlLCBzbyB0aGUgcmVnaXN0cnkgaW5zdHJ1Y3Rpb25zDQo8bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgYXJlIHNhdGlz
ZmllZC4mbmJzcDsgSWYgc29tZW9uZSB3ZXJlLCBmb3IgaW5zdGFuY2UsIHRvIGRlZmluZSB0aGUg
c3RyaW5nDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
Jmd0OyZndDsgJnF1b3Q7aG90cCZxdW90OywgaXQgd291bGQgYmUgaW5jdW1iZW50IG9uIHRoZSBw
ZXJzb24gcmVxdWVzdGluZyBpdHMNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu
VGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyByZWdpc3RyYXRpb24gdG8gcHJvdmlkZSBhIFVSTCB0byB0
aGUgZG9jdW1lbnQgd2hlcmUgdGhlIHN0cmluZw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7ICZxdW90O2hvdHAmcXVvdDsgaXMgZGVmaW5l
ZC4mbmJzcDsgQWxzbyBoYXZpbmcgYSByZWZlcmVuY2UgdG8gUkZDIDQyMjYgaW4gdGhhdA0KPG86
cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IGRv
Y3VtZW50IHdvdWxkIGJlIGEgZ29vZCB0aGluZywgYnV0IHRoYXQgaXNuJ3Qgd2hhdCB0aGUgcmVn
aXN0cnkNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsm
Z3Q7Jmd0OyBpbnN0cnVjdGlvbnMgYXJlIGFib3V0LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgQWxsIHRoYXQgc2FpZCwgSSBjYW4gbG9v
ayBhdCBhbHNvIGZpbmRpbmcgYXBwcm9wcmlhdGUgcmVmZXJlbmNlcw0KPG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IGZvciB0aGUgcmVtYWlu
aW5nIHZhbHVlcyB0aGF0IGRvbid0IGN1cnJlbnRseSBoYXZlIHRoZW0uIChBbnlvbmUNCjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBnb3Qg
YSBnb29kIHJlZmVyZW5jZSBmb3IgcGFzc3dvcmQgb3IgUElOIHRvIHN1Z2dlc3QsIGZvciBpbnN0
YW5jZT8pPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZn
dDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsm
Z3Q7Jmd0OyAtLSBNaWtlPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m
Z3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+
Jmd0OyZndDsmZ3Q7Jmd0OyAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLSBGcm9tOiBBbnRob255
IE5hZGFsaW4gU2VudDo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn
dDsmZ3Q7Jmd0OyZndDsgV2VkbmVzZGF5LCBGZWJydWFyeSAxLCAyMDE3IDQ6MTAgUE0gVG86IFN0
ZXBoZW4gRmFycmVsbA0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m
Z3Q7Jmd0OyZndDsmZ3Q7ICZsdDs8YSBocmVmPSJtYWlsdG86c3RlcGhlbi5mYXJyZWxsQGNzLnRj
ZC5pZSI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUi
PnN0ZXBoZW4uZmFycmVsbEBjcy50Y2QuaWU8L3NwYW4+PC9hPiZndDs7IE1pa2UgSm9uZXMNCjxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyAm
bHQ7PGEgaHJlZj0ibWFpbHRvOk1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNvbSI+PHNwYW4gc3R5
bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPk1pY2hhZWwuSm9uZXNA
bWljcm9zb2Z0LmNvbTwvc3Bhbj48L2E+Jmd0Ozsgam9lbCBqYWVnZ2xpICZsdDs8YSBocmVmPSJt
YWlsdG86am9lbGphQGJvZ3VzLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4
dC1kZWNvcmF0aW9uOm5vbmUiPmpvZWxqYUBib2d1cy5jb208L3NwYW4+PC9hPiZndDs7Jm5ic3A7
DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsgVGhlIElFU0cgJmx0OzxhIGhyZWY9Im1haWx0bzppZXNnQGlldGYub3JnIj48c3BhbiBzdHls
ZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aWVzZ0BpZXRmLm9yZzwv
c3Bhbj48L2E+Jmd0OyBDYzoNCjxhIGhyZWY9Im1haWx0bzpvYXV0aC1jaGFpcnNAaWV0Zi5vcmci
PjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5vYXV0
aC1jaGFpcnNAaWV0Zi5vcmc8L3NwYW4+PC9hPjsNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8YSBocmVmPSJtYWlsdG86ZHJhZnQtaWV0
Zi1vYXV0aC1hbXItdmFsdWVzQGlldGYub3JnIj4NCjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0
ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5kcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXNAaWV0
Zi5vcmc8L3NwYW4+PC9hPjsNCjxhIGhyZWY9Im1haWx0bzpvYXV0aEBpZXRmLm9yZyI+PHNwYW4g
c3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPm9hdXRoQGlldGYu
b3JnPC9zcGFuPjwvYT4gU3ViamVjdDo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp
blRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgUkU6IFtPQVVUSC1XR10gU3RlcGhlbiBGYXJyZWxsJ3Mg
RGlzY3VzcyBvbjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyBkcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXMtMDU6ICh3aXRoIERJU0NVU1Mp
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7
IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0
OyBOSVNUIGFza2VkIGZvciB0aGUgYWRkaXRpb24gb2YgSVJJUyAoYXMgdGhleSBhcmUgc2VlaW5n
IG1vcmUgdXNlIG9mDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn
dDsmZ3Q7Jmd0OyZndDsgSVJJUyBvdmVyIHJldGluYSBkdWUgdG8gdGhlIGFjY3VyYWN5IG9mIGly
aXMpJm5ic3A7IGFzIHRoZXkgaGF2ZSBiZWVuDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgZG9pbmcgc2lnbmlmaWNhbnQgdGVzdGluZyBv
biB2YXJpb3VzIGlyaXMgZGV2aWNlcyBhbmQgY29udGludWUgdG8NCjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBkbyBzbywgaGVyZSBpcyBh
IHJlcG9ydCB0aGF0IE5JU1QgcmVsZWFzZWQgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
UGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IDxhIGhyZWY9Imh0dHA6Ly8yMDEwLTIwMTQuY29t
bWVyY2UuZ292L2Jsb2cvMjAxMi8wNC8yMy9uaXN0LWlyaXMtcmVjb2duaXRpb24iPg0KPHNwYW4g
c3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmh0dHA6Ly8yMDEw
LTIwMTQuY29tbWVyY2UuZ292L2Jsb2cvMjAxMi8wNC8yMy9uaXN0LWlyaXMtcmVjb2duaXRpb248
L3NwYW4+PC9hPjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyAtcmVwb3J0LWV2YWx1YXRlcy1uZWVkbGUtaGF5c3RhY2stc2VhcmNoLWNhcGFi
aWxpdHkuaHRtbDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+
Jmd0OyZndDsmZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu
VGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDs8bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDs8bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDs8bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvUGxhaW5UZXh0Ij4tLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLSBGcm9tOiBTdGVwaGVu
IEZhcnJlbGw8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
Jmd0OyZndDsgWzxhIGhyZWY9Im1haWx0bzpzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllIj48c3Bh
biBzdHlsZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+bWFpbHRvOnN0
ZXBoZW4uZmFycmVsbEBjcy50Y2QuaWU8L3NwYW4+PC9hPl0gU2VudDogV2VkbmVzZGF5LCBGZWJy
dWFyeSAxLDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsm
Z3Q7Jmd0OyZuYnNwOyAyMDE3IDI6MjYgUE0gVG86IE1pa2UgSm9uZXMgJmx0OzxhIGhyZWY9Im1h
aWx0bzpNaWNoYWVsLkpvbmVzQG1pY3Jvc29mdC5jb20iPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5k
b3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5NaWNoYWVsLkpvbmVzQG1pY3Jvc29mdC5jb208
L3NwYW4+PC9hPiZndDs7IGpvZWwNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu
VGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBqYWVnZ2xpICZsdDs8YSBocmVmPSJtYWlsdG86am9lbGph
QGJvZ3VzLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9u
Om5vbmUiPmpvZWxqYUBib2d1cy5jb208L3NwYW4+PC9hPiZndDs7IFRoZSBJRVNHICZsdDs8YSBo
cmVmPSJtYWlsdG86aWVzZ0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7
dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmllc2dAaWV0Zi5vcmc8L3NwYW4+PC9hPiZndDsNCiBDYzo8
bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsg
PGEgaHJlZj0ibWFpbHRvOm9hdXRoLWNoYWlyc0BpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9y
OndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPm9hdXRoLWNoYWlyc0BpZXRmLm9yZzwv
c3Bhbj48L2E+Ow0KPGEgaHJlZj0ibWFpbHRvOmRyYWZ0LWlldGYtb2F1dGgtYW1yLXZhbHVlc0Bp
ZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5v
bmUiPmRyYWZ0LWlldGYtb2F1dGgtYW1yLXZhbHVlc0BpZXRmLm9yZzwvc3Bhbj48L2E+OzxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8YSBo
cmVmPSJtYWlsdG86b2F1dGhAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0
O3RleHQtZGVjb3JhdGlvbjpub25lIj5vYXV0aEBpZXRmLm9yZzwvc3Bhbj48L2E+IFN1YmplY3Q6
IFJlOiBbT0FVVEgtV0ddIFN0ZXBoZW4gRmFycmVsbCdzIERpc2N1c3Mgb24NCjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBkcmFmdC1pZXRm
LW9hdXRoLWFtci12YWx1ZXMtMDU6ICh3aXRoIERJU0NVU1MpPG86cD48L286cD48L3A+DQo8cCBj
bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAg
Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgSGkgTWlrZSw8bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IE9uIDAxLzAy
LzE3IDE3OjAwLCBNaWtlIEpvbmVzIHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgVGhhbmtzIGZvciB0aGUgZGlzY3Vzc2lv
biwgU3RlcGhlbi48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsm
Z3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+
Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgVG8geW91ciBwb2ludCBhYm91dCAmcXVvdDtvdHAmcXVvdDss
IHRoZSB3b3JraW5nIGdyb3VwIGRpc2N1c3NlZCB0aGlzIHZlcnkNCjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgcG9pbnQuJm5ic3A7
IFRoZXkgZXhwbGljaXRseSBkZWNpZGVkIG5vdCB0byBpbnRyb2R1Y2UgJnF1b3Q7aG90cCZxdW90
OzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0
OyZndDsgYW5kICZxdW90O3RvdHAmcXVvdDsgaWRlbnRpZmllcnMgYmVjYXVzZSBubyBvbmUgaGFk
IGEgdXNlIGNhc2UgaW4gd2hpY2ggdGhlDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q
bGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IGRpc3RpbmN0aW9uIG1hdHRlcmVkLjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgVGhl
biBJJ20gbm90IGZvbGxvd2luZyB3aHkgYWRkaW5nICZxdW90O290cCZxdW90OyB0byB0aGUgcmVn
aXN0cnkgbm93IGlzIGENCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+
Jmd0OyZndDsmZ3Q7Jmd0OyBnb29kIHBsYW4uPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
UGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBJZiB0aGVyZSdzIGEgdXNlLWNhc2Ugbm93LCB0
aGVuIGFkZGluZyBhbiBlbnRyeSB3aXRoIGEgZ29vZA0KPG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IHJlZmVyZW5jZSB0byB0aGUgcmVsZXZh
bnQgc3BlYyBzZWVtcyByaWdodC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl
eHQiPiZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IElmIHRoZXJlJ3Mgbm8gdXNlLWNhc2Ugbm93LCB0aGVuIG5v
dCBhZGRpbmcgaXQgdG8gdGhlIHJlZ2lzdHJ5Jm5ic3A7DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgc2VlbXMgcmlnaHQuIChNZW50aW9u
aW5nIGl0IGFzIGEgcG9zc2libGUgZnV0dXJlIGVudHJ5IHdvdWxkIGJlDQo8bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgZmluZS4pPG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyBJIHRo
aW5rIHRoZSBzYW1lIGxvZ2ljIHdvdWxkIGFwcGx5IGZvciBhbGwgdGhlIHZhbHVlcyB0aGF0IHRo
aXMmbmJzcDsNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyBzcGVjIGFkZHMgdG8gdGhlIHJlZ2lzdHJ5LiBXaHkgaXMgdGhhdCB3cm9uZz88
bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsg
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyBPdGhlcnMgY2FuIGNlcnRhaW5seSBpbnRyb2R1Y2UgdGhvc2UgaWRlbnRpZmllcnMgYW5k
IHJlZ2lzdGVyJm5ic3A7DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi
PiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IHRoZW0gaWYgdGhleSBkbyBoYXZlIHN1Y2ggYSB1c2UgY2Fz
ZSwgb25jZSB0aGUgcmVnaXN0cnkgaGFzIGJlZW4NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgZXN0YWJsaXNoZWQuJm5ic3A7IEJ1
dCB0aGUgd29ya2luZyBncm91cCB3YW50ZWQgdG8gYmUgY29uc2VydmF0aXZlDQo8bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IGFib3V0
IHRoZSBpZGVudGlmaWVycyBpbnRyb2R1Y2VkIHRvIHByaW1lIHRoZSByZWdpc3RyeSwgYW5kIHRo
aXMNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7
Jmd0OyZndDsgaXMgc3VjaCBhIGNhc2UuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IFdoYXQgaWRlbnRpZmllcnMgdG8gdXNl
IGFuZCByZWdpc3RlciB3aWxsIGFsd2F5cyBiZSBhIGJhbGFuY2luZw0KPG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBhY3QuIFlvdSB3
YW50IHRvIGJlIGFzIHNwZWNpZmljIGFzIG5lY2Vzc2FyeSB0byBhZGQgcHJhY3RpY2FsIGFuZA0K
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyB1c2FibGUgdmFsdWUsIGJ1dCBub3Qgc28gc3BlY2lmaWMgYXMgdG8gbWFrZSB0aGluZ3Mg
dW5uZWNlc3NhcmlseQ0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m
Z3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBicml0dGxlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z
b1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgRWguLi4gZG9uJ3Qgd2Ugd2FudCBpbnRlcm9w
PyBJc24ndCB0aGF0IHRoZSBwcmltYXJ5IGdvYWwgaGVyZT88bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBj
bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBXaGlsZSBzb21lIG1pZ2h0
IHNheSB0aGVyZSdzIGEgZGlmZmVyZW5jZSBiZXR3ZWVuIHNlcmlhbCBudW1iZXINCjxvOnA+PC9v
OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgcmFu
Z2VzIG9mIHBhcnRpY3VsYXIgYXV0aGVudGljYXRpb24gZGV2aWNlcywgZ29pbmcgdGhlcmUgaXMN
CjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0
OyZndDsgY2xlYXJseSBpbiB0aGUgd2VlZHMuJm5ic3A7IE9uIHRoZSBvdGhlciBoYW5kLCB3aGls
ZSB0aGVyZSB1c2VkIHRvIGJlDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl
eHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IGFuICZxdW90O2V5ZSZxdW90OyBpZGVudGlmaWVyLCBF
bGFpbmUgTmV3dG9uIG9mIE5JU1QgcG9pbnRlZCBvdXQgdGhhdCB0aGVyZQ0KPG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBhcmUgc2ln
bmlmaWNhbnQgZGlmZmVyZW5jZXMgYmV0d2VlbiByZXRpbmEgYW5kIGlyaXMgbWF0Y2hpbmcsIHNv
DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsmZ3Q7ICZxdW90O2V5ZSZxdW90OyB3YXMgcmVwbGFjZWQgd2l0aCAmcXVvdDtyZXRpbmEmcXVv
dDs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsmZ3Q7IGFuZCAmcXVvdDtpcmlzJnF1b3Q7LiBDb21tb24gc2Vuc2UgaW5mb3JtZWQgYnkgYWN0
dWFsIGRhdGEgaXMgdGhlIGtleSBoZXJlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs
YWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q
bGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgVGhhdCdzIGFub3RoZXIgZ29vZCBleGFtcGxlLiBU
aGVyZSdzIG5vIHJlZmVyZW5jZSBmb3IgJnF1b3Q7aXJpcy4mcXVvdDs8bzpwPjwvbzpwPjwvcD4N
CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgSWYgdGhhdCBpcyB1c2Vk
IGluIHNvbWUgcHJvdG9jb2wsIHRoZW4gd2hhdCBmb3JtYXQocykgYXJlIGV4cGVjdGVkDQo8bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgdG8g
YmUgc3VwcG9ydGVkPyBXaGVyZSBkbyBJIGZpbmQgdGhhdCBzcGVjPyBJZiB3ZSBjYW4gYW5zd2Vy
IHRoYXQsDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
Jmd0OyZndDsgdGhlbiBncmVhdCwgbGV0J3MgYWRkIHRoZSBkZXRhaWxzLiBJZiBub3QsIHRoZW4g
SSdkIHN1Z2dlc3Qgd2Ugb21pdA0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7ICZxdW90O2lyaXMmcXVvdDsgYW5kIGxlYXZlIGl0ICd0aWxs
IGxhdGVyIHRvIGFkZCBhbiBlbnRyeSBmb3IgdGhhdC4gQW5kDQo8bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgYWdhaW4sIGluY2x1ZGluZyB0
ZXh0IHdpdGggJnF1b3Q7aXJpcyZxdW90OyBhcyBhbiBleGFtcGxlIGlzIGp1c3QgZmluZSwgYWxs
DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsgSSdtIGFza2luZyBpcyB0aGF0IHdlIG9ubHkgYWRkIHRoZSByZWdpc3RyeSBlbnRyeSBpZiB3
ZSBjYW4gbWVldA0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7
Jmd0OyZndDsmZ3Q7IHRoZSBzYW1lIGJhciB0aGF0IHdlJ3JlIGFza2luZyB0aGUgREUgdG8gaW1w
b3NlIG9uIGxhdGVyIGFkZGl0aW9ucy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp
blRleHQiPiZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7IEFuZCB0aGUgc2FtZSBmb3IgYWxsIHRoZSBvdGhlcnMu
Li48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsm
Z3Q7IENoZWVycywgUy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn
dDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m
Z3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+
Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBUaGUgcG9pbnQgb2YgdGhlIHJlZ2lzdHJ5IHJlcXVp
cmluZyBhIHNwZWNpZmljYXRpb24gcmVmZXJlbmNlIGlzDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNs
YXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IHNvIHBlb3BsZSB1c2luZyB0
aGUgcmVnaXN0cnkgY2FuIHRlbGwgd2hlcmUgdGhlIGlkZW50aWZpZXIgaXMNCjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgZGVmaW5l
ZC4gRm9yIGFsbCB0aGUgaW5pdGlhbCB2YWx1ZXMsIHRoYXQgcmVxdWlyZW1lbnQgaXMNCjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsg
c2F0aXNmaWVkLCBzaW5jZSB0aGUgcmVmZXJlbmNlIHdpbGwgYmUgdG8gdGhlIG5ldyBSRkMuJm5i
c3A7IEkgdGhpbmsNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsgdGhhdCBhbGlnbnMgd2l0aCB0aGUgcG9pbnQgdGhhdCBKb2VsIHdh
cyBtYWtpbmcuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0
OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn
dDsmZ3Q7Jmd0OyZndDsmZ3Q7IFlvdXIgdGhvdWdodHM/PG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IC0tIE1pa2U8bzpwPjwv
bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZn
dDsgLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0gRnJvbTogT0F1dGggPG86cD48L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBbPGEgaHJlZj0i
bWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0
ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5tYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZzwv
c3Bhbj48L2E+XSBPbiBCZWhhbGYgT2YgU3RlcGhlbiBGYXJyZWxsPG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZuYnNwOyBTZW50OiBX
ZWRuZXNkYXksIEZlYnJ1YXJ5IDEsIDIwMTcgNzowMyBBTSBUbzogam9lbCBqYWVnZ2xpDQo8bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
ICZsdDs8YSBocmVmPSJtYWlsdG86am9lbGphQGJvZ3VzLmNvbSI+PHNwYW4gc3R5bGU9ImNvbG9y
OndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmpvZWxqYUBib2d1cy5jb208L3NwYW4+
PC9hPiZndDs7IFRoZSBJRVNHICZsdDs8YSBocmVmPSJtYWlsdG86aWVzZ0BpZXRmLm9yZyI+PHNw
YW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9uOm5vbmUiPmllc2dAaWV0
Zi5vcmc8L3NwYW4+PC9hPiZndDsNCiBDYzo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q
bGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxhIGhyZWY9Im1haWx0bzpvYXV0aC1jaGFp
cnNAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlv
bjpub25lIj5vYXV0aC1jaGFpcnNAaWV0Zi5vcmc8L3NwYW4+PC9hPjsNCjxhIGhyZWY9Im1haWx0
bzpkcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXNAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xv
cjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5kcmFmdC1pZXRmLW9hdXRoLWFtci12
YWx1ZXNAaWV0Zi5vcmc8L3NwYW4+PC9hPjs8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q
bGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jm5ic3A7IDxhIGhyZWY9Im1haWx0bzpvYXV0
aEBpZXRmLm9yZyI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNvcmF0aW9u
Om5vbmUiPm9hdXRoQGlldGYub3JnPC9zcGFuPjwvYT4gU3ViamVjdDogUmU6IFtPQVVUSC1XR10g
U3RlcGhlbiBGYXJyZWxsJ3MgRGlzY3Vzcw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
UGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBvbiBkcmFmdC1pZXRmLW9hdXRoLWFtci12
YWx1ZXMtMDU6ICh3aXRoIERJU0NVU1MpPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8
cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBPbiAwMS8wMi8xNyAx
NDo1OCwgam9lbCBqYWVnZ2xpIHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs
YWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IE9uIDEvMzEvMTcgODoyNiBBTSwgU3Rl
cGhlbiBGYXJyZWxsIHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4
dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBTdGVwaGVuIEZhcnJlbGwgaGFzIGVudGVy
ZWQgdGhlIGZvbGxvd2luZyBiYWxsb3QgcG9zaXRpb24gZm9yDQo8bzpwPjwvbzpwPjwvcD4NCjxw
IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgZHJhZnQt
aWV0Zi1vYXV0aC1hbXItdmFsdWVzLTA1OiBEaXNjdXNzPG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0
OyBXaGVuIHJlc3BvbmRpbmcsIHBsZWFzZSBrZWVwIHRoZSBzdWJqZWN0IGxpbmUgaW50YWN0IGFu
ZCZuYnNwOyByZXBseQ0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m
Z3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IHRvIGFsbCBlbWFpbCBhZGRyZXNzZXMgaW5jbHVk
ZWQgaW4gdGhlIFRvIGFuZCBDQyBsaW5lcy4gKEZlZWwNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh
c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBmcmVlIHRvIGN1
dCB0aGlzIGludHJvZHVjdG9yeSBwYXJhZ3JhcGgsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IGhvd2V2ZXIuKTxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsm
Z3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IFBsZWFzZSByZWZlciB0bzxvOnA+PC9v
OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyA8YSBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9pZXNnL3N0YXRlbWVudC9kaXNjdXNz
LWNyaXRlcmlhLmh0bWwiPg0KPHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNv
cmF0aW9uOm5vbmUiPmh0dHBzOi8vd3d3LmlldGYub3JnL2llc2cvc3RhdGVtZW50L2Rpc2N1c3Mt
Y3JpdGVyaWEuaHRtbDwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Zm9yIG1vcmUgaW5mb3JtYXRp
b24gYWJvdXQgSUVTRyBESVNDVVNTIGFuZCBDT01NRU5UPG86cD48L286cD48L3A+DQo8cCBjbGFz
cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IHBvc2l0aW9ucy48
bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsm
Z3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7
Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs
YWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBUaGUgZG9jdW1lbnQsIGFsb25n
IHdpdGggb3RoZXIgYmFsbG90IHBvc2l0aW9ucywgY2FuIGJlIGZvdW5kDQo8bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsg
aGVyZTo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsgPGEgaHJlZj0iaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9k
b2MvZHJhZnQtaWV0Zi1vYXV0aC1hbXItdmFsdWVzLyI+DQo8c3BhbiBzdHlsZT0iY29sb3I6d2lu
ZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9y
Zy9kb2MvZHJhZnQtaWV0Zi1vYXV0aC1hbXItdmFsdWVzLzwvc3Bhbj48L2E+PG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZn
dDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86
cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsm
Z3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4
dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAg
Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OzxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0
OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp
blRleHQiPiZndDsmZ3Q7Jmd0OyAtPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IERJU0NVU1M6IDxvOnA+PC9vOnA+PC9w
Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyAt
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZn
dDsmZ3Q7Jmd0OyZndDsmZ3Q7IC0tLS0tPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh
aW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+
DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86
cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsm
Z3Q7PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNv
UGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDs8bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN
c29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDs8bzpwPiZuYnNwOzwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7PG86cD4mbmJzcDs8L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7PG86cD4m
bmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+LTxv
OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZn
dDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsm
Z3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgVGhpcyBzcGVjaWZpY2F0aW9uIHNlZW1zIHRvIG1lIHRv
IGJyZWFrIGl0J3Mgb3duIHJ1bGVzLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu
VGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBZb3Ugc3RhdGUgdGhhdCByZWdpc3Ry
YXRpb25zIHNob3VsZCBpbmNsdWRlIGEgcmVmZXJlbmNlIHRvIGENCjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBzcGVj
aWZpY2F0aW9uIHRvIGltcHJvdmUgaW50ZXJvcC4gQW5kIHlldCwgZm9yIHRoZSBzdHJpbmdzIGFk
ZGVkDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsgaGVyZSAoZS5nLiBvdHApIHlvdSBkb24ndCBkbyB0aGF0IChyZWZl
cnJpbmcgdG8gc2VjdGlvbiAyIHdpbGwNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs
YWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBub3QgaW1wcm92ZSBpbnRlcm9w
KSBhbmQgdGhlcmUgYXJlIGRpZmZlcmVudCB3YXlzIGluIHdoaWNoIG1hbnkNCjxvOnA+PC9vOnA+
PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0
OyBvZiB0aGUgbWV0aG9kcyBpbiBzZWN0aW9uIDIgY2FuIGJlIGRvbmUuIFNvIEkgdGhpbmsgeW91
IG5lZWQgdG8NCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBhZGQgYSBidW5jaCBtb3JlIHJlZmVyZW5jZXMuPG86cD48
L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZn
dDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsm
Z3Q7Jmd0OyZndDsgTm90IGNsZWFyIHRvIG1lIHRoYXQgdGhlIGRvY3VtZW50IGNyZWF0aW5nIHRo
ZSByZWdpc3RyeSBuZWVkcyB0bw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U
ZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgYWRoZXJlIHRvIHRoZSBydWxlcyBmb3IgZnVy
dGhlciBhbGxvY2F0aW9ucyBpbiBvcmRlciB0bw0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i
TXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgcHJlcG91bGF0ZSB0aGUgcmVn
aXN0cnkuIHRoYXQgaXMgcGVyaGFwcyBhbiBhcHBlYWwgdG8gZnV0dXJlDQo8bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBjb25z
aXN0ZW5jeS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsgU3VyZSAtIEknbSBhbGwgZm9yIGEgc21hdHRlcmluZyBvZiBpbmNv
bnNpc3RlbmN5Oi0pPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7
Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi
PiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IEJ1dCBJIHRoaW5rIHRoZSBsYWNrIG9mIHNwZWNzIGluIHNv
bWUgb2YgdGhlc2UgY2FzZXMgY291bGQgaW1wYWN0DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz
PSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IG9uIGludGVyb3AsIGUuZy4gaW4g
dGhlIG90cCBjYXNlLCB0aGV5IHF1b3RlIHR3byBSRkNzIGFuZCB5ZXQgb25seQ0KPG86cD48L286
cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBoYXZl
IG9uZSB2YWx1ZS4gVGhhdCBzZWVtcyBhIGJpdCBicm9rZW4gdG8gbWUsIHNvIHRoZSBkaXNjdXNz
DQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZn
dDsmZ3Q7IGlzbid0IHJlYWxseSBhYm91dCB0aGUgZm9ybWFsaXNtLjxvOnA+PC9vOnA+PC9wPg0K
PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48
L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyBTLjxvOnA+
PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsg
PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0
OyZndDsmZ3Q7Jmd0OyZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0
Ij4mZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9
Ik1zb1BsYWluVGV4dCI+Jmd0OyZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwv
cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7Jmd0OyA8bzpw
PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0OyZndDsmZ3Q7
Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7Jmd0
OyZndDsmZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZn
dDsmZ3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsm
Z3Q7Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmZ3Q7
IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpw
PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9k
aXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo=

--_000_CY4PR21MB050481D8CF7B8551D21F38A8F52C0CY4PR21MB0504namp_--


From nobody Mon Mar  6 14:39:11 2017
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
To: Mike Jones <Michael.Jones@microsoft.com>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie> <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie>
Date: Mon, 6 Mar 2017 22:38:53 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="GiwLTeID5MhXCOgCfSqk9XNVl6PT3tF4t"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/73blVlXWKhQGAnGJ4DnrDvhKTs4>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 22:39:07 -0000


Hi Mike,

On 06/03/17 22:34, Mike Jones wrote:
> Thanks for the reply, Stephen.  I'll try to find better
> interop-producing references where possible.
>
> In some cases, however, the values are intentionally intended to
> provide an identifier for a family of closely-related methods, such
> as "otp", which covers both time-based and HMAC-based OTPs.

Hmm. I don't recall text saying that in the draft, but it's
possible that I missed it - can you point me at that?

I do agree that if the semantics here were "some otp was used"
then it would not be necessary to specify exactly which OTP
scheme was used. But that wasn't how I read what this spec
was doing. (Again, that could be me getting the wrong end of
the stick.)

S.


> Many relying parties will be content to know that an OTP has been
> used in addition to a password.  The distinction between which kind
> of OTP was used is not useful to them.  Thus, there's a single
> identifier that can be satisfied in two or more nearly equivalent
> ways.  I consider this to be a feature - not a bug.
>
> Similarly, there's a whole range of nuances between different
> fingerprint matching algorithms.  They differ in false positive and
> false negative rates over different population samples and also
> differ based on the kind and model of fingerprint sensor used.  Like
> the OTP case, many RPs will be content to know that a fingerprint
> match was made, without delving into and differentiating based on
> every aspect of the implementation of fingerprint capture and match.
> Those that want more precision than this can always define new "amr"
> values.  But "fpt" is fine as is for what I believe will be the 90+%
> case.
>
> Ultimately, the RP is depending upon the Identity Provider to do
> reasonable things.  If it didn't trust the IdP to do so, it has no
> business using it.  The "amr" value lets the IdP signal to the RP
> additional information about what it did, for the cases in which that
> information is useful to the RP.
>
> Reducing this to the point of absurdity, the RP would almost never
> care about the make, model, and serial number of the fingerprint
> reader or OTP.  Values could be defined to provide that granularity.
> But making those fine-grained distinctions is not useful in
> practice.
>
> Please consider the existing definitions in light of that reductio ad
> absurdum.  The existing values only make distinctions that are known
> to be useful to RPs.  Slicing things more finely than would be used
> in practice actually hurts interop, rather than helping it, because
> it would force all RPs to recognize that several or many different
> values actually mean the same thing to them.
>
> -- Mike
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Monday, March 6, 2017 2:10 PM
> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
> Hi Mike,
>
> Apologies - I updated the discuss ballot text [1] on Feb 28 but
> must've not sent it as an email or something. Anyway...
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/
>
> On 06/03/17 20:38, Mike Jones wrote:
>> Hi Stephen.  The changes in draft -06 were intended to address your
>> DISCUSS points.  Are you satisfied with these changes or are there
>> additional changes you want?  I'm asking partly because it's a week
>> now until the submission cutoff and if additional changes are needed,
>> I'd like to make them this week.
>
> So I do think there's still work to be done, may as well copy the new
> ballot text here:
>
> "
> I think we still have the problem that the values "defined" here
> (e.g. "fpt") are under specified to a significant degree. RFC4949
> does not tell anyone how to achieve interop with "fpt" (nor any of
> the other cases where you refer to 4949 I think). There is therefore
> no utility in "defining" "fpt" as it will not achieve interop and in
> fact is more likely to cause confusion than interop. If the solution
> of actually defining the meaning of things like "fpt" is not
> achievable then perhaps it will be better to only define those for
> which we can get interop ("pwd" and one or two others) and leave the
> definition of the rest for later. (In saying that I do recall that
> one of the authors said that there are implementations that use some
> of these type-names, but the point of RFCs is not to "bless"
> such things, but to achieve interop.)
> "
>
> Cheers,
> S.
>
>> Thanks,
>> -- Mike
>>
>> -----Original Message-----
>> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
>> Sent: Tuesday, February 28, 2017 6:17 PM
>> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>> Subject: RE: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>
>> Hi Stephen,
>>
>> Draft -06 https://tools.ietf.org/html/draft-ietf-oauth-amr-values-06
>> adds references for all of the defined "amr" values.  Thanks for
>> taking the time to have a thoughtful discussion.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: Wednesday, February 1, 2017 4:45 PM
>> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>
>> On 02/02/17 00:35, Mike Jones wrote:
>>> You can call me lazy if you want.
>>
>> I don't think you're lazy:-) Were I to guess I'd guess that interop
>> for these wasn't a priority and that we're defining them a bit early
>> and a little too generically.
>>
>>> Some of them are so well known, such as "password" or "PIN" it didn't
>>> seem worthwhile to try to track down a reference.
>>
>> Sure, those are fine. The only issues would be if there's a string2key
>> function somewhere but I don't expect there is in this context.
>>
>>> But I'm willing to work with others to find decent references for the
>>> rest of them, if you believe that would improve the quality of the
>>> specification.
>>
>> I do think it would, esp for cases where there are known different
>> options (e.g. otp) or likely ill-defined or proprietary formats. My
>> guess is that some biometrics fit that latter but I could be wrong.
>> If they do, then one runs into the problem of having to depend on
>> magic numbers in the encodings or similar to distinguish which is
>> really error prone and likely to lead to what our learned transport
>> chums are calling ossification;-)
>>
>> Cheers, S.
>>
>>> Best wishes,
>>> -- Mike
>>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Wednesday, February 1, 2017 4:31 PM
>>> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>> On 02/02/17 00:28, Mike Jones wrote:
>>>> The other case of known interop testing of "amr" values is for
>>>> MODRNA (OpenID Connect Mobile Profile) implementations.  There's a
>>>> reference to its use of "amr" values in the spec.
>>>
>>> Yeah, iirc, that one seemed ok (assuming the reference tells me what
>>> code to write which I assume it does).
>>>
>>> I'm still not seeing why some do have sufficient references and
>>> others do not.
>>>
>>> Is there some difficulty with finding references or something?
>>>
>>> S
>>>
>>>> -----Original Message-----
>>>> From: Anthony Nadalin
>>>> Sent: Wednesday, February 1, 2017 4:27 PM
>>>> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Mike Jones <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>>> Subject: RE: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>
>>>> We have interoped between FIDO authenticators vendors and Windows
>>>> Hello
>>>>
>>>> -----Original Message-----
>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>> Sent: Wednesday, February 1, 2017 4:24 PM
>>>> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>
>>>> On 02/02/17 00:21, Mike Jones wrote:
>>>>> Thanks, Tony.  I can add that reference.
>>>>>
>>>>> Stephen, the sets of initial values were chosen from those used in
>>>>> practice by Microsoft and Google in real deployments.
>>>>
>>>> Genuine questions: do you aim to have interop between those
>>>> deployments? What if I wanted to write code that'd interop with msft
>>>> or google?
>>>>
>>>> S.
>>>>
>>>>> About "otp", there are existing use cases for indicating that an
>>>>> OTP was used.  I'm not aware of any of these use cases where the
>>>>> distinction between TOTP and HOTP is important.  Thus, having "otp"
>>>>> now makes sense, where having "hotp" and "totp" now doesn't.
>>>>>
>>>>> Stephen, this may seem like splitting hairs, but the registry
>>>>> instructions for "Specification Document(s)" are about having a
>>>>> reference for the document where the Authentication Method
>>>>> Reference Name (such as "otp") is defined.  In all cases for the
>>>>> initial values, this is the RFC-to-be, so the registry instructions
>>>>> are satisfied.  If someone were, for instance, to define the string
>>>>> "hotp", it would be incumbent on the person requesting its
>>>>> registration to provide a URL to the document where the string
>>>>> "hotp" is defined.  Also having a reference to RFC 4226 in that
>>>>> document would be a good thing, but that isn't what the registry
>>>>> instructions are about.
>>>>>
>>>>> All that said, I can look at also finding appropriate references
>>>>> for the remaining values that don't currently have them.  (Anyone
>>>>> got a good reference for password or PIN to suggest, for instance?)
>>>>>
>>>>> -- Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: Anthony Nadalin
>>>>> Sent: Wednesday, February 1, 2017 4:10 PM
>>>>> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Mike Jones <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>>>> Subject: RE: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>>
>>>>> NIST asked for the addition of IRIS (as they are seeing more use of
>>>>> IRIS over retina due to the accuracy of iris) as they have been
>>>>> doing significant testing on various iris devices and continue to
>>>>> do so, here is a report that NIST released
>>>>> http://2010-2014.commerce.gov/blog/2012/04/23/nist-iris-recognition-report-evaluates-needle-haystack-search-capability.html
>>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Wednesday, February 1, 2017 2:26 PM
>>>>> To: Mike Jones <Michael.Jones@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>>
>>>>> Hi Mike,
>>>>>
>>>>> On 01/02/17 17:00, Mike Jones wrote:
>>>>>> Thanks for the discussion, Stephen.
>>>>>>
>>>>>> To your point about "otp", the working group discussed this very
>>>>>> point.  They explicitly decided not to introduce "hotp" and "totp"
>>>>>> identifiers because no one had a use case in which the distinction
>>>>>> mattered.
>>>>>
>>>>> Then I'm not following why adding "otp" to the registry now is a
>>>>> good plan.
>>>>>
>>>>> If there's a use-case now, then adding an entry with a good
>>>>> reference to the relevant spec seems right.
>>>>>
>>>>> If there's no use-case now, then not adding it to the registry
>>>>> seems right. (Mentioning it as a possible future entry would be
>>>>> fine.)
>>>>>
>>>>> I think the same logic would apply for all the values that this
>>>>> spec adds to the registry. Why is that wrong?
>>>>>
>>>>>> Others can certainly introduce those identifiers and register
>>>>>> them if they do have such a use case, once the registry has been
>>>>>> established.  But the working group wanted to be conservative
>>>>>> about the identifiers introduced to prime the registry, and this
>>>>>> is such a case.
>>>>>>
>>>>>> What identifiers to use and register will always be a balancing
>>>>>> act. You want to be as specific as necessary to add practical and
>>>>>> usable value, but not so specific as to make things unnecessarily
>>>>>> brittle.
>>>>>
>>>>> Eh... don't we want interop? Isn't that the primary goal here?
>>>>>
>>>>>> While some might say there's a difference between serial number
>>>>>> ranges of particular authentication devices, going there is
>>>>>> clearly in the weeds.  On the other hand, while there used to be
>>>>>> an "eye" identifier, Elaine Newton of NIST pointed out that there
>>>>>> are significant differences between retina and iris matching, so
>>>>>> "eye" was replaced with "retina" and "iris". Common sense informed
>>>>>> by actual data is the key here.
>>>>>
>>>>> That's another good example. There's no reference for "iris."
>>>>> If that is used in some protocol, then what format(s) are expected
>>>>> to be supported? Where do I find that spec? If we can answer that,
>>>>> then great, let's add the details. If not, then I'd suggest we omit
>>>>> "iris" and leave it 'till later to add an entry for that. And
>>>>> again, including text with "iris" as an example is just fine, all
>>>>> I'm asking is that we only add the registry entry if we can meet
>>>>> the same bar that we're asking the DE to impose on later additions.
>>>>>
>>>>> And the same for all the others...
>>>>>
>>>>> Cheers, S.
>>>>>
>>>>>> The point of the registry requiring a specification reference is
>>>>>> so people using the registry can tell where the identifier is
>>>>>> defined. For all the initial values, that requirement is
>>>>>> satisfied, since the reference will be to the new RFC.  I think
>>>>>> that aligns with the point that Joel was making.
>>>>>>
>>>>>> Your thoughts?
>>>>>>
>>>>>> -- Mike
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
>>>>>> Sent: Wednesday, February 1, 2017 7:03 AM
>>>>>> To: joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>>>>>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>>>>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>>>
>>>>>> On 01/02/17 14:58, joel jaeggli wrote:
>>>>>>> On 1/31/17 8:26 AM, Stephen Farrell wrote:
>>>>>>>> Stephen Farrell has entered the following ballot position for
>>>>>>>> draft-ietf-oauth-amr-values-05: Discuss
>>>>>>>>
>>>>>>>> When responding, please keep the subject line intact and reply
>>>>>>>> to all email addresses included in the To and CC lines. (Feel
>>>>>>>> free to cut this introductory paragraph, however.)
>>>>>>>>
>>>>>>>> Please refer to
>>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>>>
>>>>>>>> The document, along with other ballot positions, can be found
>>>>>>>> here:
>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>> DISCUSS:
>>>>>>>> ----------------------------------------------------------------------
>>>>>>>>
>>>>>>>> This specification seems to me to break its own rules.
>>>>>>>> You state that registrations should include a reference to a
>>>>>>>> specification to improve interop. And yet, for the strings added
>>>>>>>> here (e.g. otp) you don't do that (referring to section 2 will
>>>>>>>> not improve interop) and there are different ways in which many
>>>>>>>> of the methods in section 2 can be done. So I think you need to
>>>>>>>> add a bunch more references.
>>>>>>>
>>>>>>> Not clear to me that the document creating the registry needs to
>>>>>>> adhere to the rules for further allocations in order to
>>>>>>> prepopulate the registry. that is perhaps an appeal to future
>>>>>>> consistency.
>>>>>>
>>>>>> Sure - I'm all for a smattering of inconsistency:-)
>>>>>>
>>>>>> But I think the lack of specs in some of these cases could impact
>>>>>> on interop, e.g. in the otp case, they quote two RFCs and yet only
>>>>>> have one value. That seems a bit broken to me, so the discuss
>>>>>> isn't really about the formalism.
>>>>>>
>>>>>> S.


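The thread above argues about how coarse the registered "amr" values should be and what that means for a relying party (RP). The following is an added example, not code from the draft or from any participant: an RP-side policy check over the "amr" claim of an ID Token payload. The value names ("pwd", "otp", "fpt", "iris", "retina") are the ones discussed in the thread; the FAMILY table, the policy and the token payloads are constructed for this example, and the table is exactly the equivalence list every RP would have to carry if fine-grained values such as "hotp" and "totp" were registered instead of "otp". Unknown values never satisfy a requirement but do not make the token invalid.

```python
"""Added example (not from the draft or the thread): RP-side policy check
over the "amr" (Authentication Methods References) claim of an ID Token.
"""
import json

# Hypothetical equivalence table an RP would need if fine-grained
# identifiers existed.  Keys are the coarse values from the thread; each
# maps to the spellings the RP accepts as evidence of that family.
FAMILY = {
    "otp": {"otp", "hotp", "totp"},   # thread: "otp" covers TOTP and HOTP
    "fpt": {"fpt"},                   # fingerprint; sensor/algorithm not distinguished
    "iris": {"iris"},                 # thread: "eye" was split into "retina" and "iris"
    "retina": {"retina"},
    "pwd": {"pwd"},
}


def parse_amr(claims):
    """Return the amr claim as a list of strings, or [] when absent.

    A malformed amr (anything but a JSON array of strings) is rejected
    rather than guessed at, so a confused IdP cannot be read as "no MFA".
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def satisfied_families(amr):
    """Map raw amr values onto the coarse families the RP understands."""
    present = set(amr)
    return {fam for fam, members in FAMILY.items() if present & members}


def meets_policy(claims, required):
    """True when every required family is evidenced by the amr claim.

    `required` is a set of coarse family names, e.g. {"pwd", "otp"} for
    "password plus some OTP", which is the distinction the thread says
    most RPs actually care about.
    """
    return set(required) <= satisfied_families(parse_amr(claims))


def unknown_values(claims):
    """amr values the RP does not recognise: worth logging, never satisfied."""
    known = set().union(*FAMILY.values())
    return sorted(set(parse_amr(claims)) - known)


# Constructed sample ID Token payloads (claims only; JWT signature
# verification happens before this check and is out of scope here).
TOKEN_COARSE = json.loads('{"sub": "alice", "amr": ["pwd", "otp"]}')
TOKEN_FINE = json.loads('{"sub": "alice", "amr": ["pwd", "totp"]}')
TOKEN_UNKNOWN = json.loads('{"sub": "alice", "amr": ["pwd", "vendor-x-bio"]}')

if __name__ == "__main__":
    policy = {"pwd", "otp"}
    for name, tok in (("coarse", TOKEN_COARSE), ("fine", TOKEN_FINE),
                      ("unknown", TOKEN_UNKNOWN)):
        print(name, meets_policy(tok, policy), unknown_values(tok))
```

With only the coarse "otp" registered, the FAMILY table collapses to one spelling per key and the RP needs no equivalence bookkeeping at all, which is the interop point Mike makes above.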


From nobody Mon Mar  6 16:51:58 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Mon, 6 Mar 2017 16:49:54 -0800 (PST)
In-Reply-To: <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 6 Mar 2017 16:49:54 -0800
Message-ID: <CAAP42hC+z6xO2xdcADELWKgBZT1vdCiW1kYLvy1ohCMWo-SdpQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a11403d8620e0f8054a1965de
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BHjixb50gNFMAtwFAKoHHGQx3n4>
Cc: internet-drafts@ietf.org, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 00:51:57 -0000

--001a11403d8620e0f8054a1965de
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Section 7.1.1 can probably be rolled up into Section 7.1, I agree it's a
bit out of place. I'll do that in -09.

+1 with the plan that this BCP documents the current state, and we can rev
it if and when that changes.

One comment to add: password eavesdropping isn't the only threat from
WebView, the app is basically in total control and can do other things like
modify the contents of the page, interact with it (like faking a click on
the "Approve" button), copy out the session cookie, etc.



On Mon, Mar 6, 2017 at 12:16 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> On FIDO I can tell you that for security reasons U2F won't work from a
> web-view currently.
>
> Once we move to Web Auth (FIDO 2) where the OS provides an API for apps to
> call to get the token it will work, but the tokens are audienced to the app
> based on its developer key and bundle_id so that an app can't ask for a token
> for a different site to do correlation.
>
> It is true that FIDO UAF currently requires a web-view to work as the
> authenticator is effectively compiled in to each application, and that
> application has access to the private keys on most platforms (Samsung Knox
> being the only exception to that that I know of, where the keys are managed
> by a common API to hardware key storage, but they are scoped like U2F as
> well).
>
> So for the most part it is true that unless you use the browser to get
> the FIDO token the audience is for the app.
> Example: Salesforce creates a native app that may use enterprise SSO via
> SAML, and the enterprise may use FIDO as an authentication factor.
> If they use the webview + FIDO API approach the app can only get a token
> for Salesforce based on its signing key.  It could fire up the web-view and
> do U2F authentication with the enterprise after Salesforce has redirected
> the user.  However, it will give every enterprise a token audienced to
> Salesforce with a Salesforce-specific key.   If there is a second app for,
> say, Slack, and they do the same thing, the enterprise would get a Slack
> audienced token and a Slack key, forcing a separate registration.
>
> The recommended alternative is that the app use a custom tab for the user
> to Salesforce and that redirect to the enterprise.
> The enterprise gets the same token/key with the correct audience from all
> apps on the device using the browser or custom tab.
> The user may not need to sign in a second time, and if they do their FIDO
> token will not need to be re-registered.
>
> The FIDO API approach really only works for first-party apps like PayPal,
> if the app is not doing federation and PayPal is doing the
> authentication for their own app.
>
> Token binding private keys have similar issues.   The pool of private keys
> will probably not be shared between apps, and not between the app and the
> browser (Win 10 may be an exception but it is not documented yet).
>
> In the case of using AppAuth with token binding the browser maintains the
> keys so the enterprise would be able to see the same key and use the same
> cookies across all AppAuth apps.
>
> You can include token binding in your app, however the token bindings and
> cookies are going to be sandboxed per app.
> Depending on implementation the app gets access to the cookie, but perhaps
> not to the private token binding key.  (At least I don't think it will in
> Android embedded webview).
>
> We could expand on this later in an update to the BCP once Web
> Authentication and Token Binding are final.
>
> There are still some unknowns, but in general for any sort of
> SSO/Federation 3rd party app I don't see recommending anything other than a
> custom tab/ view controller/ external browser.
>
> William can take the formatting question :)
>
> John B.
> > On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >
> > Hi William, Hi John,
> >
> > I just re-read version -8 of the document again.
> >
> > Two minor remarks only.
> >
> > Editorial issue: Why do you need to introduce a single sub-section
> > within Section 7.1. (namely Section 7.1.1)?
> >
> > Background question: You note that embedded user agents have the
> > disadvantage that the app that hosts the embedded user-agent can access
> > the user's full authentication credential. This is certainly true for
> > password-based authentication mechanisms but I wonder whether this is
> > also true for strong authentication techniques, such as those used by
> > FIDO combined with token binding. Have you looked into more modern
> > authentication techniques as well and their security implications?
> >
> > Ciao
> > Hannes
> >
> > On 03/03/2017 07:39 AM, William Denniss wrote:
> >> Changes:
> >>
> >> – Addresses feedback from the second round of WGLC.
> >> – Reordered security consideration sections to better group related
> >> topics.
> >> – Added complete URI examples to each of the 3 redirect types.
> >> – Editorial pass.
> >>
> >>
> >>
> >> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org> wrote:
> >>
> >>
> >>    A New Internet-Draft is available from the on-line Internet-Drafts
> >>    directories.
> >>    This draft is a work item of the Web Authorization Protocol of the
> >>    IETF.
> >>
> >>            Title           : OAuth 2.0 for Native Apps
> >>            Authors         : William Denniss
> >>                              John Bradley
> >>            Filename        : draft-ietf-oauth-native-apps-08.txt
> >>            Pages           : 20
> >>            Date            : 2017-03-02
> >>
> >>    Abstract:
> >>       OAuth 2.0 authorization requests from native apps should only be
> >>       made through external user-agents, primarily the user's browser.
> >>       This specification details the security and usability reasons why
> >>       this is the case, and how native apps and authorization servers
> >>       can implement this best practice.
> >>
> >>
> >>    The IETF datatracker status page for this draft is:
> >>    https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
> >>
> >>    There's also a htmlized version available at:
> >>    https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
> >>
> >>    A diff from the previous version is available at:
> >>    https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
> >>
> >>
> >>    Please note that it may take a couple of minutes from the time of
> >>    submission until the htmlized version and diff are available at
> >>    tools.ietf.org.
> >>
> >>    Internet-Drafts are also available by anonymous FTP at:
> >>    ftp://ftp.ietf.org/internet-drafts/
> >>
> >>    _______________________________________________
> >>    OAuth mailing list
> >>    OAuth@ietf.org
> >>    https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
>
>


--001a11403d8620e0f8054a1965de--
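John's point above about per-app scoping of FIDO/U2F credentials (two apps embedding the enterprise login each force their own registration, while a custom tab or external browser yields one shared credential), modelled as an added Python example. This is not code from the thread or from the draft: the HMAC key is a symmetric stand-in for a FIDO key pair, and the IdP name, app identifiers and the "system-browser" caller are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Who is talking to the platform authenticator."""
    kind: str      # "app" for an embedded web-view, "browser" for a custom tab / external browser
    identity: str  # app: bundle_id plus developer-key fingerprint; browser: the browser itself


@dataclass
class Credential:
    key: bytes      # symmetric stand-in for the credential's private key (constructed model)
    scope: Caller   # the caller this credential was created for; never usable by another caller
    rp_id: str      # the relying party (here the enterprise IdP) it was registered with


class Authenticator:
    """Platform authenticator: every credential is bound to the caller that created it."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, caller, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[cred_id] = Credential(key, caller, rp_id)
        return cred_id, key  # the RP keeps (cred_id, key); stand-in for storing a public key

    def get_assertion(self, caller, rp_id, allowed_ids, challenge):
        """Sign the challenge with the first allowed credential matching this caller and RP."""
        for cred_id in allowed_ids:
            cred = self._creds.get(cred_id)
            if cred is None or cred.rp_id != rp_id:
                continue
            if cred.scope != caller:
                continue  # registered by another app (or the browser): invisible to this caller
            return cred_id, hmac.new(cred.key, challenge, hashlib.sha256).digest()
        return None


class EnterpriseIdP:
    """The enterprise relying party; tracks registered credentials per user."""
    rp_id = "idp.example"  # constructed

    def __init__(self):
        self.registered = {}  # user -> {cred_id: key}

    def authenticate(self, authn, user, caller):
        """One FIDO ceremony. Returns 'assertion' if an existing credential worked,
        'registration' if this caller had none and a fresh one had to be enrolled."""
        known = self.registered.setdefault(user, {})
        challenge = os.urandom(32)
        result = authn.get_assertion(caller, self.rp_id, list(known), challenge)
        if result is not None:
            cred_id, tag = result
            expected = hmac.new(known[cred_id], challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("assertion did not verify")
            return "assertion"
        cred_id, key = authn.make_credential(caller, self.rp_id)
        known[cred_id] = key
        return "registration"

    def registrations(self, user):
        return len(self.registered.get(user, {}))


def sso_via_webview(authn, idp, user, app_identity):
    """Third-party app runs enterprise SSO inside its own web-view: the app is the scope."""
    return idp.authenticate(authn, user, Caller("app", app_identity))


def sso_via_browser(authn, idp, user):
    """Same SSO handed off to a custom tab / external browser: one scope shared by all apps."""
    return idp.authenticate(authn, user, Caller("browser", "system-browser"))


def compare_flows(user="alice"):
    """Run both flows for two apps and report how many enrolments the enterprise ends up with."""
    # Embedded web-view path: Salesforce app, then Slack app, then Salesforce again.
    authn, idp = Authenticator(), EnterpriseIdP()
    webview = [
        sso_via_webview(authn, idp, user, "com.salesforce.app/devkey-SF"),  # constructed ids
        sso_via_webview(authn, idp, user, "com.slack.app/devkey-SL"),
        sso_via_webview(authn, idp, user, "com.salesforce.app/devkey-SF"),
    ]
    webview_count = idp.registrations(user)
    # Custom-tab path: both apps hand off to the browser, which owns the single credential.
    authn, idp = Authenticator(), EnterpriseIdP()
    browser = [sso_via_browser(authn, idp, user) for _ in range(3)]
    return {"webview": webview, "webview_registrations": webview_count,
            "browser": browser, "browser_registrations": idp.registrations(user)}


if __name__ == "__main__":
    print(compare_flows())
```

The registration count is the thing to watch: every third-party app that embeds the login adds one more credential the enterprise must enrol and later revoke.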


From nobody Mon Mar  6 18:32:46 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDAA129418; Mon,  6 Mar 2017 18:32:44 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.46.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148885396444.15003.17836337220373686072.idtracker@ietfa.amsl.com>
Date: Mon, 06 Mar 2017 18:32:44 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TuD_pvhqRcAurzWkHL2tqWd4raY>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-09.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 02:32:44 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 for Native Apps
        Authors         : William Denniss
                          John Bradley
        Filename        : draft-ietf-oauth-native-apps-09.txt
        Pages           : 19
        Date            : 2017-03-06

Abstract:
   OAuth 2.0 authorization requests from native apps should only be made
   through external user-agents, primarily the user's browser.  This
   specification details the security and usability reasons why this is
   the case, and how native apps and authorization servers can implement
   this best practice.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-09

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-09


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Mar  6 18:42:07 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1A96129A85 for <oauth@ietfa.amsl.com>; Mon,  6 Mar 2017 18:42:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdm2kSCDqd-d for <oauth@ietfa.amsl.com>; Mon,  6 Mar 2017 18:42:05 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1D69129A74 for <oauth@ietf.org>; Mon,  6 Mar 2017 18:42:04 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id p64so68317962qke.1 for <oauth@ietf.org>; Mon, 06 Mar 2017 18:42:04 -0800 (PST)
X-Received: by 10.55.33.198 with SMTP id f67mr18212211qki.119.1488854523662; Mon, 06 Mar 2017 18:42:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Mon, 6 Mar 2017 18:41:43 -0800 (PST)
In-Reply-To: <148885396444.15003.17836337220373686072.idtracker@ietfa.amsl.com>
References: <148885396444.15003.17836337220373686072.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 6 Mar 2017 18:41:43 -0800
Message-ID: <CAAP42hBSBX+JaCKJeCeh7wmXzwHjAo2SSSUWNkLV2LENDfeD1w@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a1140018e01d77c054a1af51d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JfPOokb_HKP5ynormX9ISxcQ-RY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-09.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 02:42:07 -0000

--001a1140018e01d77c054a1af51d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Editorial changes only in this version.

– Section 7.1.1 was reintegrated into Section 7.1 on Hannes' suggestion.
One security consideration from that section was moved to Section 8.7.
– Other minor nits fixed.

Thank you to everyone who reviewed the document during the recent WGLC!

I believe this document is now complete, and ready for publication.

On Mon, Mar 6, 2017 at 6:32 PM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 for Native Apps
>         Authors         : William Denniss
>                           John Bradley
>         Filename        : draft-ietf-oauth-native-apps-09.txt
>         Pages           : 19
>         Date            : 2017-03-06
>
> Abstract:
>    OAuth 2.0 authorization requests from native apps should only be made
>    through external user-agents, primarily the user's browser.  This
>    specification details the security and usability reasons why this is
>    the case, and how native apps and authorization servers can implement
>    this best practice.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-09
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-09
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--001a1140018e01d77c054a1af51d--


From nobody Mon Mar  6 23:13:03 2017
Return-Path: <n-sakimura@nri.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4A23129611 for <oauth@ietfa.amsl.com>; Mon,  6 Mar 2017 23:13:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEbA8Hm3EgOz for <oauth@ietfa.amsl.com>; Mon,  6 Mar 2017 23:12:59 -0800 (PST)
Received: from nrifs04.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F2D5129610 for <oauth@ietf.org>; Mon,  6 Mar 2017 23:12:59 -0800 (PST)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs04.index.or.jp (Postfix) with ESMTP id 41D54472EE0 for <oauth@ietf.org>; Tue,  7 Mar 2017 16:12:58 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id DAF3E4E0046 for <oauth@ietf.org>; Tue,  7 Mar 2017 16:12:57 +0900 (JST)
Received: from nriea05.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id v277CvKx020766 for <oauth@ietf.org>; Tue, 7 Mar 2017 16:12:57 +0900
Received: from nrims00a.nri.co.jp ([192.50.135.11]) by nriea05.index.or.jp with ESMTP id v277CvHx020763 for <oauth@ietf.org>; Tue, 07 Mar 2017 16:12:57 +0900
Received: from nrims00a.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v277CvM7013305; Tue, 7 Mar 2017 16:12:57 +0900
Received: (from mailnull@localhost) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id v277CvQf013304; Tue, 7 Mar 2017 16:12:57 +0900
X-Authentication-Warning: nrims00a.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf12.index.or.jp ([172.100.25.21]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v277Cvo6013301 for <oauth@ietf.org>; Tue, 7 Mar 2017 16:12:57 +0900
From: "Nat Sakimura" <n-sakimura@nri.co.jp>
To: <oauth@ietf.org>
References: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com>
In-Reply-To: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com>
Date: Tue, 7 Mar 2017 16:13:02 +0900
Message-ID: <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJEXKM2G+bF+beV7D3Q4gZV2EIx56ClZ7FA
Content-Language: ja
X-MailAdviser: 20141126
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zIJzr2uC62y5LsQZeiQYKCQaNUA>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 07:13:02 -0000

Hi Justin, John, and Hannes

Is there an appetite to change the draft in such a way as:

- do not wrap the access token itself. It could include at_hash though.
  Rationale: a PoP access token can be pretty large and I do not want to
  double base64url encode.
- perhaps change ts to a string to accommodate a nonce-like string.

Essentially, what I want to do is not the HTTP signing but just the PoP-based
client authentication, which is very simple.
While I was writing it up, it occurred to me that if the above modification were
done, your draft would be a superset of what I wanted to do.

My write up is here: http://bit.ly/oauth-jpop

Financial API use cases need something like that.
(Another possibility is a sender confirmation.)

Best, 

Nat Sakimura

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.


> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: Tuesday, August 9, 2016 1:34 AM
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] I-D Action:
draft-ietf-oauth-signed-http-request-03.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
> 
>         Title           : A Method for Signing HTTP Requests for OAuth
>         Authors         : Justin Richer
>                           John Bradley
>                           Hannes Tschofenig
> 	Filename        : draft-ietf-oauth-signed-http-request-03.txt
> 	Pages           : 13
> 	Date            : 2016-08-08
> 
> Abstract:
>    This document a method for offering data origin authentication and
>    integrity protection of HTTP requests.  To convey the relevant data
>    items in the request a JSON-based encapsulation is used and the JSON
>    Web Signature (JWS) technique is re-used.  JWS offers integrity
>    protection using symmetric as well as asymmetric cryptography.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03
> 
> 
> Please note that it may take a couple of minutes from the time of
submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
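
Added example, not part of Nat's message or of any draft on this list: a
minimal proof-of-possession client-authentication object along the lines
sketched above, with the resource-server side that verifies it, so that the
replay-protection question around "ts" can be seen concretely. It is
standard-library Python and signs a compact JWS with HS256 for simplicity.
The claim names are this example's assumptions: "at_hash" (base64url of the
left half of the SHA-256 of the access token, as OpenID Connect defines it),
"ts" (the draft's integer timestamp, kept as an integer) and "nonce" (a
separate nonce-like string rather than a string-valued ts). The access token
itself is not wrapped; only its hash travels in the signed object. The key,
token and timestamps in demo() are constructed values.

```python
# Added example (not from any draft or list participant): a PoP client
# authentication object as sketched in the thread, signed as a compact JWS
# (HS256, standard library only), plus a verifier that checks signature,
# at_hash, ts freshness and nonce reuse. Claim names are assumptions.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    # OpenID Connect style: base64url of the left-most 128 bits of SHA-256
    digest = hashlib.sha256(access_token.encode("utf-8")).digest()
    return b64url(digest[:16])


def sign_pop(key: bytes, access_token: str, nonce: str, ts: int) -> str:
    # The access token is not wrapped; only its hash is bound into the object.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"at_hash": at_hash(access_token), "ts": ts, "nonce": nonce}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class PopVerifier:
    """Resource-server side: one instance per shared key, keeps a nonce cache."""

    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew  # accepted |now - ts| in seconds
        self.seen = {}  # nonce -> ts; entries older than the window are dropped

    def verify(self, token: str, access_token: str, now: int) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            return "malformed"
        h, p, s = parts
        expected = hmac.new(self.key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return "bad_signature"
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return "bad_alg"
        claims = json.loads(b64url_decode(p))
        presented = str(claims.get("at_hash", "")).encode("utf-8")
        if not hmac.compare_digest(presented, at_hash(access_token).encode("ascii")):
            return "at_hash_mismatch"
        ts = claims.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > self.max_skew:
            return "stale"
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or not nonce:
            return "missing_nonce"
        # ts alone only bounds the window; the nonce cache catches reuse inside it
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"


def demo() -> list:
    # Constructed inputs for the example; the secret and token are not real.
    key = b"constructed-shared-secret"
    access_token = "constructed.access.token"
    now = 1488880000
    v = PopVerifier(key)
    fresh = sign_pop(key, access_token, "n-1", now)
    results = [
        v.verify(fresh, access_token, now),            # ok
        v.verify(fresh, access_token, now + 1),        # replay: same nonce inside window
        v.verify(fresh, "some-other-token", now),      # at_hash_mismatch
        v.verify(sign_pop(key, access_token, "n-2", now - 1000), access_token, now),  # stale
    ]
    # Splice the payload of a different object onto the first object's signature.
    other_payload = sign_pop(key, access_token, "n-3", now).split(".")[1]
    h, _, s = fresh.split(".")
    results.append(v.verify(f"{h}.{other_payload}.{s}", access_token, now))  # bad_signature
    return results


if __name__ == "__main__":
    print(demo())
```

The point the verifier makes explicit: a timestamp by itself only narrows
the replay window to the clock-skew tolerance, and a repeated object inside
that window still verifies. Rejecting a nonce that has already been seen is
what turns the window into replay protection, and the cache only has to
remember nonces for as long as the window lasts, so it stays bounded.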


From nobody Tue Mar  7 00:16:48 2017
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 915431293F0; Tue,  7 Mar 2017 00:16:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DqnVpIcizcF; Tue,  7 Mar 2017 00:16:44 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0109.outbound.protection.outlook.com [104.47.38.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DAA8128DF6; Tue,  7 Mar 2017 00:16:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=DjyKGGijEJbD+6Wlf53qEMeXBmpmsvCll5toNLnhsuQ=; b=UkZJr9nFYVuJRbCzReqgpZ+UGVWB8Z4HiYI371WE1BP68WUwQ/yVkwp8K18svOhLkEcImIX7Y64F/S8XcRohY6uf9GW+rl5oErwInKWwXLpMocSpsgEHZgH7hXk6I/EOy0aBMRkqKfGWucXno+xoF0GGLPjY0+iVsTxdg4LLXjU=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2030.namprd03.prod.outlook.com (10.163.226.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.12; Tue, 7 Mar 2017 08:16:18 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0947.020; Tue, 7 Mar 2017 08:16:18 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
Thread-Index: AQHSk+dMOuSnAwqhvEuPiji5kSEkmKGCqeOAgAWRfoCAAAnFgIAAyPFg
Date: Tue, 7 Mar 2017 08:16:18 +0000
Message-ID: <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
In-Reply-To: <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [77.241.226.6]
x-ms-office365-filtering-correlation-id: 598821fa-58d8-48d7-05a9-08d465323b32
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:SN1PR0301MB2030; 
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB2030; 7:Bn0AHG12WdDNpmcn9S39UUJjp88HVxeeP0S3akn/O86CKN41srhTBLDShj6ww1sqz8FALXu+KNaE3hyf0sT+wXjcA3hFiAKLozY51QN5g7CVeYci4vs+rXOGgeNWhaIkddsz89NprUDyGMYX6Fy42sd7gnTTCwPfkSiq5xFBIy8Klnh8DYVAUI17kXaDUefosh1l/B88mY0k4lJV1QoS19NA6SyC/JmoGVtUaY6KUDIHAcGW7c5olM1/ntPr5CkzOVi2WLbpRxSj6Mzl4jVZhZEuxc40Sn2Di56n5fqt8mcquzLeePQNlj8GSXKTmj9+rLg7FrhnpTEHByjwZ4z/JwVTTo/PmbS9BDFsNTqXYGQ=
x-microsoft-antispam-prvs: <SN1PR0301MB20307EAA953716D954B55D89A62F0@SN1PR0301MB2030.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(189930954265078)(248736688235697)(219752817060721); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123555025)(20161123562025)(20161123558025)(20161123564025)(20161123560025)(6072148); SRVR:SN1PR0301MB2030; BCL:0; PCL:0; RULEID:; SRVR:SN1PR0301MB2030; 
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39840400002)(39850400002)(39860400002)(39450400003)(377454003)(377424004)(24454002)(13464003)(10290500002)(33656002)(5660300001)(122556002)(66066001)(3846002)(2950100002)(102836003)(6306002)(6116002)(8990500004)(106116001)(229853002)(3280700002)(7736002)(77096006)(3660700001)(74316002)(305945005)(6506006)(8936002)(7696004)(8676002)(54906002)(9686003)(93886004)(5005710100001)(4326008)(575784001)(86362001)(55016002)(99286003)(10090500001)(25786008)(50986999)(53936002)(230783001)(81166006)(54356999)(76176999)(2906002)(189998001)(2900100001)(6436002)(38730400002)(53546006)(6246003)(92566002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB2030; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 08:16:18.0424 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB2030
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DvkLGPDJQuveQPxCnFyzfLnKif0>
Cc: "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 08:16:46 -0000

From nobody Tue Mar  7 00:17:51 2017
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FE41293F0 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 00:17:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gzgJSGqSt50a for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 00:17:49 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0139.outbound.protection.outlook.com [104.47.38.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50142127A90 for <oauth@ietf.org>; Tue,  7 Mar 2017 00:17:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TMm8Llqptz9/Kxja6Q6CTLS9eH0qKGGVtEf3mc98IW0=; b=BFnl+sYy2QDKLHk0sTs/7W1IEBmWn3ly/GaMpdcphSBnUclisorEnOaw2vgIEBwq/QQWmmYCduA0Hy17bkerZf5cvjK6LynisecaM/15nZXRJgfVE0j0Fp/E5NBwa2m5HUg5F8CI8QQf0tbJSS9fUehoneC24bXeXG3/dWWeKRY=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2030.namprd03.prod.outlook.com (10.163.226.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.12; Tue, 7 Mar 2017 08:17:47 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0947.020; Tue, 7 Mar 2017 08:17:47 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
Thread-Index: AQHSlpMJiBqdCdddNUe0Gmp8kta8QqGJCSvg
Date: Tue, 7 Mar 2017 08:17:47 +0000
Message-ID: <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
In-Reply-To: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmx.net; dkim=none (message not signed) header.d=none;gmx.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [77.241.226.6]
x-ms-office365-filtering-correlation-id: f4c67281-c16b-4843-26e1-08d465327078
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:SN1PR0301MB2030; 
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB2030; 7:4ezatwR0m2gS9BbTtc/x5T34OdLaTFAlLGpd1dKu0EGPbtcwIuIz5lSFGtZB/zGoTtegUFOYDtgBgDDn0fPOTkJYQ7AOaoqwE77k8SO3xmOqFdk9r8bdG6OHrNdJCFq6zeQ1mgQXorkoUUA63/gU2bPySi0Q2H1UBJFarsEQWU/BiFxtYIRdGTEoBZ4QjaR2iIYxxv2c8/9nwr/QQl4TvVVoRIEm36s24ZyVoczIA3RoH+c+08Nh+GzRFaBsLe8oTv29kBTB1zmoangVR0Pj9SxT0stTC5vQQ/lNC+/4ikiFGU74Dzre4pupa3CGhl3W1XCCMjRZ96AqnMqNLARttFMDtA7VlkLObodq+F9K8i4=
x-microsoft-antispam-prvs: <SN1PR0301MB20304A461FEA3B0A4C5F2565A62F0@SN1PR0301MB2030.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123560025)(20161123558025)(20161123562025)(20161123555025)(6072148); SRVR:SN1PR0301MB2030; BCL:0; PCL:0; RULEID:; SRVR:SN1PR0301MB2030; 
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39840400002)(39850400002)(39860400002)(39450400003)(377454003)(13464003)(10290500002)(15650500001)(33656002)(5660300001)(122556002)(66066001)(3846002)(2950100002)(102836003)(6306002)(6116002)(8990500004)(106116001)(229853002)(3280700002)(7736002)(77096006)(3660700001)(74316002)(305945005)(6506006)(8936002)(7696004)(8676002)(9686003)(5005710100001)(575784001)(86362001)(55016002)(99286003)(10090500001)(25786008)(50986999)(53936002)(81166006)(54356999)(76176999)(2906002)(2501003)(189998001)(2900100001)(6436002)(38730400002)(53546006)(6246003)(92566002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB2030; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 08:17:47.4212 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB2030
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/q6HzJ0lH_32i2fogkrpUjarvlmY>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 08:17:50 -0000

From nobody Tue Mar  7 00:23:36 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31E58129510 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 00:23:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level: 
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sE8IzNTmYroA for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 00:23:33 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3EA4127A90 for <oauth@ietf.org>; Tue,  7 Mar 2017 00:23:32 -0800 (PST)
Received: from [192.168.91.177] ([80.92.114.23]) by mail.gmx.com (mrgmx102 [212.227.17.168]) with ESMTPSA (Nemesis) id 0Lxu7U-1cFJaz3BK8-015GxS; Tue, 07 Mar 2017 09:23:25 +0100
To: Anthony Nadalin <tonynad@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net> <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <b260eb1d-bad5-10fb-f732-6efb987be6b0@gmx.net>
Date: Tue, 7 Mar 2017 09:23:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="d6iA0Hh2HTa15qkU7fOG1qgnfoknCl9Hr"
X-Provags-ID: V03:K0:EA6/fWrrpHyf2g9rvzzUAZ1NJalAEHPl/qzljyLBKZsZ//MKeQI VAs0OY9kQJLJX59urtame4TLNNlI4W9k/sfZBFmxySXwTxVVDq3kRciuWU3Anmk+HWa9Jot vhCD/NXnVa0I3LaLyr84JEMdBjISJ3C58C1obdLLtMkV3f6DzW7ef1LOYxDifOjMR72w62u 3CuxFl9yC8ewO2Udpdd6A==
X-UI-Out-Filterresults: notjunk:1;V01:K0:hhWw9F7pzrs=:sWI153m23vDFTKR6JwkTt5 giQelJy7W33WyHErf0JJbfskrLI4nOttXjqZA6II06/xDmk9jrqRK8102NmM3dAv8pOT63yYb kajIyC5C2blEw8BUHCmkpl5eM38zM58pnBRey/j3u7TwQ4gfo3L+dzKFQ7rAlsg5w+lTxAv+X FVa2vXqzB4SlL+YxWsw46fS80r1F74uIAzarQP+U42h4+Le9yg/11KeooicxFp1vPe/0JHyOf gjqCPMcajS+t2p2zIelQecnz/UDMF0ZXjOSI2d1QtO6kfTvCUIL3SVp3Xi/oy8II/uXs8UAoE A9mctaw8xlzKIsFK2TglEOY1vsRYvggH5uPWQ6NFYjwm/JJOlB/fik7/zPObrBq/eUUgxsiYV fzYqb64Rc511UKWehgzZkbkXdUNTZKqWAHJsiHpMFhzOE7ZVS41aYlqqrADR4kO9pndDOyt53 rQxo1ZNI5shpvuzpp67fAnXNup8A/eDsebiR+EB03eK3YSWA5TKMPgwo020t3DnjNDMP0VwrN ftmftgIRNNWrnBRQLXr0yV+ngOJbMqu+7TOUl9rgFvCsSaxV0bus0gm32vSNJqy6cQswECrRh DSnO1gVWbfj0nHDFwuvUp7bACWllpx098AZsqZMzZI0CJRwfLKdSfM4ffex4kNLPLkYZDR+8t qfKacxQbKFB8iQVJ/0OjehulWcw+6OXfe7C1BDDTlsJGZ0y+lFAd5dgpY28TFHJjOpWm+qA+i /nWsEU5cpFnu5JyGTi5r8UBz3oluQvY/lzVAjYLiLwb7cBUq3Jx5I+YRrwk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Zt3HF1z1v7CmuOJaDsPugjuWndQ>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 08:23:34 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--d6iA0Hh2HTa15qkU7fOG1qgnfoknCl9Hr
Content-Type: multipart/mixed; boundary="pVAX9do0qfftsmMs27cu4W37AxAexwL58";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Anthony Nadalin <tonynad@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <b260eb1d-bad5-10fb-f732-6efb987be6b0@gmx.net>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
 <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
In-Reply-To: <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>

--pVAX9do0qfftsmMs27cu4W37AxAexwL58
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Tony

thanks for the feedback. I have requested publication of the document a
few minutes ago already and we will incorporate any remarks from my
co-workers as part of the IETF-wide last call.

Ciao
Hannes

On 03/07/2017 09:17 AM, Anthony Nadalin wrote:
> I'm still getting feedback on the Windows examples that are pointed to by the spec, since it's not a simple case on Windows
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, March 6, 2017 8:00 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
> 
> Here is the shepherd write-up:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
> 
> Feedback appreciated. I will also do another shepherd review.
> 
> Ciao
> Hannes
> 


--pVAX9do0qfftsmMs27cu4W37AxAexwL58--

--d6iA0Hh2HTa15qkU7fOG1qgnfoknCl9Hr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYvm38AAoJEGhJURNOOiAtJ90H/1+8Iw14Bs6L6oTARyI09KIm
BFZGyx+6pPRvZnOUW8B0qvQbBNfbb1DtzSlT96/3Baiq7G8WPRrZD98nrFvWqQEe
PCjNPVw9K/rG3HL7Vmn8xTpKMxGLrKJmKLzYEXo39v4MZPDZEDvztqpjtkL4JZdf
gamaaZ+VgBZ7oUcTYH85NGF6Dc1K1CI7S8H9k0dxTk+RNCS7LjSeYj0Nuce04bdP
mRmcjdf5dY3Fyuz/cH3UqXDKloQc5hn8oOACNDBxPZ3/NunYLzAZUI+qL2hbSZWq
SBu6Mu9jSHQZD6RvFtTBqxKq1NIbEKlY1Gf5VLxLoCB6Z03NtV29uCJ5+yxTeX4=
=tsNr
-----END PGP SIGNATURE-----

--d6iA0Hh2HTa15qkU7fOG1qgnfoknCl9Hr--


From nobody Tue Mar  7 02:59:05 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB860129413 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 02:59:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level: 
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2DKEqBeYgA3 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 02:59:00 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B759126DFB for <oauth@ietf.org>; Tue,  7 Mar 2017 02:59:00 -0800 (PST)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 052187803C6; Tue,  7 Mar 2017 11:58:57 +0100 (CET)
To: Nat Sakimura <n-sakimura@nri.co.jp>, oauth@ietf.org
References: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com> <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
From: Denis <denis.ietf@free.fr>
Message-ID: <34babded-e458-e4e2-4582-26063e304276@free.fr>
Date: Tue, 7 Mar 2017 11:58:58 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
Content-Type: multipart/alternative; boundary="------------E11565B25B58AA778141CF3F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Oqz9khfdI1ShqZTvu0_YnqQc8Jg>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 10:59:04 -0000

This is a multi-part message in MIME format.
--------------E11565B25B58AA778141CF3F
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Hi Nat,

I see that you are now back on the list.

Please take note that "draft-ietf-oauth-signed-http-request-03.txt" 
expired on February 9, 2017.

You said: "perhaps change ts to string to accommodate nonce like string"

In this draft, ts is defined as:

    ts RECOMMENDED.  The timestamp.  This integer provides replay
       protection of the signed JSON object.  Its value MUST be a number
       containing an integer value representing number of whole integer
       seconds from midnight, January 1, 1970 GMT.

Section 7 is silent about replay protection and this is the single 
instance where "ts" is mentioned in the document.

Hence it is rather hazy how to deal with this value, which is misnamed 
since it should rather be called "iat", which means "Issued At".

A "nonce" is a concept which does not exist in OAuth 2.0 documents (but 
which does exist in Open ID Connect documents).

The core of the discussion is to explain how to achieve *replay 
protection of the signed JSON object*.

I sent an email on Fri, 17 Feb 2017 21:51:18 +0100 with the following 
title:
Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwsreq-11.txt>
(The OAuth 2.0 Authorization Framework: JWT Secured Authorization 
Request (JAR)) to Proposed Standard
and _I got no response_.

Please take a look at *ITEM 1* in the email from Friday, 17 February 2017, 
which addresses replay protection of the signed JSON object
and proposes a solution for OAuth 2.0 (which could be used as well by 
Open ID Connect).

I take the opportunity of this email to comment on the individual draft 
you posted at: http://bit.ly/oauth-jpop
and which is called: draft-sakimura-oauth-jpop-00

The Abstract states:

    Only the party *in possession of* a corresponding cryptographic key
    with the Jpop token can use it to get access
    to the associated resources unlike in the case of the bearer token
    described in [RFC6750]
    <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/Nat/oauth-rjwtprof/raw/tip/draft-sakimura-oauth-jpop.xml#RFC6750>
    where any party in
    possession of the access token can access the resource.

The text should rather be changed into:

    Only the party *able to use* a corresponding cryptographic key with
    the Jpop token can use it to get access
    to the associated resources

You know that in case of a collusion between clients, this method will 
be ineffective.

Simply stating in the Security Considerations section "The client's 
secret key must be kept securely. " is insufficient.

Also the text is speaking of a nonce which is not a value that has been 
registered by IANA.

Denis

> Hi Justin, John, and Hannes
>
> Is there an appetite to change the draft in such a way as:
>
> - do not wrap access token itself. It could include at_hash though.
>    Rationale: Pop access token can be pretty large and I do not want to
>    double base64url encode.
> - perhaps change ts to string to accommodate nonce like string.
>
> Essentially, what I want to do is not the http signing but just the pop
> based client authentication, which is very simple.
>
> While I was writing it up, it occurred that if the above modification were
> done, your draft will be a superset of what I wanted to do.
>
> My write up is here: http://bit.ly/oauth-jpop
>
> Financial API use cases need something like that.
> (Another possibility is a sender confirmation.)
>
> Best,
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the
> named recipient only. If you are not an intended recipient,
> please notify the sender  and delete this e-mail.
>
>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
>> internet-drafts@ietf.org
>> Sent: Tuesday, August 9, 2016 1:34 AM
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action:
> draft-ietf-oauth-signed-http-request-03.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>          Title           : A Method for Signing HTTP Requests for OAuth
>>          Authors         : Justin Richer
>>                            John Bradley
>>                            Hannes Tschofenig
>> 	Filename        : draft-ietf-oauth-signed-http-request-03.txt
>> 	Pages           : 13
>> 	Date            : 2016-08-08
>>
>> Abstract:
>>     This document describes a method for offering data origin authentication and
>>     integrity protection of HTTP requests.  To convey the relevant data
>>     items in the request a JSON-based encapsulation is used and the JSON
>>     Web Signature (JWS) technique is re-used.  JWS offers integrity
>>     protection using symmetric as well as asymmetric cryptography.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03
>>
>>
>> Please note that it may take a couple of minutes from the time of
> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



--------------E11565B25B58AA778141CF3F--
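The question at the centre of this exchange is what "ts" alone buys: a timestamp bounds how long a captured signed JSON object stays usable, but within that window the resource server will accept the same object again. The block below is an added example written for this page; it is not code from draft-ietf-oauth-signed-http-request or from any poster in the thread. It signs a request object in JWS compact form with HS256 and verifies it two ways: with the draft's "ts" check only, and with a single-use nonce on top. The nonce travels in a "jti" member (an assumption; the draft defines only "ts") and is derived in the H(timestamp|client_id|key) style that comes up later in the thread. The shared key, client identifier and access-token string are constructed; the member names at/m/u/p/ts follow the draft's JSON object as I read it.

```python
import base64
import hashlib
import hmac
import json

# Added example for this thread, not code from draft-ietf-oauth-signed-http-request
# or from any of the posters. "jti" as the nonce member and the derive_nonce()
# construction are assumptions; the draft itself defines only "ts".


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_nonce(ts: int, client_id: str, key: bytes) -> str:
    """Nonce-like string in the H(timestamp | client_id | key) style mentioned in
    the thread. Any unguessable, per-request value would serve the same purpose."""
    return hashlib.sha256(f"{ts}|{client_id}|".encode() + key).hexdigest()[:32]


def sign_request(key: bytes, claims: dict) -> str:
    """JWS compact serialization (RFC 7515) with HS256 over the request object."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class Verifier:
    """Resource-server side. window: largest |now - ts| in seconds still accepted."""

    def __init__(self, key: bytes, window: int = 300, require_nonce: bool = False):
        self.key = key
        self.window = window
        self.require_nonce = require_nonce
        self.seen = {}  # jti -> moment after which the entry can be forgotten

    def verify(self, token: str, now: int) -> str:
        header, payload, sig = token.split(".")
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Check the signature before trusting any member of the object.
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return "bad_signature"
        claims = json.loads(b64url_decode(payload))
        ts = claims.get("ts")
        if not isinstance(ts, int) or isinstance(ts, bool):
            return "missing_ts"
        # The draft's ts check: bounds the lifetime of a captured object, nothing more.
        if abs(now - ts) > self.window:
            return "stale"
        if self.require_nonce:
            jti = claims.get("jti")
            if not isinstance(jti, str) or not jti:
                return "missing_nonce"
            # An entry only has to live as long as its ts could still be accepted.
            for old in [k for k, keep_until in self.seen.items() if keep_until < now]:
                del self.seen[old]
            if jti in self.seen:
                return "replay"
            self.seen[jti] = ts + self.window
        return "ok"


def demo() -> dict:
    key = b"constructed-shared-secret"      # constructed key shared by client and RS
    now = 1488889551                         # an epoch second in March 2017
    client_id = "s6BhdRkqt3"                 # constructed client identifier
    claims = {"at": "constructed-access-token", "m": "GET", "u": "rs.example.com",
              "p": "/resource", "ts": now, "jti": derive_nonce(now, client_id, key)}
    token = sign_request(key, claims)
    # Forgery attempt: keep header and signature, edit the path in the payload.
    h, _, s = token.split(".")
    forged = f"{h}.{b64url(json.dumps(dict(claims, p='/admin')).encode())}.{s}"
    no_ts = sign_request(key, {k: v for k, v in claims.items() if k != "ts"})

    ts_only = Verifier(key, window=300)
    with_nonce = Verifier(key, window=300, require_nonce=True)
    return {
        "ts_only_first": ts_only.verify(token, now + 5),
        "ts_only_replay": ts_only.verify(token, now + 60),   # still "ok": ts alone does not stop replay
        "nonce_first": with_nonce.verify(token, now + 5),
        "nonce_replay": with_nonce.verify(token, now + 60),  # "replay"
        "nonce_late": with_nonce.verify(token, now + 400),   # "stale"
        "forged": ts_only.verify(forged, now + 5),           # "bad_signature"
        "no_ts": ts_only.verify(no_ts, now + 5),             # "missing_ts"
    }


if __name__ == "__main__":
    print(demo())
```

Run with python3; the dictionary it returns shows the ts-only verifier answering "ok" to the same object twice, while the nonce-aware one answers "replay" on the second presentation and "stale" once the window has passed. The seen-cache here is per-process: behind a load balancer it has to be shared between resource-server instances, otherwise the check silently degrades back to the ts-only behaviour.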


From nobody Tue Mar  7 04:25:55 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2030012940A for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 04:25:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level: 
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0wSpRgt8KG2M for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 04:25:52 -0800 (PST)
Received: from mail-qk0-f174.google.com (mail-qk0-f174.google.com [209.85.220.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1786C128AC9 for <oauth@ietf.org>; Tue,  7 Mar 2017 04:25:52 -0800 (PST)
Received: by mail-qk0-f174.google.com with SMTP id v125so224791qkh.2 for <oauth@ietf.org>; Tue, 07 Mar 2017 04:25:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=rm4222rfQmWOo3HCsTeBDq8+i+KjwCJ7qSX+5wuYRd8=; b=D0akG7hmv74E5Z5JwiXNLumm0jkns107i68e+D0VUYwI6UDQagBOka5LhF+DFNtjP1 Zrv/Bq2sXt7YQ/VuLAsKogvk75xRjjEGuGBN0eaiVC/XzfpnTzitevex5OFgOotGp4uq P3OZWJ9oWWcONOfXjFHGmOiYrQ99u8/qqmmJ15x8ju3dnrzD4JC7t4XcC/4RClhnZwQE YwdYBHDZ2dPsFoPBMYl46hcckivVS3soA3D/YoKq2qDFxKQqAKjUitL/bUFGiA2RbJxh VlFk1+XC6SD2mGRw53msSZgGJHU+NuVNAQv8g5NM6P2nP4NTUr92PjmXH58hDR7RRLtH TFBw==
X-Gm-Message-State: AMke39kAmJ/8S8Co556BcNL8U3bzVDUX6CNaU1vsQPymQWjRNClGlsB5DeeahIJIhopXAm4qnytg5cqg9wX3PA==
X-Received: by 10.237.44.229 with SMTP id g92mr20532866qtd.204.1488889551006;  Tue, 07 Mar 2017 04:25:51 -0800 (PST)
MIME-Version: 1.0
References: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com> <05e001d29712$424a5960$c6df0c20$@nri.co.jp> <34babded-e458-e4e2-4582-26063e304276@free.fr>
In-Reply-To: <34babded-e458-e4e2-4582-26063e304276@free.fr>
From: Nat Sakimura <n-sakimura@nri.co.jp>
Date: Tue, 07 Mar 2017 12:25:40 +0000
Message-ID: <CABzCy2C00tJitbd+zhRS8+xMx1yFCc-apBHM5PfG+GOM6WemRQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>, oauth@ietf.org
Content-Type: multipart/alternative; boundary=94eb2c1249e6cc379f054a231cbe
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/V0nPnAulhf83Vz1kG6HO9UAH9Iw>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 12:25:54 -0000

--94eb2c1249e6cc379f054a231cbe
Content-Type: text/plain; charset=UTF-8

Thanks Denis,

Yes. As currently specified, ts is an integer. My previous mail requested
it to be a string instead so that I can use it as a nonce generated in the
style of H(timestamp|client_id|key) etc. I agree this is the place to
discuss replay protection etc. (Not in JAR, which is just a container
format.)

And, I have not yet posted oauth-jpop as an I-D :-) It is still in my repo
only and it has got more things to be done before it can be posted.
Hopefully, I can add more text and post it by Friday this week to make the
deadline for the next IETF.

Best,

Nat



On Tue, Mar 7, 2017 at 7:59 PM Denis <denis.ietf@free.fr> wrote:

> Hi Nat,
>
> I see that you are now back to the list.
>
> Please take note that "draft-ietf-oauth-signed-http-request-03.txt" has
> expired on February 9, 2017.
>
> You said: "perhaps change ts to string to accommodate nonce like string"
>
> In this draft, ts is defined as:
>
>    ts RECOMMENDED.  The timestamp.  This integer provides replay
>       protection of the signed JSON object.  Its value MUST be a number
>       containing an integer value representing number of whole integer
>       seconds from midnight, January 1, 1970 GMT.
>
> Section 7 is silent about replay protection and this is the single
> instance where "ts" is mentioned in the document.
>
> Hence it is rather hazy to understand how to deal with this value which is
> misnamed since it should rather be called:
> "iat" which means "Issued At".
>
> A "nonce" is a concept which does not exist in OAuth 2.0 documents (but
> which does exist in OpenID Connect documents).
>
> The core of the discussion is to explain how to achieve *replay
> protection of the signed JSON object*.
>
> I sent an email on Fri, 17 Feb 2017 21:51:18 +0100 with the following
> title :
> Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwsreq-11.txt>
> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request
> (JAR)) to Proposed Standard
> and *I got no response*.
>
> Please take a look at *ITEM 1* in the email from Friday, 17 February 2017
> which addresses replay protection of the signed JSON object
> and proposes a solution for OAuth 2.0 (which could be used as well by
> OpenID Connect).
>
> I take the opportunity of this email to comment on the individual draft
> you posted at:  http://bit.ly/oauth-jpop
> and which is called: draft-sakimura-oauth-jpop-00
>
> The Abstract states:
>
> Only the party *in possession of* a corresponding cryptographic key with
> the Jpop token can use it to get access
> to the associated resources unlike in the case of the bearer token
> described in [RFC6750]
> <https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/Nat/oauth-rjwtprof/raw/tip/draft-sakimura-oauth-jpop.xml#RFC6750>
> where any party in
> possession of the access token can access the resource.
>
> The text should rather be changed into:
>
> Only the party *able to use* a corresponding cryptographic key with the
> Jpop token can use it to get access
> to the associated resources
>
> You know that in case of a collusion between clients, this method will be
> ineffective.
>
> Simply stating in the Security Considerations section "The client's secret
> key must be kept securely. " is insufficient.
>
> Also the text is speaking of a nonce which is not a value that has been
> registered by IANA.
>
>
> Denis
>
> Hi Justin, John, and Hannes
>
> Is there an appetite to change the draft in such a way as:
>
> - do not wrap access token itself. It could include at_hash though.
>   Rationale: Pop access token can be pretty large and I do not want to
>   double base64url encode.
> - perhaps change ts to string to accommodate nonce like string.
>
> Essentially, what I want to do is not the http signing but just the pop
> based client authentication, which is very simple.
>
> While I was writing it up, it occurred that if the above modification were
> done, your draft will be a superset of what I wanted to do.
>
> My write up is here: http://bit.ly/oauth-jpop
>
> Financial API use cases need something like that.
> (Another possibility is a sender confirmation.)
>
> Best,
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the
> named recipient only. If you are not an intended recipient,
> please notify the sender  and delete this e-mail.
>
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: Tuesday, August 9, 2016 1:34 AM
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] I-D Action:
>
> draft-ietf-oauth-signed-http-request-03.txt
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : A Method for Signing HTTP Requests for OAuth
>         Authors         : Justin Richer
>                           John Bradley
>                           Hannes Tschofenig
> 	Filename        : draft-ietf-oauth-signed-http-request-03.txt
> 	Pages           : 13
> 	Date            : 2016-08-08
>
> Abstract:
>    This document describes a method for offering data origin authentication and
>    integrity protection of HTTP requests.  To convey the relevant data
>    items in the request a JSON-based encapsulation is used and the JSON
>    Web Signature (JWS) technique is re-used.  JWS offers integrity
>    protection using symmetric as well as asymmetric cryptography.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

--94eb2c1249e6cc379f054a231cbe
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks Denis,=C2=A0<div><br></div><div>Yes. As currently s=
pecified, ts is an integer. My previous mail requested it to be string inst=
ead so that I can used it as a nonce generated in the style of H(timestamp|=
client_id|key) etc. I agree this is the place to discuss replay protection =
etc. (Not in JAR, which is just a container format.)=C2=A0<br><div><br></di=
v><div>And, I have not yet posted oauth-jpop as an I-D :-) It is still in m=
y repo only and it has got more things to be done before it can be posted. =
Hopefully, I can add more text and post it by Friday this week to make the =
deadline for the next IETF.=C2=A0</div></div><div><br></div><div>Best,=C2=
=A0</div><div><br></div><div>Nat</div><div><br></div><div><br></div></div><=
br><div class=3D"gmail_quote"><div dir=3D"ltr">On Tue, Mar 7, 2017 at 7:59 =
PM Denis &lt;<a href=3D"mailto:denis.ietf@free.fr">denis.ietf@free.fr</a>&g=
t; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex">
 =20
   =20
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
    <div class=3D"m_7306600581705944491moz-cite-prefix gmail_msg">Hi Nat,<b=
r class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      I see that you are now back to the list.<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Please take note that
      &quot;draft-ietf-oauth-signed-http-request-03.txt&quot; has expired o=
n
      February 9, 2017 .<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      You said: &quot;<font color=3D"#000099" class=3D"gmail_msg">perhaps c=
hange ts to string to
        accommodate nonce like string</font>&quot;
      <br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      In this draft, ts is defined as:<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      =C2=A0=C2=A0 ts RECOMMENDED.=C2=A0 The timestamp.=C2=A0 This integer =
provides replay<br class=3D"gmail_msg">
      =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 protection of the signed JSON object.=
=C2=A0 Its value MUST be a
      number<br class=3D"gmail_msg">
      =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 containing an integer value representi=
ng number of whole
      integer<br class=3D"gmail_msg">
      =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 seconds from midnight, January 1, 1970=
 GMT.<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Section 7 is silent about replay protection and this is the single
      instance where &quot;ts&quot; is mentioned in the document.<br class=
=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Hence it is rather hazy to understand how to deal with this value
      which is misnamed since it should rather be called: <br class=3D"gmai=
l_msg">
      &quot;iat&quot; which means &quot;Issued At&quot;.<br class=3D"gmail_=
msg">
      <br class=3D"gmail_msg">
      A &quot;nonce&quot; is a concept which does not exist in OAuth 2.0 do=
cuments
      (but which does exist in Open ID Connect documents).<br class=3D"gmai=
l_msg">
      <br class=3D"gmail_msg">
      The core of the discussion is to explain how to achieve <b class=3D"g=
mail_msg">replay
        protection of the signed JSON object</b>. <br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      I sent an email on Fri, 17 Feb 2017 21:51:18 +0100 with the
      following title :<br class=3D"gmail_msg">
      <font color=3D"#000099" class=3D"gmail_msg">Re: [OAUTH-WG] Last Call:
        &lt;draft-ietf-oauth-jwsreq-11.txt&gt; <br class=3D"gmail_msg">
        (The OAuth 2.0 Authorization Framework: JWT Secured
        Authorization Request (JAR)) to Proposed Standard</font><br class=
=3D"gmail_msg">
      and <u class=3D"gmail_msg">I got no response</u>.<br class=3D"gmail_m=
sg">
      <br class=3D"gmail_msg">
      Please take a look at<b class=3D"gmail_msg"> ITEM 1</b> in the email =
from Friday, 17
      February 2017 which addresses replay protection of the signed JSON
      object<br class=3D"gmail_msg">
      and proposes a solution for OAuth 2.0 (which could be used as well
      by Open ID Connect).<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      I take the opportunity of this email to comment on the individual
      draft you posted at:=C2=A0 <font color=3D"#000099" class=3D"gmail_msg=
"><a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D=
"http://bit.ly/oauth-jpop" target=3D"_blank">http://bit.ly/oauth-jpop</a>
      </font><br class=3D"gmail_msg">
      and which is called: <span class=3D"m_7306600581705944491filename gma=
il_msg"><font color=3D"#000099" class=3D"gmail_msg">draft-sakimura-oauth-jp=
op-00</font><br class=3D"gmail_msg">
        <br class=3D"gmail_msg">
        The Abstract states:</span><br class=3D"gmail_msg">
      <blockquote class=3D"gmail_msg">Only the party <b class=3D"gmail_msg"=
>in possession of</b> a
        corresponding cryptographic key with the Jpop token can use it
        to get access <br class=3D"gmail_msg">
        to the associated resources unlike in the case of the bearer
        token described in <a href=3D"https://xml2rfc.tools.ietf.org/cgi-bi=
n/xml2rfc.cgi?Submit=3DSubmit&amp;format=3Dascii&amp;mode=3Dhtml&amp;type=
=3Dascii&amp;url=3Dhttps://bitbucket.org/Nat/oauth-rjwtprof/raw/tip/draft-s=
akimura-oauth-jpop.xml#RFC6750" class=3D"gmail_msg" target=3D"_blank">[RFC6=
750]</a>
        where any party in <br class=3D"gmail_msg">
        possession of the access token can access the resource. <br class=
=3D"gmail_msg">
      </blockquote>
      The text should rather be changed into:<br class=3D"gmail_msg">
      <blockquote class=3D"gmail_msg">Only the party <b class=3D"gmail_msg"=
>able to use</b> a corresponding
        cryptographic key with the Jpop token can use it to get access <br =
class=3D"gmail_msg">
        to the associated resources<br class=3D"gmail_msg">
      </blockquote>
      You know that in case of a collusion between clients, this method
      will be ineffective. <br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Simply stating in the Security Considerations section &quot;The
      client&#39;s secret key must be kept securely. &quot; is insufficient=
.<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Also the text is speaking of a nonce which is not a value that has
      been registered by IANA.</div></div><div bgcolor=3D"#FFFFFF" text=3D"=
#000000" class=3D"gmail_msg"><div class=3D"m_7306600581705944491moz-cite-pr=
efix gmail_msg"><br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
      Denis<br class=3D"gmail_msg">
      <br class=3D"gmail_msg">
    </div></div><div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_ms=
g">
    <blockquote type=3D"cite" class=3D"gmail_msg">
      <pre class=3D"gmail_msg">Hi Justin, John, and Hannes

Is there an appetite to change the draft in such a way as:=20

- do not wrap access token itself. It could include at_hash though.=20
  Rationale: Pop access token can be pretty large and I do not want to
  double base64url encode.=20
- perhaps change ts to string to accommodate nonce like string.=20

Essentially, what I want to do is not the http signing but just the pop
based client authentication, which is very simple.=20

While I was writing it up, it occurred that if the above modification were
done, your draft will be a superset of what I wanted to do.=20

My write up is here: <a class=3D"m_7306600581705944491moz-txt-link-freetext=
 gmail_msg" href=3D"http://bit.ly/oauth-jpop" target=3D"_blank">http://bit.=
ly/oauth-jpop</a>

Financial API uses cases needs something like that.=20
(Another possibility is a sender confirmation.)=20

Best,=20

Nat Sakimura

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.


</pre>
      <blockquote type=3D"cite" class=3D"gmail_msg">
        <pre class=3D"gmail_msg">-----Original Message-----
From: OAuth [<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_m=
sg" href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">mailto:oauth-b=
ounces@ietf.org</a>] On Behalf Of
<a class=3D"m_7306600581705944491moz-txt-link-abbreviated gmail_msg" href=
=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">internet-drafts@ietf=
.org</a>
Sent: Tuesday, August 9, 2016 1:34 AM
To: <a class=3D"m_7306600581705944491moz-txt-link-abbreviated gmail_msg" hr=
ef=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d-announce@ietf.org=
</a>
Cc: <a class=3D"m_7306600581705944491moz-txt-link-abbreviated gmail_msg" hr=
ef=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>
Subject: [OAUTH-WG] I-D Action:
</pre>
      </blockquote>
      <pre class=3D"gmail_msg">draft-ietf-oauth-signed-http-request-03.txt
</pre>
      <blockquote type=3D"cite" class=3D"gmail_msg">
        <pre class=3D"gmail_msg">

A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : A Method for Signing HTTP Requests for OAuth
        Authors         : Justin Richer
                          John Bradley
                          Hannes Tschofenig
	Filename        : draft-ietf-oauth-signed-http-request-03.txt
	Pages           : 13
	Date            : 2016-08-08

Abstract:
   This document describes a method for offering data origin authentication
   and integrity protection of HTTP requests.  To convey the relevant data
   items in the request a JSON-based encapsulation is used and the JSON
   Web Signature (JWS) technique is re-used.  JWS offers integrity
   protection using symmetric as well as asymmetric cryptography.


The IETF datatracker status page for this draft is:
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"h=
ttps://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/" targ=
et=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http=
-request/</a>

There&#39;s also a htmlized version available at:
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"h=
ttps://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03" target=
=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-signed-http-reques=
t-03</a>

A diff from the previous version is available at:
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"h=
ttps://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-signed-http-request-03"=
 target=3D"_blank">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-sig=
ned-http-request-03</a>


Please note that it may take a couple of minutes from the time of
</pre>
      </blockquote>
      <pre class=3D"gmail_msg">submission
</pre>
      <blockquote type=3D"cite" class=3D"gmail_msg">
        <pre class=3D"gmail_msg">until the htmlized version and diff are av=
ailable at <a href=3D"http://tools.ietf.org" class=3D"gmail_msg" target=3D"=
_blank">tools.ietf.org</a>.

Internet-Drafts are also available by anonymous FTP at:
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"f=
tp://ftp.ietf.org/internet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/in=
ternet-drafts/</a>

_______________________________________________
OAuth mailing list
<a class=3D"m_7306600581705944491moz-txt-link-abbreviated gmail_msg" href=
=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"h=
ttps://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.i=
etf.org/mailman/listinfo/oauth</a>
</pre>
      </blockquote>
      <pre class=3D"gmail_msg">
_______________________________________________
OAuth mailing list
<a class=3D"m_7306600581705944491moz-txt-link-abbreviated gmail_msg" href=
=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>
<a class=3D"m_7306600581705944491moz-txt-link-freetext gmail_msg" href=3D"h=
ttps://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.i=
etf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <p class=3D"gmail_msg"><br class=3D"gmail_msg">
    </p>
  </div>

_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listinfo=
/oauth</a><br class=3D"gmail_msg">
</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--94eb2c1249e6cc379f054a231cbe--


From nobody Tue Mar  7 08:18:51 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66013126DFB for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 07:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0n9IU2Ujbh7D for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 07:31:05 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E53B3128B44 for <oauth@ietf.org>; Tue,  7 Mar 2017 07:30:59 -0800 (PST)
X-AuditID: 12074425-143ff70000005535-db-58bed232c20f
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id FF.00.21813.232DEB85; Tue,  7 Mar 2017 10:30:58 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v27FUweF001857; Tue, 7 Mar 2017 10:30:58 -0500
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v27FUte0004179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 7 Mar 2017 10:30:57 -0500
To: Nat Sakimura <n-sakimura@nri.co.jp>, oauth@ietf.org
References: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com> <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
From: Justin Richer <jricher@mit.edu>
Message-ID: <8ec702a8-2f13-09cb-6875-0ae6f1f7e366@mit.edu>
Date: Tue, 7 Mar 2017 10:30:51 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrAIsWRmVeSWpSXmKPExsUixCmqrGt0aV+Ewfw55ha7bh9htDj59hWb A5PHkiU/gcSv84wBTFFcNimpOZllqUX6dglcGYcP/mMseC9dsW/2a+YGxk+iXYycHBICJhJL Lx1nAbGFBNqYJCa8Ve1i5AKyNzBKHN48lxnCuc0ksWD7b7AqYYFAia1bNjOB2CIC5hL7r05k h+iukXh3czeYzSagKjF9TQtYDa+AlcSsz5sZQWwWARWJ2VO3g9WICsRI7O2/D1UjKHFy5hOw +ZwCFhKPToIs5uRgFrCVuDN3N5QtL7H97RzmCYz8s5C0zEJSNgtJ2QJG5lWMsim5Vbq5iZk5 xanJusXJiXl5qUW6Fnq5mSV6qSmlmxhBAcnuorqDcc5fr0OMAhyMSjy8H07tixBiTSwrrsw9 xCjJwaQkynuqByjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhDd3B1CONyWxsiq1KB8mJc3BoiTO K67RGCEkkJ5YkpqdmlqQWgSTleHgUJLg3XABqFGwKDU9tSItM6cEIc3EwQkynAdoeNxFkOHF BYm5xZnpEPlTjIpS4rxNIM0CIImM0jy4XlDCSHh72PQVozjQK8K810CqeIDJBq77FdBgJqDB 2q57QQaXJCKkpBoYTdOfqZU+5dn15uIlF5lTG6R6bgT0ZZm6C31+dWKuy5WkKYu5F3GvErOT +r3r6rH6fc8bpb7Z2aYI9Ilt4O5xDq2Ks+CqvyD+4tN196hnT/jb0z9tO50zO3NPxZdQ6xRz Ha9lSUwPSy7lykewWlu/3X6yunrx07qfTIc9nAPuRq0su5PwJFtZiaU4I9FQi7moOBEAzQOc G/MCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/avUpvOMc0uK9lfBxXUeDkcLFu0Y>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 15:31:20 -0000

What you describe as your minimum case is what I intended to be the 
minimum case for this document. I opted to put the token inside the 
payload instead of a hash because then we wouldn't need an additional 
header to carry the token, and the client wouldn't be required to do an 
additional crypto operation outside of the JOSE process.

  -- Justin


On 3/7/2017 2:13 AM, Nat Sakimura wrote:
> Hi Justin, John, and Hannes
>
> Is there an appetite to change the draft in such a way as:
>
> - do not wrap access token itself. It could include at_hash though.
>    Rationale: Pop access token can be pretty large and I do not want to
> double base64url encode.
> - perhaps change ts to string to accommodate nonce-like string.
>
> Essentially, what I want to do is not the http signing but just the pop
> based
> client authentication, which is very simple.
> While I was writing it up, it occurred that if the above modification were
> done, your draft will be a superset of what I wanted to do.
>
> My write up is here: http://bit.ly/oauth-jpop
>
> Financial API use cases need something like that.
> (Another possibility is a sender confirmation.)
>
> Best,
>
> Nat Sakimura
>
> --
> PLEASE READ :This e-mail is confidential and intended for the
> named recipient only. If you are not an intended recipient,
> please notify the sender  and delete this e-mail.
>
>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
>> internet-drafts@ietf.org
>> Sent: Tuesday, August 9, 2016 1:34 AM
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action:
> draft-ietf-oauth-signed-http-request-03.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>          Title           : A Method for Signing HTTP Requests for OAuth
>>          Authors         : Justin Richer
>>                            John Bradley
>>                            Hannes Tschofenig
>> 	Filename        : draft-ietf-oauth-signed-http-request-03.txt
>> 	Pages           : 13
>> 	Date            : 2016-08-08
>>
>> Abstract:
>>     This document describes a method for offering data origin authentication and
>>     integrity protection of HTTP requests.  To convey the relevant data
>>     items in the request a JSON-based encapsulation is used and the JSON
>>     Web Signature (JWS) technique is re-used.  JWS offers integrity
>>     protection using symmetric as well as asymmetric cryptography.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03
>>
>>
>> Please note that it may take a couple of minutes from the time of
> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
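
[Added illustration, not part of Justin's or Nat's mail and not code from
the signed-http-request draft. It shows the two options discussed above
side by side: signing a payload that wraps the access token itself, versus
signing only an at_hash of it and sending the token in its own header. The
HMAC key and the access token are constructed sample values; the claim
names "at" and "at_hash", the HS256 choice and the at_hash construction
(left half of SHA-256, base64url) are assumptions made for the example.]

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    """Left half of SHA-256 over the token's ASCII bytes, base64url encoded.
    This mirrors the at_hash construction OpenID Connect uses with a 256-bit
    hash (an assumption for this example); it is the hash Nat suggests
    signing instead of the token."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact-serialisation JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_hs256(jws: str, key: bytes) -> dict:
    """Check the HS256 signature in constant time and return the claims."""
    header, payload, signature = jws.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("JWS signature does not verify")
    return json.loads(b64url_decode(payload))


def wrapped_token_message(access_token: str, key: bytes, ts: int) -> str:
    """Draft style: the access token itself sits in the signed payload, so a
    token that is already base64url (a JWT) gets base64url-encoded again."""
    return sign_hs256({"at": access_token, "ts": ts}, key)


def hashed_token_message(access_token: str, key: bytes, ts) -> str:
    """Proposed style: only at_hash is signed; the token travels in its own
    HTTP header. ts may be a string holding a nonce-like value, as suggested."""
    return sign_hs256({"at_hash": at_hash(access_token), "ts": ts}, key)


def recover_wrapped_token(jws: str, key: bytes) -> str:
    """Server side for the draft style: one JOSE verification yields the token."""
    return verify_hs256(jws, key)["at"]


def check_hashed_token(jws: str, presented_token: str, key: bytes) -> bool:
    """Server side for the proposed style: verify the JWS, then do the extra
    step outside JOSE: recompute at_hash over the separately presented token
    and compare it with the signed value."""
    claims = verify_hs256(jws, key)
    return hmac.compare_digest(claims["at_hash"], at_hash(presented_token))


if __name__ == "__main__":
    key = b"constructed-demo-hmac-key-not-for-real-use"   # constructed sample
    token = "eyJ" + "A" * 1200   # constructed stand-in for a large PoP token
    now = int(time.time())
    wrapped = wrapped_token_message(token, key, now)
    hashed = hashed_token_message(token, key, now)
    print(len(wrapped), "chars when the token is wrapped")
    print(len(hashed), "chars when only at_hash is signed")
    print(recover_wrapped_token(wrapped, key) == token,
          check_hashed_token(hashed, token, key))
```

Running it makes both points of the thread concrete: the wrapped form grows
with the token (and re-encodes an already base64url token), while the hashed
form stays small but needs a second header and a hash comparison outside the
JOSE verification on both sides.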


From nobody Tue Mar  7 09:17:35 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705731295AF; Tue,  7 Mar 2017 09:17:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sD1LM90eROFz; Tue,  7 Mar 2017 09:17:26 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0096.outbound.protection.outlook.com [104.47.42.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCDA41294F0; Tue,  7 Mar 2017 09:17:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=tHWec7fnRpaftioKyKoSiOBxo9zcgJUYzIkF5b/yC0c=; b=T1BZMmTgRYptrmNJfFgjmXpeOHLBrilyBhxZxcQsc/AjHmQfsfJ4Z6x+gLabBS9M++Y4ACIEm5ZnAxHuXxOneQlV7F/xjhD2oy64FhfCxfObyVff0n0xPiRo929whKkHcXzKdWM36ogEKAKYlUyfliBAg9Rz38aJqCrAo/+PGBs=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Tue, 7 Mar 2017 17:17:20 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Tue, 7 Mar 2017 17:17:20 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Thread-Index: AQHSe97H5hXZpqeBE0CT6lHMY4yQFKFUP6sAgAABIQCAAB5D0IAAXXiAgAAdOACAAABqIIAAA2uAgAAA3wCAAAAzAIAAAO4AgAAAVZCAAAOFgIAqgOKggAkWs0CAABoJgIAAAbuQgAAGWICAATemAA==
Date: Tue, 7 Mar 2017 17:17:20 +0000
Message-ID: <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie> <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie> <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie>
In-Reply-To: <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.83.32]
x-ms-office365-filtering-correlation-id: d9b72d2d-488d-4aa8-0362-08d4657dd014
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0502; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:Nb8yGCrAWj2c/uU98KEHgmn8HCirQ8QqzfuhpEiRoMSZ8JOPSaElSpGwAuJGQiTxSI4xr+NjsrPEXjRkFvB0hUnqgwjJ0ey9VqHGLlks7/Q1+diMOtXoN3/Czf7w2ehskuojVEOf11XjOlHyNSTqw/HCkd6EzZmBDzkznjquwkN6+jvQA8cZi8PC+h6WNcVC8wwMvJdDH+K7OzRuC35R86UGBtQbCXdtQCmUVl0wq2eezt4t0E4c7buXDa6KDaO93Osdte//NDu+TjeZQqqfBbjgL7SBrLBguoueiVZJT3ve5iT05VRKGZQvTrYnSQnrdzEah2VJuGxR1V9/u8B0qWwZX6b1ODep0XcsEm6d8c0=
x-microsoft-antispam-prvs: <CY4PR21MB0502471C60CEF79A7DB71983F52F0@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(120809045254105)(21532816269658); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123555025)(20161123562025)(20161123558025)(20161123564025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502; 
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39450400003)(39410400002)(39860400002)(39840400002)(39850400002)(13464003)(40224003)(377454003)(24454002)(51914003)(305945005)(1720100001)(10290500002)(54356999)(2900100001)(2561002)(122556002)(33656002)(50986999)(6506006)(7696004)(9686003)(106116001)(1511001)(7736002)(189998001)(6306002)(55016002)(93886004)(53946003)(54906002)(99286003)(74316002)(5660300001)(966004)(230783001)(8676002)(53546006)(5005710100001)(3846002)(66066001)(6116002)(10090500001)(6436002)(6246003)(2950100002)(25786008)(86612001)(38730400002)(102836003)(3660700001)(77096006)(81166006)(551544002)(53936002)(8936002)(3280700002)(76176999)(4326008)(86362001)(229853002)(8990500004)(2906002)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 17:17:20.0831 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3PSdek6RoMOPOqoTeMS7NsFIvVQ>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:17:29 -0000

From nobody Tue Mar  7 09:48:36 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7711295E3 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 09:48:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxnBSgv173FR for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 09:48:31 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C51B1295ED for <oauth@ietf.org>; Tue,  7 Mar 2017 09:48:31 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id y76so16319386qkb.0 for <oauth@ietf.org>; Tue, 07 Mar 2017 09:48:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lVxNCoZQm76Q0ZkV1V1bpqSOHCw1WbpAVYQplfPX6PM=; b=ShvuuEBDWQMpZ4fzfaYnLfXCoTZ7Y4CpX4dW6ixk1u/h5iwrB4MUs7oo3hMEPN2Jx/ YpOct1xje1WS32rOQbd5gpmBkj+nbrcPjaM7Y1ha4qy5w7zOqdEEru8t7mH72ozdW1Zm sY/45fuUVCJmoKadFF8TCmgOn33rUjaZylJ1xD/miTE16JY+1ftoj5QaHJHr7daoU/qe sWLATu8yFKyrqbjWN5CvPDZ/CYkVBxp9NAuFfzyGmcN15eOLerrXcEKdlFK9ecJsVHmd OeiVHI2ZIteKrsNU/19Ajw3fdGAgJkyxNMLT6o//mLAoWdjJaInaNEtQSTolYi0pDJGw hf0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lVxNCoZQm76Q0ZkV1V1bpqSOHCw1WbpAVYQplfPX6PM=; b=lkap9tyTNgWXzEo5slbsq0HoHFo1t1cHOERDxZj+iUU76enu/dOlK5ilhpYhlio0CE +eL5h0mnXJuhblhmuxOdGubwI+B8b0R3QZ3ZvwiDm2o+R5MzIv7BQBBrNz+S6T/OJDPR R/FMW9+fRRn24A1f3w1ycdJxR0o9LzZBTT/TCsvyJAvEf5rgxylMkx7woYR4SbCC3o3u 9iLdTd+92q8FnzKue+06s9fAhCo07NywTYfLjOwolF7arMvTbWyZhlUuN0K2vH383S8V s7cJTqeJ1eqIrf71fssfYTk+aVkrt3Qwc6mRgUOnjFZit4XwpSg/kjyew4PImoGMQ+J2 r3iw==
X-Gm-Message-State: AMke39md1DVe7KJzUtrEp6dg0ABI6oQULBs4shy+SWLumQSkIUWiBoknxQKYTPkulw/O4peVVIUcWs6QIBVtyltI
X-Received: by 10.200.35.36 with SMTP id a33mr1966848qta.216.1488908910410; Tue, 07 Mar 2017 09:48:30 -0800 (PST)
MIME-Version: 1.0
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net> <SN1PR0301MB2029162EB879130632E1A804A62F0@SN1PR0301MB2029.namprd03.prod.outlook.com> <b260eb1d-bad5-10fb-f732-6efb987be6b0@gmx.net>
In-Reply-To: <b260eb1d-bad5-10fb-f732-6efb987be6b0@gmx.net>
From: William Denniss <wdenniss@google.com>
Date: Tue, 07 Mar 2017 17:48:20 +0000
Message-ID: <CAAP42hAsvoE2d=xp-PLJz_7m3GgZG=02Q7h7MZgCK-XnZoFTZg@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>,  "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a113a7db8b5a278054a279e54
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QGewjr0rlT_jAAwjTKOHLRQZkD4>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:48:34 -0000

--001a113a7db8b5a278054a279e54
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

If you dislike the GitHub examples I referenced, I'm willing to remove the
reference.

FYI, I reworked the Windows implementation details section in the Appendix
after Buenos Aires, following technical discussions with Vittorio. Now it
includes the Authentication Broker pattern.

On Tue, Mar 7, 2017 at 12:23 AM Hannes Tschofenig <hannes.tschofenig@gmx.ne=
t>
wrote:

Hi Tony

thanks for the feedback. I have requested publication of the document a
few minutes ago already and we will incorporate any remarks from my
co-workers as part of the IETF-wide last call.

Ciao
Hannes

On 03/07/2017 09:17 AM, Anthony Nadalin wrote:
> I'm still getting feedback on the Windows examples that are pointed to by
the spec, since it's not a simple case on Windows
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofeni=
g
> Sent: Monday, March 6, 2017 8:00 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document
>
> Here is the shepherd write-up:
>
https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgithub.c=
om%2Fhannestschofenig%2Ftschofenig-ids%2Fblob%2Fmaster%2Fshepherd-writeups%=
2FWriteup_OAuth_NativeApps.txt&data=3D02%7C01%7Ctonynad%40microsoft.com%7C9=
a9ec9f090c74e34fb1a08d464a9e0a0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%=
7C636244128165469063&sdata=3DolsSc81lMAqvlfAEBPCXY9CkIGv88W2Pt%2BkGj8yT2aY%=
3D&reserved=3D0
>
> Feedback appreciated. I will also do another shepherd review.
>
> Ciao
> Hannes
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--001a113a7db8b5a278054a279e54--


From nobody Tue Mar  7 09:51:30 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 088ED129467 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 09:51:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level: 
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DPRj7ARGNmrh for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 09:51:26 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B181612954B for <oauth@ietf.org>; Tue,  7 Mar 2017 09:50:56 -0800 (PST)
Received: from [192.168.91.177] ([80.92.114.23]) by mail.gmx.com (mrgmx103 [212.227.17.168]) with ESMTPSA (Nemesis) id 0MSdRI-1csuTZ3LTY-00RbhC for <oauth@ietf.org>; Tue, 07 Mar 2017 18:50:54 +0100
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <4602a58b-58c1-d41e-26cb-025eec8a6d8b@gmx.net>
Date: Tue, 7 Mar 2017 18:50:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="gwlftHm2d6H53jOkCX8oh02F98OSkBIkH"
X-Provags-ID: V03:K0:Emp7J5mBi2bwHLLvQIFubb5XoO246nDrL/7zQ7qCG+DPAa74E20 Q2rlJqSgj37k0GggqvhSGbqRjLJ5NBUz/vVMfwEOjXR+E+tNX0jM5TXWwWS/DUb5dWtyT1l 4dg3/nQEiaC1vsBuhbS9a0jsMQkk4SPa16HOJHtYLTEfgoMBeCbvFikzqq7FqXkSU2QjAKp u/nEVj3yp79OWqBzxAfTw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:PjoXhcuWg2k=:ijbBJQrUNFiYrqfqBOg0j6 pZJd7I7wxBPgdfm7HLniG3nGxHPgya76hJIJdBGnvJFuSK9SHjyj1/rUXCEYrLMHb7obgwzNF SjfRrdZRXNIk8OWOlgQGN0mFMFAICVu1Q+KeF56vRsJnbx7LqlXU7vR8q6GzVUr0RLKEJVPFp SMFEDA4bMplbFc+wxRM5xs5/QX2RqmZ5v8MSuPl5C7bAaRSBaXoJX6UE48lx5zsr5LaoV7rFr g4RMiG3UcvNUwQ6gs6h69l+vAHr/S9miE6r94cDNe/PiIrbCF8/H88T5cT5uF5+mG1QS6AaGT rcGMh/x5Tf+g2cvUQXcs9qsl3cN7Sv8AgU00Bkh8Y0nES7a1tBj1bx7QA2+5B8pLbms5nLGg+ SjmwX3oqC0apMI5W7LZK2riXn661uF9V2pGbQ84FELbWpQ+HBxTvmnsrxFunELCsJGy+ylAV3 56hT9YGGMv4oSlNzV2qckFboGfBVD3wEfQeHcEAFAjvw3NMHHqJtwtI14/WPF9QX5uxCvpyZu X25ektT599T8Gs4LvykNAG6kiTJ+SDx2L1fcTLtuTfr/4J0xBKyMC+Iztj8c0ROnzP8aIbMwZ l39wrU4W/IyWtBZ7fi3PDMDtag78Gabkn9yD+vw6fEM2h9CPprcPDRghRRLpY11BsjBpKD4iW 7JGVq0qofTUuedwMGCeKfAk6/4GSIw0XrDYHHWNL288wpyW2KT41dlrppjydyzK5TGxnNHTx4 gQ9KZt0R4Ql1pnvJ4V20Pr3Sxc18pirrQne+aZTqqT166SD85zRDw98D3pk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/moyiZ_9yNnIVZvf3Gyo9c9Muozo>
Subject: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata: IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:51:28 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--gwlftHm2d6H53jOkCX8oh02F98OSkBIkH
Content-Type: multipart/mixed; boundary="x7SkBsaEmipFu941jGW6ddpucNu3Tic5R";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <4602a58b-58c1-d41e-26cb-025eec8a6d8b@gmx.net>
Subject: OAuth 2.0 Authorization Server Metadata: IPR Confirmation

--x7SkBsaEmipFu941jGW6ddpucNu3Tic5R
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi John, Mike, Nat,

I am working on the shepherd writeup for the "OAuth 2.0 Authorization
Server Metadata" document:
https://tools.ietf.org/html/draft-ietf-oauth-discovery-05

One item in the template requires me to indicate whether each document
author has confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and BCP 79
have already been filed.

Could you please confirm?

Ciao
Hannes




--x7SkBsaEmipFu941jGW6ddpucNu3Tic5R--

--gwlftHm2d6H53jOkCX8oh02F98OSkBIkH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYvvL8AAoJEGhJURNOOiAtMQUH/1H1BK0V315qwveij7trleQP
5krbZ5DBe7lnY1tUnhDIDQd/982vNduyeA/gl30jbSPI1xaUdY+eGkpawprcrLrD
z4rXpxPvXKClCC72VP3Riy4gMc68/KMxi2h1PV0IOHJPhOgRE1kSktR3jcbteO5+
RHdrhwo8so8MhTBXruUHmDcKbz5R84oZ2PPtJCiICQhMuqOxnqjKSt25XG8EE3H2
9hsUl2BxD+MSU678kxlkUoZszleeW/anW+s+PrPdTYk/iXhQkiMT3W9Hq3DJctxl
crNwDOfRDigO7m+DLCcj2i8soWIBxvVPrIfmyZGgOT8FlHDr1Z8J7JM8VAkH4Wo=
=pTvU
-----END PGP SIGNATURE-----

--gwlftHm2d6H53jOkCX8oh02F98OSkBIkH--


From nobody Tue Mar  7 10:02:22 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0687D129442 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 10:02:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ehc7-az7A4oh for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 10:02:19 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98B7F12948C for <oauth@ietf.org>; Tue,  7 Mar 2017 10:02:13 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id 1so16629201qkl.3 for <oauth@ietf.org>; Tue, 07 Mar 2017 10:02:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=GqA19WbQQ3jomw2nniA1V0XRYVJRiobm8Tsjeqs0qvc=; b=mlPFDhxLI2C2oFqNzsO/LwJUzuE4ghlQ06cPngxRygCX+YobVUnWPJ5xcDdUQcKJq5 3WkwXP1KpTI1yupS9CoP+YEBC0BPJdH124ooX/EGJdi16PNUIbNKmW+tGJUMcnzWQy4Q G+bKDPlXcQso5Od3euI+LhxjfhqwFnss1KMeSX4w74M9qT58G481nP1xknX9Sqb0zCmG ae9RZ1kjtoM0ZTmZMpdn9p7GvL80eMjN6iKM5o8H9tDZ8EnbruTufSY9IX0fh455gMx+ JFKHS7H9XBuyUS9jgleyUD3wwRAkvGUk38ek+bLGdtpeL1rrI9Pb/Fd9Sz85wF8uuoZf bH/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=GqA19WbQQ3jomw2nniA1V0XRYVJRiobm8Tsjeqs0qvc=; b=WZqcRkdxoHBTLkKJrEv5iXI/RoMCi2ZQGoz0oxQ2ZBos+5xBLF8PO7KRWkYqAOQAAw RI2mhb9NmOjBwwGwf1kVzvbV19GGZ9VO9RMEU6t9yzvG57fansDVLiwYXAf/jC/BM1E0 rqRcz603nPU0bvTwyACh1eHq6gGdDdyyEhD9O1MYF4zKZzVyQfoSSi0+5f40KdG/4gXl ZWR3g0LjJKh3pmnSD4dUiANhb55YzpveMhDtqpwUQjBN3OFFHJ5QGysT+PgZOsfTzxpJ v3OVEYD7dOKAaD1N7DHGP9qmQrS4VSIPmjYZnm68weqOZKtZM7LpAzEC9+b1IfheZJQL vMaQ==
X-Gm-Message-State: AMke39mjr4NhDBBBV02Ah2u7VKF1JR1TPqnDiEoxGbO19MiQwBO9qHq5SN3fEpKUtcf6trJ4
X-Received: by 10.55.17.206 with SMTP id 75mr2077524qkr.156.1488909732597; Tue, 07 Mar 2017 10:02:12 -0800 (PST)
Received: from [192.168.86.130] ([191.115.23.99]) by smtp.gmail.com with ESMTPSA id n19sm464947qtn.35.2017.03.07.10.02.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Mar 2017 10:02:11 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4602a58b-58c1-d41e-26cb-025eec8a6d8b@gmx.net>
Date: Tue, 7 Mar 2017 15:02:09 -0300
Message-Id: <4935886D-8E92-45AB-9EF8-BDA4E38C86A9@ve7jtb.com>
References: <4602a58b-58c1-d41e-26cb-025eec8a6d8b@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a1146c91eb9dd56054a27cf93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6HBU0gV_i4dOuCZjo5bvdLYo0kg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata: IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 18:02:21 -0000

--001a1146c91eb9dd56054a27cf93
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

I have no IPR disclosures to make.

John B.
> On Mar 7, 2017, at 2:50 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Hi John, Mike, Nat,
>
> I am working on the shepherd writeup for the "OAuth 2.0 Authorization
> Server Metadata" document:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> One item in the template requires me to indicate whether each document
> author has confirmed that any and all appropriate IPR disclosures
> required for full conformance with the provisions of BCP 78 and BCP 79
> have already been filed.
>
> Could you please confirm?
>
> Ciao
> Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--001a1146c91eb9dd56054a27cf93
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a1146c91eb9dd56054a27cf93--


From nobody Tue Mar  7 10:04:57 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72319129462 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 10:04:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6iiep-P9R6r for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 10:04:54 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0132.outbound.protection.outlook.com [104.47.32.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B0E612945A for <oauth@ietf.org>; Tue,  7 Mar 2017 10:04:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EsCnWU5FvzfiKE6+5ZKXrT/92V8N7zEwGXMjpANSJy4=; b=gs6S/VZGsajuCA7Za4KVoCNYrlHoHbZivtOS53PUInpVrG0xhJRwWClQVXriUxBd3Ichl7y3S3yjc35yQEzqRtmdMUvUaC4iafYwRCUYpIgBCkV7/Gu60iuxIcCarUHHWazLKCl31zN7hhaqvUR8LWOjjVWRzrlKHBuw1wxaM6I=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Tue, 7 Mar 2017 18:04:53 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Tue, 7 Mar 2017 18:04:53 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata: IPR Confirmation
Thread-Index: AQHSl2t/XVwqnBddKE2Vxe8CRfSTEqGJqwmAgAAAbPA=
Date: Tue, 7 Mar 2017 18:04:52 +0000
Message-ID: <CY4PR21MB05040C360896A966BDCE563AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4602a58b-58c1-d41e-26cb-025eec8a6d8b@gmx.net> <4935886D-8E92-45AB-9EF8-BDA4E38C86A9@ve7jtb.com>
In-Reply-To: <4935886D-8E92-45AB-9EF8-BDA4E38C86A9@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.83.32]
x-ms-office365-filtering-correlation-id: 1cc08835-9bf7-4d3f-881d-08d465847498
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0502; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:nfvcE8o3WgkX82shte4djOnt8d8/FASwA8Kl1ag5ysFrFLMzTLtgN5n/SDJnLwTPxqtXbENU45U0DAcx2WuV5NLV9kJg8panA3sAmPyrN5807DQbqHny4h9XzbReCtmbT9K62CA2+Eb3oGLLPnUk3mFTuKrWBaU76Odxhy3DrDxXbtlxcLRMryl3m8Xqd1xsed6DuBX8/N13Zm+Qhsj3LzOZ1wW+TesznRGKNIBTmhGc7YKu1STA0BhLmQDDIYlQapTuttHCHjQX55mEqV1GrjpTH7GB8JZ2HXxkrwNBwTPNxAxy6KdSXgvqQahetq2+nx5agJpSPXoZdQ07PqyK4VSzPTUmvA+Cku1b80UrBcc=
x-microsoft-antispam-prvs: <CY4PR21MB0502FC16DCFA9A2B97B57261F52F0@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(248736688235697);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123555025)(20161123562025)(20161123558025)(20161123564025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502; 
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39850400002)(39860400002)(39840400002)(39410400002)(39450400003)(24454002)(377454003)(13464003)(86612001)(2950100002)(25786008)(38730400002)(102836003)(6436002)(10090500001)(6246003)(8676002)(53546006)(5660300001)(3846002)(66066001)(6116002)(5005710100001)(4326008)(76176999)(86362001)(8990500004)(229853002)(2906002)(8936002)(3660700001)(77096006)(81166006)(3280700002)(53936002)(54356999)(122556002)(33656002)(2900100001)(305945005)(10290500002)(7736002)(55016002)(6306002)(189998001)(99286003)(74316002)(6506006)(7696004)(9686003)(50986999)(106116001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 18:04:52.9441 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YREafwg3VAYB01vHg1CVtv_G88E>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata: IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 18:04:56 -0000

I am aware of no IPR encumbrances for this specification.

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Tuesday, March 7, 2017 10:02 AM
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata: IPR Confirmation

I have no IPR disclosures to make.

John B.
> On Mar 7, 2017, at 2:50 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Hi John, Mike, Nat,
>
> I am working on the shepherd writeup for the "OAuth 2.0 Authorization
> Server Metadata" document:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> One item in the template requires me to indicate whether each document
> author has confirmed that any and all appropriate IPR disclosures
> required for full conformance with the provisions of BCP 78 and BCP 79
> have already been filed.
>
> Could you please confirm?
>
> Ciao
> Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Tue Mar  7 10:10:55 2017
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 211F21294FB; Tue,  7 Mar 2017 10:10:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DFYRjXEjHT1N; Tue,  7 Mar 2017 10:10:45 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AE401294EE; Tue,  7 Mar 2017 10:10:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7BFBFBE38; Tue,  7 Mar 2017 18:10:43 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4tNlBT6Ohq7Z; Tue,  7 Mar 2017 18:10:40 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 68794BE55; Tue,  7 Mar 2017 18:10:39 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1488910240; bh=g7PdIEmwsnBBEJVDs2iZTwN3XEGS92NSkP2DzmwdJ4M=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=TbRCQDKw7qnoZOyuou8707+IUBqAcFdnau8wde/EEzZ94GET8dhkFBut8FIiETj59 JA+TBYXLHl6i39sd2G1n8o8HwIGQ4QbXWzIwJFX46bv+BmCDOsbhJdJr/W63IpBeLY e8h0z/dGTdde0IGbqRHP/VhlKlsa/flAw4P+MFnA=
To: Mike Jones <Michael.Jones@microsoft.com>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie> <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie> <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
Date: Tue, 7 Mar 2017 18:10:38 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="OMSItXHpSXaumCNRTlLIVDap7hMpirI6l"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Z2FBaYkZD1INBwu0Yk-M5FfZLyE>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 18:10:49 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--OMSItXHpSXaumCNRTlLIVDap7hMpirI6l
Content-Type: multipart/mixed; boundary="BDS7w19efmia0633le3oNEhcItceLTmtt";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Mike Jones <Michael.Jones@microsoft.com>,
 Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>,
 The IESG <iesg@ietf.org>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>,
 "draft-ietf-oauth-amr-values@ietf.org"
 <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on
 draft-ietf-oauth-amr-values-05: (with DISCUSS)
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com>
 <27d6181c-eb72-b17b-ed18-db018991e44c@cs.tcd.ie>
 <SN1PR0301MB2029EF1377E24CD330C5C929A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
 <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie>
 <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
 <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie>
 <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com>
 <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie>
 <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
 <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
 <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie>
 <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com>
 <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie>
 <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>

--BDS7w19efmia0633le3oNEhcItceLTmtt
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 07/03/17 17:17, Mike Jones wrote:
> You're right, Stephen.  Re-reading the spec, it doesn't say that, and
> it should.  Sometimes it takes someone giving a spec a fresh read to
> uncover things that the authors understood and intended but failed to
> be captured in the text.  This is such a case - so thanks.
>
> I'll add this information, which is necessary to understand the
> intent, and then republish.

Ah good, that explains the disconnect.

Cheers,
S.

>
> -- Mike
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Monday, March 6, 2017 2:39 PM
> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>
>
> Hi Mike,
>
> On 06/03/17 22:34, Mike Jones wrote:
>> Thanks for the reply, Stephen.  I'll try to find better
>> interop-producing references where possible.
>>
>> In some cases, however, the values are intentionally intended to
>> provide an identifier for a family of closely-related methods, such
>> as "otp", which covers both time-based and HMAC-based OTPs.
>
> Hmm. I don't recall text saying that in the draft, but it's possible
> that I missed it - can you point me at that?
>
> I do agree that if the semantics here were "some otp was used" then
> it would not be necessary to specify exactly which OTP scheme was
> used. But that wasn't how I read what this spec was doing. (Again,
> that could be me getting the wrong end of the stick.)
>
> S.
>
>
>> Many relying parties will be content to know that an OTP has been
>> used in addition to a password.  The distinction between which kind
>> of OTP was used is not useful to them.  Thus, there's a single
>> identifier that can be satisfied in two or more nearly equivalent
>> ways.  I consider this to be a feature - not a bug.
>>
>> Similarly, there's a whole range of nuances between different
>> fingerprint matching algorithms.  They differ in false positive and
>> false negative rates over different population samples and also
>> differ based on the kind and model of fingerprint sensor used.
>> Like the OTP case, many RPs will be content to know that a
>> fingerprint match was made, without delving into and
>> differentiating based on every aspect of the implementation of
>> fingerprint capture and match. Those that want more precision than
>> this can always define new "amr" values.  But "fpt" is fine as is
>> for what I believe will be the 90+% case.
>>
>> Ultimately, the RP is depending upon the Identity Provider to do
>> reasonable things.  If it didn't trust the IdP to do so, it has no
>> business using it.  The "amr" value lets the IdP signal to the RP
>> additional information about what it did, for the cases in which
>> that information is useful to the RP.
>>
>> Reducing this to the point of absurdity, the RP would almost never
>> care about the make, model, and serial number of the fingerprint
>> reader or OTP.  Values could be defined to provide that
>> granularity. But making those fine-grained distinctions are not
>> useful in practice.
>>
>> Please consider the existing definitions in light of that reductio
>> ad absurdum.  The existing values only make distinctions that are
>> known to be useful to RPs.  Slicing things more finely than would
>> be used in practice actually hurts interop, rather than helping it,
>> because it would force all RPs to recognize that several or many
>> different values actually mean the same thing to them.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: Monday, March 6, 2017 2:10 PM
>> To: Mike Jones <Michael.Jones@microsoft.com>; Anthony Nadalin <tonynad@microsoft.com>; joel jaeggli <joelja@bogus.com>; The IESG <iesg@ietf.org>
>> Cc: oauth-chairs@ietf.org; draft-ietf-oauth-amr-values@ietf.org; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>
>> Hi Mike,
>>
>> Apologies - I updated the discuss ballot text [1] on Feb 28 but
>> must've not sent it as an email or something. Anyway...
>>
>> [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/
>>
>> On 06/03/17 20:38, Mike Jones wrote:
>>
>>> Hi Stephen.  The changes in draft -06 were intended to address your
>>> DISCUSS points.  Are you satisfied with these changes or are there
>>> additional changes you want?  I'm asking partly because it's a week
>>> now until the submission cutoff and if additional changes are needed,
>>> I'd like to make them this week.
>>
>> So I do think there's still work to be done, may as well copy the
>> new ballot text here:
>>
>> "
>> I think we still have the problem that the values "defined" here
>> (e.g. "fpt") are under specified to a significant degree. RFC4949
>> does not tell anyone how to achieve interop with "fpt" (nor any of
>> the other cases where you refer to 4949 I think). There is
>> therefore no utility in "defining" "fpt" as it will not achieve
>> interop and in fact is more likely to cause confusion than interop.
>> If the solution of actually defining the meaning of things like
>> "fpt" is not achievable then perhaps it will be better to only
>> define those for which we can get interop ("pwd" and one or two
>> others) and leave the definition of the rest for later. (In saying
>> that I do recall that one of the authors said that there are
>> implementations that use some of these type-names, but the point of
>> RFCs is not to "bless" such things, but to achieve interop.)
>> "
>>
>> Cheers,
>> S.
>>
>>>
>>> Thanks, -- Mike
>>>
>>> -----Original Message-----
>>> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
>>> Sent: Tuesday, February 28, 2017 6:17 PM
>>> To: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>
>>> Cc: oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-values@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
>>> Subject: RE: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>> Hi Stephen,
>>>
>>> Draft -06 https://tools.ietf.org/html/draft-ietf-oauth-amr-values-06
>>> adds references for all of the defined "amr" values.  Thanks for
>>> taking the time to have a thoughtful discussion.
>>>
>>> -- Mike
>>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Wednesday, February 1, 2017 4:45 PM
>>> To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>
>>> Cc: oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-values@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>
>>>
>>>
>>> On 02/02/17 00:35, Mike Jones wrote:
>>>> You can call me lazy if you want.
>>>
>>> I don't think you're lazy:-) Were I to guess I'd guess that interop
>>> for these wasn't a priority and that we're defining them a bit early
>>> and a little too generically.
>>>
>>>> Some of them are so well known, such as "password" or "PIN" it didn't
>>>> seem worthwhile to try to track down a reference.
>>>
>>> Sure, those are fine. The only issues would be if there's a string2key
>>> function somewhere but I don't expect there is in this context.
>>>
>>>> But I'm willing to work with others to find decent references for the
>>>> rest of them, if you believe that would improve the quality of the
>>>> specification.
>>>
>>> I do think it would, esp for cases where there are known different
>>> options (e.g. otp) or likely ill-defined or proprietary formats. My
>>> guess is that some biometrics fit that latter but I could be wrong.
>>> If they do, then one runs into the problem of having to depend on
>>> magic numbers in the encodings or similar to distinguish which is
>>> really error prone and likely to lead to what our learned transport
>>> chums are calling ossification;-)
>>>
>>> Cheers, S.
>>>
>>>
>>>>
>>>> Best wishes, -- Mike
>>>>
>>>> -----Original Message-----
>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>> Sent: Wednesday, February 1, 2017 4:31 PM
>>>> To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>
>>>> Cc: oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-values@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
>>>> Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>
>>>>
>>>>
>>>> On 02/02/17 00:28, Mike Jones wrote:
>>>>> The other case of known interop testing of "amr" values is for
>>>>> MODRNA (OpenID Connect Mobile Profile) implementations. There's a
>>>>> reference to its use of "amr" values in the spec.
>>>>
>>>> Yeah, iirc, that one seemed ok (assuming the reference tells me what
>>>> code to write which I assume it does).
>>>>
>>>> I'm still not seeing why some do have sufficient references and
>>>> others do not.
>>>>
>>>> Is there some difficulty with finding references or something?
>>>>
>>>> S
>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Anthony Nadalin
>>>>> Sent: Wednesday, February 1, 2017 4:27 PM
>>>>> To: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>; Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>
>>>>> Cc: oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-values@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
>>>>> Subject: RE: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>>>>
>>>>> We have interoped between FIDO authenticators vendors and Windows
>>>>> Hello
>>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Wednesday, February 1, 2017 4:24 PM
>>>>> To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; Anthony
>>=20
>>>>> Nadalin
>>>>> <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>; joel
>>>>> jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>;
>>=20
>>>>> The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc:
>>=20
>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>;=20
>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-va=

>>>>>
>>>>>=20
lues@ietf.org>;
>>=20
>>>>> oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG]
>>>>>  Stephen Farrell's Discuss on
>>=20
>>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>=20
>>>>>=20
>>=20
>>>>>=20
>>=20
>>>>>=20
>>=20
>>>>> On 02/02/17 00:21, Mike Jones wrote:
>>=20
>>>>>> Thanks, Tony.  I can add that reference.
>>=20
>>>>>>=20
>>=20
>>>>>> Stephen, the sets of initial values were chosen from those
>>>>>> used in
>>=20
>>>>>> practice by Microsoft and Google in real deployments.
>>=20
>>>>>=20
>>=20
>>>>> Genuine questions: do you aim to have interop between those
>>=20
>>>>> deployments? What if I wanted to write code that'd interop
>>>>> with msft
>>=20
>>>>> or google?
>>=20
>>>>>=20
>>=20
>>>>> S.
>>=20
>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>> About "otp", there are existing use cases for indicating
>>>>>> that an
>>=20
>>>>>> OTP was used.  I'm not aware of any of these use cases
>>>>>> where the
>>=20
>>>>>> distinction between TOTP and HOTP is important.  Thus,
>>>>>> having "otp"
>>=20
>>>>>> now makes sense, where having "hotp" and "totp"
>>=20
>>>>>> now doesn't.
>>=20
>>>>>>=20
>>=20
>>>>>> Stephen, this may seem like splitting hairs, but the
>>>>>> registry
>>=20
>>>>>> instructions for "Specification Document(s)" are about
>>>>>> having a
>>=20
>>>>>> reference for the document where the Authentication Method
>>=20
>>>>>> Reference Name (such as "otp") is defined.  In all cases
>>>>>> for the
>>=20
>>>>>> initial values, this is the RFC-to-be, so the registry=20
>>>>>> instructions
>>=20
>>>>>> are satisfied.  If someone were, for instance, to define
>>>>>> the string
>>=20
>>>>>> "hotp", it would be incumbent on the person requesting its
>>=20
>>>>>> registration to provide a URL to the document where the
>>>>>> string
>>=20
>>>>>> "hotp" is defined.  Also having a reference to RFC 4226 in
>>>>>> that
>>=20
>>>>>> document would be a good thing, but that isn't what the
>>>>>> registry
>>=20
>>>>>> instructions are about.
>>=20
>>>>>>=20
>>=20
>>>>>> All that said, I can look at also finding appropriate
>>>>>> references
>>=20
>>>>>> for the remaining values that don't currently have them.=20
>>>>>> (Anyone
>>=20
>>>>>> got a good reference for password or PIN to suggest, for=20
>>>>>> instance?)
>>=20
>>>>>>=20
>>=20
>>>>>> -- Mike
>>=20
>>>>>>=20
>>=20
>>>>>> -----Original Message----- From: Anthony Nadalin Sent:
>>=20
>>>>>> Wednesday, February 1, 2017 4:10 PM To: Stephen Farrell
>>=20
>>>>>> <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>;
>>>>>>
>>>>>>=20
Mike Jones
>>=20
>>>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>;=

>>>>>>
>>>>>>=20
joel jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>;
>>=20
>>>>>> The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc:=20
>>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>;
>>=20
>>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-v=

>>>>>>
>>>>>>=20
alues@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org> Subject:
>>=20
>>>>>> RE: [OAUTH-WG] Stephen Farrell's Discuss on
>>=20
>>>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>=20
>>>>>>=20
>>=20
>>>>>> NIST asked for the addition of IRIS (as they are seeing
>>>>>> more use of
>>=20
>>>>>> IRIS over retina due to the accuracy of iris)  as they have
>>>>>> been
>>=20
>>>>>> doing significant testing on various iris devices and
>>>>>> continue to
>>=20
>>>>>> do so, here is a report that NIST released
>>=20
>>>>>> http://2010-2014.commerce.gov/blog/2012/04/23/nist-iris-recognitio=

>>>>>>
>>>>>>=20
n
>>=20
>>>>>> -report-evaluates-needle-haystack-search-capability.html
>>=20
>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>=20
>>=20
>>>>>>=20
>>=20
>>>=20
>>=20
>>>>>>=20
>>=20
>> -----Original Message----- From: Stephen Farrell
>>=20
>>>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday,
>>>>>> February 1,
>>=20
>>>>>> 2017 2:26 PM To: Mike Jones=20
>>>>>> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>;=

>>>>>>
>>>>>>=20
joel
>>=20
>>>>>> jaeggli <joelja@bogus.com<mailto:joelja@bogus.com>>; The
>>>>>> IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc:
>>=20
>>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>;=20
>>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-v=

>>>>>>
>>>>>>=20
alues@ietf.org>;
>>=20
>>>>>> oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re:=20
>>>>>> [OAUTH-WG] Stephen Farrell's Discuss on
>>=20
>>>>>> draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>=20
>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>> Hi Mike,
>>=20
>>>>>>=20
>>=20
>>>>>> On 01/02/17 17:00, Mike Jones wrote:
>>=20
>>>>>>> Thanks for the discussion, Stephen.
>>=20
>>>>>>>=20
>>=20
>>>>>>> To your point about "otp", the working group discussed
>>>>>>> this very
>>=20
>>>>>>> point.  They explicitly decided not to introduce "hotp"
>>=20
>>>>>>> and "totp" identifiers because no one had a use case in
>>>>>>> which the
>>=20
>>>>>>> distinction mattered.
>>=20
>>>>>>=20
>>=20
>>>>>> Then I'm not following why adding "otp" to the registry now
>>>>>> is a
>>=20
>>>>>> good plan.
>>=20
>>>>>>=20
>>=20
>>>>>> If there's a use-case now, then adding an entry with a
>>>>>> good
>>=20
>>>>>> reference to the relevant spec seems right.
>>=20
>>>>>>=20
>>=20
>>>>>> If there's no use-case now, then not adding it to the
>>>>>> registry
>>=20
>>>>>> seems right. (Mentioning it as a possible future entry
>>>>>> would be
>>=20
>>>>>> fine.)
>>=20
>>>>>>=20
>>=20
>>>>>> I think the same logic would apply for all the values that
>>>>>> this
>>=20
>>>>>> spec adds to the registry. Why is that wrong?
>>=20
>>>>>>=20
>>=20
>>>>>>> Others can certainly introduce those identifiers and
>>>>>>> register
>>=20
>>>>>>> them if they do have such a use case, once the registry
>>>>>>> has been
>>=20
>>>>>>> established.  But the working group wanted to be
>>>>>>> conservative
>>=20
>>>>>>> about the identifiers introduced to prime the registry,
>>>>>>> and this
>>=20
>>>>>>> is such a case.
>>=20
>>>>>>>=20
>>=20
>>>>>>> What identifiers to use and register will always be a
>>>>>>> balancing
>>=20
>>>>>>> act. You want to be as specific as necessary to add
>>>>>>> practical and
>>=20
>>>>>>> usable value, but not so specific as to make things
>>>>>>> unnecessarily
>>=20
>>>>>>> brittle.
>>=20
>>>>>>=20
>>=20
>>>>>> Eh... don't we want interop? Isn't that the primary goal
>>>>>> here?
>>=20
>>>>>>=20
>>=20
>>>>>>> While some might say there's a difference between serial
>>>>>>> number
>>=20
>>>>>>> ranges of particular authentication devices, going there
>>>>>>> is
>>=20
>>>>>>> clearly in the weeds.  On the other hand, while there
>>>>>>> used to be
>>=20
>>>>>>> an "eye" identifier, Elaine Newton of NIST pointed out
>>>>>>> that there
>>=20
>>>>>>> are significant differences between retina and iris
>>>>>>> matching, so
>>=20
>>>>>>> "eye" was replaced with "retina"
>>=20
>>>>>>> and "iris". Common sense informed by actual data is the
>>>>>>> key here.
>>=20
>>>>>>=20
>>=20
>>>>>> That's another good example. There's no reference for=20
>>>>>> "iris."
>>=20
>>>>>> If that is used in some protocol, then what format(s) are=20
>>>>>> expected
>>=20
>>>>>> to be supported? Where do I find that spec? If we can
>>>>>> answer that,
>>=20
>>>>>> then great, let's add the details. If not, then I'd
>>>>>> suggest we omit
>>=20
>>>>>> "iris" and leave it 'till later to add an entry for that.=20
>>>>>> And
>>=20
>>>>>> again, including text with "iris" as an example is just
>>>>>> fine, all
>>=20
>>>>>> I'm asking is that we only add the registry entry if we
>>>>>> can meet
>>=20
>>>>>> the same bar that we're asking the DE to impose on later=20
>>>>>> additions.
>>=20
>>>>>>=20
>>=20
>>>>>> And the same for all the others...
>>=20
>>>>>>=20
>>=20
>>>>>> Cheers, S.
>>=20
>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>>>=20
>>=20
>>>>>>> The point of the registry requiring a specification=20
>>>>>>> reference is
>>=20
>>>>>>> so people using the registry can tell where the
>>>>>>> identifier is
>>=20
>>>>>>> defined. For all the initial values, that requirement is
>>=20
>>>>>>> satisfied, since the reference will be to the new RFC.
>>>>>>> I think
>>=20
>>>>>>> that aligns with the point that Joel was making.
>>=20
>>>>>>>=20
>>=20
>>>>>>> Your thoughts?
>>=20
>>>>>>>=20
>>=20
>>>>>>> -- Mike
>>=20
>>>>>>>=20
>>=20
>>>>>>> -----Original Message----- From: OAuth
>>=20
>>>>>>> [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen=20
>>>>>>> Farrell
>>=20
>>>>>>> Sent: Wednesday, February 1, 2017 7:03 AM To: joel
>>>>>>> jaeggli
>>=20
>>>>>>> <joelja@bogus.com<mailto:joelja@bogus.com>>; The IESG=20
>>>>>>> <iesg@ietf.org<mailto:iesg@ietf.org>> Cc:
>>=20
>>>>>>> oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>;=20
>>>>>>> draft-ietf-oauth-amr-values@ietf.org<mailto:draft-ietf-oauth-amr-=
values@ietf.org>;
>>
>>>>>>>
>>>>>>>=20
oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re:
>>>>>>> [OAUTH-WG] Stephen Farrell's Discuss
>>=20
>>>>>>> on draft-ietf-oauth-amr-values-05: (with DISCUSS)
>>=20
>>>>>>>=20
>>=20
>>>>>>>=20
>>=20
>>>>>>>=20
>>=20
>>>>>>> On 01/02/17 14:58, joel jaeggli wrote:
>>=20
>>>>>>>> On 1/31/17 8:26 AM, Stephen Farrell wrote:
>>=20
>>>>>>>>> Stephen Farrell has entered the following ballot=20
>>>>>>>>> position for
>>=20
>>>>>>>>> draft-ietf-oauth-amr-values-05: Discuss
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>> When responding, please keep the subject line intact=20
>>>>>>>>> and  reply
>>=20
>>>>>>>>> to all email addresses included in the To and CC
>>>>>>>>> lines. (Feel
>>=20
>>>>>>>>> free to cut this introductory paragraph,
>>=20
>>>>>>>>> however.)
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>> Please refer to
>>=20
>>>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>
>>>>>>>>>
>>>>>>>>>
>>
>>>>>>>>>
>>
>>
>>>>>>>>>=20
for more information about IESG DISCUSS and COMMENT
>>=20
>>>>>>>>> positions.
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>> The document, along with other ballot positions, can
>>>>>>>>> be found
>>=20
>>>>>>>>> here:
>>=20
>>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/
>>
>>>>>>>>>
>>>>>>>>>
>>
>>>>>>>>>
>>
>>>>>>>>>
>>
>>>>>>>>>
>>
>>>>>>>>>
>>
>>>>
>>
>>>>>>>>>
>>
>>>
>>
>>>>>>>>>
>>
>>
>>>>>>>>>=20
---------------------------------------------------------------------
>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>> -
>>=20
>>>>>>>>> DISCUSS:
>>=20
>>>>>>>>> ---------------------------------------------------------------=
-
>>
>>>>>>>>>
>>>>>>>>>=20
-----
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>=20
>>=20
>>>>>>>>>=20
>>=20
>> -
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>> This specification seems to me to break it's own=20
>>>>>>>>> rules.
>>=20
>>>>>>>>> You state that registrations should include a
>>>>>>>>> reference to a
>>=20
>>>>>>>>> specification to improve interop. And yet, for the=20
>>>>>>>>> strings added
>>=20
>>>>>>>>> here (e.g. otp) you don't do that (referring to
>>>>>>>>> section 2 will
>>=20
>>>>>>>>> not improve interop) and there are different ways in=20
>>>>>>>>> which many
>>=20
>>>>>>>>> of the methods in section 2 can be done. So I think
>>>>>>>>> you need to
>>=20
>>>>>>>>> add a bunch more references.
>>=20
>>>>>>>>=20
>>=20
>>>>>>>> Not clear to me that the document creating the
>>>>>>>> registry needs to
>>=20
>>>>>>>> adhere to the rules for further allocations in order
>>>>>>>> to
>>=20
>>>>>>>> prepoulate the registry. that is perhaps an appeal to=20
>>>>>>>> future
>>=20
>>>>>>>> consistency.
>>=20
>>>>>>>=20
>>=20
>>>>>>> Sure - I'm all for a smattering of inconsistency:-)
>>=20
>>>>>>>=20
>>=20
>>>>>>> But I think the lack of specs in some of these cases
>>>>>>> could impact
>>=20
>>>>>>> on interop, e.g. in the otp case, they quote two RFCs
>>>>>>> and yet only
>>=20
>>>>>>> have one value. That seems a bit broken to me, so the=20
>>>>>>> discuss
>>=20
>>>>>>> isn't really about the formalism.
>>=20
>>>>>>>=20
>>=20
>>>>>>> S.
>>=20
>>>>>>>=20
>>=20
>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>>=20
>>=20
>>>>>>>>=20
>>=20
>>>>>>>>=20
>>=20
>>>>>>>=20
>>=20
>>>>>>=20
>>=20
>>>>>=20
>>=20
>>>>=20
>>=20
>>>=20
>>=20
>>=20
>=20




From nobody Tue Mar  7 10:45:41 2017
To: "oauth@ietf.org" <oauth@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <70253643-d036-e333-f94d-597039206777@gmx.net>
Date: Tue, 7 Mar 2017 19:45:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="0vsdxhHpj0N9wWmID59el7bundtCXfl9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T3KqnoyMetyDFSyRelZki9x955c>
Subject: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata


Hi all,

here is the write-up:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_Metadata.txt

I need your feedback on the following issues:

1) Implementation & deployment status of the spec

2) Working group summary (see below)
(Particularly asking Phil whether this is a correct summary.)

3) There are four normative references to non-IETF specifications (see
below). I am wondering whether these are indeed necessary (as normative
references).

4) Any other feedback?

Ciao
Hannes

----

Working Group Summary

   Work on a discovery mechanism for OAuth had been planned for a long
   time, but it took until late 2015 before a document was submitted
   to the group, which re-used work done in the OpenID Foundation.
   When the WGLC was started in 2016, see
   https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html,
   feedback resulted in significant restructuring of the document.

   Now, almost a year later, these concerns have been resolved and
   the document is ready for publication.


----

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

   [USA15]    Davis, M. and K. Whistler, "Unicode Normalization Forms",
              Unicode Standard Annex 15, June 2015,
              <http://www.unicode.org/reports/tr15/>.

   [OAuth.Post]
              Jones, M. and B. Campbell, "OAuth 2.0 Form Post Response
              Mode", April 2015, <http://openid.net/specs/
              oauth-v2-form-post-response-mode-1_0.html>.

   [OAuth.Responses]
              de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M.
              Jones, "OAuth 2.0 Multiple Response Type Encoding
              Practices", February 2014,
              <http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>.




From nobody Tue Mar  7 10:59:00 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata
Thread-Index: AQHSl3MLVHZAp/vDF0KH24VnD0LyP6GJt4PA
Date: Tue, 7 Mar 2017 18:58:55 +0000
Message-ID: <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <70253643-d036-e333-f94d-597039206777@gmx.net>
In-Reply-To: <70253643-d036-e333-f94d-597039206777@gmx.net>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DFidmliHKPoFSrYsiWdhci_HlN8>
Subject: Re: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata

From nobody Tue Mar  7 11:07:22 2017
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
References: <70253643-d036-e333-f94d-597039206777@gmx.net> <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <fe5beedf-1f2e-cf15-f70d-361edacb47e7@gmx.net>
Date: Tue, 7 Mar 2017 20:07:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="IQgdUcC3KBS3JJOoCm7UGa2Ir2a7b8SSn"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6UqpkO5xk5_g9cyhgt63pNizty0>
Subject: Re: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--IQgdUcC3KBS3JJOoCm7UGa2Ir2a7b8SSn
Content-Type: multipart/mixed; boundary="HR79cSFHnTKU758WwLQSUnCE6WBX6IWLu";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org"
 <oauth@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Message-ID: <fe5beedf-1f2e-cf15-f70d-361edacb47e7@gmx.net>
Subject: Re: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server
 Metadata
References: <70253643-d036-e333-f94d-597039206777@gmx.net>
 <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>

--HR79cSFHnTKU758WwLQSUnCE6WBX6IWLu
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Mike

thanks for the quick response and for the wording suggestions.

Regarding the implementations: are OpenID Connect implementations
required to implement this functionality?

On 03/07/2017 07:58 PM, Mike Jones wrote:
> 1) Implementation & deployment status of the spec
>
> Microsoft has at least four deployments of the specification.
> William Denniss has said that Google uses the specification.  I
> believe that Ping Identity also uses it.  The specification is used
> by https://tools.ietf.org/html/draft-ietf-oauth-token-binding-01 and
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04.

Ciao
Hannes


--HR79cSFHnTKU758WwLQSUnCE6WBX6IWLu--

--IQgdUcC3KBS3JJOoCm7UGa2Ir2a7b8SSn
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJYvwTXAAoJEGhJURNOOiAta4oH/3k1mwDcq3B29dKdFKe2wLjQ
So0xONXZFApK5tP1S1pz+r+5djmfSINQkHl1kZGZ2byfgW2PigDsk1SfX6jQTjPZ
K63ZIBzXd+zMRco8gFwvO4rqmlirDhiEJGZbblMi038j5LmoS23HNPqvpcHp5EoX
sQ6oqdecmq/v73yAVIFG0R+3B6uxroXb86tzsufvvt0Vssfsc3uWUhdbBi0cNNS3
3bjv67+345+hMEs1Ho6x15tuZ69Q3fvBeqh76LrRYoLXHTKtfvq6w7TQ7daEQ/ZX
frx05e7hMSYALnI1RoxI6uj6sxKtx76ibXuZvG3BcBVX4RvgBCaokC7sTVZwN6s=
=FDFa
-----END PGP SIGNATURE-----

--IQgdUcC3KBS3JJOoCm7UGa2Ir2a7b8SSn--


From nobody Tue Mar  7 11:15:08 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4B912948F for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 11:15:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Icu0CClDz9Zs for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 11:15:04 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0109.outbound.protection.outlook.com [104.47.32.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3768E129426 for <oauth@ietf.org>; Tue,  7 Mar 2017 11:15:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=4hS/bj9jQYFHAv0egmevN7E0sQjxm0y345FZElqZYV0=; b=RaWTYwEgVTRN86+1O7qFwZT/LE7XJCIClojDadHIe4Ppuwma5OE2uvJYIUFX/hETotwIYlziYglHXaw0eaDVilyWdGoCDasYoXpUIq5rMerJkL1ujTidHVbreLuu1DJj7sOgTWcvAjrlSX08UypfiF3RZWYfjKIsG53yA9j8imk=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Tue, 7 Mar 2017 19:15:01 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Tue, 7 Mar 2017 19:15:01 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata
Thread-Index: AQHSl3YIKIEalHSRaE6f6IzeTF3l+aGJvWRg
Date: Tue, 7 Mar 2017 19:15:01 +0000
Message-ID: <CY4PR21MB050414CEA13A865348AD036FF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <70253643-d036-e333-f94d-597039206777@gmx.net> <CY4PR21MB0504CEE31B03DDEDEB50B79DF52F0@CY4PR21MB0504.namprd21.prod.outlook.com> <fe5beedf-1f2e-cf15-f70d-361edacb47e7@gmx.net>
In-Reply-To: <fe5beedf-1f2e-cf15-f70d-361edacb47e7@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmx.net; dkim=none (message not signed) header.d=none;gmx.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.83.32]
x-ms-office365-filtering-correlation-id: b38f0c3b-6960-48a9-4744-08d4658e412a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0504; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:iMV/MAYBr0G9b9yG/gHzuhpeJjy01w7w6iZ/3KuD4D8dyNOJTWPPMnZSHISUKik34QXaEBXtPi6llOGPYx2BWiGiyCFODNUhl2Cc9Znq0RQwd6EfCfsIcqwJFZJ0DQOdO7WwGTKVwfro0fG01HzZqLwh4T4ZXb9vxaeZy44m+yOxBs96UmUC7GsX0bhFFYXZvDmrbSFjoEeg7mdGVP4TARm/zXM4nBGYfCcAi7AAxbC2hOPDGe7CWmgec8N4G5iQvP6Qju1g8ikX8mIF5mYTMr+qw6/Qk8VOahjCMU06inNMJUvOz0rkCf/i9kmdew44Xwyr9HPyNuJ4X6dayTYM5smedymqts+U3Sv6WskY93o=
x-microsoft-antispam-prvs: <CY4PR21MB050415449F6A1BBCF6B96BAEF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(248736688235697)(21532816269658)(146099531331640); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123555025)(20161123564025)(20161123562025)(20161123560025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504; 
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(6009001)(39410400002)(39450400003)(39840400002)(39850400002)(39860400002)(377454003)(13464003)(24454002)(51914003)(99286003)(3660700001)(3280700002)(229853002)(8990500004)(305945005)(8676002)(2900100001)(106116001)(10090500001)(54356999)(2501003)(966004)(7736002)(8936002)(2906002)(86612001)(5005710100001)(10290500002)(33656002)(74316002)(81166006)(189998001)(76176999)(53376002)(102836003)(50986999)(6246003)(3846002)(6306002)(2950100002)(53936002)(25786008)(53546006)(122556002)(6506006)(5660300001)(9686003)(66066001)(77096006)(6436002)(6116002)(38730400002)(55016002)(7696004)(86362001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 19:15:01.8142 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jvvnTfsd-OoQ397bcOiEwc8P1g0>
Subject: Re: [OAUTH-WG] Shepherd writeup for OAuth 2.0 Authorization Server Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 19:15:06 -0000


From nobody Tue Mar  7 12:08:17 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF84C129426 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 12:08:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Level: 
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZmACCOnYTXg for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 12:08:13 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE9FA129573 for <oauth@ietf.org>; Tue,  7 Mar 2017 12:08:12 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id 1so22909087qkl.3 for <oauth@ietf.org>; Tue, 07 Mar 2017 12:08:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=tWwRlR7/9SbG2FT0HsYagDjizDWQVYlAmPf5oQqSHAc=; b=qBOPGFg4YI8IdIxklerUBps7hbs0SutQ1kAXb30kImn6FD+xwbcxGXCO5IyBaFsqSU QuTSm6Gc8qrAOjPLJoxu9cZfKcdYrOBuDOH4B9b8lq96dIjxLp050nhLN3cjunU8i82J K+Xm1OtprHlhG2i6I3y3OUuxzVc7Ld1Xkbv7j0mlFmKKqnT0F5xzjhbMF7xEY358qfDL BnIyDkiCnIinLYpI7CKIyPx9mOs6LZrYuPgsHlhzYUWcBQkrSp5G8AZgRaes7Yrq8oyF 3CnTTDLNuF4Ot0NRyUKoEh1EQ0597gqNYl19xnDGinpcGb1u9+vk5wXxWB0d481IVTUs fbXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=tWwRlR7/9SbG2FT0HsYagDjizDWQVYlAmPf5oQqSHAc=; b=kjCng2ETSEhSuv/2qheeebnW6jkGe+VA05RZ4kdJ2UEfodjW4Oza/6pZUF6js5tK0o axPs1sk8OejhaSZV8z2u0h+E0p8kZakmu8slVFSkg+AxbkNh0ILnfQPO0YCOeHiMuFoC jELKVe71ozoYxNipDgpe+ruqqJWwXvF7gb/djcA8Mye3f1vkAe1dbvypa+kS5mawpoK3 OV2+Y9iDivIPfHWSO+Y8aIry94ng7tafrtFyXeLOrhANHF/yKw51OMLLJpq7FRoP2XEN 9e2peUnfRwXPP03RSprEKjonKeWLGyE0qUbynerZhGtL5qC78eSjzd82tuQkZuG6hMUc Zqvg==
X-Gm-Message-State: AMke39nesqO3mG6Db73pUxitp43CQxGpz42gdpb1f7dVRdLhQS0HMPVPMT3WkWARpIWKp5q1
X-Received: by 10.55.121.194 with SMTP id u185mr2694227qkc.56.1488917291447; Tue, 07 Mar 2017 12:08:11 -0800 (PST)
Received: from [192.168.8.100] ([181.201.20.83]) by smtp.gmail.com with ESMTPSA id m78sm670990qki.44.2017.03.07.12.08.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Mar 2017 12:08:10 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C16D1076-1CF0-4A76-BFC4-35E35E420799@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 7 Mar 2017 17:08:06 -0300
In-Reply-To: <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com> <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c05a19647abb7054a2992bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/blYHNeSxL6bJalJvbMowONXqMNA>
Cc: "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 20:08:16 -0000

--94eb2c05a19647abb7054a2992bd
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_E260B750-5BB4-4425-93EB-99E05C16C7EB"


--Apple-Mail=_E260B750-5BB4-4425-93EB-99E05C16C7EB
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

That is the theory, that CTAP should let web-views work.

I just ran a test on the current shipping Android build. U2F is only
working from the View controller and system browser.
Web-view is not currently exposing CTAP.

I believe that is also the case on iOS, but haven't built an app to test
it.

This first version of the BCP doesn't go into advanced issues around
Web Auth/Fido in detail.  We know that currently WebView/View
controller/Token Agent work with existing CTAP implementations.

Once we have systems deployed that can use CTAP from a web view we can
update the BCP.

We may also have a definitional problem: we consider the Windows token
broker in SSO mode to fit the model of a view controller/Web View in
that it is sandboxed from the app, rather than considering it a
web-view.  I know that the token broker can support WebAuthentication
(CTAP 2) in recent RS2 builds of Win 10.

John B.


> On Mar 7, 2017, at 5:16 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> 
> Not true John, the CTAP support that is current would support the
> web-view w/o any changes
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Monday, March 6, 2017 12:16 PM
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> Cc: internet-drafts@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
> 
> On fido I can tell you that for security reasons U2F won't work from a
> web-view currently.
> 
> Once we move to Web Auth (Fido 2) where the OS provides an API for apps
> to call to get the token it will work, but the tokens are audienced to
> the app based on its developer key and bundle_id so that an app can't
> ask for a token for a different site to do correlation.
> 
> It is true that Fido UAF currently requires a web-view to work as the
> authenticator is effectively compiled in to each application, and that
> application has access to the private keys on most platforms (Samsung
> Knox being the only exception to that that I know of, where the keys
> are managed by a common API to hardware key storage, but they are
> scoped like U2F as well).
> 
> So for the most part it is true that unless you use the browser to get
> the Fido token the audience is for the app.
> Example: Salesforce creates a native app that may use enterprise SSO
> via SAML, and the enterprise may use Fido as an authentication factor.
> If they use the webview + Fido API approach the app can only get a
> token for Salesforce based on its signing key.  It could fire up the
> web-view and do U2F authentication with the enterprise after Salesforce
> has redirected the user.  However it will give every enterprise a token
> audienced to Salesforce with a Salesforce-specific key.  If there is a
> second app for, say, Slack, if they do the same thing the enterprise
> would get a Slack-audienced token and a Slack key, forcing a separate
> registration.
> 
> The recommended alternative is that the app use a custom tab for the
> user to Salesforce and that redirect to the enterprise.
> The enterprise gets the same token/key with the correct audience from
> all apps on the device using the browser or custom tab.
> The user may not need to sign in a second time, and if they do their
> Fido token will not need to be re-registered.
> 
> The Fido API approach really only works for first-party apps like
> PayPal if the app is not doing federation and PayPal is doing the
> authentication for their own app.
> 
> Token binding private keys have similar issues.  The pool of private
> keys will probably not be shared between apps, and not between the app
> and the browser (Win 10 may be an exception but it is not documented
> yet).
> 
> In the case of using AppAuth with token binding the browser maintains
> the keys so the enterprise would be able to see the same key and use
> the same cookies across all AppAuth apps.
> 
> You can include token binding in your app, however the token bindings
> and cookies are going to be sandboxed per app.
> Depending on implementation the app gets access to the cookie, but
> perhaps not to the private token binding key.  (At least I don't think
> it will in Android embedded webview).
> 
> We could expand on this later in an update to the BCP once Web
> Authentication and Token Binding are final.
> 
> There are still some unknowns, but in general for any sort of
> SSO/Federation 3rd party app I don't see recommending anything other
> than a custom tab/view controller/external browser.
> 
> William can take the formatting question :)
> 
> John B.
>> On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> Hi William, Hi John,
>> 
>> I just re-read version -8 of the document again.
>> 
>> Two minor remarks only.
>> 
>> Editorial issue: Why do you need to introduce a single sub-section
>> within Section 7.1. (namely Section 7.1.1)?
>> 
>> Background question: You note that embedded user agents have the
>> disadvantage that the app that hosts the embedded user-agent can
>> access the user's full authentication credential. This is certainly
>> true for password-based authentication mechanisms but I wonder whether
>> this is also true for strong authentication techniques, such as those
>> used by FIDO combined with token binding. Have you looked into more
>> modern authentication techniques as well and their security
>> implications?
>> 
>> Ciao
>> Hannes
>> 
>> On 03/03/2017 07:39 AM, William Denniss wrote:
>>> Changes:
>>> 
>>> - Addresses feedback from the second round of WGLC.
>>> - Reordered security consideration sections to better group related topics.
>>> - Added complete URI examples to each of the 3 redirect types.
>>> - Editorial pass.
>>> 
>>> 
>>> 
>>> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org> wrote:
>>> 
>>> 
>>>   A New Internet-Draft is available from the on-line Internet-Drafts
>>>   directories.
>>>   This draft is a work item of the Web Authorization Protocol of the IETF.
>>> 
>>>           Title           : OAuth 2.0 for Native Apps
>>>           Authors         : William Denniss
>>>                             John Bradley
>>>           Filename        : draft-ietf-oauth-native-apps-08.txt
>>>           Pages           : 20
>>>           Date            : 2017-03-02
>>> 
>>>   Abstract:
>>>      OAuth 2.0 authorization requests from native apps should only be made
>>>      through external user-agents, primarily the user's browser.  This
>>>      specification details the security and usability reasons why this is
>>>      the case, and how native apps and authorization servers can implement
>>>      this best practice.
>>> 
>>> 
>>>   The IETF datatracker status page for this draft is:
>>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>>> 
>>>   There's also a htmlized version available at:
>>>   https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>>> 
>>>   A diff from the previous version is available at:
>>>   https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
>>> 
>>> 
>>>   Please note that it may take a couple of minutes from the time of
>>>   submission
>>>   until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>>   Internet-Drafts are also available by anonymous FTP at:
>>>   ftp://ftp.ietf.org/internet-drafts/
>>> 
>>>   _______________________________________________
>>>   OAuth mailing list
>>>   OAuth@ietf.org
>>>   https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>> 


--Apple-Mail=_E260B750-5BB4-4425-93EB-99E05C16C7EB
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">That is theory that CTAP should let web-views work. =
&nbsp;<div class=3D""><br class=3D""></div><div class=3D"">I just ran a =
test on the current shipping Android build. U2F is only working from the =
View controller and system browser. &nbsp;</div><div class=3D"">Web-view =
is not currently exposing CTAP.</div><div class=3D""><br =
class=3D""></div><div class=3D"">I believe that is also the case on iOS, =
but haven't built a app to test it.</div><div class=3D""><br =
class=3D""></div><div class=3D"">This first version of the BCP doesn=E2=80=
=99t go into advanced issues around Web Auth/Fido in detail. &nbsp;We =
know that currently WebView/View controller/Token Agent work with =
existing CTAP implementations.&nbsp;</div><div class=3D""><br =
class=3D""></div><div class=3D"">Once we have systems deployed that can =
use CTAP from a web view we can update the BCP.</div><div class=3D""><br =
class=3D""></div><div class=3D"">We may also have a definitional =
problem, we consider the Windows token broker in SSO mode to fit the =
model of a view controller/Web View in that it is sandboxed from the app =
, rather than considering it a web-view. &nbsp; I know that the token =
broker can support WebAuthentication (CTAP 2) in recent RS2 builds of =
Win 10. &nbsp;</div><div class=3D""><br class=3D""></div><div =
class=3D"">John B.</div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Mar 7, 2017, at 5:16 AM, Anthony Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com" =
class=3D"">tonynad@microsoft.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">Not true John, the CTAP support that is current =
would support the web-view w/o any changes<span =
class=3D"Apple-converted-space">&nbsp;</span></span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">-----Original Message-----</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">From: OAuth =
[</span><a href=3D"mailto:oauth-bounces@ietf.org" style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" =
class=3D"">mailto:oauth-bounces@ietf.org</a><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">] On Behalf Of John =
Bradley</span><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">Sent: Monday, March 6, 2017 12:16 PM</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">To: Hannes =
Tschofenig &lt;</span><a href=3D"mailto:hannes.tschofenig@gmx.net" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" =
class=3D"">hannes.tschofenig@gmx.net</a><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">&gt;</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">Cc:<span =
class=3D"Apple-converted-space">&nbsp;</span></span><a =
href=3D"mailto:internet-drafts@ietf.org" style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" =
class=3D"">internet-drafts@ietf.org</a><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">;<span =
class=3D"Apple-converted-space">&nbsp;</span></span><a =
href=3D"mailto:oauth@ietf.org" style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" class=3D"">oauth@ietf.org</a><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">Subject: Re: =
[OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">On fido I can tell you that for security =
reasons U2F wont work from a web-view currently.</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">Once we move to Web Auth (Fido 2) where =
the OS provides an API for apps to call to get the token it will work but =
the tokens are audienced to the app based on its developer key and =
bundle_id so that an app can't ask for a token for a different site to do =
correlation.<span class=3D"Apple-converted-space">&nbsp;</span></span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">It is true that Fido UAF currently =
requires a web-view to work as the authenticator is effectively compiled =
into each application, and that application has access to the private =
keys on most platforms (Samsung Knox being the only exception to that =
that I know of where the keys are managed by a common API to hardware =
key storage, but they are scoped like U2F as well).</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">So for the most part it is true and that =
unless you use the browser to get the Fido token the audience is for the =
app.</span><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">Example &nbsp;Salesforce creates native app that =
may use enterprise SSO via SAML, and the enterprise may use Fido as a =
authentication factor.</span><br style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">If they use the webview + fido API =
approach the app can only get a token for SalesForce based on its =
signing key. &nbsp;It could fire up the web-view and do U2F =
authentication with the enterprise after Salesforec has redirected the =
user. &nbsp;However it will give every enterprise a token audience to =
Salesforce with a salesforce specific key. &nbsp;&nbsp;If there is a =
second app for say Slack if they do the same thing the enterprise would =
get a slack audienced token and a slack key forcing a separate =
registration.<span class=3D"Apple-converted-space">&nbsp;</span></span><br=
 style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">The recommended alternative is that the =
app use a custom tab for the user to SalesForce and that redirect to the =
enterprise.</span><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">The enterprise gets the same token/key with the =
correct audience from all apps on the device using the browser or custom =
tab.<span class=3D"Apple-converted-space">&nbsp;</span></span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">The user may not =
need to signin a second time, and if they do there Fido token will not =
need to be re-registerd.</span><br style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">The Fido API approach really only works for =
first-party apps like PayPal if the app is not doing federation and =
PayPal is doing the authentication for their own app.</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">Token binding private keys have similar =
issues. &nbsp;&nbsp;The pool of private keys will probably not be shared =
between apps, and not between the app and the browser (Win 10 may be an =
exception, but it is not documented yet).</span><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">In the case of using AppAuth with token binding =
the browser maintains the keys so the enterprise would be able to see =
the same key and use the same cookies across all AppAuth Apps.</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" class=3D"">You can include token binding in your =
app; however, the token bindings and cookies are going to be sandboxed =
per app. &nbsp;</span><br style=3D"font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span=
 style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">Depending on implementation the app gets access =
to the cookie, but perhaps not to the private token binding key. =
&nbsp;(At least I don't think it will in Android embedded =
webview).</span><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">We could expand on =
this later in an update to the BCP once Web Authentication and Token =
Binding are final.</span><br style=3D"font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">There are still =
some unknowns, but in general for any sort of SSO/federation third-party =
app I don=E2=80=99t see recommending anything other than a custom tab / =
view controller / external browser.</span><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: =
0px;" class=3D""><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">William can take the formatting =
question :)</span><br style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
float: none; display: inline !important;" class=3D"">John B.</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" =
class=3D"">On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig &lt;<a =
href=3D"mailto:hannes.tschofenig@gmx.net" =
class=3D"">hannes.tschofenig@gmx.net</a>&gt; wrote:<br class=3D""><br =
class=3D"">Hi William, Hi John,<br class=3D""><br class=3D"">I just =
re-read version -8 of the document again.<br class=3D""><br class=3D"">Two=
 minor remarks only.<br class=3D""><br class=3D"">Editorial issue: Why =
do you need to introduce a single sub-section<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">within =
Section 7.1. (namely Section 7.1.1)?<br class=3D""><br =
class=3D"">Background question: You note that embedded user agents have =
the<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">disadvantage that the app that hosts the embedded user-agent =
can<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">access the user's full authentication credential. This is =
certainly<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">true for password-based authentication mechanisms but I =
wonder whether<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">this is also true for strong authentication techniques, such =
as those<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">used by FIDO combined with token binding. Have you looked =
into more<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">modern authentication techniques as well and their security =
implications?<br class=3D""><br class=3D"">Ciao<br class=3D"">Hannes<br =
class=3D""><br class=3D"">On 03/03/2017 07:39 AM, William Denniss =
wrote:<br class=3D""><blockquote type=3D"cite" class=3D"">Changes:<br =
class=3D""><br class=3D"">=E2=80=93 Addresses feedback from the second =
round of WGLC.<br class=3D"">=E2=80=93 Reordered security consideration =
sections to better group related topics.<br class=3D"">=E2=80=93 Added =
complete URI examples to each of the 3 redirect types.<br class=3D"">=E2=80=
=93 Editorial pass.<br class=3D""><br class=3D""><br class=3D""><br =
class=3D"">On Thu, Mar 2, 2017 at 10:27 PM, &lt;<a =
href=3D"mailto:internet-drafts@ietf.org" =
class=3D"">internet-drafts@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">&lt;<a =
href=3D"mailto:internet-drafts@ietf.org" =
class=3D"">mailto:internet-drafts@ietf.org</a>&gt;&gt; wrote:<br =
class=3D""><br class=3D""><br class=3D"">&nbsp;&nbsp;A New =
</blockquote></blockquote></div></blockquote></div></div></body></html>

--Apple-Mail=_E260B750-5BB4-4425-93EB-99E05C16C7EB--

--94eb2c05a19647abb7054a2992bd
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--94eb2c05a19647abb7054a2992bd--


From nobody Tue Mar  7 12:35:48 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B34129473 for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 12:35:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.485
X-Spam-Level: 
X-Spam-Status: No, score=-1.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_10_20=0.093, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XqEAFx8sWCmq for <oauth@ietfa.amsl.com>; Tue,  7 Mar 2017 12:35:44 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F59F129428 for <oauth@ietf.org>; Tue,  7 Mar 2017 12:35:44 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id p64so24618869qke.1 for <oauth@ietf.org>; Tue, 07 Mar 2017 12:35:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jfKbNA7/Y1hl+ihbtRXdUcaRykwgtVe9QXP+gJokqG0=; b=C0wxzi0OTcGRXeL+tU7y1fCM5j5okfv2JLNudM2pgYHCwg+Opn+l75xy3213pYKG2j DZUZZ/RAUu4mSGvIrKX1A/laMEo4/QrCzHV8+Bo2y6x4d0OdzcPpTYWsJU/i9DNiY/wK feCNm1OU0+n7HJqqBuhQI+Mou5pj7NaErR/y8geDvSwLv8wRkJ5RhJKduXspg7XgJxxP FvvtQ/rldPdogsTFefkfqnmnLcoSgP5UflfbQ+g6Rlvuk8tYft9yUEs7iNOervBqcl6S P16GcU9tQ0hd1473MCKPNl+YcmdIPkldDoLwFTgD4fT92requ7/ycqogQ4PkyXcbTyhl jn7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jfKbNA7/Y1hl+ihbtRXdUcaRykwgtVe9QXP+gJokqG0=; b=HYu7ArDbIG1XZ4iv338ef0jSlhjq3C6wzb553TkQPQi4mPG3HuSTC9eBc2REbxFmo1 9eM+OD9Mj28gnqXG8F1qNlLm3xnVga4vNHNE+yxyWcQIvz6JhbG5pvF6aVU9sazVQErF LqvkznpQw0onspNzM2o6YkyyVUb1x+0YLvPyFumzvUDhIetMXH+28XoHRLm6CRAB/jUE NfHBJ4FNs64kfLxNvwAnvnjW58MzJukTYMIZx73NXXN4OLGIoA2cHnkDW9+ffauJA/x6 oJldwMIghx4IVlTPl5MdjHgrfgWLxpEoqHM5j2D+xo3SJWdwip9LOaqv++UbQJszZ96O b0AQ==
X-Gm-Message-State: AMke39nairUZyJ6E2isT62TcYEU9p4+fVKz4v8YrtQ5CjTAbeiOtrVrXjYvU5UMcVX7TORwsIJ8Bm7gNtnvu5MLU
X-Received: by 10.55.41.232 with SMTP id p101mr2753376qkp.186.1488918942904; Tue, 07 Mar 2017 12:35:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Tue, 7 Mar 2017 12:35:22 -0800 (PST)
In-Reply-To: <C16D1076-1CF0-4A76-BFC4-35E35E420799@ve7jtb.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com> <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com> <C16D1076-1CF0-4A76-BFC4-35E35E420799@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Tue, 7 Mar 2017 12:35:22 -0800
Message-ID: <CAAP42hDyRzVGT3P5pL5afb6GVBFV7mYFcwLvYp0djEJ60yBgBQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a11473f96b166a5054a29f44d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vlA9iqsLJw52IV-KsTkDfGtuEgY>
Cc: "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 20:35:47 -0000

--001a11473f96b166a5054a29f44d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

That's an important distinction. It's not a "web-view vs browser" question,
but an "embedded user-agent vs external user-agent" question.  If something
is named "webview" but has all the attributes of an external user-agent,
then it's still an external user-agent for the purpose of the BCP.

I tried to be careful to always use the term "embedded user-agent"
following the nomenclature of RFC6749, e.g. title of Section 8.1. Webview
is referenced in a few places, for example Sec 8.1 says "In typical
web-view based implementations of embedded user-agents", as most embedded
user-agents do happen to use technology called webview – but there's no
normative text that means something named "webview" but that is actually an
external user-agent can't be used.

External user-agent is defined in the spec as such:

   "external user-agent"  A user-agent capable of handling the
      authorization request that is a separate entity to the native app
      making the request (such as a browser), such that the app cannot
      access the cookie storage or modify the page content.



Earlier versions were not as careful with the terms, but it was tightened
up and clarified for this very reason.

Regarding the Windows broker, it is explicitly mentioned as an external
user agent in the implementation details appendix (emphasis added):

   Universal Windows Platform (UWP) apps can use the Web Authentication
   Broker API in SSO mode as an *external user-agent* for authorization
   flows…


I've had the same experience as you John, and have not seen U2F work on any
implementation of webview that I've used (including iOS, Android, and
Windows using the old-style embedded IE control).

+1 to update the BCP when and if the best current practice changes. I
believe it does accurately capture the best current practice as of today.

On Tue, Mar 7, 2017 at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> That is the theory, that CTAP should let web-views work.
>
> I just ran a test on the current shipping Android build. U2F is only
> working from the View controller and system browser.
> Web-view is not currently exposing CTAP.
>
> I believe that is also the case on iOS, but haven't built an app to test it.
>
> This first version of the BCP doesn’t go into advanced issues around Web
> Auth/Fido in detail.  We know that currently WebView/View controller/Token
> Agent work with existing CTAP implementations.
>
> Once we have systems deployed that can use CTAP from a web view we can
> update the BCP.
>
> We may also have a definitional problem, we consider the Windows token
> broker in SSO mode to fit the model of a view controller/Web View in that
> it is sandboxed from the app, rather than considering it a web-view.   I
> know that the token broker can support WebAuthentication (CTAP 2) in recent
> RS2 builds of Win 10.
>
> John B.
>
>
> On Mar 7, 2017, at 5:16 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> Not true John, the CTAP support that is current would support the web-view
> w/o any changes
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On
> Behalf Of John Bradley
> Sent: Monday, March 6, 2017 12:16 PM
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> Cc: internet-drafts@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
>
> On fido I can tell you that for security reasons U2F won't work from a
> web-view currently.
>
> Once we move to Web Auth (Fido 2) where the OS provides an API for apps to
> call to get the token it will work but the tokens are audienced to the app
> based on its developer key and bundle_id so that an app can't ask for a token
> for a different site to do correlation.
>
> It is true that Fido UAF currently requires a web-view to work as the
> authenticator is effectively compiled into each application, and that
> application has access to the private keys on most platforms (Samsung Knox
> being the only exception to that that I know of where the keys are managed
> by a common API to hardware key storage, but they are scoped like U2F as
> well)
>
> So for the most part it is true that unless you use the browser to get
> the Fido token the audience is for the app.
> Example: Salesforce creates a native app that may use enterprise SSO via
> SAML, and the enterprise may use Fido as an authentication factor.
> If they use the webview + fido API approach the app can only get a token
> for Salesforce based on its signing key.  It could fire up the web-view and
> do U2F authentication with the enterprise after Salesforce has redirected
> the user.  However it will give every enterprise a token audienced to
> Salesforce with a Salesforce-specific key.   If there is a second app for
> say Slack if they do the same thing the enterprise would get a Slack
> audienced token and a Slack key forcing a separate registration.
>
> The recommended alternative is that the app use a custom tab for the user
> to SalesForce and that redirect to the enterprise.
> The enterprise gets the same token/key with the correct audience from all
> apps on the device using the browser or custom tab.
> The user may not need to sign in a second time, and if they do their Fido
> token will not need to be re-registered.
>
> The Fido API approach really only works for first party apps like PayPal
> if the app is not doing federation and PayPal is doing the
> authentication for their own app.
>
> Token binding private keys have similar issues.   The pool of private keys
> will probably not be shared between apps, and not between the app and the
> browser (Win 10 may be an exception but it is not documented yet)
>
> In the case of using AppAuth with token binding the browser maintains the
> keys so the enterprise would be able to see the same key and use the same
> cookies across all AppAuth Apps.
>
> You can include token binding in your app, however the token bindings and
> cookies are going to be sandboxed per app.
> Depending on implementation the app gets access to the cookie, but perhaps
> not to the private token binding key.  (At least I don't think it will in
> Android embedded webview).
>
> We could expand on this later in an update to the BCP once Web
> Authentication and Token Binding are final.
>
> There are still some unknowns, but in general for any sort of
> SSO/Federation 3rd party app I don’t see recommending anything other than a
> custom tab/ view controller/ external browser.
>
> William can take the formatting question:)
>
> John B.
>
> On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> wrote:
>
> Hi William, Hi John,
>
> I just re-read version -8 of the document again.
>
> Two minor remarks only.
>
> Editorial issue: Why do you need to introduce a single sub-section
> within Section 7.1. (namely Section 7.1.1)?
>
> Background question: You note that embedded user agents have the
> disadvantage that the app that hosts the embedded user-agent can
> access the user's full authentication credential. This is certainly
> true for password-based authentication mechanisms but I wonder whether
> this is also true for strong authentication techniques, such as those
> used by FIDO combined with token binding. Have you looked into more
> modern authentication techniques as well and their security implication?
>
> Ciao
> Hannes
>
> On 03/03/2017 07:39 AM, William Denniss wrote:
>
> Changes:
>
> – Addresses feedback from the second round of WGLC.
> – Reordered security consideration sections to better group related topics.
> – Added complete URI examples to each of the 3 redirect types.
> – Editorial pass.
>
>
>
> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org> wrote:
>
>
>   A New Internet-Draft is available from the on-line Internet-Drafts
>   directories.
>   This draft is a work item of the Web Authorization Protocol of the IETF.
>
>           Title           : OAuth 2.0 for Native Apps
>           Authors         : William Denniss
>                             John Bradley
>           Filename        : draft-ietf-oauth-native-apps-08.txt
>           Pages           : 20
>           Date            : 2017-03-02
>
>   Abstract:
>      OAuth 2.0 authorization requests from native apps should only be made
>      through external user-agents, primarily the user's browser.  This
>      specification details the security and usability reasons why this is
>      the case, and how native apps and authorization servers can implement
>      this best practice.
>
>
>   The IETF datatracker status page for this draft is:
>   https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
>   There's also a htmlized version available at:
>   https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>
>   A diff from the previous version is available at:
>   https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
>
>
>   Please note that it may take a couple of minutes from the time of
>   submission
>   until the htmlized version and diff are available at tools.ietf.org
>
>   Internet-Drafts are also available by anonymous FTP at:
>   ftp://ftp.ietf.org/internet-drafts/
>
>   _______________________________________________
>   OAuth mailing list
>   OAuth@ietf.org
>   https://www.ietf.org/mailman/listinfo/oauth
>

That's an important distinction. It's not a "web-view vs browser"
question, but an "embedded user-agent vs external user-agent" question.
If something is named "webview" but has all the attributes of an
external user-agent, then it's still an external user-agent for the
purpose of the BCP.

I tried to be careful to always use the term "embedded user-agent"
following the nomenclature of RFC6749, e.g. title of Section 8.1.
Webview is referenced in a few places, for example Sec 8.1 says "In
typical web-view based implementations of embedded user-agents", as
most embedded user-agents do happen to use technology called webview –
but there's no normative text that means something named "webview" but
that is actually an external user-agent can't be used.

External user-agent is defined in the spec as such:

   "external user-agent"  A user-agent capable of handling the
      authorization request that is a separate entity to the native app
      making the request (such as a browser), such that the app cannot
      access the cookie storage or modify the page content.

Earlier versions were not as careful with the terms, but it was
tightened up and clarified for this very reason.

Regarding the Windows broker, it is explicitly mentioned as an external
user agent in the implementation details appendix (emphasis added):

   Universal Windows Platform (UWP) apps can use the Web Authentication
   Broker API in SSO mode as an *external user-agent* for authorization
   flows…

I've had the same experience as you John, and have not seen U2F work on
any implementation of webview that I've used (including iOS, Android,
and Windows using the old-style embedded IE control).

+1 to update the BCP when and if the best current practice changes. I
believe it does accurately capture the best current practice as of
today.

On Tue, Mar 7, 2017 at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> That is the theory, that CTAP should let web-views work.
>
> I just ran a test on the current shipping Android build. U2F is only
> working from the View controller and system browser.
> Web-view is not currently exposing CTAP.
>
> I believe that is also the case on iOS, but haven't built an app to
> test it.
>
> This first version of the BCP doesn't go into advanced issues around
> Web Auth/FIDO in detail.  We know that currently WebView/View
> controller/Token Agent work with existing CTAP implementations.
>
> Once we have systems deployed that can use CTAP from a web view we can
> update the BCP.
>
> We may also have a definitional problem, we consider the Windows token
> broker in SSO mode to fit the model of a view controller/Web View in
> that it is sandboxed from the app, rather than considering it a
> web-view.  I know that the token broker can support WebAuthentication
> (CTAP 2) in recent RS2 builds of Win 10.
>
> John B.
>
> > On Mar 7, 2017, at 5:16 AM, Anthony Nadalin <tonynad@microsoft.com>
> > wrote:
> >
> > Not true John, the CTAP support that is current would support the
> > web-view w/o any changes
> >
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> > Sent: Monday, March 6, 2017 12:16 PM
> > To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> > Cc: internet-drafts@ietf.org; oauth@ietf.org
> > Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
> >
> > On FIDO I can tell you that for security reasons U2F won't work from
> > a web-view currently.
> >
> > Once we move to Web Auth (FIDO 2) where the OS provides an API for
> > apps to call to get the token it will work, but the tokens are
> > audienced to the app based on its developer key and bundle_id so that
> > an app can't ask for a token for a different site to do correlation.
> >
> > It is true that FIDO UAF currently requires a web-view to work as the
> > authenticator is effectively compiled into each application, and that
> > application has access to the private keys on most platforms (Samsung
> > Knox being the only exception to that that I know of, where the keys
> > are managed by a common API to hardware key storage, but they are
> > scoped like U2F as well).
> >
> > So for the most part it is true that unless you use the browser to
> > get the FIDO token the audience is for the app.
> > Example: Salesforce creates a native app that may use enterprise SSO
> > via SAML, and the enterprise may use FIDO as an authentication factor.
> > If they use the webview + FIDO API approach the app can only get a
> > token for Salesforce based on its signing key.  It could fire up the
> > web-view and do U2F authentication with the enterprise after
> > Salesforce has redirected the user.  However it will give every
> > enterprise a token audienced to Salesforce with a Salesforce specific
> > key.  If there is a second app for, say, Slack and they do the same
> > thing, the enterprise would get a Slack audienced token and a Slack
> > key, forcing a separate registration.
> >
> > The recommended alternative is that the app use a custom tab for the
> > user to Salesforce and that redirect to the enterprise.
> > The enterprise gets the same token/key with the correct audience from
> > all apps on the device using the browser or custom tab.
> > The user may not need to sign in a second time, and if they do their
> > FIDO token will not need to be re-registered.
> >
> > The FIDO API approach really only works for first party apps like
> > PayPal, if the app is not doing federation and PayPal is doing the
> > authentication for their own app.
> >
> > Token binding private keys have similar issues.  The pool of private
> > keys will probably not be shared between apps, and not between the
> > app and the browser (Win 10 may be an exception but it is not
> > documented yet).
> >
> > In the case of using AppAuth with token binding the browser maintains
> > the keys so the enterprise would be able to see the same key and use
> > the same cookies across all AppAuth apps.
> >
> > You can include token binding in your app, however the token bindings
> > and cookies are going to be sandboxed per app.
> > Depending on implementation the app gets access to the cookie, but
> > perhaps not to the private token binding key.  (At least I don't
> > think it will in Android embedded webview).
> >
> > We could expand on this later in an update to the BCP once Web
> > Authentication and Token Binding are final.
> >
> > There are still some unknowns, but in general for any sort of
> > SSO/Federation 3rd party app I don't see recommending anything other
> > than a custom tab / view controller / external browser.
> >
> > William can take the formatting question :)
> >
> > John B.
> >
> > > On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig
> > > <hannes.tschofenig@gmx.net> wrote:
> > >
> > > Hi William, Hi John,
> > >
> > > I just re-read version -8 of the document again.
> > >
> > > Two minor remarks only.
> > >
> > > Editorial issue: Why do you need to introduce a single sub-section
> > > within Section 7.1. (namely Section 7.1.1)?
> > >
> > > Background question: You note that embedded user agents have the
> > > disadvantage that the app that hosts the embedded user-agent can
> > > access the user's full authentication credential. This is certainly
> > > true for password-based authentication mechanisms but I wonder
> > > whether this is also true for strong authentication techniques, such
> > > as those used by FIDO combined with token binding. Have you looked
> > > into more modern authentication techniques as well and their
> > > security implication?
> > >
> > > Ciao
> > > Hannes
> > >
> > > On 03/03/2017 07:39 AM, William Denniss wrote:
> > > > Changes:
> > > >
> > > > – Addresses feedback from the second round of WGLC.
> > > > – Reordered security consideration sections to better group
> > > >   related topics.
> > > > – Added complete URI examples to each of the 3 redirect types.
> > > > – Editorial pass.
> > > >
> > > >
> > > > On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org
> > > > <mailto:internet-drafts@ietf.org>> wrote:
> > > >
> > > >   A New Internet-Draft is available from the on-line
> > > >   Internet-Drafts directories.
> > > >   This draft is a work item of the Web Authorization Protocol of
> > > >   the IETF.
> > > >
> > > >           Title           : OAuth 2.0 for Native Apps
> > > >           Authors         : William Denniss
> > > >                             John Bradley
> > > >           Filename        : draft-ietf-oauth-native-apps-08.txt
> > > >           Pages           : 20
> > > >           Date            : 2017-03-02
> > > >
> > > >   Abstract:
> > > >     OAuth 2.0 authorization requests from native apps should only
> > > >     be made through external user-agents, primarily the user's
> > > >     browser.  This specification details the security and
> > > >     usability reasons why this is the case, and how native apps
> > > >     and authorization servers can implement this best practice.
> > > >
> > > >   The IETF datatracker status page for this draft is:
> > > >   https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
> > > >
=C2=A0There&#39;s also a htmlized version available at:<br></span>=C2=A0=C2=
=A0<a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3A=
%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-native-apps-08&amp;data=3D02=
%7C01%7Ctonynad%40microsoft.com%7Ceff092e6b2894ace8f8408d464cda4d5%7C72f988=
bf86f141af91ab2d7cd011db47%7C1%7C0%7C636244281810078497&amp;sdata=3DipyVLaX=
hefjwhIPqu4Vym3Nmi%2FXPER8hyKBDvP%2FAVCw%3D&amp;reserved=3D0" target=3D"_bl=
ank">https://na01.safelinks.prote<wbr>ction.outlook.com/?url=3Dhttps%<wbr>3=
A%2F%2Ftools.ietf.org%2Fhtml%<wbr>2Fdraft-ietf-oauth-native-<wbr>apps-08&am=
p;data=3D02%7C01%7Ctonynad<wbr>%40microsoft.com%7Ceff092e6b28<wbr>94ace8f84=
08d464cda4d5%7C72f988<wbr>bf86f141af91ab2d7cd011db47%<wbr>7C1%7C0%7C6362442=
81810078497&amp;<wbr>sdata=3DipyVLaXhefjwhIPqu4Vym3Nm<wbr>i%2FXPER8hyKBDvP%=
2FAVCw%3D&amp;res<wbr>erved=3D0</a><br><br>&lt;<a href=3D"https://na01.safe=
links.protection.outlook.com/?url=3Dhttps%3A%2F%2Ftoo" target=3D"_blank">ht=
tps://na01.safelinks.protec<wbr>tion.outlook.com/?url=3Dhttps%<wbr>3A%2F%2F=
too</a><br><a href=3D"http://ls.ietf.org/" target=3D"_blank">ls.ietf.org</a=
>%2Fhtml%2Fdraft-iet<wbr>f-oauth-native-apps-08&amp;data=3D<wbr>02%7C01%7Ct=
<br>onynad%<a href=3D"http://40microsoft.com/" target=3D"_blank">40microsof=
t.com</a>%7Ceff09<wbr>2e6b2894ace8f8408d464cda4d5%<wbr>7C72f988bf8<br>6f141=
af91ab2d7cd011db47%7C1%7C<wbr>0%7C636244281810088501&amp;sdata=3D<wbr>pFJdi=
Zd2ni<br>SxiuXtThG8OE32rjHxoJ8U0jsoCmia<wbr>qKc%3D&amp;reserved=3D0&gt;<spa=
n class=3D"m_-6000036849972542875gmail-"><br><br>=C2=A0=C2=A0A diff from th=
e previous version is available at:<br></span>=C2=A0=C2=A0<a href=3D"https:=
//na01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2=
Frfcdiff%3Furl2%3Ddraft-ietf-oauth-native-apps-08&amp;data=3D02%7C01%7Ctony=
nad%40microsoft.com%7Ceff092e6b2894ace8f8408d464cda4d5%7C72f988bf86f141af91=
ab2d7cd011db47%7C1%7C0%7C636244281810088501&amp;sdata=3D0JOejYI%2F9vSFph4dt=
eZ6g16NbvLRy37erpRUAw2q%2FW8%3D&amp;reserved=3D0" target=3D"_blank">https:/=
/na01.safelinks.prote<wbr>ction.outlook.com/?url=3Dhttps%<wbr>3A%2F%2Fwww.i=
etf.org%2Frfcdiff<wbr>%3Furl2%3Ddraft-ietf-oauth-<wbr>native-apps-08&amp;da=
ta=3D02%7C01%<wbr>7Ctonynad%40microsoft.com%7Cef<wbr>f092e6b2894ace8f8408d4=
64cda4d5<wbr>%7C72f988bf86f141af91ab2d7cd01<wbr>1db47%7C1%7C0%7C63624428181=
008<wbr>8501&amp;sdata=3D0JOejYI%2F9vSFph4dt<wbr>eZ6g16NbvLRy37erpRUAw2q%2F=
W8%<wbr>3D&amp;reserved=3D0</a><br><br>&lt;<a href=3D"https://na01.safelink=
s.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww" target=3D"_blank">https:=
//na01.safelinks.protec<wbr>tion.outlook.com/?url=3Dhttps%<wbr>3A%2F%2Fwww<=
/a><br>.<a href=3D"http://ietf.org/" target=3D"_blank">ietf.org</a>%2Frfcdi=
ff%3Furl2%3Dd<wbr>raft-ietf-oauth-native-apps-<wbr>08&amp;data=3D02%<br>7C0=
1%7Ctonynad%<a href=3D"http://40microsoft.com/" target=3D"_blank">40microso=
ft.com</a><wbr>%7Ceff092e6b2894ace8f8408d464c<wbr>da4d5%7C7<br>2f988bf86f14=
1af91ab2d7cd011db4<wbr>7%7C1%7C0%7C636244281810088501<wbr>&amp;sdata=3D0J<b=
r>OejYI%2F9vSFph4dteZ6g16NbvLRy3<wbr>7erpRUAw2q%2FW8%3D&amp;reserved=3D0&gt=
;<span class=3D"m_-6000036849972542875gmail-"><br><br><br>=C2=A0=C2=A0Pleas=
e note that it may take a couple of minutes from the time of<br>=C2=A0=C2=
=A0submission<br>=C2=A0=C2=A0until the htmlized version and diff are availa=
ble at<span class=3D"m_-6000036849972542875gmail-m_8814585839802216220Apple=
-converted-space">=C2=A0</span><a href=3D"http://tools.ietf.org/" target=3D=
"_blank">tools.ietf.org</a><br></span>=C2=A0=C2=A0&lt;<a href=3D"https://na=
01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2Ftools.ietf.org&amp;=
data=3D02%7C01%7Ctonynad%40microsoft.com%7Ceff092e6b2894ace8f8408d464cda4d5=
%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636244281810088501&amp;sdata=
=3DsDynfqey0ru0Vm4%2FPEh0MA1IKtkrqmDnQ%2BmPCP%2B6K60%3D&amp;reserved=3D0" t=
arget=3D"_blank">https://na01.safelinks.prot<wbr>ection.outlook.com/?url=3D=
http%<wbr>3A%2F%2Ftools.ietf.org&amp;data=3D<wbr>02%7C01%7Ctonynad%40micros=
oft.<wbr>com%7Ceff092e6b2894ace8f8408d4<wbr>64cda4d5%7C72f988bf86f141af91a<=
wbr>b2d7cd011db47%7C1%7C0%7C636244<wbr>281810088501&amp;sdata=3DsDynfqey0ru=
<wbr>0Vm4%2FPEh0MA1IKtkrqmDnQ%<wbr>2BmPCP%2B6K60%3D&amp;reserved=3D0</a>&gt=
;.<span class=3D"m_-6000036849972542875gmail-"><br><br>=C2=A0=C2=A0Internet=
-Drafts are also available by anonymous FTP at:<br>=C2=A0=C2=A0<a href=3D"f=
tp://ftp.ietf.org/internet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/in=
ternet-<wbr>drafts/</a><br>=C2=A0=C2=A0&lt;<a href=3D"ftp://ftp.ietf.org/in=
ternet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/internet<wbr>-drafts/<=
/a>&gt;<br><br>=C2=A0=C2=A0____________________________<wbr>_______________=
____<br>=C2=A0=C2=A0OAuth mailing list<br>=C2=A0=C2=A0<a href=3D"mailto:OAu=
th@ietf.org" target=3D"_blank">OAuth@ietf.org</a><span class=3D"m_-60000368=
49972542875gmail-m_8814585839802216220Apple-converted-space">=C2=A0</span>&=
lt;<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">mailto:OAuth<wbr>@ie=
tf.org</a>&gt;<br></span>=C2=A0=C2=A0<a href=3D"https://na01.safelinks.prot=
ection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2=
Foauth&amp;data=3D02%7C01%7Ctonynad%40microsoft.com%7Ceff092e6b2894ace8f840=
8d464cda4d5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636244281810088501=
&amp;sdata=3D14GztZLY%2BnQNbhR5bqjS7cRYUSlotpr6JXtFXpduGuI%3D&amp;reserved=
=3D0" target=3D"_blank">https://na01.safelinks.prote<wbr>ction.outlook.com/=
?url=3Dhttps%<wbr>3A%2F%2Fwww.ietf.org%2Fmailman<wbr>%2Flistinfo%2Foauth&am=
p;data=3D02%<wbr>7C01%7Ctonynad%40microsoft.<wbr>com%7Ceff092e6b2894ace8f84=
08d4<wbr>64cda4d5%7C72f988bf86f141af91a<wbr>b2d7cd011db47%7C1%7C0%7C636244<=
wbr>281810088501&amp;sdata=3D14GztZLY%2B<wbr>nQNbhR5bqjS7cRYUSlotpr6JXtFXpd=
<wbr>uGuI%3D&amp;reserved=3D0</a><br><br>&lt;<a href=3D"https://na01.safeli=
nks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww" target=3D"_blank">http=
s://na01.safelinks.protec<wbr>tion.outlook.com/?url=3Dhttps%<wbr>3A%2F%2Fww=
w</a><br>.<a href=3D"http://ietf.org/" target=3D"_blank">ietf.org</a>%2Fmai=
lman%2Flistinfo<wbr>%2Foauth&amp;data=3D02%7C01%<wbr>7Ctonynad%40micro<br><=
a href=3D"http://soft.com/" target=3D"_blank">soft.com</a>%7Ceff092e6b2894a=
ce8f8<wbr>408d464cda4d5%<wbr>7C72f988bf86f141af91ab2d7<br>cd011db47%7C1%7C0=
%7C6362442818<wbr>10088501&amp;sdata=3D14GztZLY%<wbr>2BnQNbhR5bqjS7c<br>RYU=
Slotpr6JXtFXpduGuI%3D&amp;reser<wbr>ved=3D0&gt;<span class=3D"m_-6000036849=
972542875gmail-"><br><br><br><br><br>______________________________<wbr>___=
______________<br>OAuth mailing list<br><a href=3D"mailto:OAuth@ietf.org" t=
arget=3D"_blank">OAuth@ietf.org</a><br></span><a href=3D"https://na01.safel=
inks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww" target=3D"_blank">htt=
ps://na01.safelinks.protect<wbr>ion.outlook.com/?url=3Dhttps%3A%<wbr>2F%2Fw=
ww</a>.<br><a href=3D"http://ietf.org/" target=3D"_blank">ietf.org</a>%2Fma=
ilman%2Flistinfo%<wbr>2Foauth&amp;data=3D02%7C01%7Ctonynad<wbr>%40micros<br=
><a href=3D"http://oft.com/" target=3D"_blank">oft.com</a>%7Ceff092e6b2894a=
ce8f84<wbr>08d464cda4d5%7C72f988bf86f141a<wbr>f91ab2d7c<br>d011db47%7C1%7C0=
%7C63624428181<wbr>0088501&amp;sdata=3D14GztZLY%<wbr>2BnQNbhR5bqjS7cR<br>YU=
Slotpr6JXtFXpduGuI%3D&amp;reserv<wbr>ed=3D0<br><br></blockquote><span class=
=3D"m_-6000036849972542875gmail-"><br>______________________________<wbr>__=
_______________<br>OAuth mailing list<br><a href=3D"mailto:OAuth@ietf.org" =
target=3D"_blank">OAuth@ietf.org</a><br></span><a href=3D"https://na01.safe=
links.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.i" target=3D"_blank">=
https://na01.safelinks.protect<wbr>ion.outlook.com/?url=3Dhttps%3A%<wbr>2F%=
2Fwww.i</a><br><a href=3D"http://etf.org/" target=3D"_blank">etf.org</a>%2F=
mailman%2Flistinfo%2<wbr>Foauth&amp;data=3D02%7C01%7Ctonynad%<wbr>40microso=
f<br><a href=3D"http://t.com/" target=3D"_blank">t.com</a>%7Ceff092e6b2894a=
ce8f8408<wbr>d464cda4d5%7C72f988bf86f141af9<wbr>1ab2d7cd01<br>1db47%7C1%7C0=
%7C63624428181008<wbr>8501&amp;sdata=3D14GztZLY%<wbr>2BnQNbhR5bqjS7cRYUSl<b=
r>otpr6JXtFXpduGuI%3D&amp;reserved=3D0</blockquote></div></blockquote></div=
><br></div></div><br>______________________________<wbr>_________________<b=
r>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br>
<br></blockquote></div><br></div></div></div></div>

--001a11473f96b166a5054a29f44d--


From nobody Wed Mar  8 21:52:00 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C910F127ABE; Wed,  8 Mar 2017 21:51:54 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.47.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148903871476.20090.9776981099465629661@ietfa.amsl.com>
Date: Wed, 08 Mar 2017 21:51:54 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BGpWcTuE2Opda3Tm4VgVwJwv6a8>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-amr-values-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 05:51:55 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : Authentication Method Reference Values
        Authors         : Michael B. Jones
                          Phil Hunt
                          Anthony Nadalin
        Filename        : draft-ietf-oauth-amr-values-07.txt
        Pages           : 15
        Date            : 2017-03-08

Abstract:
   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry but no
   standard Authentication Method Reference values are currently
   defined.  This specification establishes a registry for
   Authentication Method Reference values and defines an initial set of
   Authentication Method Reference values.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-amr-values-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-amr-values-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

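As an added illustration of how a relying party consumes the "amr" claim whose values this draft registers (example code written for this page, not code from the draft, the IETF tooling or any project): the check below takes the claims of an already verified JWT and decides whether they evidence multi-factor authentication. The value names ("pwd", "pin", "otp", "hwk", "swk", "sc", "fpt", "face", "iris", "mfa") are ones the draft's initial registry defines; the grouping of those values into factor classes, the acceptance rule, and the sample payloads are assumptions constructed for this example.

```python
"""Relying-party policy check on the JWT "amr" claim.

Added example for this page (not code from the draft or any project).
The "amr" value names come from the draft's initial registry; the grouping
of values into factor classes, the policy rule, and the sample claims
below are constructed assumptions for the example.
"""
import json
from typing import Iterable

# Policy decision (assumption for this example): which registered "amr"
# values count as which class of authentication factor.
FACTOR_CLASSES = {
    "knowledge": {"pwd", "pin"},
    "possession": {"otp", "hwk", "swk", "sc"},
    "inherence": {"fpt", "face", "iris"},
}


def amr_values(claims: dict) -> list:
    """Return the "amr" claim as a list of strings, or [] when absent.

    "amr" is a JSON array of case-sensitive strings; any other shape is
    rejected as malformed rather than coerced.  (A bare string "mfa" would
    otherwise satisfy an `"mfa" in amr` test by substring match.)
    """
    raw = claims.get("amr")
    if raw is None:
        return []
    if not isinstance(raw, list) or not all(isinstance(v, str) for v in raw):
        raise ValueError('"amr" must be a JSON array of strings')
    return raw


def factor_classes(amr: Iterable[str]) -> set:
    """Map the amr values onto the factor classes the policy recognises.

    Values the policy does not know are ignored: they prove nothing to
    this relying party, which is the conservative reading of a registry
    that may grow over time.
    """
    present = set(amr)
    return {cls for cls, values in FACTOR_CLASSES.items() if present & values}


def meets_mfa_policy(claims: dict) -> bool:
    """True when the token evidences multi-factor authentication.

    Accepts the explicit "mfa" value, or at least two distinct factor
    classes.  Two values from the same class ("pwd" plus "pin") do not
    count, and a token with no "amr" claim gives the RP nothing to reason
    about, so it is not treated as multi-factor.
    """
    amr = amr_values(claims)
    if "mfa" in amr:
        return True
    return len(factor_classes(amr)) >= 2


def check_token_payload(payload_json: str) -> bool:
    """Apply the policy to a JWT payload whose signature, issuer, audience
    and expiry have already been verified (this function does none of that)."""
    return meets_mfa_policy(json.loads(payload_json))


if __name__ == "__main__":
    # Constructed sample payloads, not real tokens.
    samples = [
        '{"sub": "alice", "amr": ["pwd", "otp"]}',
        '{"sub": "bob", "amr": ["pwd", "pin"]}',
        '{"sub": "carol", "amr": ["mfa"]}',
        '{"sub": "dave"}',
    ]
    for payload in samples:
        verdict = "accept" if check_token_payload(payload) else "reject"
        print(payload, "->", verdict)
```

The policy is deliberately strict in two places a practitioner should keep: the claim's type is checked before any membership test, and an absent or unrecognised value never counts in the token's favour. Signature, issuer, audience and expiry validation belong in the JWT library layer before these claims are trusted at all.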

From nobody Wed Mar  8 21:53:27 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 441EF129400; Wed,  8 Mar 2017 21:53:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpFnXb06FGz7; Wed,  8 Mar 2017 21:53:19 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0135.outbound.protection.outlook.com [104.47.41.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B2F3127ABE; Wed,  8 Mar 2017 21:53:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ai6rrUS6AGeHx8XCSkAFXvUIJrdDChn7U0iQqHz3zK4=; b=Tl9o3xxILlrP3E4OWt++tvj7om+IjeOl4U+UIcR7cW19HrxxNhlgL9hH/IVzJjy3U7oBhT2uCi2xQgJaRFhEQajNnSNcjuSBW/8IR20djhsmjGwQIqWVZlC3azcc6cC38HOia+9mDJmiSg4FNQ7RvZHdZbxuo/i8LAGTRVHIpgM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Thu, 9 Mar 2017 05:53:16 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Thu, 9 Mar 2017 05:53:16 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Anthony Nadalin <tonynad@microsoft.com>, joel jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
Thread-Index: AQHSe97H5hXZpqeBE0CT6lHMY4yQFKFUP6sAgAABIQCAAB5D0IAAXXiAgAAdOACAAABqIIAAA2uAgAAA3wCAAAAzAIAAAO4AgAAAVZCAAAOFgIAqgOKggAkWs0CAABoJgIAAAbuQgAAGWICAATemAIAAD7wAgAJUoqA=
Date: Thu, 9 Mar 2017 05:53:15 +0000
Message-ID: <CY4PR21MB0504A295ED2CDA35A1377239F5210@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148587998454.2480.4991718024003414319.idtracker@ietfa.amsl.com> <BN3PR03MB2355204C821E8E1807143F95F54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <268ffcf0-2f90-049e-1a3c-03b39d62c338@cs.tcd.ie> <SN1PR0301MB2029F5A8F803768C1D764543A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com> <BN3PR03MB2355831A747ED03DC3B6608CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <da5d0f13-58c8-734a-4edf-5988a8aa7aed@cs.tcd.ie> <BN3PR03MB23555D125FBA8EC4ECCA5A9CF54C0@BN3PR03MB2355.namprd03.prod.outlook.com> <2972e6a5-2bdb-3047-2086-271730dfc3ef@cs.tcd.ie> <CY4PR21MB05045C7B1A47A7AC9CFA362EF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB0504360DE5B915C42B17C02DF52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a6f3617e-bdd9-114b-4025-b957efa12bc2@cs.tcd.ie> <CY4PR21MB050481D8CF7B8551D21F38A8F52C0@CY4PR21MB0504.namprd21.prod.outlook.com> <a78de3c1-7d73-8147-8540-0bc23fca366d@cs.tcd.ie> <CY4PR21MB0504A12F9CE5E8A66C0B790AF52F0@CY4PR21MB0504.namprd21.prod.outlook.com> <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
In-Reply-To: <da9a6295-8d8a-0d4d-e095-702bf679729d@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-office365-filtering-correlation-id: 288d236c-1c1e-4542-48f5-08d466b094b9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0504; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:zUZRyhzdLiPrg3g/jDPXLBpIcDYqK0Dc81iaDXdG8XVgGrrGgPNCexdyLps5pNmyQxmHZ9zs6LGdTHLP4OEIeJbD6xh0ie/qLRsJrCc3sr5z+iecyvndaILuUhiJ4kxLMUSwSoDMHTIHHUbGL9jBYlXhcntlCRiCCB0tI5pRXHmNxIA5dNTOj7/lkjS6dBMhrYcZKb+rTl6DtuC5OMb34PW4Rq85Hns61GJ6CbrNP1xT9CcVebRZ7P64/KN96hmr4XJDArXkWRHpf32OSYfU2b4WS5NqAKTx+bk/xq+89A3BW0uNqBW1Tos70T/MAZ88SZI/Pk+MAfrhyJZR4c4G9hP0OLt13kIWqMX2kDFTa90=
x-microsoft-antispam-prvs: <CY4PR21MB05042D0995A19F5A5B335417F5210@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(32856632585715)(120809045254105)(21532816269658); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123564025)(20161123555025)(20161123562025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504; 
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39410400002)(39840400002)(39450400003)(39860400002)(39850400002)(377454003)(40224003)(13464003)(24454002)(43784003)(51914003)(99286003)(8676002)(1720100001)(3660700001)(305945005)(3280700002)(229853002)(2900100001)(54356999)(106116001)(10090500001)(966004)(77096006)(2906002)(189998001)(8936002)(7736002)(74316002)(5005710100001)(551544002)(2561002)(33656002)(10290500002)(81166006)(86612001)(230783001)(6246003)(50986999)(102836003)(93886004)(122556002)(6306002)(3846002)(53546006)(53946003)(53936002)(25786008)(4326008)(9686003)(5660300001)(6436002)(54906002)(66066001)(55016002)(7696004)(6506006)(38730400002)(86362001)(2950100002)(6116002)(1511001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2017 05:53:15.9508 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NoWNwjGwPUvmaZHO8_dt-Sz0s90>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 05:53:22 -0000

SGkgU3RlcGhlbiwNCg0KSSd2ZSBhZGRlZCB0ZXh0IHRvIHRoZSBpbnRyb2R1Y3Rpb24gZXhwbGFp
bmluZyB0aGF0IHRoZSB2YWx1ZXMgYXJlIGludGVuZGVkIHRvIHByb3ZpZGUgaWRlbnRpZmllcnMg
Zm9yIGZhbWlsaWVzIG9mIGNsb3NlbHktcmVsYXRlZCBhdXRoZW50aWNhdGlvbiBtZXRob2RzLCBi
YXNlZCBvbiBvdXIgZGlzY3Vzc2lvbiBvZiB0aGlzIHRvcGljLiAgU2VlIHRoZSBkaWZmcyBhdCBo
dHRwczovL3d3dy5pZXRmLm9yZy9yZmNkaWZmP3VybDI9ZHJhZnQtaWV0Zi1vYXV0aC1hbXItdmFs
dWVzLTA3LiAgSG9wZWZ1bGx5IHRoaXMgY2xhcmlmaWVzIHRoaW5ncyBzdWZmaWNpZW50bHkgdG8g
c2F0aXNmeSB0aGUgaW50ZW50IG9mIHlvdXIgRElTQ1VTUywgU3RlcGhlbi4gIExldCBtZSBrbm93
Lg0KDQpJIGFsc28gdXBkYXRlZCB0aGUgTU9EUk5BIEF1dGhlbnRpY2F0aW9uIFByb2ZpbGUgcmVm
ZXJlbmNlLg0KDQoJCQkJVGhhbmtzIGFnYWluLA0KCQkJCS0tIE1pa2UNCg0KLS0tLS1PcmlnaW5h
bCBNZXNzYWdlLS0tLS0NCkZyb206IFN0ZXBoZW4gRmFycmVsbCBbbWFpbHRvOnN0ZXBoZW4uZmFy
cmVsbEBjcy50Y2QuaWVdIA0KU2VudDogVHVlc2RheSwgTWFyY2ggNywgMjAxNyAxMDoxMSBBTQ0K
VG86IE1pa2UgSm9uZXMgPE1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNvbT47IEFudGhvbnkgTmFk
YWxpbiA8dG9ueW5hZEBtaWNyb3NvZnQuY29tPjsgam9lbCBqYWVnZ2xpIDxqb2VsamFAYm9ndXMu
Y29tPjsgVGhlIElFU0cgPGllc2dAaWV0Zi5vcmc+DQpDYzogb2F1dGgtY2hhaXJzQGlldGYub3Jn
OyBkcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXNAaWV0Zi5vcmc7IG9hdXRoQGlldGYub3JnDQpT
dWJqZWN0OiBSZTogW09BVVRILVdHXSBTdGVwaGVuIEZhcnJlbGwncyBEaXNjdXNzIG9uIGRyYWZ0
LWlldGYtb2F1dGgtYW1yLXZhbHVlcy0wNTogKHdpdGggRElTQ1VTUykNCg0KDQoNCk9uIDA3LzAz
LzE3IDE3OjE3LCBNaWtlIEpvbmVzIHdyb3RlOg0KPiBZb3UncmUgcmlnaHQsIFN0ZXBoZW4uICBS
ZS1yZWFkaW5nIHRoZSBzcGVjLCBpdCBkb2Vzbid0IHNheSB0aGF0LCBhbmQgDQo+IGl0IHNob3Vs
ZC4gIFNvbWV0aW1lcyBpdCB0YWtlcyBzb21lb25lIGdpdmluZyBhIHNwZWMgYSBmcmVzaCByZWFk
IHRvIA0KPiB1bmNvdmVyIHRoaW5ncyB0aGF0IHRoZSBhdXRob3JzIHVuZGVyc3Rvb2QgYW5kIGlu
dGVuZGVkIGJ1dCBmYWlsZWQgdG8gDQo+IGJlIGNhcHR1cmVkIGluIHRoZSB0ZXh0LiAgVGhpcyBp
cyBzdWNoIGEgY2FzZSAtIHNvIHRoYW5rcy4NCj4gDQo+IEknbGwgYWRkIHRoaXMgaW5mb3JtYXRp
b24sIHdoaWNoIGlzIG5lY2Vzc2FyeSB0byB1bmRlcnN0YW5kIHRoZSANCj4gaW50ZW50LCBhbmQg
dGhlbiByZXB1Ymxpc2guDQoNCkFoIGdvb2QsIHRoYXQgZXhwbGFpbnMgdGhlIGRpc2Nvbm5lY3Qu
DQoNCkNoZWVycywNClMuDQoNCj4gDQo+IC0tIE1pa2UNCj4gDQo+IC0tLS0tT3JpZ2luYWwgTWVz
c2FnZS0tLS0tIEZyb206IFN0ZXBoZW4gRmFycmVsbCANCj4gW21haWx0bzpzdGVwaGVuLmZhcnJl
bGxAY3MudGNkLmllXSBTZW50OiBNb25kYXksIE1hcmNoIDYsIDIwMTcgMjozOSBQTSANCj4gVG86
IE1pa2UgSm9uZXMgPE1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNvbT47IEFudGhvbnkgTmFkYWxp
biANCj4gPHRvbnluYWRAbWljcm9zb2Z0LmNvbT47IGpvZWwgamFlZ2dsaSA8am9lbGphQGJvZ3Vz
LmNvbT47IFRoZSBJRVNHIA0KPiA8aWVzZ0BpZXRmLm9yZz4gQ2M6IG9hdXRoLWNoYWlyc0BpZXRm
Lm9yZzsgDQo+IGRyYWZ0LWlldGYtb2F1dGgtYW1yLXZhbHVlc0BpZXRmLm9yZzsgb2F1dGhAaWV0
Zi5vcmcgU3ViamVjdDogUmU6DQo+IFtPQVVUSC1XR10gU3RlcGhlbiBGYXJyZWxsJ3MgRGlzY3Vz
cyBvbg0KPiBkcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXMtMDU6ICh3aXRoIERJU0NVU1MpDQo+
IA0KPiANCj4gSGkgTWlrZSwNCj4gDQo+IE9uIDA2LzAzLzE3IDIyOjM0LCBNaWtlIEpvbmVzIHdy
b3RlOg0KPj4gVGhhbmtzIGZvciB0aGUgcmVwbHksIFN0ZXBoZW4uICBJJ2xsIHRyeSB0byBmaW5k
IGJldHRlciANCj4+IGludGVyb3AtcHJvZHVjaW5nIHJlZmVyZW5jZXMgd2hlcmUgcG9zc2libGUu
DQo+PiANCj4+IA0KPj4gSW4gc29tZSBjYXNlcywgaG93ZXZlciwgdGhlIHZhbHVlcyBhcmUgaW50
ZW50aW9uYWxseSBpbnRlbmRlZCB0byANCj4+IHByb3ZpZGUgYW4gaWRlbnRpZmllciBmb3IgYSBm
YW1pbHkgb2YgY2xvc2VseS1yZWxhdGVkIG1ldGhvZHMsIHN1Y2ggDQo+PiBhcyAib3RwIiwgd2hp
Y2ggY292ZXJzIGJvdGggdGltZS1iYXNlZCBhbmQgSE1BQy1iYXNlZCBPVFBzLg0KPiANCj4gSG1t
LiBJIGRvbid0IHJlY2FsbCB0ZXh0IHNheWluZyB0aGF0IGluIHRoZSBkcmFmdCwgYnV0IGl0J3Mg
cG9zc2libGUgDQo+IHRoYXQgSSBtaXNzZWQgaXQgLSBjYW4geW91IHBvaW50IG1lIGF0IHRoYXQ/
DQo+IA0KPiBJIGRvIGFncmVlIHRoYXQgaWYgdGhlIHNlbWFudGljcyBoZXJlIHdlcmUgInNvbWUg
b3RwIHdhcyB1c2VkIiB0aGVuIGl0IA0KPiB3b3VsZCBub3QgYmUgbmVjZXNzYXJ5IHRvIHNwZWNp
ZnkgZXhhY3RseSB3aGljaCBPVFAgc2NoZW1lIHdhcyB1c2VkLiANCj4gQnV0IHRoYXQgd2Fzbid0
IGhvdyBJIHJlYWQgd2hhdCB0aGlzIHNwZWMgd2FzIGRvaW5nLiAoQWdhaW4sIHRoYXQgDQo+IGNv
dWxkIGJlIG1lIGdldHRpbmcgdGhlIHdyb25nIGVuZCBvZiB0aGUgc3RpY2suKQ0KPiANCj4gUy4N
Cj4gDQo+IA0KPj4gTWFueSByZWx5aW5nIHBhcnRpZXMgd2lsbCBiZSBjb250ZW50IHRvIGtub3cg
dGhhdCBhbiBPVFAgaGFzIGJlZW4gDQo+PiB1c2VkIGluIGFkZGl0aW9uIHRvIGEgcGFzc3dvcmQu
ICBUaGUgZGlzdGluY3Rpb24gYmV0d2VlbiB3aGljaCBraW5kIA0KPj4gb2YgT1RQIHdhcyB1c2Vk
IGlzIG5vdCB1c2VmdWwgdG8gdGhlbS4gIFRodXMsIHRoZXJlJ3MgYSBzaW5nbGUgDQo+PiBpZGVu
dGlmaWVyIHRoYXQgY2FuIGJlIHNhdGlzZmllZCBpbiB0d28gb3IgbW9yZSBuZWFybHkgZXF1aXZh
bGVudCANCj4+IHdheXMuICBJIGNvbnNpZGVyIHRoaXMgdG8gYmUgYSBmZWF0dXJlIC0gbm90IGEg
YnVnLg0KPj4gDQo+PiANCj4+IA0KPj4gU2ltaWxhcmx5LCB0aGVyZSdzIGEgd2hvbGUgcmFuZ2Ug
b2YgbnVhbmNlcyBiZXR3ZWVuIGRpZmZlcmVudCANCj4+IGZpbmdlcnByaW50IG1hdGNoaW5nIGFs
Z29yaXRobXMuICBUaGV5IGRpZmZlciBpbiBmYWxzZSBwb3NpdGl2ZSBhbmQgIA0KPj4gZmFsc2Ug
bmVnYXRpdmUgcmF0ZXMgb3ZlciBkaWZmZXJlbnQgcG9wdWxhdGlvbiBzYW1wbGVzIGFuZCBhbHNv
IA0KPj4gZGlmZmVyIGJhc2VkIG9uIHRoZSBraW5kIGFuZCBtb2RlbCBvZiBmaW5nZXJwcmludCBz
ZW5zb3IgdXNlZC4NCj4+IExpa2UgdGhlIE9UUCBjYXNlLCBtYW55IFJQcyB3aWxsIGJlIGNvbnRl
bnQgdG8ga25vdyB0aGF0IGEgDQo+PiBmaW5nZXJwcmludCBtYXRjaCBtYXMgbWFkZSwgd2l0aG91
dCBkZWx2aW5nIGludG8gYW5kIGRpZmZlcmVudGlhdGluZyANCj4+IGJhc2VkIG9uIGV2ZXJ5IGFz
cGVjdCBvZiB0aGUgaW1wbGVtZW50YXRpb24gb2YgZmluZ2VycHJpbnQgY2FwdHVyZSANCj4+IGFu
ZCBtYXRjaC4gVGhvc2UgdGhhdCB3YW50IG1vcmUgcHJlY2lzaW9uIHRoYW4gdGhpcyBjYW4gYWx3
YXlzIGRlZmluZSANCj4+IG5ldyAiYW1yIiB2YWx1ZXMuICBCdXQgImZwdCIgaXMgZmluZSBhcyBp
cyBmb3Igd2hhdCBJIGJlbGlldmUgd2lsbCBiZSANCj4+IHRoZSA5MCslIGNhc2UuDQo+PiANCj4+
IA0KPj4gDQo+PiBVbHRpbWF0ZWx5LCB0aGUgUlAgaXMgZGVwZW5kaW5nIHVwb24gdGhlIElkZW50
aXR5IFByb3ZpZGVyIHRvIGRvIA0KPj4gcmVhc29uYWJsZSB0aGluZ3MuICBJZiBpdCBkaWRuJ3Qg
dHJ1c3QgdGhlIElkUCB0byBkbyBzbywgaXQgaGFzIG5vICANCj4+IGJ1c2luZXNzIHVzaW5nIGl0
LiAgVGhlICJhbXIiIHZhbHVlIGxldHMgdGhlIElkUCBzaWduYWwgdG8gdGhlIFJQICANCj4+IGFk
ZGl0aW9uYWwgaW5mb3JtYXRpb24gYWJvdXQgd2hhdCBpdCBkaWQsIGZvciB0aGUgY2FzZXMgaW4g
d2hpY2ggdGhhdCANCj4+IGluZm9ybWF0aW9uIGlzIHVzZWZ1bCB0byB0aGUgUlAuDQo+PiANCj4+
IA0KPj4gDQo+PiBSZWR1Y2luZyB0aGlzIHRvIHRoZSBwb2ludCBvZiBhYnN1cmRpdHksIHRoZSBS
UCB3b3VsZCBhbG1vc3QgbmV2ZXIgIA0KPj4gY2FyZSBhYm91dCB0aGUgbWFrZSwgbW9kZWwsIGFu
ZCBzZXJpYWwgbnVtYmVyIG9mIHRoZSBmaW5nZXJwcmludCANCj4+IHJlYWRlciBvciBPVFAuICBW
YWx1ZXMgY291bGQgYmUgZGVmaW5lZCB0byBwcm92aWRlIHRoYXQgZ3JhbnVsYXJpdHkuIA0KPj4g
QnV0IG1ha2luZyB0aG9zZSBmaW5lLWdyYWluZWQgZGlzdGluY3Rpb25zIGFyZSBub3QgdXNlZnVs
IGluIA0KPj4gcHJhY3RpY2UuDQo+PiANCj4+IA0KPj4gDQo+PiBQbGVhc2UgY29uc2lkZXIgdGhl
IGV4aXN0aW5nIGRlZmluaXRpb25zIGluIGxpZ2h0IG9mIHRoYXQgcmVkdWN0aW8gYWQgDQo+PiBh
YnN1cmR1bS4gIFRoZSBleGlzdGluZyB2YWx1ZXMgb25seSBtYWtlIGRpc3RpbmN0aW9ucyB0aGF0
IGFyZSBrbm93biANCj4+IHRvIGJlIHVzZWZ1bCB0byBSUHMuICBTbGljaW5nIHRoaW5ncyBtb3Jl
IGZpbmVseSB0aGFuIHdvdWxkIGJlIHVzZWQgDQo+PiBpbiBwcmFjdGljZSBhY3R1YWxseSBodXJ0
cyBpbnRlcm9wLCByYXRoZXIgdGhhbiBoZWxwaW5nIGl0LCBiZWNhdXNlIA0KPj4gaXQgd291bGQg
Zm9yY2UgYWxsIFJQcyB0byByZWNvZ25pemUgdGhhdCBzZXZlcmFsIG9yIG1hbnkgZGlmZmVyZW50
IA0KPj4gdmFsdWVzIGFjdHVhbGx5IG1lYW4gdGhlIHNhbWUgdGhpbmcgdG8gdGhlbS4NCj4+IA0K
Pj4gDQo+PiANCj4+IC0tIE1pa2UNCj4+IA0KPj4gDQo+PiANCj4+IC0tLS0tT3JpZ2luYWwgTWVz
c2FnZS0tLS0tIEZyb206IFN0ZXBoZW4gRmFycmVsbCANCj4+IFttYWlsdG86c3RlcGhlbi5mYXJy
ZWxsQGNzLnRjZC5pZV0gU2VudDogTW9uZGF5LCBNYXJjaCA2LCAyMDE3IDI6MTAgDQo+PiBQTSBU
bzogTWlrZSBKb25lcyA8TWljaGFlbC5Kb25lc0BtaWNyb3NvZnQuY29tPjsgQW50aG9ueSBOYWRh
bGluIA0KPj4gPHRvbnluYWRAbWljcm9zb2Z0LmNvbT47IGpvZWwgamFlZ2dsaSA8am9lbGphQGJv
Z3VzLmNvbT47IFRoZSBJRVNHICANCj4+IDxpZXNnQGlldGYub3JnPiBDYzogb2F1dGgtY2hhaXJz
QGlldGYub3JnOyANCj4+IGRyYWZ0LWlldGYtb2F1dGgtYW1yLXZhbHVlc0BpZXRmLm9yZzsgb2F1
dGhAaWV0Zi5vcmcgU3ViamVjdDogUmU6DQo+PiBbT0FVVEgtV0ddIFN0ZXBoZW4gRmFycmVsbCdz
IERpc2N1c3Mgb24NCj4+IGRyYWZ0LWlldGYtb2F1dGgtYW1yLXZhbHVlcy0wNTogKHdpdGggRElT
Q1VTUykNCj4+IA0KPj4gDQo+PiANCj4+IA0KPj4gDQo+PiBIaSBNaWtlLA0KPj4gDQo+PiANCj4+
IA0KPj4gQXBvbG9naWVzIC0gSSB1cGRhdGVkIHRoZSBkaXNjdXNzIGJhbGxvdCB0ZXh0IFsxXSBv
biBGZWIgMjggYnV0IA0KPj4gbXVzdCd2ZSBub3Qgc2VudCBpdCBhcyBhbiBlbWFpbCBvciBzb21l
dGhpbmcuIEFueXdheS4uLg0KPj4gDQo+PiANCj4+IA0KPj4gWzFdDQo+PiBodHRwczovL2RhdGF0
cmFja2VyLmlldGYub3JnL2RvYy9kcmFmdC1pZXRmLW9hdXRoLWFtci12YWx1ZXMvYmFsbG90Lw0K
Pj4NCj4+DQo+Pg0KPj4NCj4+IA0KT24gMDYvMDMvMTcgMjA6MzgsIE1pa2UgSm9uZXMgd3JvdGU6
DQo+PiANCj4+PiBIaSBTdGVwaGVuLiAgVGhlIGNoYW5nZXMgaW4gZHJhZnQgLTA2IHdlcmUgaW50
ZW5kZWQgdG8gYWRkcmVzcyB5b3VyDQo+PiANCj4+PiBESVNDVVNTIHBvaW50cy4gIEFyZSB5b3Ug
c2F0aXNmaWVkIHdpdGggdGhlc2UgY2hhbmdlcyBvciBhcmUgdGhlcmUNCj4+IA0KPj4+IGFkZGl0
aW9uYWwgY2hhbmdlcyB5b3Ugd2FudD8gIEknbSBhc2tpbmcgcGFydGx5IGJlY2F1c2UgaXQncyBh
IHdlZWsNCj4+IA0KPj4+IG5vdyB1bnRpbCB0aGUgc3VibWlzc2lvbiBjdXRvZmYgYW5kIGlmIGFk
ZGl0aW9uYWwgY2hhbmdlcyBhcmUgDQo+Pj4gbmVlZGVkLA0KPj4gDQo+Pj4gSSdkIGxpa2UgdG8g
bWFrZSB0aGVtIHRoaXMgd2Vlay4NCj4+IA0KPj4gDQo+PiANCj4+IFNvIEkgZG8gdGhpbmsgdGhl
cmUncyBzdGlsbCB3b3JrIHRvIGJlIGRvbmUsIG1heSBhcyB3ZWxsIGNvcHkgdGhlIG5ldyANCj4+
IGJhbGxvdCB0ZXh0IGhlcmU6DQo+PiANCj4+IA0KPj4gDQo+PiAiDQo+PiANCj4+IEkgdGhpbmsg
d2Ugc3RpbGwgaGF2ZSB0aGUgcHJvYmxlbSB0aGF0IHRoZSB2YWx1ZXMgImRlZmluZWQiIGhlcmUg
DQo+PiAoZS5nLiAiZnB0IikgYXJlIHVuZGVyIHNwZWNpZmllZCB0byBhIHNpZ25pZmljYW50IGRl
Z3JlZS4gUkZDNDk0OSANCj4+IGRvZXMgbm90IHRlbGwgYW55b25lIGhvdyB0byBhY2hpZXZlIGlu
dGVyb3Agd2l0aCAiZnB0IiAobm9yIGFueSBvZiANCj4+IHRoZSBvdGhlciBjYXNlcyB3aGVyZSB5
b3UgcmVmZXIgdG8gNDk0OSBJIHRoaW5rKS4gVGhlcmUgaXMgdGhlcmVmb3JlIA0KPj4gbm8gdXRp
bGl0eSBpbiAiZGVmaW5pbmciICJmcHQiIGFzIGl0IHdpbGwgbm90IGFjaGlldmUgaW50ZXJvcCBh
bmQgaW4gDQo+PiBmYWN0IGlzIG1vcmUgbGlrZWx5IHRvIGNhdXNlIGNvbmZ1c2lvbiB0aGFuIGlu
dGVyb3AuDQo+PiBJZiB0aGUgc29sdXRpb24gb2YgYWN0dWFsbHkgZGVmaW5pbmcgdGhlIG1lYW5p
bmcgb2YgdGhpbmdzIGxpa2UgImZwdCIgDQo+PiBpcyBub3QgYWNoaWV2YWJsZSB0aGVuIHBlcmhh
cHMgaXQgd2lsbCBiZSBiZXR0ZXIgdG8gb25seSBkZWZpbmUgdGhvc2UgDQo+PiBmb3Igd2hpY2gg
[base64-encoded quoted reply history of the thread "[OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)" omitted]


From nobody Fri Mar 10 18:02:03 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 26D511294CC; Fri, 10 Mar 2017 18:02:03 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.47.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148919772312.2936.6929581996103187149@ietfa.amsl.com>
Date: Fri, 10 Mar 2017 18:02:03 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wG59DpBEbgF1qJVJXsQeGmD2nE0>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-discovery-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 02:02:03 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Authorization Server Metadata
        Authors         : Michael B. Jones
                          Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-discovery-06.txt
	Pages           : 22
	Date            : 2017-03-10

Abstract:
   This specification defines a metadata format that an OAuth 2.0 client
   can use to obtain the information needed to interact with an OAuth
   2.0 authorization server, including its endpoint locations and
   authorization server capabilities.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-discovery-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-discovery-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

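As an added illustration of the metadata format the abstract above describes (example code written for this edit, not taken from the draft, its authors or any project): a client-side check that derives the well-known metadata URL from a configured issuer and validates a metadata document before trusting its endpoints. The field names issuer, authorization_endpoint, token_endpoint and jwks_uri are the draft's; the well-known path, the rule that the issuer is an https URL without query or fragment, and the https requirement for jwks_uri (the one the -06 update announcement later in this archive mentions) are taken from RFC 8414, the RFC this draft became, and are assumed to apply to draft -06 as well. The sample JSON documents and the helper names are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: an AS metadata document whose jwks_uri uses http.
# Under the -06 rule that jwks_uri must use https, a client must reject it.
WEAK_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "http://as.example.com/jwks.json",   # wrong scheme
    "response_types_supported": ["code"],
})

# Constructed sample: the same document with the jwks_uri scheme corrected.
GOOD_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks.json",
    "response_types_supported": ["code"],
})


def well_known_url(issuer: str) -> str:
    """Build the metadata URL for an issuer (path form as in RFC 8414, assumed
    for draft -06): the well-known segment is inserted between the host and
    any path component of the issuer identifier."""
    p = urlparse(issuer)
    path = p.path.rstrip("/")
    return f"{p.scheme}://{p.netloc}/.well-known/oauth-authorization-server{path}"


def validate_as_metadata(raw: str, expected_issuer: str) -> list:
    """Return the list of problems found in a metadata document.

    An empty list means the document may be used. expected_issuer is the
    issuer the client was configured with; requiring an exact match stops a
    document fetched from one server from speaking for another issuer.
    """
    problems = []
    try:
        md = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    if not isinstance(md, dict):
        return ["metadata must be a JSON object"]

    issuer = md.get("issuer")
    if not isinstance(issuer, str):
        problems.append("missing 'issuer'")
    else:
        if issuer != expected_issuer:
            problems.append(
                f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
        p = urlparse(issuer)
        if p.scheme != "https" or p.query or p.fragment:
            problems.append(
                "issuer must be an https URL without query or fragment")

    # Every endpoint location, and jwks_uri (the key source of the AS's
    # signing keys), must be fetched over https; a plain-http value would let
    # an on-path party substitute endpoints or keys.
    for key, value in md.items():
        if key == "jwks_uri" or key.endswith("_endpoint"):
            if not isinstance(value, str) or urlparse(value).scheme != "https":
                problems.append(
                    f"{key!r} must use the https scheme (got {value!r})")
    return problems


if __name__ == "__main__":
    print("fetch from:", well_known_url("https://as.example.com"))
    for label, doc in (("weak", WEAK_METADATA), ("good", GOOD_METADATA)):
        print(label, validate_as_metadata(doc, "https://as.example.com") or "ok")
```

The validator reports every problem rather than stopping at the first, so an operator can fix a metadata document in one pass; a client should refuse to use any document for which the list is non-empty.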

From nobody Fri Mar 10 18:07:22 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D79AB129514 for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:07:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level: 
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2a5oZ9w5qnsm for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:07:19 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0121.outbound.protection.outlook.com [104.47.36.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB2C8129503 for <oauth@ietf.org>; Fri, 10 Mar 2017 18:07:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wCk/1X7e8F0mWMQZE26U8oq9+V0PfuLNNC1nb7TXgXc=; b=UNaEPp3FpVsCtJngSeLbG0TPpdTljfxqx6Upp9Nwv+un259lT0ARXQ/jElwcIocjCILxh+i2y9JNPB3KhEbRfw/wE3QCcn9PX+TE7vX45oiGw0le0F2HOopPGm13OchWtHfenijaBfr5s0KImFDPAaSsltFVO6lkzWw+TS+88cM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sat, 11 Mar 2017 02:07:17 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.022; Sat, 11 Mar 2017 02:07:17 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Authorization Server Metadata spec incorporating WGLC feedback
Thread-Index: AdKaCIr9F4iYVPNUR5e0ATjT3hGWRw==
Date: Sat, 11 Mar 2017 02:07:17 +0000
Message-ID: <CY4PR21MB050493334563F57FF7FD2812F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: 218d2a1a-51a0-4aaf-7303-08d468235809
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0503; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:8T+QI/bMB46gJlkaawi7jIwgviBYyky45bTk49qabfioOABxq0oFRMUxk9lxJ0abnrk3H9du3kaq9+YcUrgi2nDffJ9hk01QIpsDeb23E0yi60ImHdc6xfCbA9oOWgvGCzLLDbAaZJ1K/MokWEFpnrttC86hAzcf6H2oegqi1eKRNd+pn9tE1Xs+saRd/6y6gi1xyTAMf3mdbXOgtNO9qzXDscHTm64aF6d0U0qnI2VXJU6HADOwvn7in+wxOw/9/XJ1aq41Ko1u07dBdl36bm7pCBYMLhvirSlnkQGhTgRJEfWO7pt4hGn5XONCg8gC7+5UQwiNlaRBx+0XGLhJozhhE+BET5MT/yxXQL07Rtw=
x-microsoft-antispam-prvs: <CY4PR21MB05030B2168736AC148E40E0CF5230@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(31418570063057)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503; 
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39860400002)(39850400002)(39410400002)(39840400002)(209900001)(5630700001)(6916009)(189998001)(2351001)(2501003)(2900100001)(6116002)(102836003)(790700001)(99286003)(5005710100001)(25786008)(5660300001)(7696004)(122556002)(77096006)(8990500004)(55016002)(5640700003)(10290500002)(74316002)(7736002)(966004)(10090500001)(6436002)(6506006)(33656002)(236005)(54356999)(9686003)(7906003)(50986999)(6306002)(54896002)(606005)(38730400002)(86612001)(53936002)(86362001)(3280700002)(8936002)(8676002)(2906002)(110136004)(53376002)(81166006)(3660700001)(1730700003)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050493334563F57FF7FD2812F5230CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 02:07:17.3058 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I4nm9UDdt4b8x3JKtLrYz8u-sI0>
Subject: [OAUTH-WG] OAuth Authorization Server Metadata spec incorporating WGLC feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 02:07:21 -0000

--_000_CY4PR21MB050493334563F57FF7FD2812F5230CY4PR21MB0504namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

The OAuth Authorization Server Metadata specification has been updated to incorporate the working group last call feedback received.  Thanks to William Denniss and Hannes Tschofenig for their reviews.  Use of the "https" scheme for the "jwks_uri" URL is now required.  The precedence of signed metadata values over unsigned values was clarified.  Unused references were removed.

The specification is available at:

*         https://tools.ietf.org/html/draft-ietf-oauth-discovery-06

An HTML-formatted version is also available at:

*         http://self-issued.info/docs/draft-ietf-oauth-discovery-06.html

                                                                -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1655 and as @selfissued<https://twitter.com/selfissued>.

--_000_CY4PR21MB050493334563F57FF7FD2812F5230CY4PR21MB0504namp_--


From nobody Fri Mar 10 18:08:49 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDDF129510 for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:08:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nz5Ix-xd6GK9 for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:08:46 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0133.outbound.protection.outlook.com [104.47.36.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E5AD129514 for <oauth@ietf.org>; Fri, 10 Mar 2017 18:08:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=UmorfcIIiuVb6VbZsoZl7YrCJFdEFG6bYoWjy428afs=; b=eUbOTwTMr+6IKUBHVNlFcIdWviUV1GhkBwIqdAh6a7+RDcn/nwOjCjwc38pP3/rDyytu1pH1tS9pUalyWQwBf4bjxdbh236WgZh/zPJc2Kw4NNBl/PkNEOfrX1vXvuoqLKbVqTALl+Qpt+UCZYRerv+Ce8uglhaCWkHLYWmtsOs=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sat, 11 Mar 2017 02:08:44 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.022; Sat, 11 Mar 2017 02:08:44 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata
Thread-Index: AQHSi93G2DiLgd6STkWd6z/5eE5XY6GOq5ag
Date: Sat, 11 Mar 2017 02:08:43 +0000
Message-ID: <CY4PR21MB0504B4508A7C459994025A7FF5230@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <c0ad73c9-4d4b-d62b-2782-c060037deb7d@gmx.net> <CAAP42hBuiFTTmnrZPGjnhNNM_idaoqh4kdkULmBGEsmNg_YRYA@mail.gmail.com>
In-Reply-To: <CAAP42hBuiFTTmnrZPGjnhNNM_idaoqh4kdkULmBGEsmNg_YRYA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: 665e84f2-7237-45f1-966f-08d468238bab
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0503; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:dog5vNVeLqwclEcvkzU5JH6Ffg2WoJ4OaydtyoO8oshYVSVfzb6PeTmCKEb1QLD6+4+2o59QqsvyJn5OyBG3d/YadbUP87Us+8ffQfnPbb42/SEjO0KmQBsBmIbTCIN89MX5rni+2Nqh85hJ/ntDlNeXT8bMLs27SAdSG4RLbtS7lldUVXIJ4nqUy4HIeDfNYI0My3C72wG6DfTJWLVVAPgXAt4CxO7MRiNmBi1UlOdco3y7U57fGRhwfvjBKfGZqHw7Ust4eqySnkutEz/pwVIv8CEDFcjwTDNjpFfkYkro9BH0vPME2PbCkaShvyS6kd8XfJu2+fPgu7skK8riF1nGjO14grTIlct/FsNAfaU=
x-microsoft-antispam-prvs: <CY4PR21MB050391579F907316F9E70C13F5230@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(131327999870524)(248736688235697)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503; 
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39860400002)(39850400002)(39410400002)(39840400002)(53754006)(24454002)(377454003)(2950100002)(189998001)(2900100001)(6116002)(102836003)(790700001)(99286003)(5005710100001)(25786008)(5660300001)(7696004)(122556002)(77096006)(8990500004)(55016002)(10290500002)(19609705001)(106116001)(74316002)(7736002)(10090500001)(6436002)(4326008)(6506006)(33656002)(236005)(54356999)(9686003)(7906003)(53546006)(50986999)(6306002)(76176999)(54896002)(606005)(38730400002)(86612001)(53936002)(86362001)(3280700002)(8936002)(8676002)(2906002)(81166006)(3660700001)(6246003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504B4508A7C459994025A7FF5230CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 02:08:44.0262 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AmRnmCOGkGP8YXQCfhOKfxyDEAc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 02:08:48 -0000

--_000_CY4PR21MB0504B4508A7C459994025A7FF5230CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB0504B4508A7C459994025A7FF5230CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB0504B4508A7C459994025A7FF5230CY4PR21MB0504namp_--


From nobody Fri Mar 10 18:09:18 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 648B5129538 for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level: 
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u5szstpY57W4 for <oauth@ietfa.amsl.com>; Fri, 10 Mar 2017 18:09:05 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0116.outbound.protection.outlook.com [104.47.36.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CBA112953A for <oauth@ietf.org>; Fri, 10 Mar 2017 18:08:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IZEbLwhhMD6KU+vh1VJONyqATK3/V4AajVDJe4QbydU=; b=Oj08yCVp6B8rk8GAyXqy2pqTlRpi5e7738Wl9/+bmm7iJnHtZKx01wel7D3THShnNN65p9LHSqmrO8005P7ZHkqmS24JQZvbfOjLVVTWY3FNmCsVJVjoGoht4sVGzGXH/15x7/q+JRQ+MnOlYqbXZ7JOVEe0jKSLU5xSc/GPsG0=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sat, 11 Mar 2017 02:08:57 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.022; Sat, 11 Mar 2017 02:08:57 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata
Thread-Index: AQHSlo+ld6BPSzrHt0yZ00/LNl1b0KGOmKOw
Date: Sat, 11 Mar 2017 02:08:56 +0000
Message-ID: <CY4PR21MB050432D2BE1C533EE9139A29F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <c0ad73c9-4d4b-d62b-2782-c060037deb7d@gmx.net> <CY4PR21MB0504DD37A2BE778F76D6B14EF55E0@CY4PR21MB0504.namprd21.prod.outlook.com> <96b7e141-26a0-f48a-4cc4-5964ae78db42@gmx.net>
In-Reply-To: <96b7e141-26a0-f48a-4cc4-5964ae78db42@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmx.net; dkim=none (message not signed) header.d=none;gmx.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: 6b03921e-b2a1-498c-6924-08d46823935a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0503; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:pz4R2b3YC0wdSBYxEcGU1myccx6Qwaw33CW6NMVj7PEK8tgALYxNaGDphZnx2PGqbETDXNYBxdNW26RdZDXF8DqIbKXj64sFANtrsL2eb2DSfMaWrLpTVCUqFtnLbP38rQ+ZJggbVgoBmPDJS3sf+sb0DC4kETztBHle1JDUNq22jIxkgBUWi7+hvSbzrxr0O4cqUKIyNzmqLGKkOUCbqo3wKEPXNBnzEEIxpC4ud8wQvPe8UoctToT6MyUuLYenQ1IH6MuKaBUEp+rbIP7agDduRM/cd2HPCZPB7IUzEhfwG1pUVMl1wOqRR7hbb+Djmuyda2syhAzvEWi5DajOkRoXA0/uqn3abZMS9mGo0M4=
x-microsoft-antispam-prvs: <CY4PR21MB05037E64336FB928A8522B91F5230@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(248736688235697)(21748063052155)(17755550239193); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503; 
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39860400002)(39850400002)(39410400002)(39840400002)(53754006)(24454002)(13464003)(377454003)(2950100002)(189998001)(2501003)(2900100001)(6116002)(102836003)(790700001)(99286003)(5005710100001)(25786008)(5660300001)(7696004)(122556002)(77096006)(8990500004)(55016002)(10290500002)(106116001)(74316002)(7736002)(10090500001)(6436002)(6506006)(33656002)(236005)(54356999)(9686003)(7906003)(53546006)(50986999)(6306002)(76176999)(54896002)(606005)(38730400002)(86612001)(53936002)(86362001)(3280700002)(8936002)(8676002)(2906002)(81166006)(3660700001)(6246003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050432D2BE1C533EE9139A29F5230CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 02:08:56.8520 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9-IRuGgyEWKIK4qsnZfLHq6Qrqo>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 02:09:07 -0000

--_000_CY4PR21MB050432D2BE1C533EE9139A29F5230CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Thanks a lot for your review, Hannes.  Draft -06 incorporates your feedback.  Replies are inline below.

                                                                Thanks,
                                                                -- Mike

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
Sent: Monday, March 6, 2017 7:38 AM
To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization Server Metadata

Hi Mike, Hi all,

as a shepherd I have reviewed the draft and I only have a few minor comments.

RFC 2246 is included in the normative reference section but not mentioned in the text.

[RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, DOI 10.17487/RFC2246, January 1999,
              <http://www.rfc-editor.org/info/rfc2246>.

The same is true for these references:

   [RFC7565]  Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
              DOI 10.17487/RFC7565, May 2015,
              <http://www.rfc-editor.org/info/rfc7565>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              <http://tools.ietf.org/html/rfc7518>.

These references have all been removed.

The description of this claim sounds a bit strange.

   jwks_uri
      OPTIONAL.  URL of the authorization server's JWK Set [JWK]
      document.  This contains the signing key(s) the client uses to
      validate signatures from the authorization server.  The JWK Set
      MAY also contain the server's encryption key(s), which are used by
      clients to encrypt requests to the server.  When both signing and
      encryption keys are made available, a "use" (public key use)
      parameter value is REQUIRED for all keys in the referenced JWK Set
      to indicate each key's intended usage.

Instead of saying "This contains the signing key(s) the client uses to validate signatures from the authorization server."  I would say something like:

"The JWK, once retrieved from the indicated URL, contains the public
key(s) the client uses to validate signatures from the authorization server."

Good catch.  Rather than saying “This contains”, it now says “The referenced document contains”.

Could you also explain how you anticipate these keys to be used? The meta data may be digitally signed by the authorization server. You obviously need the public key corresponding to the private key used for signing to the meta-data JSON payload. You seem to be suggesting to include a URL to that key inside the message itself. If you are not using HTTPS then you are toast. If you use an HTTPS-based then you are essentially relying on the trust anchors in the browser for security. Is that what you want?

The URL is now explicitly required to use the https scheme.  This requirement has now been made explicit in the jwks_uri definition.

Yes, you’re relying on the trust anchors in the browser for security.  That’s why the issuer requires use of the https scheme (meaning that the AS metadata will be retrieved from an https URL).  The use of TLS for the jwks_uri is another case of this reliance.

Is this mechanism supposed to work with symmetric as well as asymmetric keys?

No.  Given that the JWKS Set is public, it must contain only public keys.

Ciao
Hannes

On 02/20/2017 05:33 PM, Mike Jones wrote:
> Per working group feedback, the document now reflects the singular mission of documenting OAuth Authorization Server Metadata as it is actually used in practice.  I believe that the document today accomplishes this mission and is ready for publication.
>
>                                                                -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes
> Tschofenig
> Sent: Monday, February 20, 2017 1:46 AM
> To: oauth@ietf.org<mailto:oauth@ietf.org>
> Subject: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization
> Server Metadata
>
> Hi all,
>
> it was roughly a year ago when we issued a working group last call on draft-ietf-oauth-discovery, see https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html. Lots of feedback resulted in a significant restructuring of the document.
>
> The authors of the draft now believe it is ready for a second WGLC and hence we would like to start a 2-week review period.
>
> Please provide your review comments no later than March 6th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
>
> Ciao
> Hannes & Derek
>

--_000_CY4PR21MB050432D2BE1C533EE9139A29F5230CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050432D2BE1C533EE9139A29F5230CY4PR21MB0504namp_--

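Added example (not code from the draft, from Mike Jones or from Hannes Tschofenig): the checks a client can run on an AS metadata document and on the JWK Set it points to, enforcing what the two messages above settle, namely the https scheme for issuer and jwks_uri, public keys only in the published JWK Set, a "use" value on every key once both signing and encryption keys are published, and signed metadata values taking precedence over unsigned ones. The sample documents, the placeholder key values and the alg-to-use inference are assumptions of this example; verifying the JWS that carries the signed claims is left to the caller.

```python
"""Checks on an OAuth 2.0 Authorization Server Metadata document and its JWK
Set: https for issuer and jwks_uri, public keys only, "use" on every key
once both signing and encryption keys are published, and signed metadata
values winning over unsigned ones. Added example, not the draft's code."""
from urllib.parse import urlsplit

# JWK members that appear only in private or symmetric keys (RFC 7518).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# JWA algorithm names, used to infer a key's purpose when "use" is absent.
SIG_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
            "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
ENC_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW",
            "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128KW", "A192KW", "A256KW"}


def is_https_url(value, allow_query_fragment=True):
    """True for an absolute URL with the https scheme and a host."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return allow_query_fragment or not (parts.query or parts.fragment)


def check_metadata_urls(metadata):
    """issuer is REQUIRED, https, without query or fragment; jwks_uri is
    OPTIONAL but must be https when present."""
    findings = []
    if "issuer" not in metadata:
        findings.append("issuer: missing (REQUIRED)")
    elif not is_https_url(metadata["issuer"], allow_query_fragment=False):
        findings.append("issuer: must be an https URL with no query or fragment")
    if "jwks_uri" in metadata and not is_https_url(metadata["jwks_uri"]):
        findings.append("jwks_uri: must be an https URL")
    return findings


def key_use(jwk):
    """'sig', 'enc' or None: the explicit "use", else inferred from "alg"."""
    use = jwk.get("use")
    if use in ("sig", "enc"):
        return use
    alg = jwk.get("alg")
    return "sig" if alg in SIG_ALGS else "enc" if alg in ENC_ALGS else None


def check_jwk_set(jwk_set):
    """Findings for the document fetched from jwks_uri."""
    keys = jwk_set.get("keys")
    if not isinstance(keys, list):
        return ["keys: missing or not an array"]
    findings, uses = [], set()
    for index, jwk in enumerate(keys):
        label = jwk.get("kid", "key #%d" % index)
        if jwk.get("kty") == "oct":          # symmetric: never public
            findings.append("%s: symmetric key in a public JWK Set" % label)
        else:
            leaked = sorted(PRIVATE_MEMBERS & set(jwk))
            if leaked:
                findings.append("%s: private members present: %s" % (label, leaked))
        uses.add(key_use(jwk))
    if {"sig", "enc"} <= uses:               # both purposes are published
        for index, jwk in enumerate(keys):
            if jwk.get("use") not in ("sig", "enc"):
                findings.append('%s: "use" is REQUIRED when both signing and '
                                "encryption keys are published"
                                % jwk.get("kid", "key #%d" % index))
    return findings


def merge_signed_metadata(unsigned, signed_claims):
    """Apply the precedence rule: a value from the (already verified) signed
    metadata replaces the unsigned value of the same name. Returns
    (merged, overridden) so a client can log what the unsigned copy said."""
    merged, overridden = dict(unsigned), []
    for name, value in signed_claims.items():
        if name in merged and merged[name] != value:
            overridden.append(name)
        merged[name] = value
    return merged, overridden


# Constructed sample documents; key values are placeholders, not key material.
SAMPLE_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "http://as.example.com/jwks.json",   # wrong scheme
}
SAMPLE_SIGNED_CLAIMS = {"issuer": "https://as.example.com",
                        "jwks_uri": "https://as.example.com/jwks.json"}
SAMPLE_JWK_SET = {"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "0vx7", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "alg": "RSA-OAEP", "n": "3bnX", "e": "AQAB"},
    {"kty": "EC", "kid": "leak", "use": "sig", "crv": "P-256",
     "x": "f83O", "y": "x_FE", "d": "jpsQ"},                     # private "d"
]}

if __name__ == "__main__":
    print(check_metadata_urls(SAMPLE_METADATA) + check_jwk_set(SAMPLE_JWK_SET))
    print(merge_signed_metadata(SAMPLE_METADATA, SAMPLE_SIGNED_CLAIMS)[1])
```

Run directly, it reports three findings for the constructed sample (an http jwks_uri, an EC key that still carries its private "d" member, and an encryption key without "use" next to a signing key) and then shows that jwks_uri was the one value the signed metadata overrode; the merged document passes the URL checks.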

From nobody Sat Mar 11 11:10:11 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80983129567 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 11:10:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level: 
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yuM1-wjt43w for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 11:10:08 -0800 (PST)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A084129561 for <oauth@ietf.org>; Sat, 11 Mar 2017 11:10:08 -0800 (PST)
X-AuditID: 1209190d-a5fff70000001515-7e-58c44b8ed90e
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 46.BB.05397.E8B44C85; Sat, 11 Mar 2017 14:10:07 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v2BJA63G027372 for <oauth@ietf.org>; Sat, 11 Mar 2017 14:10:06 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2BJA4fv011574 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Sat, 11 Mar 2017 14:10:05 -0500
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Message-Id: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu>
Date: Sat, 11 Mar 2017 14:10:04 -0500
To: "<oauth@ietf.org>" <oauth@ietf.org>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLIsWRmVeSWpSXmKPExsUixCmqrdvvfSTC4Px9NouTb1+xOTB6LFny kymAMYrLJiU1J7MstUjfLoEr4/Kx0ywFmzkrDs8QaGA8y97FyMkhIWAice70FyCbi0NIoI1J 4trs82wQzjFGie7pHxlBqoQEvjFJXN5dCWKzCahKTF/TwgRiMwuoS/yZd4kZwtaWWLbwNZjN K6AvMfvMJRYQW1hAS2LP17esEHEriR/vl7OB2CxAc25O+A42XwRozprzP5kgLpKVePtrCfME Rt5ZSFbMQrJiFpIVCxiZVzHKpuRW6eYmZuYUpybrFicn5uWlFuka6eVmluilppRuYgSHkiTv DsZ/d70OMQpwMCrx8Da4HIkQYk0sK67MPcQoycGkJMr7+8uhCCG+pPyUyozE4oz4otKc1OJD jBIczEoivKccgcp5UxIrq1KL8mFS0hwsSuK84hqNEUIC6YklqdmpqQWpRTBZGQ4OJQledi+g RsGi1PTUirTMnBKENBMHJ8hwHqDhviA1vMUFibnFmekQ+VOMilLivFc8gRICIImM0jy4XlCs J7w9bPqKURzoFWFeOZB2HmCagOt+BTSYCWjwNL6DIINLEhFSUg2Mpzn+nHgSLOu3fZHg9R2f b95+9lr+oVvNq6UBt08e/tVkId2XnLeNp3DJp2On3NjOPneyDuKy+xpz+/OMO0ezrTcWhiTk vmqbNktn5WIF5e/7ru8Qf1IrY6bT+Ptbiua03/us1OT+RhtWbD+xlHl9QJrVnY0aYU/9ciM/ 7jsf4+gT0/Hj/wn95UosxRmJhlrMRcWJAF5lYSbQAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jv61gI2UacF9Ny0h-E191DF2jUA>
Subject: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 19:10:09 -0000

We're implementing support for the device code draft and had a question on
what the "expiration" of the code refers to. Obviously, once the code has
expired it can no longer be used. But when should the expiration count from?
Say I have a code that's good for 60 seconds, do I start the timer as soon as
I issue the code to the client? Do I reset the timer when the user approves
the client, to another 60 seconds? Or does that 60 seconds count for the
entire transaction?

My read on it is the latter-- one timeout for the entire lifetime of the code
regardless of its current state, with no resets. But I didn't find good
guidance in the document itself.


Secondly, I had a question about the "response_type" parameter to the device
endpoint. This parameter is required and it has a single, required value,
with no registry or other possibility of extension. What's the point? If it's
for "parallelism", I'll note that this is *not* the authorization endpoint
(as the user is not present) and such constraints need not apply here.

 — Justin


From nobody Sat Mar 11 11:54:39 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAE49129590 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 11:54:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GB7WuQfHyQMV for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 11:54:36 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 590AA129468 for <oauth@ietf.org>; Sat, 11 Mar 2017 11:54:36 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id v125so196040695qkh.2 for <oauth@ietf.org>; Sat, 11 Mar 2017 11:54:36 -0800 (PST)
X-Received: by 10.55.221.89 with SMTP id n86mr9736157qki.186.1489262075156; Sat, 11 Mar 2017 11:54:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Sat, 11 Mar 2017 11:54:14 -0800 (PST)
In-Reply-To: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu>
From: William Denniss <wdenniss@google.com>
Date: Sat, 11 Mar 2017 11:54:14 -0800
Message-ID: <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary=001a1149a61af8012b054a79d85e
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5r4v6kWj-jBqUMNa0xlsEqQBJJ0>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 19:54:38 -0000

--001a1149a61af8012b054a79d85e
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu> wrote:

> We're implementing support for the device code draft and had a question on
> what the "expiration" of the code refers to. Obviously, once the code has
> expired it can no longer be used. But when should the expiration count
> from? Say I have a code that's good for 60 seconds, do I start the timer as
> soon as I issue the code to the client? Do I reset the timer when the user
> approves the client, to another 60 seconds? Or does that 60 seconds count
> for the entire transaction?
>
> My read on it is the latter-- one timeout for the entire lifetime of the
> code regardless of its current state, with no resets. But I didn't find
> good guidance in the document itself.
>

It's the expiry of the user_code and device_code pair, at which point the
device will need to start-over with a new device authorization request.
The device wouldn't *have* to start a timer, as they will get an error
during polling:

   expired_token
      The "device_code" has expired.  The client will need to make a new
      Device Authorization Request.


We should add some guidelines around expiry behavior.

> Secondly, I had a question about the "response_type" parameter to the
> device endpoint. This parameter is required and it has a single, required
> value, with no registry or other possibility of extension. What's the
> point? If it's for "parallelism", I'll note that this is *not* the
> authorization endpoint (as the user is not present) and such constraints
> need not apply here.
>

Good points here. At a guess, it bled in from the OAuth spec. If it's not
needed, we should remove it.


--001a1149a61af8012b054a79d85e--


From nobody Sat Mar 11 12:41:04 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13CC01295B9 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:41:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dPf0WiyUCl2 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:41:03 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4241129442 for <oauth@ietf.org>; Sat, 11 Mar 2017 12:41:02 -0800 (PST)
X-AuditID: 1209190f-033ff7000000330c-f7-58c460dcdca3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 43.73.13068.CD064C85; Sat, 11 Mar 2017 15:41:01 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v2BKexWY016809; Sat, 11 Mar 2017 15:40:59 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2BKev8l004104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 11 Mar 2017 15:40:58 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FA6DF883-5641-4FE5-890F-6924FBB5AE3F"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sat, 11 Mar 2017 15:40:57 -0500
In-Reply-To: <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i6doPepIe1vf5IzYT0CHobznKF8>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 20:41:04 -0000

--Apple-Mail=_FA6DF883-5641-4FE5-890F-6924FBB5AE3F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote:
>
> On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> We're implementing support for the device code draft and had a question on
> what the "expiration" of the code refers to. Obviously, once the code has
> expired it can no longer be used. But when should the expiration count from?
> Say I have a code that's good for 60 seconds, do I start the timer as soon
> as I issue the code to the client? Do I reset the timer when the user
> approves the client, to another 60 seconds? Or does that 60 seconds count
> for the entire transaction?
>
> My read on it is the latter-- one timeout for the entire lifetime of the
> code regardless of its current state, with no resets. But I didn't find
> good guidance in the document itself.
>
> It's the expiry of the user_code and device_code pair, at which point the
> device will need to start-over with a new device authorization request.
> The device wouldn't *have* to start a timer, as they will get an error
> during polling:
>
>    expired_token
>       The "device_code" has expired.  The client will need to make a new
>       Device Authorization Request.
>
> We should add some guidelines around expiry behavior.

OK, so it really is one expiration for the whole thing. The device doesn't
need to care (and I'll bet you right now that, just like with access tokens,
the overwhelmingly vast majority of devices won't care about expires_in), but
the authorization server certainly does, and we wanted to know the right
place to set the timers.

>
> Secondly, I had a question about the "response_type" parameter to the
> device endpoint. This parameter is required and it has a single, required
> value, with no registry or other possibility of extension. What's the
> point? If it's for "parallelism", I'll note that this is *not* the
> authorization endpoint (as the user is not present) and such constraints
> need not apply here.
>
> Good points here. At a guess, it bled in from the OAuth spec. If it's not
> needed, we should remove it.
>

I'd vote for removal, I don't see the point.

 — Justin



--Apple-Mail=_FA6DF883-5641-4FE5-890F-6924FBB5AE3F--


From nobody Sat Mar 11 12:54:41 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5BA1295C3 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:54:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Q4xmiMvTWtM for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 12:54:38 -0800 (PST)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A46F71295BF for <oauth@ietf.org>; Sat, 11 Mar 2017 12:54:38 -0800 (PST)
Received: by mail-qt0-x22e.google.com with SMTP id i34so10723730qtc.0 for <oauth@ietf.org>; Sat, 11 Mar 2017 12:54:38 -0800 (PST)
X-Received: by 10.200.48.171 with SMTP id v40mr27259312qta.80.1489265677474; Sat, 11 Mar 2017 12:54:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Sat, 11 Mar 2017 12:54:17 -0800 (PST)
In-Reply-To: <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu>
From: William Denniss <wdenniss@google.com>
Date: Sat, 11 Mar 2017 12:54:17 -0800
Message-ID: <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary=001a113a15e8af1fda054a7aafa3
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1dlJSD_UpcbNJR4nPbzy-G4QJEM>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 20:54:40 -0000

--001a113a15e8af1fda054a7aafa3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:

>
> On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote:
>
> On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu> wrote:
>
>> We're implementing support for the device code draft and had a question
>> on what the "expiration" of the code refers to. Obviously, once the code
>> has expired it can no longer be used. But when should the expiration
>> count from? Say I have a code that's good for 60 seconds, do I start the
>> timer as soon as I issue the code to the client? Do I reset the timer when
>> the user approves the client, to another 60 seconds? Or does that 60
>> seconds count for the entire transaction?
>>
>> My read on it is the latter-- one timeout for the entire lifetime of the
>> code regardless of its current state, with no resets. But I didn't find
>> good guidance in the document itself.
>>
>
> It's the expiry of the user_code and device_code pair, at which point the
> device will need to start-over with a new device authorization request.
> The device wouldn't *have* to start a timer, as they will get an error
> during polling:
>
>    expired_token
>       The "device_code" has expired.  The client will need to make a new
>       Device Authorization Request.
>
>
> We should add some guidelines around expiry behavior.
>
>
> OK, so it really is one expiration for the whole thing. The device doesn't
> need to care (and I'll bet you right now that, just like with access
> tokens, the overwhelmingly vast majority of devices won't care about
> expires_in), but the authorization server certainly does, and we wanted to
> know the right place to set the timers.
>
>
>
You're probably right that most ignore expires_in, and I think that's fine.
As long as the client handles errors correctly, it'll work out OK.

Agree that we should add some documentation. One piece of advice for the AS
would be not to make it too short, else users won't be able to complete the
flow in time.

We use a 30 minute expiry.


>> Secondly, I had a question about the "response_type" parameter to the
>> device endpoint. This parameter is required and it has a single, required
>> value, with no registry or other possibility of extension. What's the
>> point? If it's for "parallelism", I'll note that this is *not* the
>> authorization endpoint (as the user is not present) and such constraints
>> need not apply here.
>>
>
> Good points here. At a guess, it bled in from the OAuth spec. If it's not
> needed, we should remove it.
>
>
> I'd vote for removal, I don't see the point.
>
>  — Justin
>
>


--001a113a15e8af1fda054a7aafa3--


From nobody Sat Mar 11 13:46:18 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08DA81295DB for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 13:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level: 
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xinWwKQI0_Fz for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 13:46:14 -0800 (PST)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0092.outbound.protection.outlook.com [104.47.40.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AAC81295C9 for <oauth@ietf.org>; Sat, 11 Mar 2017 13:46:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=uJ+PXB2iFPSDwploQxlp7uhAYD6XBfod/8MUh7eKZPk=; b=Byq5KYolXWPfM202P/TW7cq686+JYnt06rZaODOUMk3oapxVPEezmU8D66q5qg0bH3WkiJ9CM2PJ79ZmOZnWrahssdZcFPxDnpsT8a/cfCQbUr9BfwhucZjhEEN3hgBaBexp63J5AgfLZrIsjCP44audmDiiQnn37N0UXJaflvU=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sat, 11 Mar 2017 21:46:12 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.022; Sat, 11 Mar 2017 21:46:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] Device Code expiration and syntax
Thread-Index: AQHSmpsdXlwJ3/sQwE+4v2nL6A4fqqGQDU4AgAANDYCAAAO6gIAADfkA
Date: Sat, 11 Mar 2017 21:46:12 +0000
Message-ID: <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
In-Reply-To: <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-office365-filtering-correlation-id: eeded083-5fc1-46e3-a13e-08d468c8095f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254007)(48565401081); SRVR:CY4PR21MB0504; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:41nBn793B+xEd9HkuwSwlV8VcsQs0o1oByAQcQQ8osvbY57FwY19tssAvmNDyVYW30sDAfSJ1Djdg6IGh/Ilm6FoH1G+n0HqcJZDYj1+DZK2NsV6L4/Cq6UpdY773njuUhiOxQvyCli2SvoA33tz0Q66qA+TDIh2e4LZCeARhjt/+i7CsTL5F3y3MP/RWj4RWT0IcAmAWYBqU3LhNnfkY9rno5A3ymQQesQQugQJfrwALsWJ35+pmApeWLAJ8Y5OttbHYJVc0Ci21I0Nj9mpmyrJhwvZDBDIXnzD9FnVXZKLg+NPJN0yXZ2AroTfRHz6RTlTaqUJfYOfBfula7VY8xXSsf8Ug+yMHQqBnBll2Xg=
x-microsoft-antispam-prvs: <CY4PR21MB050407ECDCAE64FB9EF601BBF5230@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(211936372134217)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504; 
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39860400002)(39450400003)(39850400002)(24454002)(377454003)(8676002)(122556002)(4326008)(81166006)(6306002)(3280700002)(3660700001)(99286003)(54896002)(9686003)(2950100002)(25786008)(55016002)(6436002)(5660300001)(2906002)(7696004)(33656002)(236005)(19609705001)(7736002)(74316002)(8936002)(2900100001)(86362001)(86612001)(5005710100001)(189998001)(50986999)(10090500001)(10290500002)(93886004)(53936002)(966004)(2171002)(53376002)(6246003)(38730400002)(77096006)(6506006)(53546006)(102836003)(66066001)(54356999)(76176999)(790700001)(6116002)(3846002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05041D4776423586F0B1EA32F5230CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 21:46:12.4341 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/D-t7syJxLJQ-YS9d4OIjrYz6U80>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 21:46:17 -0000

--_000_CY4PR21MB05041D4776423586F0B1EA32F5230CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB05041D4776423586F0B1EA32F5230CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB05041D4776423586F0B1EA32F5230CY4PR21MB0504namp_--


From nobody Sat Mar 11 17:52:14 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B4721294C2 for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 17:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 58G8In-CNJcr for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 17:52:11 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A04E1294E8 for <oauth@ietf.org>; Sat, 11 Mar 2017 17:52:11 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id p64so202836443qke.1 for <oauth@ietf.org>; Sat, 11 Mar 2017 17:52:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oLu97QJa4z6IQ81wsTNyOAzd6sjZldAmlfkX/QeIOrM=; b=iuF/9ImiA4sIeD/8HEE9FBRHMqQTDhclsQdcaXfZlMX5Hhwh7kdtWVqTyo9QGKP2kI BiX1vHxib9x60J+7aMj902AmhhyBGbECekOlQzl0sOiyCy3PLzjGlZhOmavZ3TqaV0sI hWZyxIZSrh7X9Y/LFSUlu3CDLRKcKoJUAnqE0BYNWnfl5688WYwLIYayfTf0z4i/1LZ6 WuUs00hGT4Qg06j53rYboN795Pi2zFaImBQDTI21tWCaNhK/CeXKyuNgb7MUzIKx/5F/ xcnqFQR2OEmVvytUurUHne1AOiYpDqgt6w/reoeSy4m1A5iYNpX3nZzBogQ1RLrupkjF AxVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oLu97QJa4z6IQ81wsTNyOAzd6sjZldAmlfkX/QeIOrM=; b=pbplv5K8rcMlA/dfINCFs+4LTO6qclMDy1++jNkgvnvEJyboYsCej3oSdoHzmzOhXC 1qeNSg4qZHSf+9Myv7arvn9Zsp8QjoLQ2/bgUWHreYDOczQCs7qHjwt7dy2JCJ0kuH/1 Mf9UTTeG9Mb0frFKjAxs5QevhVPpPc+OsaGTP1r5ASEG8IRtNqkugxeRw2QUW+EE8FC7 ynJhI/+PUh143c7ydy4oLRCKMJdiFT9oyvbhJ0NGecPs2jGRxzRmcssAq6ZzFcMJO+Ul j75pYo8Z0RECVoQcEvBOx3bav9jve4QBGsAPQ6PGDyoySrp3HQaLw6N1m0hiBEUy+nUH OzEQ==
X-Gm-Message-State: AMke39lFfxM0ibgaduEPl7bCegsCP/OY8Kj+prjGoI82h/hsLMJmUl6ue3nCzgOoXrTjPy0Eep4QRAZZoxo7SuGY
X-Received: by 10.55.139.70 with SMTP id n67mr23806632qkd.286.1489283529925; Sat, 11 Mar 2017 17:52:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Sat, 11 Mar 2017 17:51:49 -0800 (PST)
In-Reply-To: <CA+k3eCRf4yyn-Wa=tYPOocRSVtiMz7dJp3bF0S2KVB03bTp9PA@mail.gmail.com>
References: <148821758095.21176.8129728266233946666.idtracker@ietfa.amsl.com> <CAAP42hBGV7gCpr9xYvcTR+xq_XRDdFE6TY7WX+Sar+p+XeUgRw@mail.gmail.com> <CA+k3eCRf4yyn-Wa=tYPOocRSVtiMz7dJp3bF0S2KVB03bTp9PA@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Sat, 11 Mar 2017 17:51:49 -0800
Message-ID: <CAAP42hD=waZvGSPFRD-c6tXY-gz4TK0iQ+T5OCmHRdw3NQRRSA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary=94eb2c088490c5e5ab054a7ed7f7
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZTpCKCvimROBiVNIflohBsjgDp4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 01:52:13 -0000

--94eb2c088490c5e5ab054a7ed7f7
Content-Type: text/plain; charset=UTF-8

Thanks for the review Brian!

On Thu, Mar 2, 2017 at 2:49 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Two little nits about endpoint naming:
>
> Section 2
> <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-2>
> defines "device endpoint", which is used in the document everywhere except
> the new metadata sections (section 4
> <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-4>
> and 7.3.1
> <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-7.3.1>)
> that use the term "device authorization endpoint". Not a big deal but
> potentially a little confusing.
>

It should be "device authorization endpoint" everywhere to be as clear as
possible. I fixed the reference in Section 2, didn't find any other "device
endpoint" instances.


>
> The example in section 3.1
> <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-3.1>
> is supposed to be showing a POST to the device endpoint but the Request-URI
> in the Request-Line is "/token", which *could* be the device endpoint but
> is probably just a copy/paste error and source of unneeded confusion.
>

Fixed in the next update, thanks!


>
>
> On Mon, Feb 27, 2017 at 11:14 AM, William Denniss <wdenniss@google.com>
> wrote:
>
>> My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for
>> Browserless and Input Constrained Devices draft today.
>>
>> Key changes:
>>
>>    1. Title updated to reflect specificity of devices that use this flow.
>>    2. User interaction section expanded.
>>    3. OAuth 2.0 Metadata
>>    <https://tools.ietf.org/html/draft-ietf-oauth-discovery> for the
>>    device authorization endpoint added.
>>    4. User interaction section expanded.
>>    5. Security Considerations section added.
>>    6. Usability Considerations section added.
>>
>> Please give it a look!
>>
>> On Mon, Feb 27, 2017 at 9:46 AM, <internet-drafts@ietf.org> wrote:
>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>>
>>>         Title           : OAuth 2.0 Device Flow for Browserless and
>>> Input Constrained Devices
>>>         Authors         : William Denniss
>>>                           John Bradley
>>>                           Michael B. Jones
>>>                           Hannes Tschofenig
>>>         Filename        : draft-ietf-oauth-device-flow-04.txt
>>>         Pages           : 15
>>>         Date            : 2017-02-27
>>>
>>> Abstract:
>>>    This OAuth 2.0 authorization flow for browserless and input
>>>    constrained devices, often referred to as the device flow, enables
>>>    OAuth clients to request user authorization from devices that have an
>>>    Internet connection, but don't have an easy input method (such as a
>>>    smart TV, media console, picture frame, or printer), or lack a
>>>    suitable browser for a more traditional OAuth flow.  This
>>>    authorization flow instructs the user to perform the authorization
>>>    request on a secondary device, such as a smartphone.  There is no
>>>    requirement for communication between the constrained device and the
>>>    user's secondary device.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>>
>>> There's also a htmlized version available at:
>>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

--94eb2c088490c5e5ab054a7ed7f7--


From nobody Sat Mar 11 18:59:47 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C96A312986A for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 18:59:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fAAKcGIy860Y for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 18:59:43 -0800 (PST)
Received: from mail-qt0-x231.google.com (mail-qt0-x231.google.com [IPv6:2607:f8b0:400d:c0d::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC6A51294CC for <oauth@ietf.org>; Sat, 11 Mar 2017 18:59:43 -0800 (PST)
Received: by mail-qt0-x231.google.com with SMTP id n21so13038209qta.1 for <oauth@ietf.org>; Sat, 11 Mar 2017 18:59:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oYAvuSzfOuBrrieA2nLorpvkJu1mtiLu8zvWy5Rq1PI=; b=fowNB4NE9kk4RrJlZ7K2eODjwbSYPr4LzfZity4jqpM2v2DH/fG94iRUMWZxnlsKs+ DwdWkdSfY4KSsZFXBREqI1PLjkBhEIoHJABzy3HfK1geFxWQX0V+h0psM1cIooTMQKtg f/vl/9m2Yy2x/suj5pawUyARmrA4uaNqFEs9w6Pvv8mhzQ6XvCqQ9l8+WkiqMDpxEKdi XoU1hUQe8s/I3ndftuKj4I9qrF7H24XsaUrMd0ti9i+goi3eWYiSRQWBRoOG24h+XIUR eotfKdnWt01X/JF06UD2HwhutsQBcEs3lXrWnazksVEnYe3Fp5Thwp6gPFbOmiCkflNK vJAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oYAvuSzfOuBrrieA2nLorpvkJu1mtiLu8zvWy5Rq1PI=; b=hNEc1mHjYOVofuFqCNCqxF1phk5myEEQMeVL+OjSBTVPGrSDqYYzb9MU08CemYpmkp WkiejBcJnFkttn2dZ/03PbXsZPGO4F6Q9UScsy6TMKOT39MiqBv/c5sxuZItHEdFa1eK px3eVDLaJYDra1Rj//8iYrY/MtYGFP3V98Db2IVjYtzSxPVA3wyE7S+ondDiAxGjU9M2 kKBQ6RVR8dHgsuObTRYpH3zWmW4e+EYNuA5ocgg7nTTKWmtTditZztn5i81LgBPHtFKF 112F/Oj577FaGiZFgu1Cbl0zZKTXUlARWd3Q+3boCLAOPZl1cPwBFS5znme79M2RSzVI 5KCA==
X-Gm-Message-State: AMke39m+h/vbxfmPt8h061XCjUjKYTm8Zqt0ULR4hsUltoMVmcP3Qcf5RiRhYb2dqqNVJiSIdfnSd6+z2mUdNLqn
X-Received: by 10.200.42.78 with SMTP id l14mr28345721qtl.15.1489287582347; Sat, 11 Mar 2017 18:59:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Sat, 11 Mar 2017 18:59:21 -0800 (PST)
In-Reply-To: <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Sat, 11 Mar 2017 18:59:21 -0800
Message-ID: <CAAP42hDF=86Atz+NO=HaJM8Vm9pi9JhaAihueu-W=nQ3OAXhmg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11403d8650c977054a7fc948
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OONSA6EphVjS6R_KoVoivSts8Tw>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 02:59:46 -0000

--001a11403d8650c977054a7fc948
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sure thing. Changes are staged here:
https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/3/files

Includes the normative change suggested by Justin. PTAL.

On Sat, Mar 11, 2017 at 1:46 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> The pre-Chicago submission deadline is Monday afternoon (see
> http://ietf.org/meeting/important-dates.html#ietf98).  Would you have
> time to check proposed edits into GitHub for the editors to review before
> that, William?
>
>                                                        -- Mike
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *William
> Denniss
> *Sent:* Saturday, March 11, 2017 12:54 PM
> *To:* Justin Richer <jricher@mit.edu>
> *Cc:* <oauth@ietf.org> <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Device Code expiration and syntax
>
> On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:
>
> On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote:
>
> On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu> wrote:
>
> We’re implementing support for the device code draft and had a question on
> what the “expiration” of the code refers to. Obviously, once the code has
> expired it can no longer be used. But when should the expiration count
> from? Say I have a code that’s good for 60 seconds, do I start the timer as
> soon as I issue the code to the client? Do I reset the timer when the user
> approves the client, to another 60 seconds? Or does that 60 seconds count
> for the entire transaction?
>
> My read on it is the latter-- one timeout for the entire lifetime of the
> code regardless of its current state, with no resets. But I didn’t find
> good guidance in the document itself.
>
> It's the expiry of the user_code and device_code pair, at which point the
> device will need to start-over with a new device authorization request.
> The device wouldn't *have* to start a timer, as they will get an error
> during polling:
>
>    expired_token
>       The "device_code" has expired.  The client will need to make a new
>       Device Authorization Request.
>
> We should add some guidelines around expiry behavior.
>
> OK, so it really is one expiration for the whole thing. The device doesn’t
> need to care (and I’ll bet you right now that, just like with access
> tokens, the overwhelmingly vast majority of devices won’t care about
> expires_in), but the authorization server certainly does, and we wanted to
> know the right place to set the timers.
>
> You're probably right that most ignore expires_in, and I think that's
> fine. As long as the client handles errors correctly, it'll work out OK.
>
> Agree that we should add some documentation. One piece of advice for the
> AS would be not to make it too short, else users won't be able to complete
> the flow in time.
>
> We use a 30 minute expiry.
>
> Secondly, I had a question about the “response_type” parameter to the
> device endpoint. This parameter is required and it has a single, required
> value, with no registry or other possibility of extension. What’s the
> point? If it’s for “parallelism”, I’ll note that this is *not* the
> authorization endpoint (as the user is not present) and such constraints
> need not apply here.
>
> Good points here. At a guess, it bled in from the OAuth spec. If it's not
> needed, we should remove it.
>
> I’d vote for removal, I don’t see the point.
>
>  — Justin
>
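[Added example, not part of the thread above and not code from the draft or its authors.] The expiry semantics the thread settles on can be made concrete on the authorization-server side: the device_code/user_code pair gets one absolute deadline fixed at issuance, the user's approval on the secondary device never extends it, and a device that keeps polling past the deadline is told `expired_token` and has to make a new Device Authorization Request. The `DeviceAuthorizationServer` class, its method names, the user_code format, the `ManualClock` helper and the `invalid_grant`/`access_denied` error strings are assumptions for the illustration; `expired_token` and `authorization_pending` are the draft's error codes quoted in the thread, and the 30-minute default is the expiry William mentions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Illustrative values: 30 minutes is the expiry mentioned in the thread;
# the polling interval is a typical choice, not a number from the draft.
DEFAULT_EXPIRES_IN = 30 * 60
DEFAULT_INTERVAL = 5
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumed: no vowels, no 0/O/1/I


@dataclass
class DeviceAuthorization:
    device_code: str
    user_code: str
    expires_at: float            # absolute deadline, fixed at issuance
    approved: bool = False
    denied: bool = False


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class DeviceAuthorizationServer:
    """Hypothetical AS-side bookkeeping for the device flow (not from the draft)."""
    def __init__(self, expires_in: int = DEFAULT_EXPIRES_IN,
                 interval: int = DEFAULT_INTERVAL,
                 clock: Callable[[], float] = time.time) -> None:
        self.expires_in, self.interval, self.clock = expires_in, interval, clock
        self._by_device_code: Dict[str, DeviceAuthorization] = {}
        self._by_user_code: Dict[str, DeviceAuthorization] = {}

    def device_authorization_request(self, client_id: str) -> dict:
        """Mint a device_code/user_code pair that share ONE expiry."""
        now = self.clock()
        auth = DeviceAuthorization(device_code=secrets.token_urlsafe(32),
                                   user_code=self._new_user_code(),
                                   expires_at=now + self.expires_in)
        self._by_device_code[auth.device_code] = auth
        self._by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://as.example/device",  # placeholder
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decision(self, user_code: str, approve: bool) -> bool:
        """Outcome of the user's visit on the secondary device.
        Deliberately leaves expires_at alone: approval never resets the timer."""
        auth = self._by_user_code.get(user_code)
        if auth is None or self.clock() >= auth.expires_at:
            return False             # unknown or already-expired user_code
        if approve:
            auth.approved = True
        else:
            auth.denied = True
        return True

    def token_request(self, device_code: str) -> dict:
        """Token endpoint as seen by the polling device."""
        auth = self._by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}        # assumed error name
        if self.clock() >= auth.expires_at:
            # Checked against the deadline set at issuance, whatever state
            # the request is in; the device must start over.
            self._forget(auth)
            return {"error": "expired_token"}
        if auth.denied:
            self._forget(auth)
            return {"error": "access_denied"}        # assumed error name
        if not auth.approved:
            return {"error": "authorization_pending"}
        self._forget(auth)                           # device_code is single use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}

    def _new_user_code(self) -> str:
        while True:
            raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
            code = raw[:4] + "-" + raw[4:]
            if code not in self._by_user_code:
                return code

    def _forget(self, auth: DeviceAuthorization) -> None:
        self._by_device_code.pop(auth.device_code, None)
        self._by_user_code.pop(auth.user_code, None)


def demo_no_reset_on_approval(expires_in: int = 60) -> list:
    """Timeline from Justin's question: a 60 s code, approved at 50 s,
    polled again at 70 s. Returns the token endpoint's error sequence."""
    clock = ManualClock(1000.0)
    server = DeviceAuthorizationServer(expires_in=expires_in, clock=clock)
    resp = server.device_authorization_request("tv-app")
    results = [server.token_request(resp["device_code"])["error"]]
    clock.advance(50)
    server.user_decision(resp["user_code"], approve=True)
    clock.advance(20)                # 70 s after issuance
    results.append(server.token_request(resp["device_code"])["error"])
    return results


if __name__ == "__main__":
    print(demo_no_reset_on_approval())   # ['authorization_pending', 'expired_token']
```

The only timer the server keeps is `expires_at`; the device never needs one, because the `expired_token` result tells it to start over, which matches the point made in the thread that most clients will ignore `expires_in`. The constructor default of 30 minutes is what makes the user's trip to a second device survivable, where the 60-second value in the demo would not.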

--001a11403d8650c977054a7fc948--


From nobody Sun Mar 12 12:28:16 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F311294C7 for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 12:28:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.622
X-Spam-Level: 
X-Spam-Status: No, score=-2.622 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F39pedcEi6a3 for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 12:28:12 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 493241294AB for <oauth@ietf.org>; Sun, 12 Mar 2017 12:28:12 -0700 (PDT)
Received: from [80.140.199.98] (helo=[192.168.71.143]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1cn9A0-0005ig-8Z for oauth@ietf.org; Sun, 12 Mar 2017 20:28:08 +0100
To: "oauth@ietf.org" <oauth@ietf.org>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <ed9a8430-5c80-6be3-8b5d-1759c4218919@lodderstedt.net>
Date: Sun, 12 Mar 2017 20:28:09 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VJpAenJCb8wAe3ogSIEUn1WWmdk>
Subject: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 19:28:15 -0000

Hi all,

the OAuth WG and the ETH Zurich will organize another workshop on OAuth 
security (after the one last year in Trier).

Please find the Call for Papers below.

kind regards,
Torsten.

C a l l     F o r     P a p e r s

Second OAuth Security Workshop (OSW 2017)

Zurich, Switzerland -- July 10-11, 2017

WWW: https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/

===============================================================================

Overview

The OAuth Security Workshop (OSW) focuses on improving security of the
OAuth standard and related Internet protocols. This workshop brings
together the IETF OAuth Working Group and security experts from
research, industry, and standardization to this end. The workshop is
hosted by the Zurich Information Security and Privacy Center at ETH Zurich.

While the standardization process of OAuth ensures extensive reviews
(both security and non-security related), further analysis by security
experts from academia and industry is essential to ensure high quality
specifications. Contributions to this workshop can help to improve the
security of the Web and the Internet.


Scope

We seek position papers related to the security of OAuth, OpenID
Connect, and other technologies using OAuth under the hood.
Contributions regarding technologies that are used in OAuth, such as
JOSE, or impact the security of OAuth, such as Web technology, are also
welcome.


Important Dates

Position paper submission deadline: May 2, 2017 (AoE, UTC-12).
Author notification: May 15, 2017.
Registration deadline: June 16, 2017.
Workshop: July 10 and July 11, 2017.


Invited Speakers

Cas Cremers, University of Oxford


Submission

We welcome position papers that describe existing work, raise new
requirements, highlight challenges, write up implementation and
deployment experience, share lessons learned from successful or failed
attempts, and propose ideas on how to improve OAuth and OAuth extensions.

Position papers submitted to the OAuth Security Workshop may report on
(unpublished) work in progress, be submitted to other places, and may
even have already appeared or been accepted elsewhere.

Submissions must be in PDF format and should feature reasonable margins
and formatting. There is no page limit, but the submission should be
brief (ideally not more than 3-5 pages). Submissions should not be
anonymized.

Submission Website: https://easychair.org/conferences/?conf=osw17


Publication and Presentation

One of the authors of the accepted position paper is expected to present
the paper at the workshop.

All presentations and papers will be put online but there will be no
formal proceedings. Authors of accepted papers will have the option to
revise their papers before they are put online.


IPR Policy

The workshop will have no expectation of IPR disclosure or licensing
related to its submissions. Authors are responsible for obtaining
appropriate publication clearances.


Program Committee

Chairs
David Basin (ETH Zurich)
Torsten Lodderstedt (YES Europe)

Members
John Bradley (Ping Identity)
Ralf Küsters (University of Stuttgart)
Chris Mitchell (Royal Holloway University of London)
Anthony Nadalin (Microsoft)
Nat Sakimura (Nomura Research Institute)
Ralf Sasse (ETH Zurich)
Jörg Schwenk (Ruhr University Bochum)
Hannes Tschofenig (IETF OAuth Working Group Co-Chair)


From nobody Sun Mar 12 12:28:57 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381401294D5 for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 12:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xVsACMDpKQdm for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 12:28:54 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0136.outbound.protection.outlook.com [104.47.34.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 577F81294AB for <oauth@ietf.org>; Sun, 12 Mar 2017 12:28:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GIM08vTl9jWiP5XnzgTj0kRF3vT7XyA5Z1/h6mKFzk0=; b=gS0Tx7xGNUDYcViYiqgKRdmdzibeE7wnzX+nlpAek8wbNKmJYLVyv4EAWf1iXR2KK98X9gnSmdGPcbNqSF7B4CAOlKIbRRF3WD0m21GE21Znwi2mtLqvWBGM+XX0hlR9u6BP82Ttaz0PZVcX+J0LCHTci2EQHwg8pR3Wt1sfD0E=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sun, 12 Mar 2017 19:28:53 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.023; Sun, 12 Mar 2017 19:28:53 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>
Thread-Topic: [OAUTH-WG] Device Code expiration and syntax
Thread-Index: AQHSmpsdXlwJ3/sQwE+4v2nL6A4fqqGQDU4AgAANDYCAAAO6gIAADfkAgABYB4CAARRA4A==
Date: Sun, 12 Mar 2017 19:28:52 +0000
Message-ID: <CY4PR21MB050417103B692C096AD66F80F5220@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hDF=86Atz+NO=HaJM8Vm9pi9JhaAihueu-W=nQ3OAXhmg@mail.gmail.com>
In-Reply-To: <CAAP42hDF=86Atz+NO=HaJM8Vm9pi9JhaAihueu-W=nQ3OAXhmg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-office365-filtering-correlation-id: 7234f594-42e5-43d1-057f-08d4697e04ac
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254007)(48565401081); SRVR:CY4PR21MB0503; 
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:5z0fl+Uh23azWBzAGFyhwc0Shm9KBzoMiAuAWLAknOCknxRKKamTx43T433Bu2dkFCelDgTzfn3m7l1s7lPpVUbDDbQf/nF5Pa8ekO0y5WLs6Kvr4DuPFjaX4blkvcM3S5/6DvJJ2FQ4SxWDcsrQw3edB22iTeqTCyROU2hOrc0IJR2EtfRHLfI/hYiGnMUpsNtMr8iPtGbhU/kFTQ79LPINLWvoszy2xUMIQc61RWsdn23SKex71M49dRCfycOE3CF5aDCC8PCyyN/iHzhYsdRcb7eGTzqQrXUL7j0R04TUD0QK0wlhS1AN+XOOt+1ktI2Smw1oV8P7CaSyrjR9eg9EU2jgxEhienQ62W932+U=
x-microsoft-antispam-prvs: <CY4PR21MB05032B08EBC05FDAC2D9B265F5220@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(211936372134217)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503; 
x-forefront-prvs: 0244637DEA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39410400002)(39450400003)(39850400002)(39860400002)(24454002)(377454003)(86362001)(2950100002)(6916009)(189998001)(66066001)(110136004)(38730400002)(53376002)(5660300001)(53936002)(6246003)(8936002)(76176999)(966004)(54356999)(3846002)(102836003)(790700001)(6116002)(50986999)(81166006)(2900100001)(8676002)(122556002)(74316002)(106116001)(7906003)(86612001)(93886004)(7736002)(19609705001)(6506006)(6306002)(54896002)(4326008)(6436002)(53546006)(236005)(5005710100001)(9686003)(551934003)(606005)(55016002)(25786008)(99286003)(8990500004)(3280700002)(3660700001)(229853002)(77096006)(33656002)(10090500001)(10290500002)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050417103B692C096AD66F80F5220CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2017 19:28:52.8628 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8ZnHrYsDiCyz1B_ZmTqD3MlawmE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 19:28:56 -0000

--_000_CY4PR21MB050417103B692C096AD66F80F5220CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Thanks for doing this, William.  I added one comment to the pull request.
After addressing it, I support this new version being published.

                                -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Saturday, March 11, 2017 6:59 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Justin Richer <jricher@mit.edu>; <oauth@ietf.org> <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

Sure thing. Changes are staged here:
https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/3/files

Includes the normative change suggested by Justin. PTAL.

On Sat, Mar 11, 2017 at 1:46 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
The pre-Chicago submission deadline is Monday afternoon (see
http://ietf.org/meeting/important-dates.html#ietf98).  Would you have time
to check proposed edits into GitHub for the editors to review before that,
William?

                                -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of William Denniss
Sent: Saturday, March 11, 2017 12:54 PM
To: Justin Richer <jricher@mit.edu>
Cc: <oauth@ietf.org> <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:

On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote:

On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu> wrote:
We’re implementing support for the device code draft and had a question on
what the “expiration” of the code refers to. Obviously, once the code has
expired it can no longer be used. But when should the expiration count
from? Say I have a code that’s good for 60 seconds, do I start the timer as
soon as I issue the code to the client? Do I reset the timer when the user
approves the client, to another 60 seconds? Or does that 60 seconds count
for the entire transaction?

My read on it is the latter-- one timeout for the entire lifetime of the
code regardless of its current state, with no resets. But I didn’t find
good guidance in the document itself.

It's the expiry of the user_code and device_code pair, at which point the
device will need to start-over with a new device authorization request.
The device wouldn't *have* to start a timer, as they will get an error
during polling:

   expired_token

      The "device_code" has expired.  The client will need to make a new
      Device Authorization Request.

We should add some guidelines around expiry behavior.

OK, so it really is one expiration for the whole thing. The device doesn’t
need to care (and I’ll bet you right now that, just like with access
tokens, the overwhelmingly vast majority of devices won’t care about
expires_in), but the authorization server certainly does, and we wanted to
know the right place to set the timers.

You're probably right that most ignore expires_in, and I think that's fine.
As long as the client handles errors correctly, it'll work out OK.

Agree that we should add some documentation. One piece of advice for the AS
would be not to make it too short, else users won't be able to complete the
flow in time.

We use a 30 minute expiry.

Secondly, I had a question about the “response_type” parameter to the
device endpoint. This parameter is required and it has a single, required
value, with no registry or other possibility of extension. What’s the
point? If it’s for “parallelism”, I’ll note that this is *not* the
authorization endpoint (as the user is not present) and such constraints
need not apply here.

Good points here. At a guess, it bled in from the OAuth spec. If it's not
needed, we should remove it.

I’d vote for removal, I don’t see the point.

 — Justin


--_000_CY4PR21MB050417103B692C096AD66F80F5220CY4PR21MB0504namp_--


From nobody Sun Mar 12 14:15:44 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B520F1293FB for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 14:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.012
X-Spam-Level: 
X-Spam-Status: No, score=-3.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g4Wi21mj6xxF for <oauth@ietfa.amsl.com>; Sun, 12 Mar 2017 14:15:40 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0090.outbound.protection.outlook.com [104.47.36.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2422126CD8 for <oauth@ietf.org>; Sun, 12 Mar 2017 14:15:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=kKBKTh8ub6K1yszcRiWoPgSWf7EB+fh1FBP1ddesjpU=; b=duJT2rNWlvI99gb4EzQmAP/Di1R4/CxtLG5CGsACwrdL5dZKpTW3Q5O6wEfMqdXTCbTqzL3tP8gjF7NqhK2344GRMruNLzK3JeW+Z51747CcTRhWTH9zBA/nkiedtk/WCXH+BvfNje5foEC2eU0nsC+F7M3HT+avjgilljXHKjw=
Received: from BN6PR21MB0500.namprd21.prod.outlook.com (10.172.112.10) by BN6PR21MB0499.namprd21.prod.outlook.com (10.172.112.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Sun, 12 Mar 2017 21:15:37 +0000
Received: from BN6PR21MB0500.namprd21.prod.outlook.com ([10.172.112.10]) by BN6PR21MB0500.namprd21.prod.outlook.com ([10.172.112.10]) with mapi id 15.01.0991.000; Sun, 12 Mar 2017 21:15:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
Thread-Index: AQHSm2bQLtnJM11UhkObPM0YZgvrwaGRs9Mg
Date: Sun, 12 Mar 2017 21:15:37 +0000
Message-ID: <BN6PR21MB05003786286B93ECF604D923F5220@BN6PR21MB0500.namprd21.prod.outlook.com>
References: <ed9a8430-5c80-6be3-8b5d-1759c4218919@lodderstedt.net>
In-Reply-To: <ed9a8430-5c80-6be3-8b5d-1759c4218919@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: lodderstedt.net; dkim=none (message not signed) header.d=none;lodderstedt.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-microsoft-exchange-diagnostics: 1; BN6PR21MB0499; 7:4R93aAGGeKAk0aAp86BJAgk1hQqqk9qcm6bSceuG2agNiIZ0ASM3v0dOFqq1Z9toeCS/kLepnEnNDF+bLVudeRjJ2ovAFynEs0ap0KW/UZEabrn0HhdYVhZB+PBh143tWK/0bbixrh4bk8Q7uL2jkSN8K9b+sUMrpo8sxIo8dhZ26/7P8UKGN+0f6Mz58dU+998aZOX6KrFMtKKrKt2AyEhzWuYFVQYA3lNWvn7hG+H2IA4NCdxqZS6w2sLtulWGrNYcDwBrCqPmVt065TLWkhxnuhi79fwwy37+4pd8ZE5xE/rt96e5MlZcG4/m05oA2yVS6kHIseIWgczo0s/XIaBwxETCOnIEpHba2eFg10o=
x-ms-office365-filtering-correlation-id: 84267349-d139-49e5-c981-08d4698cee15
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN6PR21MB0499; 
x-microsoft-antispam-prvs: <BN6PR21MB0499DF7C127B265C66C8FCADF5220@BN6PR21MB0499.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(209352067349851)(192374486261705)(21532816269658); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(6072148); SRVR:BN6PR21MB0499; BCL:0; PCL:0; RULEID:; SRVR:BN6PR21MB0499; 
x-forefront-prvs: 0244637DEA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39850400002)(39840400002)(39860400002)(39410400002)(53754006)(377454003)(13464003)(10290500002)(5005710100001)(38730400002)(6246003)(3846002)(8990500004)(102836003)(66066001)(189998001)(53936002)(6116002)(10090500001)(229853002)(99286003)(77096006)(6306002)(9686003)(55016002)(6506006)(6436002)(25786008)(53546006)(33656002)(86362001)(86612001)(3280700002)(3660700001)(8676002)(81166006)(2906002)(8936002)(305945005)(7736002)(15650500001)(2900100001)(74316002)(2950100002)(2501003)(122556002)(54356999)(76176999)(5660300001)(106116001)(50986999)(225293001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR21MB0499; H:BN6PR21MB0500.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2017 21:15:37.4273 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR21MB0499
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/slunz0UB0knaHzP3Ep94Tj0S4Wk>
Subject: Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
From nobody Sun Mar 12 14:42:55 2017
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB050417103B692C096AD66F80F5220@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hDF=86Atz+NO=HaJM8Vm9pi9JhaAihueu-W=nQ3OAXhmg@mail.gmail.com> <CY4PR21MB050417103B692C096AD66F80F5220@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Sun, 12 Mar 2017 14:42:30 -0700
Message-ID: <CAAP42hATwrm9kbb+-0JuGhhfJC6QbBMx54wOAaVY26VST5V4Pw@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a113f20baf7ce7a054a8f79e7
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uChcyVSKry8BTb4LoQvVBAIG_pw>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

--001a113f20baf7ce7a054a8f79e7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks for your review Mike, the PR
<https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/3> has
been updated to address your comment.

On Sun, Mar 12, 2017 at 12:28 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for doing this, William.  I added one comment to the pull request.
> After addressing it, I support this new version being published.
>
>
>
> -- Mike
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Saturday, March 11, 2017 6:59 PM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Justin Richer <jricher@mit.edu>; <oauth@ietf.org> <oauth@ietf.org>
>
> *Subject:* Re: [OAUTH-WG] Device Code expiration and syntax
>
>
>
> Sure thing. Changes are staged here: https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/3/files
>
>
>
> Includes the normative change suggested by Justin. PTAL.
>
>
>
> On Sat, Mar 11, 2017 at 1:46 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> The pre-Chicago submission deadline is Monday afternoon (see
> http://ietf.org/meeting/important-dates.html#ietf98).  Would you have
> time to check proposed edits into GitHub for the editors to review before
> that, William?
>
>
>
> -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *William
> Denniss
> *Sent:* Saturday, March 11, 2017 12:54 PM
> *To:* Justin Richer <jricher@mit.edu>
> *Cc:* <oauth@ietf.org> <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Device Code expiration and syntax
>
>
>
>
>
> On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:
>
>
>
> On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com> wrote:
>
>
>
> On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu> wrote:
>
> We’re implementing support for the device code draft and had a question on
> what the “expiration” of the code refers to. Obviously, once the code has
> expired it can no longer be used. But when should the expiration count
> from? Say I have a code that’s good for 60 seconds, do I start the timer as
> soon as I issue the code to the client? Do I reset the timer when the user
> approves the client, to another 60 seconds? Or does that 60 seconds count
> for the entire transaction?
>
> My read on it is the latter-- one timeout for the entire lifetime of the
> code regardless of its current state, with no resets. But I didn’t find
> good guidance in the document itself.
>
>
>
> It's the expiry of the user_code and device_code pair, at which point the
> device will need to start-over with a new device authorization request.
> The device wouldn't *have* to start a timer, as they will get an error
> during polling:
>
>
>
>    expired_token
>
>       The "device_code" has expired.  The client will need to make a new
>
>       Device Authorization Request.
>
>
>
> We should add some guidelines around expiry behavior.
>
>
>
> OK, so it really is one expiration for the whole thing. The device doesn’t
> need to care (and I’ll bet you right now that, just like with access
> tokens, the overwhelmingly vast majority of devices won’t care about
> expires_in), but the authorization server certainly does, and we wanted to
> know the right place to set the timers.
>
>
>
>
>
> You're probably right that most ignore expires_in, and I think that's
> fine. As long as the client handles errors correctly, it'll work out OK.
>
>
>
> Agree that we should add some documentation. One piece of advice for the
> AS would be not to make it too short, else users won't be able to complete
> the flow in time.
>
>
>
> We use a 30 minute expiry.
>
>
>
>
>
> Secondly, I had a question about the “response_type” parameter to the
> device endpoint. This parameter is required and it has a single, required
> value, with no registry or other possibility of extension. What’s the
> point? If it’s for “parallelism”, I’ll note that this is *not* the
> authorization endpoint (as the user is not present) and such constraints
> need not apply here.
>
>
>
> Good points here. At a guess, it bled in from the OAuth spec. If it's not
> needed, we should remove it.
>
>
>
>
>
> I’d vote for removal, I don’t see the point.
>
>
>
>  — Justin
>

--001a113f20baf7ce7a054a8f79e7--
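The expiry semantics settled in the thread above (one lifetime for the user_code/device_code pair, counted from issuance and not reset by user approval, with the device relying on the expired_token error from polling rather than its own timer), as an added example that is not the draft's or any participant's code. The 30 minute lifetime, the user-code alphabet, the verification URI and the class and function names are assumptions made for this example.

```python
"""Device-flow expiry model from the thread above: a single lifetime for the
user_code/device_code pair, counted from issuance and never reset on user approval.
Constructed example; not code from the draft or the thread."""
import secrets
import time

# The thread mentions a 30 minute expiry in practice; the figure is an assumption
# for this example, not a value mandated by the draft.
DEVICE_CODE_LIFETIME_S = 30 * 60
POLL_INTERVAL_S = 5
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # consonants only, as in the draft's example


def new_user_code():
    """Eight-character user code with a hyphen, e.g. WDJB-MJHT (format as in the draft)."""
    chars = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
    return chars[:4] + "-" + chars[4:]


class AuthorizationServer:
    """Minimal AS state for the device flow. `clock` is injectable so expiry is testable."""

    def __init__(self, lifetime_s=DEVICE_CODE_LIFETIME_S, interval_s=POLL_INTERVAL_S,
                 clock=time.time):
        self._pending = {}            # device_code -> record dict
        self._lifetime = lifetime_s
        self._interval = interval_s
        self._clock = clock

    def device_authorization(self, client_id):
        """Device Authorization Request: issue the pair and start the one timer."""
        rec = {
            "client_id": client_id,
            "user_code": new_user_code(),
            "issued_at": self._clock(),   # the only time reference for this transaction
            "approved": False,
        }
        device_code = secrets.token_urlsafe(32)
        self._pending[device_code] = rec
        return {
            "device_code": device_code,
            "user_code": rec["user_code"],
            "verification_uri": "https://as.example/device",   # placeholder URI
            "expires_in": self._lifetime,
            "interval": self._interval,
        }

    def _expired(self, rec):
        return self._clock() >= rec["issued_at"] + self._lifetime

    def approve(self, user_code):
        """User approval at the verification URI. Deliberately leaves issued_at alone:
        approval does not buy the device another lifetime."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and not self._expired(rec):
                rec["approved"] = True
                return True
        return False   # unknown or already expired: the user has to start over as well

    def token(self, client_id, device_code):
        """Token endpoint poll. Error codes follow the draft's device-flow error list."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            del self._pending[device_code]       # forget it so a stale code cannot be reused
            return {"error": "expired_token"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]           # device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def poll_for_token(server, client_id, device_code, interval, sleep=time.sleep):
    """Client side. As noted in the thread, the device need not track expires_in at all:
    it polls until it gets a token or an expired_token error. `sleep` is injectable."""
    while True:
        resp = server.token(client_id, device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            sleep(interval)
        elif err == "slow_down":                  # defined in the draft; back off by 5 s
            interval += 5
            sleep(interval)
        elif err == "expired_token":
            return None   # caller must make a new Device Authorization Request
        else:
            raise RuntimeError("device flow failed: %s" % err)
```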


From nobody Mon Mar 13 01:37:41 2017
From: <Axel.Nennker@telekom.de>
To: <wdenniss@google.com>, <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
Date: Mon, 13 Mar 2017 08:35:32 +0000
Message-ID: <fa44cd7ea1c740ec8fd244ebd57f79d7@HE101654.emea1.cds.t-internal.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com> <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com> <C16D1076-1CF0-4A76-BFC4-35E35E420799@ve7jtb.com> <CAAP42hDyRzVGT3P5pL5afb6GVBFV7mYFcwLvYp0djEJ60yBgBQ@mail.gmail.com>
In-Reply-To: <CAAP42hDyRzVGT3P5pL5afb6GVBFV7mYFcwLvYp0djEJ60yBgBQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_fa44cd7ea1c740ec8fd244ebd57f79d7HE101654emea1cdstintern_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gwWFGrI0VHvZu_uFDoDGNVSOHpQ>
Cc: internet-drafts@ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

--_000_fa44cd7ea1c740ec8fd244ebd57f79d7HE101654emea1cdstintern_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Hi,

There is an extra “where” in this Terminology definition:

"reverse domain name notation"  A naming convention based on the
      domain name system, but where where the domain components are
      reversed, for example "app.example.com" becomes "com.example.app".
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-09

cheers
Axel


From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of William Denniss
Sent: Tuesday, March 07, 2017 9:35 PM
To: John Bradley
Cc: internet-drafts@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

That's an important distinction. It's not a "web-view vs browser" question, but an "embedded user-agent vs external user-agent" question.  If something is named "webview" but has all the attributes of an external user-agent, then it's still an external user-agent for the purpose of the BCP.

I tried to be careful to always use the term "embedded user-agent" following the nomenclature of RFC6749, e.g. title of Section 8.1. Webview is referenced in a few places, for example Sec 8.1 says "In typical web-view based implementations of embedded user-agents", as most embedded user-agents do happen to use technology called webview – but there's no normative text that means something named "webview" but that is actually an external user-agent can't be used.

External user-agent is defined in the spec as such:


   "external user-agent"  A user-agent capable of handling the

      authorization request that is a separate entity to the native app

      making the request (such as a browser), such that the app cannot

      access the cookie storage or modify the page content.


Earlier versions were not as careful with the terms, but it was tightened up and clarified for this very reason.

Regarding the Windows broker, it is explicitly mentioned as an external user agent in the implementation details appendix (emphasis added):


 Universal Windows Platform (UWP) apps can use the Web Authentication

   Broker API in SSO mode as an external user-agent for authorization

   flows…

I've had the same experience as you John, and have not seen U2F work on any implementation of webview that I've used (including iOS, Android, and Windows using the old-style embedded IE control).

+1 to update the BCP when and if the best current practice changes. I believe it does accurately capture the best current practice as of today.

On Tue, Mar 7, 2017 at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
That is the theory that CTAP should let web-views work.

I just ran a test on the current shipping Android build. U2F is only working from the View controller and system browser.
Web-view is not currently exposing CTAP.

I believe that is also the case on iOS, but haven't built an app to test it.

This first version of the BCP doesn’t go into advanced issues around Web Auth/Fido in detail.  We know that currently WebView/View controller/Token Agent work with existing CTAP implementations.

Once we have systems deployed that can use CTAP from a web view we can update the BCP.

We may also have a definitional problem, we consider the Windows token broker in SSO mode to fit the model of a view controller/Web View in that it is sandboxed from the app, rather than considering it a web-view.   I know that the token broker can support WebAuthentication (CTAP 2) in recent RS2 builds of Win 10.

John B.


On Mar 7, 2017, at 5:16 AM, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> wrote:

Not true John, the CTAP support that is current would support the web-view w/o any changes


-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Monday, March 6, 2017 12:16 PM
To: Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>>
Cc: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

On fido I can tell you that for security reasons U2F won't work from a web-view currently.

Once we move to Web Auth (Fido 2) where the OS provides an API for apps to call to get the token it will work but the tokens are audienced to the app based on its developer key and bundle_id so that an app can't ask for a token for a different site to do correlation.

It is true that Fido UAF currently requires a web-view to work as the authenticator is effectively compiled in to each application, and that application has access to the private keys on most platforms (Samsung knox being the only exception to that that I know of where the keys are managed by a common API to hardware key storage, but they are scoped like U2F as well)

So for the most part it is true and that unless you use the browser to get the Fido token the audience is for the app.
Example  Salesforce creates native app that may use enterprise SSO via SAML, and the enterprise may use Fido as an authentication factor.
If they use the webview + fido API approach the app can only get a token for SalesForce based on its signing key.  It could fire up the web-view and do U2F authentication with the enterprise after Salesforce has redirected the user.  However it will give every enterprise a token audience to Salesforce with a salesforce specific key.   If there is a second app for say Slack if they do the same thing the enterprise would get a slack audienced token and a slack key forcing a separate registration.

The recommended alternative is that the app use a custom tab for the user to SalesForce and that redirect to the enterprise.
The enterprise gets the same token/key with the correct audience from all apps on the device using the browser or custom tab.
The user may not need to sign in a second time, and if they do their Fido token will not need to be re-registered.

The Fido API approach really only works for first party apps like PayPal if the app is not doing federation and paypal is doing the authentication for their own app.

Token bi
bmRpbmcgcHJpdmF0ZSBrZXlzIGhhdmUgc2ltaWxhciBpc3N1ZXMuICAgVGhlIHBvb2wgb2YgcHJp
dmF0ZSBrZXlzIHdpbGwgcHJvYmFibHkgbm90IGJlIHNoYXJlZCBiZXR3ZWVuIGFwcHMsIGFuZCBu
b3QgYmV0d2VlbiB0aGUgYXBwIGFuZCB0aGUgYnJvd3NlciAoV2luIDEwIG1heSBiZSBhbiBleGNl
cHRpb24gYnV0IGl0IGlzIG5vdCBkb2N1bWVudGVkIHlldCkNCg0KSW4gdGhlIGNhc2Ugb2YgdXNp
bmcgQXBwQXV0aCB3aXRoIHRva2VuIGJpbmRpbmcgdGhlIGJyb3dzZXIgbWFpbnRhaW5zIHRoZSBr
ZXlzIHNvIHRoZSBlbnRlcnByaXNlIHdvdWxkIGJlIGFibGUgdG8gc2VlIHRoZSBzYW1lIGtleSBh
bmQgdXNlIHRoZSBzYW1lIGNvb2tpZXMgYWNyb3NzIGFsbCBBcHBBdXRoIEFwcHMuDQoNCllvdSBj
YW4gaW5jbHVkZSB0b2tlbiBiaW5kaW5nIGluIHlvdXIgYXBwLCBob3dldmVyIHRoZSB0b2tlbiBi
aW5kaW5ncyBhbmQgY29va2llcyBhcmUgZ29pbmcgdG8gYmUgc2FuZCBib3hlZCBwZXIgYXBwLg0K
RGVwZW5kaW5nIG9uIGltcGxlbWVudGF0aW9uIHRoZSBhcHAgZ2V0cyBhY2Nlc3MgdG8gdGhlIGNv
b2tpZSwgYnV0IHBlcmhhcHMgbm90IHRvIHRoZSBwcml2YXRlIHRva2VuIGJpbmRpbmcga2V5LiAg
KEF0IGxlYXN0IEkgZG9uJ3QgdGhpbmsgaXQgd2lsbCBpbiBBbmRyb2lkIGVtYmVkZGVkIHdlYnZp
ZXcpLg0KDQpXZSBjb3VsZCBleHBhbmQgb24gdGhpcyBsYXRlciBpbiBhbiB1cGRhdGUgdG8gdGhl
IEJDUCBvbmNlIFdlYiBBdXRoZW50aWNhdGlvbiBhbmQgVG9rZW4gQmluZGluZyBhcmUgZmluYWwu
DQoNClRoZXJlIGFyZSBzdGlsbCBzb21lIHVua25vd25zLCBidXQgaW4gZ2VuZXJhbCBmb3IgYW55
IHNvcnQgb2YgU1NPL0ZlZGVyYXRpb24gM3JkIHBhcnR5IGFwcCBJIGRvbuKAmXQgc2VlIHJlY29t
bWVuZGluZyBhbnl0aGluZyBvdGhlciB0aGFuIGEgY3VzdG9tIHRhYi8gdmlldyBjb250cm9sbGVy
LyBleHRlcm5hbCBicm93c2VyLg0KDQpXaWxsaWFtIGNhbiB0YWtlIHRoZSBmb3JtYXR0aW5nIHF1
ZXN0aW9uOikNCg0KSm9obiBCLg0KT24gTWFyIDYsIDIwMTcsIGF0IDQ6NDEgUE0sIEhhbm5lcyBU
c2Nob2ZlbmlnIDxoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PG1haWx0bzpoYW5uZXMudHNjaG9m
ZW5pZ0BnbXgubmV0Pj4gd3JvdGU6DQoNCkhpIFdpbGxpYW0sIEhpIEpvaG4sDQoNCkkganVzdCBy
ZS1yZWFkIHZlcnNpb24gLTggb2YgdGhlIGRvY3VtZW50IGFnYWluLg0KDQpUd28gbWlub3IgcmVt
YXJrcyBvbmx5Lg0KDQpFZGl0b3JpYWwgaXNzdWU6IFdoeSBkbyB5b3UgbmVlZCB0byBpbnRyb2R1
Y2UgYSBzaW5nbGUgc3ViLXNlY3Rpb24NCndpdGhpbiBTZWN0aW9uIDcuMS4gKG5hbWVseSBTZWN0
aW9uIDcuMS4xKT8NCg0KQmFja2dyb3VuZCBxdWVzdGlvbjogWW91IG5vdGUgdGhhdCBlbWJlZGRl
ZCB1c2VyIGFnZW50cyBoYXZlIHRoZQ0KZGlzYWR2YW50YWdlIHRoYXQgdGhlIGFwcCB0aGF0IGhv
c3RzIHRoZSBlbWJlZGRlZCB1c2VyLWFnZW50IGNhbg0KYWNjZXNzIHRoZSB1c2VyJ3MgZnVsbCBh
dXRoZW50aWNhdGlvbiBjcmVkZW50aWFsLiBUaGlzIGlzIGNlcnRhaW5seQ0KdHJ1ZSBmb3IgcGFz
c3dvcmQtYmFzZWQgYXV0aGVudGljYXRpb24gbWVjaGFuaXNtcyBidXQgSSB3b25kZXIgd2hldGhl
cg0KdGhpcyBpcyBhbHNvIHRydWUgZm9yIHN0cm9uZyBhdXRoZW50aWNhdGlvbiB0ZWNobmlxdWVz
LCBzdWNoIGFzIHRob3NlDQp1c2VkIGJ5IEZJRE8gY29tYmluZWQgd2l0aCB0b2tlbiBiaW5kaW5n
LiBIYXZlIHlvdSBsb29rZWQgaW50byBtb3JlDQptb2Rlcm4gYXV0aGVudGljYXRpb24gdGVjaG5p
cXVlcyBhcyB3ZWxsIGFuZCB0aGVpciBzZWN1cml0eSBpbXBsaWNhdGlvbj8NCg0KQ2lhbw0KSGFu
bmVzDQoNCk9uIDAzLzAzLzIwMTcgMDc6MzkgQU0sIFdpbGxpYW0gRGVubmlzcyB3cm90ZToNCkNo
YW5nZXM6DQoNCuKAkyBBZGRyZXNzZXMgZmVlZGJhY2sgZnJvbSB0aGUgc2Vjb25kIHJvdW5kIG9m
IFdHTEMuDQrigJMgUmVvcmRlcmVkIHNlY3VyaXR5IGNvbnNpZGVyYXRpb24gc2VjdGlvbnMgdG8g
YmV0dGVyIGdyb3VwIHJlbGF0ZWQgdG9waWNzLg0K4oCTIEFkZGVkIGNvbXBsZXRlIFVSSSBleGFt
cGxlcyB0byBlYWNoIG9mIHRoZSAzIHJlZGlyZWN0IHR5cGVzLg0K4oCTIEVkaXRvcmlhbCBwYXNz
Lg0KDQoNCg0KT24gVGh1LCBNYXIgMiwgMjAxNyBhdCAxMDoyNyBQTSwgPGludGVybmV0LWRyYWZ0
c0BpZXRmLm9yZzxtYWlsdG86aW50ZXJuZXQtZHJhZnRzQGlldGYub3JnPg0KPG1haWx0bzppbnRl
cm5ldC1kcmFmdHNAaWV0Zi5vcmc+PiB3cm90ZToNCg0KDQogIEEgTmV3IEludGVybmV0LURyYWZ0
IGlzIGF2YWlsYWJsZSBmcm9tIHRoZSBvbi1saW5lIEludGVybmV0LURyYWZ0cw0KICBkaXJlY3Rv
cmllcy4NCiAgVGhpcyBkcmFmdCBpcyBhIHdvcmsgaXRlbSBvZiB0aGUgV2ViIEF1dGhvcml6YXRp
b24gUHJvdG9jb2wgb2YgdGhlIElFVEYuDQoNCiAgICAgICAgICBUaXRsZSAgICAgICAgICAgOiBP
QXV0aCAyLjAgZm9yIE5hdGl2ZSBBcHBzDQogICAgICAgICAgQXV0aG9ycyAgICAgICAgIDogV2ls
bGlhbSBEZW5uaXNzDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgSm9obiBCcmFkbGV5DQog
ICAgICAgICAgRmlsZW5hbWUgICAgICAgIDogZHJhZnQtaWV0Zi1vYXV0aC1uYXRpdmUtYXBwcy0w
OC50eHQNCiAgICAgICAgICBQYWdlcyAgICAgICAgICAgOiAyMA0KICAgICAgICAgIERhdGUgICAg
ICAgICAgICA6IDIwMTctMDMtMDINCg0KICBBYnN0cmFjdDoNCiAgICAgT0F1dGggMi4wIGF1dGhv
cml6YXRpb24gcmVxdWVzdHMgZnJvbSBuYXRpdmUgYXBwcyBzaG91bGQgb25seSBiZSBtYWRlDQog
ICAgIHRocm91Z2ggZXh0ZXJuYWwgdXNlci1hZ2VudHMsIHByaW1hcmlseSB0aGUgdXNlcidzIGJy
b3dzZXIuICBUaGlzDQogICAgIHNwZWNpZmljYXRpb24gZGV0YWlscyB0aGUgc2VjdXJpdHkgYW5k
IHVzYWJpbGl0eSByZWFzb25zIHdoeSB0aGlzIGlzDQogICAgIHRoZSBjYXNlLCBhbmQgaG93IG5h
dGl2ZSBhcHBzIGFuZCBhdXRob3JpemF0aW9uIHNlcnZlcnMgY2FuIGltcGxlbWVudA0KICAgICB0
aGlzIGJlc3QgcHJhY3RpY2UuDQoNCg0KICBUaGUgSUVURiBkYXRhdHJhY2tlciBzdGF0dXMgcGFn
ZSBmb3IgdGhpcyBkcmFmdCBpczoNCiAgaHR0cHM6Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9u
Lm91dGxvb2suY29tLz91cmw9aHR0cHMlM0ElMkYlMkZkYXRhdHJhY2tlci5pZXRmLm9yZyUyRmRv
YyUyRmRyYWZ0LWlldGYtb2F1dGgtbmF0aXZlLWFwcHMlMkYmZGF0YT0wMiU3QzAxJTdDdG9ueW5h
ZCU0MG1pY3Jvc29mdC5jb20lN0NlZmYwOTJlNmIyODk0YWNlOGY4NDA4ZDQ2NGNkYTRkNSU3Qzcy
Zjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdDMSU3QzAlN0M2MzYyNDQyODE4MTAwNzg0
OTcmc2RhdGE9WVEwZGNTVmlyYW5WeDRzakg3YWVGckVZdlRnYlFNM09ydW9LJTJGUjdFWmFrJTNE
JnJlc2VydmVkPTANCg0KPGh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVjdGlvbi5vdXRsb29r
LmNvbS8/dXJsPWh0dHBzJTNBJTJGJTJGZGF0DQphdHJhY2tlci5pZXRmLm9yZzxodHRwOi8vYXRy
YWNrZXIuaWV0Zi5vcmcvPiUyRmRvYyUyRmRyYWZ0LWlldGYtb2F1dGgtbmF0aXZlLWFwcHMlMkYm
ZGF0YT0wMiU3QzANCjElN0N0b255bmFkJTQwbWljcm9zb2Z0LmNvbTxodHRwOi8vNDBtaWNyb3Nv
ZnQuY29tLz4lN0NlZmYwOTJlNmIyODk0YWNlOGY4NDA4ZDQ2NGNkYTRkNSU3QzcyZjkNCjg4YmY4
NmYxNDFhZjkxYWIyZDdjZDAxMWRiNDclN0MxJTdDMCU3QzYzNjI0NDI4MTgxMDA3ODQ5NyZzZGF0
YT1ZUTBkYw0KU1ZpcmFuVng0c2pIN2FlRnJFWXZUZ2JRTTNPcnVvSyUyRlI3RVphayUzRCZyZXNl
cnZlZD0wPg0KDQogIFRoZXJlJ3MgYWxzbyBhIGh0bWxpemVkIHZlcnNpb24gYXZhaWxhYmxlIGF0
Og0KICBodHRwczovL25hMDEuc2FmZWxpbmtzLnByb3RlY3Rpb24ub3V0bG9vay5jb20vP3VybD1o
dHRwcyUzQSUyRiUyRnRvb2xzLmlldGYub3JnJTJGaHRtbCUyRmRyYWZ0LWlldGYtb2F1dGgtbmF0
aXZlLWFwcHMtMDgmZGF0YT0wMiU3QzAxJTdDdG9ueW5hZCU0MG1pY3Jvc29mdC5jb20lN0NlZmYw
OTJlNmIyODk0YWNlOGY4NDA4ZDQ2NGNkYTRkNSU3QzcyZjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2Qw
MTFkYjQ3JTdDMSU3QzAlN0M2MzYyNDQyODE4MTAwNzg0OTcmc2RhdGE9aXB5VkxhWGhlZmp3aElQ
cXU0VnltM05taSUyRlhQRVI4aHlLQkR2UCUyRkFWQ3clM0QmcmVzZXJ2ZWQ9MA0KDQo8aHR0cHM6
Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cHMlM0ElMkYl
MkZ0b28NCmxzLmlldGYub3JnPGh0dHA6Ly9scy5pZXRmLm9yZy8+JTJGaHRtbCUyRmRyYWZ0LWll
dGYtb2F1dGgtbmF0aXZlLWFwcHMtMDgmZGF0YT0wMiU3QzAxJTdDdA0Kb255bmFkJTQwbWljcm9z
b2Z0LmNvbTxodHRwOi8vNDBtaWNyb3NvZnQuY29tLz4lN0NlZmYwOTJlNmIyODk0YWNlOGY4NDA4
ZDQ2NGNkYTRkNSU3QzcyZjk4OGJmOA0KNmYxNDFhZjkxYWIyZDdjZDAxMWRiNDclN0MxJTdDMCU3
QzYzNjI0NDI4MTgxMDA4ODUwMSZzZGF0YT1wRkpkaVpkMm5pDQpTeGl1WHRUaEc4T0UzMnJqSHhv
SjhVMGpzb0NtaWFxS2MlM0QmcmVzZXJ2ZWQ9MD4NCg0KICBBIGRpZmYgZnJvbSB0aGUgcHJldmlv
dXMgdmVyc2lvbiBpcyBhdmFpbGFibGUgYXQ6DQogIGh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJv
dGVjdGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHBzJTNBJTJGJTJGd3d3LmlldGYub3JnJTJGcmZj
ZGlmZiUzRnVybDIlM0RkcmFmdC1pZXRmLW9hdXRoLW5hdGl2ZS1hcHBzLTA4JmRhdGE9MDIlN0Mw
MSU3Q3RvbnluYWQlNDBtaWNyb3NvZnQuY29tJTdDZWZmMDkyZTZiMjg5NGFjZThmODQwOGQ0NjRj
ZGE0ZDUlN0M3MmY5ODhiZjg2ZjE0MWFmOTFhYjJkN2NkMDExZGI0NyU3QzElN0MwJTdDNjM2MjQ0
MjgxODEwMDg4NTAxJnNkYXRhPTBKT2VqWUklMkY5dlNGcGg0ZHRlWjZnMTZOYnZMUnkzN2VycFJV
QXcycSUyRlc4JTNEJnJlc2VydmVkPTANCg0KPGh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVj
dGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHBzJTNBJTJGJTJGd3d3DQouaWV0Zi5vcmc8aHR0cDov
L2lldGYub3JnLz4lMkZyZmNkaWZmJTNGdXJsMiUzRGRyYWZ0LWlldGYtb2F1dGgtbmF0aXZlLWFw
cHMtMDgmZGF0YT0wMiUNCjdDMDElN0N0b255bmFkJTQwbWljcm9zb2Z0LmNvbTxodHRwOi8vNDBt
aWNyb3NvZnQuY29tLz4lN0NlZmYwOTJlNmIyODk0YWNlOGY4NDA4ZDQ2NGNkYTRkNSU3QzcNCjJm
OTg4YmY4NmYxNDFhZjkxYWIyZDdjZDAxMWRiNDclN0MxJTdDMCU3QzYzNjI0NDI4MTgxMDA4ODUw
MSZzZGF0YT0wSg0KT2VqWUklMkY5dlNGcGg0ZHRlWjZnMTZOYnZMUnkzN2VycFJVQXcycSUyRlc4
JTNEJnJlc2VydmVkPTA+DQoNCg0KICBQbGVhc2Ugbm90ZSB0aGF0IGl0IG1heSB0YWtlIGEgY291
cGxlIG9mIG1pbnV0ZXMgZnJvbSB0aGUgdGltZSBvZg0KICBzdWJtaXNzaW9uDQogIHVudGlsIHRo
ZSBodG1saXplZCB2ZXJzaW9uIGFuZCBkaWZmIGFyZSBhdmFpbGFibGUgYXQgdG9vbHMuaWV0Zi5v
cmc8aHR0cDovL3Rvb2xzLmlldGYub3JnLz4NCiAgPGh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJv
dGVjdGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHAlM0ElMkYlMkZ0b29scy5pZXRmLm9yZyZkYXRh
PTAyJTdDMDElN0N0b255bmFkJTQwbWljcm9zb2Z0LmNvbSU3Q2VmZjA5MmU2YjI4OTRhY2U4Zjg0
MDhkNDY0Y2RhNGQ1JTdDNzJmOTg4YmY4NmYxNDFhZjkxYWIyZDdjZDAxMWRiNDclN0MxJTdDMCU3
QzYzNjI0NDI4MTgxMDA4ODUwMSZzZGF0YT1zRHluZnFleTBydTBWbTQlMkZQRWgwTUExSUt0a3Jx
bURuUSUyQm1QQ1AlMkI2SzYwJTNEJnJlc2VydmVkPTA+Lg0KDQogIEludGVybmV0LURyYWZ0cyBh
cmUgYWxzbyBhdmFpbGFibGUgYnkgYW5vbnltb3VzIEZUUCBhdDoNCiAgZnRwOi8vZnRwLmlldGYu
b3JnL2ludGVybmV0LWRyYWZ0cy8NCiAgPGZ0cDovL2Z0cC5pZXRmLm9yZy9pbnRlcm5ldC1kcmFm
dHMvPg0KDQogIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
DQogIE9BdXRoIG1haWxpbmcgbGlzdA0KICBPQXV0aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0
Zi5vcmc+IDxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQogIGh0dHBzOi8vbmEwMS5zYWZlbGlua3Mu
cHJvdGVjdGlvbi5vdXRsb29rLmNvbS8/dXJsPWh0dHBzJTNBJTJGJTJGd3d3LmlldGYub3JnJTJG
bWFpbG1hbiUyRmxpc3RpbmZvJTJGb2F1dGgmZGF0YT0wMiU3QzAxJTdDdG9ueW5hZCU0MG1pY3Jv
c29mdC5jb20lN0NlZmYwOTJlNmIyODk0YWNlOGY4NDA4ZDQ2NGNkYTRkNSU3QzcyZjk4OGJmODZm
MTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3JTdDMSU3QzAlN0M2MzYyNDQyODE4MTAwODg1MDEmc2RhdGE9
MTRHenRaTFklMkJuUU5iaFI1YnFqUzdjUllVU2xvdHByNkpYdEZYcGR1R3VJJTNEJnJlc2VydmVk
PTANCg0KPGh0dHBzOi8vbmEwMS5zYWZlbGlua3MucHJvdGVjdGlvbi5vdXRsb29rLmNvbS8/dXJs
PWh0dHBzJTNBJTJGJTJGd3d3DQouaWV0Zi5vcmc8aHR0cDovL2lldGYub3JnLz4lMkZtYWlsbWFu
JTJGbGlzdGluZm8lMkZvYXV0aCZkYXRhPTAyJTdDMDElN0N0b255bmFkJTQwbWljcm8NCnNvZnQu
Y29tPGh0dHA6Ly9zb2Z0LmNvbS8+JTdDZWZmMDkyZTZiMjg5NGFjZThmODQwOGQ0NjRjZGE0ZDUl
N0M3MmY5ODhiZjg2ZjE0MWFmOTFhYjJkNw0KY2QwMTFkYjQ3JTdDMSU3QzAlN0M2MzYyNDQyODE4
MTAwODg1MDEmc2RhdGE9MTRHenRaTFklMkJuUU5iaFI1YnFqUzdjDQpSWVVTbG90cHI2Slh0Rlhw
ZHVHdUklM0QmcmVzZXJ2ZWQ9MD4NCg0KDQoNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18NCk9BdXRoIG1haWxpbmcgbGlzdA0KT0F1dGhAaWV0Zi5vcmc8
bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KaHR0cHM6Ly9uYTAxLnNhZmVsaW5rcy5wcm90ZWN0aW9u
Lm91dGxvb2suY29tLz91cmw9aHR0cHMlM0ElMkYlMkZ3d3cuDQppZXRmLm9yZzxodHRwOi8vaWV0
Zi5vcmcvPiUyRm1haWxtYW4lMkZsaXN0aW5mbyUyRm9hdXRoJmRhdGE9MDIlN0MwMSU3Q3Rvbnlu
YWQlNDBtaWNyb3MNCm9mdC5jb208aHR0cDovL29mdC5jb20vPiU3Q2VmZjA5MmU2YjI4OTRhY2U4
Zjg0MDhkNDY0Y2RhNGQ1JTdDNzJmOTg4YmY4NmYxNDFhZjkxYWIyZDdjDQpkMDExZGI0NyU3QzEl
N0MwJTdDNjM2MjQ0MjgxODEwMDg4NTAxJnNkYXRhPTE0R3p0WkxZJTJCblFOYmhSNWJxalM3Y1IN
CllVU2xvdHByNkpYdEZYcGR1R3VJJTNEJnJlc2VydmVkPTANCg0KX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCk9BdXRoIG1haWxpbmcgbGlzdA0KT0F1dGhA
aWV0Zi5vcmc8bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KaHR0cHM6Ly9uYTAxLnNhZmVsaW5rcy5w
cm90ZWN0aW9uLm91dGxvb2suY29tLz91cmw9aHR0cHMlM0ElMkYlMkZ3d3cuaQ0KZXRmLm9yZzxo
dHRwOi8vZXRmLm9yZy8+JTJGbWFpbG1hbiUyRmxpc3RpbmZvJTJGb2F1dGgmZGF0YT0wMiU3QzAx
JTdDdG9ueW5hZCU0MG1pY3Jvc29mDQp0LmNvbTxodHRwOi8vdC5jb20vPiU3Q2VmZjA5MmU2YjI4
OTRhY2U4Zjg0MDhkNDY0Y2RhNGQ1JTdDNzJmOTg4YmY4NmYxNDFhZjkxYWIyZDdjZDAxDQoxZGI0
NyU3QzElN0MwJTdDNjM2MjQ0MjgxODEwMDg4NTAxJnNkYXRhPTE0R3p0WkxZJTJCblFOYmhSNWJx
alM3Y1JZVVNsDQpvdHByNkpYdEZYcGR1R3VJJTNEJnJlc2VydmVkPTANCg0KDQpfX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KT0F1dGggbWFpbGluZyBsaXN0
DQpPQXV0aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRm
Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQoNCg==

--_000_fa44cd7ea1c740ec8fd244ebd57f79d7HE101654emea1cdstintern_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_fa44cd7ea1c740ec8fd244ebd57f79d7HE101654emea1cdstintern_--


From nobody Mon Mar 13 04:48:14 2017
In-Reply-To: <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 13 Mar 2017 05:47:39 -0600
Message-ID: <CA+k3eCRsF6cdzypnV8a0hpqRDLetgKBC++EjLqQ5u_c5b17tfw@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2AyhAIShyfFQIzhlvUGntsiLBg0>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

On Sat, Mar 11, 2017 at 1:54 PM, William Denniss <wdenniss@google.com>
wrote:

>
> On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:
>
>>
>>
>>> Secondly, I had a question about the “response_type” parameter to the
>>> device endpoint. This parameter is required and it has a single, required
>>> value, with no registry or other possibility of extension. What’s the
>>> point? If it’s for “parallelism”, I’ll note that this is *not* the
>>> authorization endpoint (as the user is not present) and such constraints
>>> need not apply here.
>>>
>>
>> Good points here. At a guess, it bled in from the OAuth spec. If it's not
>> needed, we should remove it.
>>
>>
>> I’d vote for removal, I don’t see the point.
>>
>
+1 on removal of the “response_type” parameter from the Device
Authorization Request



From nobody Mon Mar 13 08:27:39 2017
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "The IESG" <iesg@ietf.org>
Message-ID: <148941885788.17035.8404645820700119652.idtracker@ietfa.amsl.com>
Date: Mon, 13 Mar 2017 08:27:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oQwenw-2Q129_kOsA0h8bY_u71M>
Cc: oauth-chairs@ietf.org, draft-ietf-oauth-amr-values@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-amr-values-07: (with COMMENT)

Stephen Farrell has entered the following ballot position for
draft-ietf-oauth-amr-values-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


Thanks for clarifying that amr represents classes of auth methods and 
not (always) individual methods, that all makes more sense now;-)

I think you might usefully add the phrase "classes of" (or similar) to
the draft in a few places to help folks understand that, in particular,
I spotted two places where I think something like that'd be good:

1. in the definition, I'd suggest:

OLD:

 amr
      OPTIONAL.  Authentication Methods References.  JSON array of
      strings that are identifiers for authentication methods used in
      the authentication. 

NEW:

 amr
      OPTIONAL.  Authentication Methods References.  JSON array of
      strings that are identifiers for classes of authentication methods
      used in the authentication. 

2. In the IANA considerations and DE guidance, maybe make the name
of the new registry reflect that these are classes, in case someone
gets confused only having looked at the IANA pages without reading the
RFC, and perhaps point the DE guidance back to the top bit where you
explain this stuff and add "classes of" in a few places in the template
to save the DEs having to explain that over and over to people who just
copy templates.

Thanks,
S.
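The "classes of methods" reading of the amr claim discussed above, shown from the relying-party side as an added example (not code from the draft or from anyone in this thread): the claim is validated as a JSON array of strings and then evaluated as a set of method classes rather than concrete products. The value names in the policy ("pwd", "otp", "hwk", "mfa", ...) are assumed from the published registry of this draft (RFC 8176), and the grouping of classes into factor categories is this example's own assumption.

```python
"""Relying-party side check of the OpenID Connect "amr" claim (added example)."""
import json

# Each registered amr value names a *class* of authentication methods, not one
# concrete implementation. Grouping those classes by factor category is an
# assumption made for this example, not something the draft specifies.
FACTOR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession",
    "sms": "possession", "tel": "possession", "sc": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "retina": "inherence",
}


def parse_amr(claims):
    """Return the amr list, or None when the claim is absent.

    Raises ValueError when the claim is present but is not the JSON array of
    strings the definition requires (a bare string, nested objects, ...).
    """
    amr = claims.get("amr")
    if amr is None:
        return None
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def satisfies_mfa(amr):
    """True when the asserted method classes amount to multi-factor auth.

    Either the issuer asserted the "mfa" class directly, or the listed classes
    span at least two distinct factor categories. Unregistered values are
    ignored rather than trusted, so an unknown class never counts as a factor.
    """
    if amr is None:
        return False
    if "mfa" in amr:
        return True
    categories = {FACTOR_CATEGORY[v] for v in amr if v in FACTOR_CATEGORY}
    return len(categories) >= 2


def check_id_token_payload(payload_json):
    """Decode a (constructed) ID token payload and apply the MFA policy.

    Returns (decision, reason). Signature and issuer checks are assumed to
    have happened before this point; only the amr semantics are shown here.
    """
    claims = json.loads(payload_json)
    try:
        amr = parse_amr(claims)
    except ValueError as exc:
        return False, str(exc)
    if amr is None:
        return False, "no amr claim; cannot establish factor classes"
    if satisfies_mfa(amr):
        return True, "mfa policy satisfied by classes " + ",".join(amr)
    return False, "single factor category only: " + ",".join(amr)


# Constructed sample payloads for illustration; these are not real tokens.
SAMPLES = {
    "pwd_and_otp": '{"sub": "alice", "amr": ["pwd", "otp"]}',
    "pwd_only": '{"sub": "bob", "amr": ["pwd"]}',
    "mfa_asserted": '{"sub": "carol", "amr": ["mfa"]}',
    "malformed": '{"sub": "dave", "amr": "pwd otp"}',
    "two_knowledge": '{"sub": "erin", "amr": ["pwd", "pin"]}',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, check_id_token_payload(payload))
```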



From nobody Mon Mar 13 09:13:10 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Date: Mon, 13 Mar 2017 16:13:06 +0000
Message-ID: <CY4PR21MB0504AC9100FDB87A7BEDA459F5250@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148941885788.17035.8404645820700119652.idtracker@ietfa.amsl.com>
In-Reply-To: <148941885788.17035.8404645820700119652.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XZSI0mxHHjmICE5rwk7XG1oimh0>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-amr-values-07: (with COMMENT)


From nobody Mon Mar 13 09:48:54 2017
In-Reply-To: <fa44cd7ea1c740ec8fd244ebd57f79d7@HE101654.emea1.cds.t-internal.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com> <SN1PR0301MB2029E928A385D315D37EBFABA62F0@SN1PR0301MB2029.namprd03.prod.outlook.com> <C16D1076-1CF0-4A76-BFC4-35E35E420799@ve7jtb.com> <CAAP42hDyRzVGT3P5pL5afb6GVBFV7mYFcwLvYp0djEJ60yBgBQ@mail.gmail.com> <fa44cd7ea1c740ec8fd244ebd57f79d7@HE101654.emea1.cds.t-internal.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 13 Mar 2017 09:48:23 -0700
Message-ID: <CAAP42hCcoD59c3P=SShDKm8_4N-rvWjjxL=5XLD6+m=4yuu5JQ@mail.gmail.com>
To: Axel.Nennker@telekom.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SlWfe1gBaZxCGz01e3GDw_CZfGE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt


Thanks! I've corrected that in my local copy.

On Mon, Mar 13, 2017 at 1:35 AM, <Axel.Nennker@telekom.de> wrote:

> Hi,
>
>
>
> There is an extra “where” in this Terminology definition:
>
>
>
> "reverse domain name notation"  A naming convention based on the
>
>       domain name system, but where where the domain components are
>
>       reversed, for example "app.example.com" becomes "com.example.app".
>
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-09
>
>
>
> cheers
>
> Axel
>
>
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *William
> Denniss
> *Sent:* Tuesday, March 07, 2017 9:35 PM
> *To:* John Bradley
>
> *Cc:* internet-drafts@ietf.org; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
>
>
>
> That's an important distinction. It's not a "web-view vs browser"
> question, but an "embedded user-agent vs external user-agent" question.  If
> something is named "webview" but has all the attributes of an external
> user-agent, then it's still an external user-agent for the purpose of the
> BCP.
>
>
>
> I tried to be careful to always use the term "embedded user-agent"
> following the nomenclature of RFC6749, e.g. title of Section 8.1. Webview
> is referenced in a few places, for example Sec 8.1 says "In typical
> web-view based implementations of embedded user-agents", as most embedded
> user-agents do happen to use technology called webview – but there's no
> normative text that means something named "webview" but that is actually an
> external user-agent can't be used.
>
>
>
> External user-agent is defined in the spec as such:
>
>
>
>    "external user-agent"  A user-agent capable of handling the
>
>       authorization request that is a separate entity to the native app
>
>       making the request (such as a browser), such that the app cannot
>
>       access the cookie storage or modify the page content.
>
>
>
>
>
> Earlier versions were not as careful with the terms, but it was tightened
> up and clarified for this very reason.
>
>
>
> Regarding the Windows broker, it is explicitly mentioned as an external
> user agent in the implementation details appendix (emphasis added):
>
>
>
>  Universal Windows Platform (UWP) apps can use the Web Authentication
>
>    Broker API in SSO mode as an *external user-agent* for authorization
>
>    flows…
>
>
>
> I've had the same experience as you John, and have not seen U2F work on
> any implementation of webview that I've used (including iOS, Android, and
> Windows using the old-style embedded IE control).
>
>
>
> +1 to update the BCP when and if the best current practice changes. I
> believe it does accurately capture the best current practice as of today.
>
>
>
> On Tue, Mar 7, 2017 at 12:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> That is the theory that CTAP should let web-views work.
>
>
>
> I just ran a test on the current shipping Android build. U2F is only
> working from the View controller and system browser.
>
> Web-view is not currently exposing CTAP.
>
>
>
> I believe that is also the case on iOS, but haven't built an app to test it.
>
>
>
> This first version of the BCP doesn’t go into advanced issues around Web
> Auth/Fido in detail.  We know that currently WebView/View controller/Token
> Agent work with existing CTAP implementations.
>
>
>
> Once we have systems deployed that can use CTAP from a web view we can
> update the BCP.
>
>
>
> We may also have a definitional problem, we consider the Windows token
> broker in SSO mode to fit the model of a view controller/Web View in that
> it is sandboxed from the app, rather than considering it a web-view.   I
> know that the token broker can support WebAuthentication (CTAP 2) in recent
> RS2 builds of Win 10.
>
>
>
> John B.
>
>
>
>
>
> On Mar 7, 2017, at 5:16 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>
>
> Not true John, the CTAP support that is current would support the web-view
> w/o any changes
>
>
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] On
> Behalf Of John Bradley
> Sent: Monday, March 6, 2017 12:16 PM
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> Cc: internet-drafts@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
>
> On fido I can tell you that for security reasons U2F won't work from a
> web-view currently.
>
> Once we move to Web Auth (Fido 2) where the OS provides an API for apps to
> call to get the token it will work but the tokens are audienced to the app
> based on its developer key and bundle_id so that an app can't ask for a token
> for a different site to do correlation.
>
> It is true that Fido UAF currently requires a web-view to work as the
> authenticator is effectively compiled into each application, and that
> application has access to the private keys on most platforms (Samsung Knox
> being the only exception to that that I know of where the keys are managed
> by a common API to hardware key storage, but they are scoped like U2F as
> well)
>
> So for the most part it is true and that unless you use the browser to get
> the Fido token the audience is for the app.
> Example: Salesforce creates a native app that may use enterprise SSO via
> SAML, and the enterprise may use Fido as an authentication factor.
> If they use the webview + fido API approach the app can only get a token
> for Salesforce based on its signing key.  It could fire up the web-view and
> do U2F authentication with the enterprise after Salesforce has redirected
> the user.  However it will give every enterprise a token audience to
> Salesforce with a Salesforce specific key.   If there is a second app for
> say Slack if they do the same thing the enterprise would get a Slack
> audienced token and a Slack key forcing a separate registration.
>
> The recommended alternative is that the app use a custom tab for the user
> to SalesForce and that redirect to the enterprise.
> The enterprise gets the same token/key with the correct audience from all
> apps on the device using the browser or custom tab.
> The user may not need to sign in a second time, and if they do their Fido
> token will not need to be re-registered.
>
> The Fido API approach really only works for first party apps like PayPal
> if the app is not doing federation and PayPal is doing the
> authentication for their own app.
>
> Token binding private keys have similar issues.   The pool of private keys
> will probably not be shared between apps, and not between the app and the
> browser (Win 10 may be an exception but it is not documented yet)
>
> In the case of using AppAuth with token binding the browser maintains the
> keys so the enterprise would be able to see the same key and use the same
> cookies across all AppAuth Apps.
>
> You can include token binding in your app, however the token bindings and
> cookies are going to be sandboxed per app.
> Depending on implementation the app gets access to the cookie, but perhaps
> not to the private token binding key.  (At least I don't think it will in
> Android embedded webview).
>
> We could expand on this later in an update to the BCP once Web
> Authentication and Token Binding are final.
>
> There are still some unknowns, but in general for any sort of
> SSO/Federation 3rd party app I don’t see recommending anything other than a
> custom tab/ view controller/ external browser.
>
> William can take the formatting question:)
>
> John B.
>
> On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> wrote:
>
> Hi William, Hi John,
>
> I just re-read version -8 of the document again.
>
> Two minor remarks only.
>
> Editorial issue: Why do you need to introduce a single sub-section
> within Section 7.1. (namely Section 7.1.1)?
>
> Background question: You note that embedded user agents have the
> disadvantage that the app that hosts the embedded user-agent can
> access the user's full authentication credential. This is certainly
> true for password-based authentication mechanisms but I wonder whether
> this is also true for strong authentication techniques, such as those
> used by FIDO combined with token binding. Have you looked into more
> modern authentication techniques as well and their security implication?
>
> Ciao
> Hannes
>
> On 03/03/2017 07:39 AM, William Denniss wrote:
>
> Changes:
>
> – Addresses feedback from the second round of WGLC.
> – Reordered security consideration sections to better group related topics.
> – Added complete URI examples to each of the 3 redirect types.
> – Editorial pass.
>
>
>
> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org> wrote:
>
>
>   A New Internet-Draft is available from the on-line Internet-Drafts
>   directories.
>   This draft is a work item of the Web Authorization Protocol of the IETF.
>
>           Title           : OAuth 2.0 for Native Apps
>           Authors         : William Denniss
>                             John Bradley
>           Filename        : draft-ietf-oauth-native-apps-08.txt
>           Pages           : 20
>           Date            : 2017-03-02
>
>   Abstract:
>      OAuth 2.0 authorization requests from native apps should only be made
>      through external user-agents, primarily the user's browser.  This
>      specification details the security and usability reasons why this is
>      the case, and how native apps and authorization servers can implement
>      this best practice.
>
>
>   The IETF datatracker status page for this draft is:
>   https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>
>   There's also a htmlized version available at:
>   https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>
>   A diff from the previous version is available at:
>   https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
>
>
>   Please note that it may take a couple of minutes from the time of
>   submission
>   until the htmlized version and diff are available at tools.ietf.org.
>
>   Internet-Drafts are also available by anonymous FTP at:
>   ftp://ftp.ietf.org/internet-drafts/
>
>   _______________________________________________
>   OAuth mailing list
>   OAuth@ietf.org
>   https://www.ietf.org/mailman/listinfo/oauth
>
>
>
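The "reverse domain name notation" definition quoted in this thread and the three redirect types named in the -08 change list, worked into runnable checks as an added example (this is not code from draft-ietf-oauth-native-apps or its authors). Every client domain and URI below is constructed; the loopback host set, the any-port rule for loopback redirects (taken from the published BCP, RFC 8252 section 7.3) and the trailing-label allowance in scheme_matches_domain are this example's assumptions, not text from the thread.

```python
"""Added example: redirect URI checks for an OAuth 2.0 native-app client,
built around the draft's "reverse domain name notation" definition. Not the
draft's or any project's code; all domains and URIs are constructed."""
from urllib.parse import urlsplit

# Loopback hosts the BCP allows for the loopback redirect type (assumption for
# this example); "localhost" is deliberately not in the set.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def reverse_domain(domain: str) -> str:
    """Reverse domain name notation as defined in the draft's Terminology
    section: 'app.example.com' becomes 'com.example.app'."""
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError("need at least two DNS labels: %r" % domain)
    return ".".join(reversed(labels))


def classify_redirect(uri: str) -> str:
    """Sort a native-app redirect URI into one of the three redirect types
    ('private-use', 'loopback', 'claimed-https') or 'invalid'."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return "claimed-https" if parts.hostname else "invalid"
    if scheme == "http":
        # Plain http is only acceptable on the loopback interface.
        return "loopback" if parts.hostname in LOOPBACK_HOSTS else "invalid"
    if "." in scheme:
        # A dotted private-use scheme such as com.example.app:/oauth2redirect
        return "private-use"
    return "invalid"


def scheme_matches_domain(redirect_uri: str, domain: str) -> bool:
    """Check that a private-use scheme is the reverse of a domain the client
    controls. Accepting extra trailing labels (com.example.app.auth) is this
    example's assumption, not a rule stated in the thread."""
    scheme = urlsplit(redirect_uri).scheme.lower()
    expected = reverse_domain(domain)
    return scheme == expected or scheme.startswith(expected + ".")


def redirect_allowed(registered: list, redirect_uri: str) -> bool:
    """Authorization-server side match of the requested redirect_uri against
    the client's registered URIs: exact string match, except that a loopback
    URI may use any port (RFC 8252 section 7.3; the app cannot know in
    advance which port it will be able to bind)."""
    kind = classify_redirect(redirect_uri)
    if kind == "invalid":
        return False
    req = urlsplit(redirect_uri)
    for reg in registered:
        if reg == redirect_uri:
            return True
        if kind == "loopback" and classify_redirect(reg) == "loopback":
            r = urlsplit(reg)
            if (r.hostname, r.path, r.query) == (req.hostname, req.path, req.query):
                return True
    return False


if __name__ == "__main__":
    # Constructed registration for a hypothetical client.
    registered = ["com.example.app:/oauth2redirect",
                  "http://127.0.0.1/oauth2redirect"]
    for uri in ("com.example.app:/oauth2redirect",
                "http://127.0.0.1:51004/oauth2redirect",
                "http://localhost:51004/oauth2redirect",
                "https://app.example.com/oauth2redirect"):
        print(uri, classify_redirect(uri), redirect_allowed(registered, uri))
```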

--94eb2c088490ff40dc054a9f7b74
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks! I&#39;ve corrected that in my local copy.</div><di=
v class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Mon, Mar 13, 2017=
 at 1:35 AM,  <span dir=3D"ltr">&lt;<a href=3D"mailto:Axel.Nennker@telekom.=
de" target=3D"_blank">Axel.Nennker@telekom.de</a>&gt;</span> wrote:<br><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex">





<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"m_7581401428283703047WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">Hi,<u></u><u></u></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">There is an extra =E2=80=
=9Cwhere=E2=80=9D in this Terminology definition:<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;">&quot;reverse domain name notation&quot;=C2=A0 A naming co=
nvention based on the<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 domain name system, but whe=
re where the domain components are<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 reversed, for example &quot=
;<a href=3D"http://app.example.com" target=3D"_blank">app.example.com</a>&q=
uot; becomes &quot;com.example.app&quot;.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;"><a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-na=
tive-apps-09" target=3D"_blank">https://tools.ietf.org/html/<wbr>draft-ietf=
-oauth-native-apps-<wbr>09</a>
<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;"><u></u>=C2=A0<u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;">cheers<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;">Axel<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u>=C2=A0<u></u></spa=
n></p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> OAuth [m=
ailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bou=
nces@ietf.org</a><wbr>]
<b>On Behalf Of </b>William Denniss<br>
<b>Sent:</b> Tuesday, March 07, 2017 9:35 PM<br>
<b>To:</b> John Bradley</span></p><div><div class=3D"h5"><br>
<b>Cc:</b> <a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">in=
ternet-drafts@ietf.org</a>; <a href=3D"mailto:oauth@ietf.org" target=3D"_bl=
ank">oauth@ietf.org</a><br>
<b>Subject:</b> Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-<wb=
r>08.txt<u></u><u></u></div></div><p></p><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">That&#39;s an important distinction. It&#39;s not a =
&quot;web-view vs browser&quot; question, but an &quot;embedded user-agent =
vs external user-agent&quot; question.=C2=A0 If something is named &quot;we=
bview&quot; but has all the attributes of an external use-agent, then it&#3=
9;s still
 an external user-agent for the purpose of the BCP.<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I tried to be careful to always use the term &quot;e=
mbedded user-agent&quot; following the nomenclature of RFC6749, e.g. title =
of Section 8.1. Webview is referenced in a few places, for example Sec 8.1 =
says &quot;In typical web-view based implementations
 of embedded user-agents&quot;, as most embedded user-agents do happen to u=
se technology called webview =E2=80=93 but there&#39;s no normative text th=
at means something named &quot;webview&quot; but that is actually an extern=
al user-agent can&#39;t be used.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">External user-agent is defined in the spec as such:<=
u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<pre><span style=3D"color:black">=C2=A0=C2=A0 &quot;external user-agent&quo=
t;=C2=A0 A user-agent capable of handling the<u></u><u></u></span></pre>
<pre><span style=3D"color:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 authorizati=
on request that is a separate entity to the native app<u></u><u></u></span>=
</pre>
<pre><span style=3D"color:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 making the =
request (such as a browser), such that the app cannot<u></u><u></u></span><=
/pre>
<pre><span style=3D"color:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 access the =
cookie storage or modify the page content.<u></u><u></u></span></pre>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Earlier versions were not as careful with the terms,=
 but it was tightened up and clarified for this very reason.<u></u><u></u><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Regarding the Windows broker, it is explicitly menti=
oned as an external user agent in the implementation details appendix (emph=
asis added):=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<pre><span style=3D"color:black"> Universal Windows Platform (UWP) apps can=
 use the Web Authentication<u></u><u></u></span></pre>
<pre><span style=3D"color:black">=C2=A0=C2=A0 Broker API in SSO mode as an =
<b>external user-agent</b> for authorization<u></u><u></u></span></pre>
<pre><span style=3D"color:black">=C2=A0=C2=A0 flows=E2=80=A6<u></u><u></u><=
/span></pre>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">I&#39;ve had the same experiance as you John, and ha=
ve not seen U2F work on any implementation of webview that I&#39;ve used (i=
ncluding iOS, Android, and Windows using the old-style embedded IE control)=
.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">+1 to update the BCP when and if the best current pr=
actice changes. I believe it does accurately capture the best current pract=
ice as of today.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Tue, Mar 7, 2017 at 12:08 PM, John Bradley &lt;<a=
 href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>&=
gt; wrote:<u></u><u></u></p>
<div>
<p class=3D"MsoNormal">That is theory that CTAP should let web-views work. =
=C2=A0<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I just ran a test on the current shipping Android bu=
ild. U2F is only working from the View controller and system browser. =C2=
=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Web-view is not currently exposing CTAP.<u></u><u></=
u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I believe that is also the case on iOS, but haven&#3=
9;t built a app to test it.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">This first version of the BCP doesn=E2=80=99t go int=
o advanced issues around Web Auth/Fido in detail.=C2=A0 We know that curren=
tly WebView/View controller/Token Agent work with existing CTAP implementat=
ions.=C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">Once we have systems deployed that can use CTAP from=
 a web view we can update the BCP.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">We may also have a definitional problem, we consider=
 the Windows token broker in SSO mode to fit the model of a view controller=
/Web View in that it is sandboxed from the app , rather than considering it=
 a web-view. =C2=A0 I know that the token
 broker can support WebAuthentication (CTAP 2) in recent RS2 builds of Win =
10. =C2=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">John B.<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal">On Mar 7, 2017, at 5:16 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.co=
m</a>&gt; wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;">Not true John, the CTAP support that i=
s current would support the web-view w/o any changes<span class=3D"m_758140=
1428283703047m-6000036849972542875gmail-m8814585839802216220apple-converted=
-space">=C2=A0</span></span><u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;"><br>
<br>
-----Original Message-----<br>
From: OAuth [</span><a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_bl=
ank"><span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot=
;sans-serif&quot;">mailto:oauth-bounces@ietf.org</span></a><span style=3D"f=
ont-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><w=
br>] On Behalf
 Of John Bradley<br>
Sent: Monday, March 6, 2017 12:16 PM<br>
To: Hannes Tschofenig &lt;</span><a href=3D"mailto:hannes.tschofenig@gmx.ne=
t" target=3D"_blank"><span style=3D"font-size:9.0pt;font-family:&quot;Helve=
tica&quot;,&quot;sans-serif&quot;">hannes.tschofenig@gmx.net</span></a><spa=
n style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-ser=
if&quot;">&gt;<br>
Cc:<span class=3D"m_7581401428283703047m-6000036849972542875gmail-m88145858=
39802216220apple-converted-space">=C2=A0</span></span><a href=3D"mailto:int=
ernet-drafts@ietf.org" target=3D"_blank"><span style=3D"font-size:9.0pt;fon=
t-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">internet-drafts@ietf=
.org</span></a><span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&q=
uot;,&quot;sans-serif&quot;">;<span class=3D"m_7581401428283703047m-6000036=
849972542875gmail-m8814585839802216220apple-converted-space">=C2=A0</span><=
/span><a href=3D"mailto:oauth@ietf.org" target=3D"_blank"><span style=3D"fo=
nt-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><wb=
r>oauth@ietf.org</span></a><span style=3D"font-size:9.0pt;font-family:&quot=
;Helvetica&quot;,&quot;sans-serif&quot;"><br>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-<wbr>08.tx=
t<br>
<br>
On fido I can tell you that for security reasons U2F won't work from a web-=
view currently.<br>
<br>
Once we move to Web Auth (Fido 2) where the OS provides an API for apps to =
call to get the token it will work but the tokens are audienced to the app =
based on its developer key and bundle_id so that an app can't ask for a tok=
en for a different site to do correlation.<span class=3D"m_75814014282837=
03047=
m-6000036849972542875gmail-m8814585839802216220apple-converted-space">=C2=
=A0</span><br>
<br>
It is true that Fido UAF currently requires a web-view to work as the authe=
nticator is effectively compiled into each application, and that applicatio=
n has access to the private keys on most platforms (Samsung Knox being the =
only exception to that I know of, where the keys are managed by a common AP=
I to hardware key storage, but they are scoped like U2F as well)<br>
<br>
So for the most part it is true that unless you use the browser to get the =
Fido token the audience is for the app.<br>
Example: Salesforce creates a native app that may use enterprise SSO via SA=
ML, and the enterprise may use Fido as an authentication factor.<br>
If they use the webview + fido API approach the app can only get a token fo=
r SalesForce based on its signing key.=C2=A0 It could fire up the web-view =
and do U2F authentication with the enterprise after Salesforce has redirect=
ed the user.=C2=A0 However it will give every enterprise a token audienced =
to Salesforce with a Salesforce-specific key. =C2=A0=C2=A0If there is a sec=
ond app for, say, Slack and they do the same thing the enterprise would get=
 a Slack-audienced token and a Slack key forcing a separate registration.<s=
pan class=3D"m_7581401428283703047m-6000036849972=
542875gmail-m8814585839802216220apple-converted-space">=C2=A0</span><br>
<br>
The recommended alternative is that the app use a custom tab to take the us=
er to SalesForce and that redirects to the enterprise.<br>
The enterprise gets the same token/key with the correct audience from all a=
pps on the device using the browser or custom tab.<span class=3D"m_75814014=
28283703047m-6000036849972542875gmail-m8814585839802216220apple-converted-s=
pace">=C2=A0</span><br>
The user may not need to sign in a second time, and if they do their Fido t=
oken will not need to be re-registered.<br>
<br>
The Fido API approach really only works for first-party apps like PayPal if=
 the app is not doing federation and PayPal is doing the authentication for=
 their own app.<br>
<br>
Token binding private keys have similar issues. =C2=A0=C2=A0The pool of pri=
vate keys will probably not be shared between apps, and not between the app=
 and the browser (Win 10 may be an exception but it is not documented yet)<=
br>
<br>
In the case of using AppAuth with token binding the browser maintains the k=
eys so the enterprise would be able to see the same key and use the same co=
okies across all AppAuth Apps.<br>
<br>
You can include token binding in your app, however the token bindings and c=
ookies are going to be sandboxed per app. =C2=A0<br>
Depending on implementation the app gets access to the cookie, but perhaps =
not to the private token binding key. =C2=A0(At least I don&#39;t think it =
will in Android embedded webview).<br>
<br>
We could expand on this later in an update to the BCP once Web Authenticati=
on and Token Binding are final.<br>
<br>
There are still some unknowns, but in general for any sort of SSO/Federatio=
n 3rd party app I don=E2=80=99t see recommending anything other than a cust=
om tab/ view controller/ external browser.<br>
<br>
William can take the formatting question:)<br>
<br>
John B.</span><u></u><u></u></p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt;font-variant-caps=
:normal;text-align:start;word-spacing:0px">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;">On Mar 6, 2017, at 4:41 PM, Hannes Tsc=
hofenig &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net" target=3D"_blank">=
hannes.tschofenig@gmx.net</a>&gt; wrote:<br>
<br>
Hi William, Hi John,<br>
<br>
I just re-read version -8 of the document again.<br>
<br>
Two minor remarks only.<br>
<br>
Editorial issue: Why do you need to introduce a single sub-section<br>
within Section 7.1. (namely Section 7.1.1)?<br>
<br>
Background question: You note that embedded user agents have the<br>
disadvantage that the app that hosts the embedded user-agent can<br>
access the user&#39;s full authentication credential. This is certainly<br>
true for password-based authentication mechanisms but I wonder whether<br>
this is also true for strong authentication techniques, such as those<br>
used by FIDO combined with token binding. Have you looked into more<br>
modern authentication techniques as well and their security implications?=
<br>
<br>
Ciao<br>
Hannes<br>
<br>
On 03/03/2017 07:39 AM, William Denniss wrote:<u></u><u></u></span></p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;">Changes:<br>
<br>
=E2=80=93 Addresses feedback from the second round of WGLC.<br>
=E2=80=93 Reordered security consideration sections to better group related=
 topics.<br>
=E2=80=93 Added complete URI examples to each of the 3 redirect types.<br>
=E2=80=93 Editorial pass.<br>
<br>
<br>
<br>
On Thu, Mar 2, 2017 at 10:27 PM, &lt;<a href=3D"mailto:internet-drafts@ietf=
.org" target=3D"_blank">internet-drafts@ietf.org</a><span class=3D"m_758140=
1428283703047m-6000036849972542875gmail-m8814585839802216220apple-converted=
-space">=C2=A0</span><br>
&lt;<a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">mailto:in=
ternet-drafts@ietf.<wbr>org</a>&gt;&gt; wrote:<br>
<br>
<br>
=C2=A0=C2=A0A New Internet-Draft is available from the on-line Internet-Dra=
fts<br>
=C2=A0=C2=A0directories.<br>
=C2=A0=C2=A0This draft is a work item of the Web Authorization Protocol of =
the IETF.<br>
<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Title =C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: OAuth 2.0 for Native A=
pps<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Authors =C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: William Denniss<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0<wbr>John Bradley<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Filename =C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: draft-ietf-oauth-native-apps-<wbr>08.=
txt<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Pages =C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: 20<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0Date =C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: 2017-03-02<br>
<br>
=C2=A0=C2=A0Abstract:<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0OAuth 2.0 authorization requests from native =
apps should only be made<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0through external user-agents, primarily the u=
ser&#39;s browser.=C2=A0 This<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0specification details the security and usabil=
ity reasons why this is<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0the case, and how native apps and authorizati=
on servers can implement<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0this best practice.<br>
<br>
<br>
=C2=A0=C2=A0The IETF datatracker status page for this draft is:<u></u><u></=
u></span></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><span style=3D"font-s=
ize:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=C2=A0=
=C2=A0<a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-native=
-apps/" target=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-oaut=
h-native-apps/</a><br>
<br>
=C2=A0=C2=A0There&#39;s also a htmlized version available at:<br>
=C2=A0=C2=A0<a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-native=
-apps-08" target=3D"_blank">https://tools.ietf.org/html/draft-ietf-oauth-n=
ative-apps-08</a><br>
<br>
=C2=A0=C2=A0A diff from the previous version is available at:<br>
=C2=A0=C2=A0<a href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oaut=
h-native-apps-08" target=3D"_blank">https://www.ietf.org/rfcdiff?url2=3Ddr=
aft-ietf-oauth-native-apps-08</a><br>
<br>
<br>
=C2=A0=C2=A0Please note that it may take a couple of minutes from the time=
 of<br>
=C2=A0=C2=A0submission<br>
=C2=A0=C2=A0until the htmlized version and diff are available at <a href=
=3D"http://tools.ietf.org/" target=3D"_blank">tools.ietf.org</a>.<br>
<br>
=C2=A0=C2=A0Internet-Drafts are also available by anonymous FTP at:<br>
=C2=A0=C2=A0<a href=3D"ftp://ftp.ietf.org/internet-drafts/" target=3D"_bla=
nk">ftp://ftp.ietf.org/internet-drafts/</a><br>
<br>
=C2=A0=C2=A0_______________________________________________<br>
=C2=A0=C2=A0OAuth mailing list<br>
=C2=A0=C2=A0<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf=
.org</a><br>
=C2=A0=C2=A0<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=
=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><u></u><u></u><=
/span></p>
</blockquote>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;"><u></u><u></u></span></p>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
</div>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br></div>

--94eb2c088490ff40dc054a9f7b74--
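
The draft discussed in the thread above recommends that a native app hand the
authorization request to an external user-agent (system browser or custom tab)
and receive the response on a loopback, claimed-https or private-scheme
redirect URI, with PKCE (RFC 7636) binding the code to the app instance that
started the request. The following is an added worked example, not code from
the draft or from anyone in this thread: the app side of that request using the
loopback redirect, with the authorization server simulated in the same process
so it runs offline. AUTHZ_ENDPOINT, CLIENT_ID, the port and every sample value
are hypothetical.

```python
"""Authorization request from a native app the way draft-ietf-oauth-native-apps
(later RFC 8252) recommends: external user-agent, loopback redirect, PKCE
(RFC 7636).  Added example, not the draft's code.  AUTHZ_ENDPOINT, CLIENT_ID,
the port and every sample value are hypothetical; the authorization server is
simulated in-process so the flow runs offline."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example.com/authorize"   # hypothetical AS
CLIENT_ID = "native-app-example"                       # hypothetical public client


def b64url(data):
    """BASE64URL without padding, as RFC 7636 specifies for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(port, code_challenge, state):
    """URL the app opens in the system browser or custom tab.  The redirect
    is the loopback form: http://127.0.0.1:{port}/..., port chosen at runtime."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
        "scope": "openid profile",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_loopback_redirect(request_line, expected_state):
    """Parse the request line the app's loopback listener receives, e.g.
    'GET /callback?code=..&state=.. HTTP/1.1', and return the code.
    Raises ValueError on a state mismatch or an error response."""
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method")
    url = urlparse(target)
    if url.path != "/callback":
        raise ValueError("unexpected path")
    q = parse_qs(url.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mix-up")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def as_verify_pkce(code_challenge, code_verifier):
    """Token-endpoint check on the AS side: S256(verifier) must equal the
    challenge that was bound to the code at authorization time."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def run_flow():
    """End-to-end with the AS simulated; returns values a test can check."""
    port = 49152                                  # constructed ephemeral port
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    authz_url = build_authorization_request(port, challenge, state)

    # Simulated AS: bind the challenge to a fresh code, redirect to loopback.
    sent = parse_qs(urlparse(authz_url).query)
    issued_code = b64url(secrets.token_bytes(24))
    bound_challenge = sent["code_challenge"][0]
    redirect_qs = urlencode({"code": issued_code, "state": sent["state"][0]})
    redirect_line = f"GET /callback?{redirect_qs} HTTP/1.1"

    code = parse_loopback_redirect(redirect_line, state)
    # The token request carries code + code_verifier.  Another app that
    # intercepted the redirect has the code but not the verifier, so it fails.
    return {
        "code_ok": code == issued_code,
        "pkce_ok": as_verify_pkce(bound_challenge, verifier),
        "interceptor_fails": not as_verify_pkce(bound_challenge, "not-the-verifier"),
        "verifier_len": len(verifier),
    }
```

The state check is what protects the loopback listener against a redirect
injected by something else on the host, and the PKCE check is what makes a
code captured from the redirect (by another app registered for the same
private scheme, or by anything listening on loopback) useless without the
verifier that never left the app.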


From nobody Mon Mar 13 10:39:06 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BDF11298CA; Mon, 13 Mar 2017 10:39:02 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.47.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148942674236.16952.15561615494772839871@ietfa.amsl.com>
Date: Mon, 13 Mar 2017 10:39:02 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/74_1CmXkeac07qYlb3Iw4D3LlVA>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 17:39:02 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
        Authors         : William Denniss
                          John Bradley
                          Michael B. Jones
                          Hannes Tschofenig
	Filename        : draft-ietf-oauth-device-flow-05.txt
	Pages           : 15
	Date            : 2017-03-13

Abstract:
   This OAuth 2.0 authorization flow for browserless and input
   constrained devices, often referred to as the device flow, enables
   OAuth clients to request user authorization from devices that have an
   Internet connection, but don't have an easy input method (such as a
   smart TV, media console, picture frame, or printer), or lack a
   suitable browser for a more traditional OAuth flow.  This
   authorization flow instructs the user to perform the authorization
   request on a secondary device, such as a smartphone.  There is no
   requirement for communication between the constrained device and the
   user's secondary device.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
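
As an added example (not part of the draft or of this announcement), the
exchange the abstract describes, with both sides simulated in one process: the
constrained device's authorization request, the user code the person enters on
a secondary device, and the device's polling of the token endpoint with the
interval, slow_down, expiry and single-use handling the authorization server
has to enforce. Parameter and error names are the ones the draft later
standardized (RFC 8628); the verification URI, client_id values and timings are
hypothetical, and the authorization request carries no response_type, matching
the -05 change.

```python
"""OAuth 2.0 Device Flow (draft-ietf-oauth-device-flow, later RFC 8628), both
sides simulated in-process.  Added example; not the draft's own text or code.
Parameter and error names follow what the draft standardized; VERIFICATION_URI,
client_id values and timings are hypothetical."""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://as.example.com/device"   # hypothetical
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"            # no vowels, no 0/1/O/I


class AuthorizationServer:
    """Minimal AS state for the flow: device_code -> record, user_code -> device_code."""

    def __init__(self, now, expires_in=600, interval=5):
        self.now = now                  # injectable clock (seconds) for determinism
        self.expires_in = expires_in    # lifetime of device_code and user_code
        self.interval = interval        # minimum seconds between polls
        self.devices = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Device Authorization Request: no response_type (removed in -05)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.devices[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "expires_at": self.now() + self.expires_in,
            "last_poll": None, "used": False,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            # -05 option: a URI that already carries the user_code (QR-code friendly)
            "verification_uri_complete": f"{VERIFICATION_URI}?user_code={user_code}",
            "expires_in": self.expires_in,
            "interval": self.interval,
        }

    def user_decides(self, user_code, approve):
        """What happens on the secondary device after the user authenticates
        there and enters (or follows a link carrying) the user_code."""
        dc = self.by_user_code.get(user_code.strip().upper())
        if dc is None or self.now() >= self.devices[dc]["expires_at"]:
            return False            # unknown or expired code: refuse
        self.devices[dc]["status"] = "approved" if approve else "denied"
        return True

    def token(self, client_id, device_code, grant_type=GRANT_TYPE):
        """Token Request, polled by the constrained device."""
        rec = self.devices.get(device_code)
        if grant_type != GRANT_TYPE or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        t = self.now()
        if t >= rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and t - rec["last_poll"] < self.interval:
            rec["last_poll"] = t
            return {"error": "slow_down"}      # client adds 5 s to its interval
        rec["last_poll"] = t
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        if rec["used"]:
            return {"error": "invalid_grant"}  # device_code is single-use
        rec["used"] = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def device_client(as_, clock, approve_at, client_id="tv-app"):
    """Drive the flow from the device's side.  `clock` is a dict {"t": seconds}
    shared with the AS; the user approves once the clock reaches approve_at.
    Returns (token-endpoint errors seen in order, final response)."""
    resp = as_.device_authorization(client_id, "read")
    interval, seen = resp["interval"], []
    while True:
        clock["t"] += interval                      # wait the advertised interval
        if approve_at is not None and clock["t"] >= approve_at:
            as_.user_decides(resp["user_code"], approve=True)
            approve_at = None
        r = as_.token(client_id, resp["device_code"])
        if "error" not in r:
            return seen, r
        seen.append(r["error"])
        if r["error"] == "slow_down":
            interval += 5
        elif r["error"] != "authorization_pending":
            return seen, r                          # terminal error


def run_happy_path():
    """User approves 12 s in; device sees two pending replies then a token."""
    clock = {"t": 0}
    as_ = AuthorizationServer(now=lambda: clock["t"])
    return device_client(as_, clock, approve_at=12)
```

Two things the abstract leaves implicit are visible here: the device and the
phone never talk to each other (the only shared state lives in the AS, keyed
by the user code), and everything that limits abuse of that short user code
lives on the AS side: its lifetime, the minimum poll interval, and a device
code that stops working after one successful token request.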


From nobody Mon Mar 13 11:44:26 2017
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97415129A53 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 11:44:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.44
X-Spam-Level: 
X-Spam-Status: No, score=-2.44 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3fe1AskCI3O for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 11:44:22 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 633B91299CF for <oauth@ietf.org>; Mon, 13 Mar 2017 11:44:22 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id r45so38994652qte.3 for <oauth@ietf.org>; Mon, 13 Mar 2017 11:44:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=RF2n2meuCVGA5yJ2m5UROD2AKK252DK0iXrzTPzG+pY=; b=tY3Yax8y7eb8+AbqQDWGYoHV8+PScJ/ciOAuKvDXpNR/p598zvEaHB8a/yoxJe6dvs MwsXtN3THracJAbWusHnkFGQS3ErUFaDpTr+HbL+ANRfw45V6e4e7OLZMK++pSVtSln0 R7Ey9Nm5eLcEj46YNg29v6smePrjwAo+tqgUs2OKUZ42ZMpeh409j41pizjoPmIdxE+9 6/2c2DCBW0SwN039Y6ijQWzoOwuWnrkRba/PahC0YUbczWo3jqf5CxPcVGQRl8wu/HxA 7dZFCvPTYkvem0rHxph5dXTFnjHDRp9w7yGwgg9asyEv6tNvYwcePYojp9Zy/3TuaYge k8Ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=RF2n2meuCVGA5yJ2m5UROD2AKK252DK0iXrzTPzG+pY=; b=Iqf+V3ZXInjzYQ20whllmzSdf5gBF3+u/P1Y4s3mmnX2xmT0O8lefe4rNaTtqMZfId 0HIcdrKo/iHJr1yJNzN3yrryU7dgKl3ZosdowF0ibxU6sr+sZfx8v7jG+S/oi1T9G+hm vpyjamzYIzXh4uyfWC4Fa5Nj4K1pbqh2nPMv2T+zci3cyudknhLLy+37NwWQFOgFtNwb l/LkVQruk2e7hDl1HZk5e6F/apgdMz+Xc5DtFwlXADG7UtZ2WLaB87rnbfQEtHyvz0zE awyHdJfWFNl9ISdeyPuJmAaWl3tqgSQf1T0jkybVOau2am5ejH/tGrvVpkuQeI5PevMg GheA==
X-Gm-Message-State: AMke39lB+klj1RDRvZu7y7xp8CHh6a3fj3HbE4jVvCbhV739l5zmpwp26mX47pHY6KTrmPqrKYT4SNLGLJ8xTDvY
X-Received: by 10.200.42.78 with SMTP id l14mr35967186qtl.15.1489430661162; Mon, 13 Mar 2017 11:44:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Mon, 13 Mar 2017 11:44:00 -0700 (PDT)
In-Reply-To: <148942674236.16952.15561615494772839871@ietfa.amsl.com>
References: <148942674236.16952.15561615494772839871@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 13 Mar 2017 11:44:00 -0700
Message-ID: <CAAP42hCqie8_T67KueLmtGSfVjz_cvu47BJrUnohjS0QnLiopw@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Justin Richer <jricher@mit.edu>,  Brian Campbell <bcampbell@pingidentity.com>,  "Manger, James" <James.H.Manger@team.telstra.com>, Mike Jones <Michael.Jones@microsoft.com>,  Hannes Tschofenig <hannes.tschofenig@arm.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a11403d867a6421054aa119a3
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OvOOLFG1o9Ze04UgKlj_o449ncY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 18:44:24 -0000

--001a11403d867a6421054aa119a3
Content-Type: text/plain; charset=UTF-8

Version -05 addresses comments from the working group, and includes normative
changes:

   o  response_type parameter removed from authorization request.
   o  Added option for clients to include the user_code on the
      verification URI.
   o  Clarified token expiry, and other nits.


Thank you Roshni Chandrashekhar, Brian Campbell, James Manger, and Justin
Richer for your valuable feedback. Thank you to my co-author Mike Jones for
reviewing and correcting all changes that resulted, and for the quality
pass on the doc.

On Mon, Mar 13, 2017 at 10:39 AM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 Device Flow for Browserless and Input
> Constrained Devices
>         Authors         : William Denniss
>                           John Bradley
>                           Michael B. Jones
>                           Hannes Tschofenig
>         Filename        : draft-ietf-oauth-device-flow-05.txt
>         Pages           : 15
>         Date            : 2017-03-13
>
> Abstract:
>    This OAuth 2.0 authorization flow for browserless and input
>    constrained devices, often referred to as the device flow, enables
>    OAuth clients to request user authorization from devices that have an
>    Internet connection, but don't have an easy input method (such as a
>    smart TV, media console, picture frame, or printer), or lack a
>    suitable browser for a more traditional OAuth flow.  This
>    authorization flow instructs the user to perform the authorization
>    request on a secondary device, such as a smartphone.  There is no
>    requirement for communication between the constrained device and the
>    user's secondary device.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-05
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-05
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--001a11403d867a6421054aa119a3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Version -05 addresses comments from the working group, and=
 includes normative changes:=C2=A0<div><br></div><div><pre class=3D"gmail-m=
_532600=
3279160418275gmail-newpage" style=3D"font-size:13.3333px;margin-top:0px;mar=
gin-bottom:0px;color:rgb(0,0,0)">   o  response_type parameter removed from=
 authorization request.
   o  Added option for clients to include the user_code on the
      verification URI.
   o  Clarified token expiry, and other nits.</pre><pre class=3D"gmail-m_53=
26003279160418275gmail-newpage" style=3D"font-size:13.3333px;margin-top:0px=
;margin-bottom:0px;color:rgb(0,0,0)"><br></pre>Thank you Roshni Chandrashek=
har,=C2=A0Brian Campbell, James Manger, and Justin Richer for your valuable=
 feedback. Thank you to my co-author Mike Jones for reviewing and correcti=
ng all changes that resulted, and for the quality pass on the doc.</div><di=
v class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Mon, Mar 13, 2017=
 at 10:39 AM,  <span dir=3D"ltr">&lt;<a href=3D"mailto:internet-drafts@ietf=
.org" target=3D"_blank">internet-drafts@ietf.org</a>&gt;</span> wrote:<br><=
blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l=
eft:1px solid rgb(204,204,204);padding-left:1ex"><br>
A New Internet-Draft is available from the on-line Internet-Drafts director=
ies.<br>
This draft is a work item of the Web Authorization Protocol of the IETF.<br=
>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Title=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=
 OAuth 2.0 Device Flow for Browserless and Input Constrained Devices<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Authors=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: Will=
iam Denniss<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 John Bradley<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 Michael B. Jones<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 Hannes Tschofenig<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Filename=C2=A0 =C2=A0 =C2=A0 =C2=A0 : draft-iet=
f-oauth-device-flow-0<wbr>5.txt<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Pages=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=
 15<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Date=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :=
 2017-03-13<br>
<br>
Abstract:<br>
=C2=A0 =C2=A0This OAuth 2.0 authorization flow for browserless and input<br=
>
=C2=A0 =C2=A0constrained devices, often referred to as the device flow, ena=
bles<br>
=C2=A0 =C2=A0OAuth clients to request user authorization from devices that =
have an<br>
=C2=A0 =C2=A0Internet connection, but don&#39;t have an easy input method (=
such as a<br>
=C2=A0 =C2=A0smart TV, media console, picture frame, or printer), or lack a=
<br>
=C2=A0 =C2=A0suitable browser for a more traditional OAuth flow.=C2=A0 This=
<br>
=C2=A0 =C2=A0authorization flow instructs the user to perform the authoriza=
tion<br>
=C2=A0 =C2=A0request on a secondary device, such as a smartphone.=C2=A0 The=
re is no<br>
=C2=A0 =C2=A0requirement for communication between the constrained device a=
nd the<br>
=C2=A0 =C2=A0user&#39;s secondary device.<br>
<br>
<br>
The IETF datatracker status page for this draft is:<br>
<a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/" =
rel=3D"noreferrer" target=3D"_blank">https://datatracker.ietf.org/d<wbr>oc/=
draft-ietf-oauth-device-flo<wbr>w/</a><br>
<br>
There&#39;s also a htmlized version available at:<br>
<a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-device-flow-05" rel=
=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/dr<wbr>aft-ie=
tf-oauth-device-flow-05</a><br>
<br>
A diff from the previous version is available at:<br>
<a href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-device-flow=
-05" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/rfcdiff?u<wb=
r>rl2=3Ddraft-ietf-oauth-device-fl<wbr>ow-05</a><br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a href=3D"http://tool=
s.ietf.org" rel=3D"noreferrer" target=3D"_blank">tools.ietf.org</a>.<br>
<br>
Internet-Drafts are also available by anonymous FTP at:<br>
<a href=3D"ftp://ftp.ietf.org/internet-drafts/" rel=3D"noreferrer" target=
=3D"_blank">ftp://ftp.ietf.org/internet-dr<wbr>afts/</a><br>
<br>
______________________________<wbr>_________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br>
</blockquote></div><br></div></div>

--001a11403d867a6421054aa119a3--


From nobody Mon Mar 13 12:46:49 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26C71129481 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 12:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level: 
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiNwfyvjMe3Y for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 12:46:44 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BC0F129406 for <oauth@ietf.org>; Mon, 13 Mar 2017 12:46:43 -0700 (PDT)
Received: from [80.140.199.98] (helo=[192.168.71.161]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1cnVvU-0002yI-N0; Mon, 13 Mar 2017 20:46:40 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <269DD0EC-FCBF-4691-9BAA-2B8F144C0353@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_7A8335EF-53BF-4823-9C01-BFA875E00683"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 13 Mar 2017 20:46:38 +0100
In-Reply-To: <BN6PR21MB05003786286B93ECF604D923F5220@BN6PR21MB0500.namprd21.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
References: <ed9a8430-5c80-6be3-8b5d-1759c4218919@lodderstedt.net> <BN6PR21MB05003786286B93ECF604D923F5220@BN6PR21MB0500.namprd21.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7sGHK3WJUOD_zKdCAAVVfslmgoQ>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 19:46:48 -0000

--Apple-Mail=_7A8335EF-53BF-4823-9C01-BFA875E00683
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Mike,

Yes, those are the right dates. There are restrictions from the host's side, that's why the workshop needs to take place on Monday and Tuesday. As far as I remember the host was clear about that from the beginning.

best regards,
Torsten.

> On 12.03.2017 at 22:15, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> Are Monday-Tuesday, July 10-11 really the right dates?  I'm asking because IETF in Prague doesn't start until Sunday, July 16th.  That leaves 4 days of dead time in between for those of us who are attending both.
>
> When I was first told about this workshop, I was told that it would be sometime Wednesday-Friday that week.  Can it be moved back to those dates?  That would be a big help for those of us travelling distances to attend.
>
> Or is there also another event in the Wednesday-Friday timeframe that people should also be considering attending?
>
> 				Thanks,
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
> Sent: Sunday, March 12, 2017 12:28 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
>
> Hi all,
>
> the OAuth WG and the ETH Zurich will organize another workshop on OAuth security (after the one last year in Trier).
>
> Please find the Call for Papers below.
>
> kind regards,
> Torsten.
>
> C a l l     F o r     P a p e r s
>
> Second OAuth Security Workshop (OSW 2017)
>
> Zurich, Switzerland -- July 10-11, 2017
>
> WWW: https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/
>
> ===============================================================================
>
> Overview
>
> The OAuth Security Workshop (OSW) focuses on improving security of the OAuth standard and related Internet protocols. This workshop brings together the IETF OAuth Working Group and security experts from research, industry, and standardization to this end. The workshop is hosted by the Zurich Information Security and Privacy Center at ETH Zurich.
>
> While the standardization process of OAuth ensures extensive reviews (both security and non-security related), further analysis by security experts from academia and industry is essential to ensure high quality specifications. Contributions to this workshop can help to improve the security of the Web and the Internet.
>
>
> Scope
>
> We seek position papers related to the security of OAuth, OpenID Connect, and other technologies using OAuth under the hood.
> Contributions regarding technologies that are used in OAuth, such as JOSE, or impact the security of OAuth, such as Web technology, are also welcome.
>
>
> Important Dates
>
> Position paper submission deadline: May 2, 2017 (AoE, UTC-12).
> Author notification: May 15, 2017.
> Registration deadline: June 16, 2017.
> Workshop: July 10 and July 11, 2017.
>
>
> Invited Speakers
>
> Cas Cremers, University of Oxford
>
>
> Submission
>
> We welcome position papers that describe existing work, raise new requirements, highlight challenges, write-ups of implementation and deployment experience, lessons-learned from successful or failed attempts, and ideas on how to improve OAuth and OAuth extensions.
>
> Position papers submitted to the OAuth Security Workshop may report on (unpublished) work in progress, be submitted to other places, and may even have already appeared or been accepted elsewhere.
>
> Submissions must be in PDF format and should feature reasonable margins and formatting. There is no page limit, but the submission should be brief (ideally not more than 3-5 pages). Submissions should not be anonymized.
>
> Submission Website: https://easychair.org/conferences/?conf=osw17
>
>
> Publication and Presentation
>
> One of the authors of the accepted position paper is expected to present the paper at the workshop.
>
> All presentations and papers will be put online but there will be no formal proceedings. Authors of accepted papers will have the option to revise their papers before they are put online.
>
>
> IPR Policy
>
> The workshop will have no expectation of IPR disclosure or licensing related to its submissions. Authors are responsible for obtaining appropriate publication clearances.
>
>
> Program Committee
>
> Chairs
> David Basin (ETH Zurich)
> Torsten Lodderstedt (YES Europe)
>
> Members
> John Bradley (Ping Identity)
> Ralf Küsters (University of Stuttgart)
> Chris Mitchell (Royal Holloway University of London)
> Anthony Nadalin (Microsoft)
> Nat Sakimura (Nomura Research Institute)
> Ralf Sasse (ETH Zurich)
> Jörg Schwenk (Ruhr University Bochum)
> Hannes Tschofenig (IETF OAuth Working Group Co-Chair)
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_7A8335EF-53BF-4823-9C01-BFA875E00683
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_7A8335EF-53BF-4823-9C01-BFA875E00683--


From nobody Mon Mar 13 12:59:38 2017
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36BCB129AF1 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 12:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dva6dER7UnVN for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 12:59:34 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0065.outbound.protection.outlook.com [104.47.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D139129AEE for <oauth@ietf.org>; Mon, 13 Mar 2017 12:59:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/h7Byi1xxQJyvjMAcqWHlhD9SDP8mfMjMjzWExkqgc0=; b=x7I+KPsUOLMP3lD4agngHQGszYRylL6XP+yGpxwy4xt/azNKyx6gxeuS1bmQ24PmiPXTq9KGwgCkRYl+azaRaMPwt5E8WP/4CMbHOBuuMHT/kL1sEkIpO+FXJ2VaLb0t4zIkxN0h1yZ4wPmXCCyxhHFf1OQ1lG6NOH/+d/JeSFU=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1031.namprd02.prod.outlook.com (10.161.203.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.961.17; Mon, 13 Mar 2017 19:59:31 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0961.021; Mon, 13 Mar 2017 19:59:31 +0000
From: Antonio Sanso <asanso@adobe.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>
Thread-Topic: Critical vulnerability in JSON Web Encryption (#JWE) - RFC 7516 Invalid Curve Attack 
Thread-Index: AQHSnDRTr2o8qZRb/UWAQbK2O+rfCg==
Date: Mon, 13 Mar 2017 19:59:30 +0000
Message-ID: <AA6C5BBA-E21B-4BA2-8D76-FEC05C770383@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=adobe.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [85.5.8.6]
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1031; 7:NRz2ZRA40FRJvu4Nzphfy/OCrv8SOwKT738/39sKeODBMP3+4/iHxCshLDseMLHqvQKazJKT5Bntbed5dR1RS+X+MN0GNfi49lBjyOEK20L48DlH4aRp0clCmsyRurM2EdJBB82bXFqcJh+TsxnGaBDl+O8aSYwCUGHYbzjrgfuI8hzIXgRlWfGtd1zKETyOklQAzy4wo5CAYy2SuJkYrhRmO1StNef8qud4aLczC9yKc4c5e/oqHohUUKEcv8GcSayP2i8v+L0a8OyLhexolkXbGCe4CashiTvFIRGxjcXm4eQlVw7Uj3yAF9A3NgPiRrDnAcDzvOLSX2bpRIrq+Q==; 20:2Fj5lUcgxPq6pqmyGrcOMJRs3uj5JS0aizh3GPO78qrLEin6JjSzo98jXsf7JVE0xE7s8yuBqdQZHudNjhefR18HF5++UlFj7scQmroEQDMQpgzAHkZ7+PYlbF8nYjkc3BycTxkTwOGaonPgGhdkZRA8Mwm9pvewVPFrkTzB31s=
x-ms-office365-filtering-correlation-id: bf0db5c5-37b5-434f-3909-08d46a4b76ca
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BY1PR0201MB1031; 
x-microsoft-antispam-prvs: <BY1PR0201MB1031AB2C3A6D7A2CDE645C50D9250@BY1PR0201MB1031.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123562025)(20161123560025)(20161123564025)(20161123555025)(6072148)(6042181); SRVR:BY1PR0201MB1031; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1031; 
x-forefront-prvs: 0245702D7B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(122556002)(66066001)(2906002)(10090500001)(38730400002)(966004)(3280700002)(53936002)(110136004)(93376004)(6506006)(77096006)(6486002)(5660300001)(86362001)(54356999)(82746002)(83716003)(50986999)(15188555004)(3846002)(6116002)(102836003)(106116001)(81166006)(8676002)(33656002)(36756003)(3660700001)(8936002)(189998001)(25786008)(99286003)(305945005)(7736002)(6306002)(6436002)(6512007)(558084003)(2900100001)(569964009)(491001)(104396002)(15302535012); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1031; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; MLV:nov; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <84B2C06CF66C034D8A03A32792D75499@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2017 19:59:30.5700 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1031
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Uj49yvjxf4w4o8pi1tuPRKlJNgw>
Subject: [OAUTH-WG] Critical vulnerability in JSON Web Encryption (#JWE) - RFC 7516 Invalid Curve Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 19:59:36 -0000

hi *,

sorry for cross posting with the jose mailing list

http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html

regards

antonio


From nobody Mon Mar 13 13:02:03 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8AE8129B02 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 13:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2_35l8XwPIKY for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 13:01:47 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B144129AFD for <oauth@ietf.org>; Mon, 13 Mar 2017 13:01:45 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id x35so40691873qtc.2 for <oauth@ietf.org>; Mon, 13 Mar 2017 13:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=qEFzlGwTGGPklDKCLCTXADBAi4wjki1fe1RX7rwoK/g=; b=J92Lu0iXtYr2s2YEtZH1SqdqCx5veC8PpXsyCLIblLh2TnEOZPsxhU2XIls6uqiMWw YKM6iYQq1WUr8liMZj6YxCI4Ic7W+RM+1zbj5UX5m0v8aLiwUvL87osG/BJIWTi9CQiz ISRGSsXJ6YClTKFYJmpHC91Gq0f7DVL4klfl0H6NFTE63o1U/uzCwuy0s52bUjJshRvM ZR3iAf0OAiuSsXoQ+/2TWKM4PphPADiYfSaqvmgDbnFBo3X6o8s9yiBnqw6f+ZIW63uN MtoCRup3j2o5gGVgn6dhP1gZl9+df2qsIUZC+oEJG8MKYsg8isuyNEOOCTB0V2SEYCBF B3AA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=qEFzlGwTGGPklDKCLCTXADBAi4wjki1fe1RX7rwoK/g=; b=QiZIOwmBtiRdVk3CG67f8cG1b9+LigItz7QoX5gj5yfjTy4zwPJtYFZE74+vR/HiOL 24UusNBED9K33OI2oHZHLxUBV/2igxFEy2G1OLQZNKYWRTrGw67yivg07ofCEa5bP75I /59gvvAP3FMU/dCUzOg3++yPrBjcp6l+XHfr1JdK4XvAjxq+FUu2os/6sZyp2E1RN//C enyXTLlWS9JoVk2mkH60poGO2q0mS9dXvaxjROlWHYxwnuJN3Thu9qRpFpdGo8khMWCi XSepeXXwCX5rFEi33SeNLltUlBi5f37E0LK2h8nH4821ou880/2kxRpkANNLCKlNG/Jn qfFQ==
X-Gm-Message-State: AMke39nlACrQ7hS4rwPuQNQTAeVVVgi+SJ625KtJpcJ7UrDpFu8nsMu+LAE30Tf8BUmPMVZn
X-Received: by 10.200.58.101 with SMTP id w92mr36991599qte.292.1489435304036;  Mon, 13 Mar 2017 13:01:44 -0700 (PDT)
Received: from jbradley-r.lan ([191.115.39.204]) by smtp.gmail.com with ESMTPSA id i125sm12858801qkf.52.2017.03.13.13.01.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Mar 2017 13:01:42 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <269DD0EC-FCBF-4691-9BAA-2B8F144C0353@lodderstedt.net>
Date: Mon, 13 Mar 2017 17:01:26 -0300
Message-Id: <3A9170DD-0861-478D-A9DD-9A55DC930B8D@ve7jtb.com>
References: <ed9a8430-5c80-6be3-8b5d-1759c4218919@lodderstedt.net> <BN6PR21MB05003786286B93ECF604D923F5220@BN6PR21MB0500.namprd21.prod.outlook.com> <269DD0EC-FCBF-4691-9BAA-2B8F144C0353@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a114fd9083c1de7054aa22e8a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CLbBFOWRDpwmDa55Bi1NRfe8ZOs>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second OAuth Security Workshop (Call for Papers)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 20:01:50 -0000

--001a114fd9083c1de7054aa22e8a
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

I did point out earlier, when I discovered the dates, that I similarly asked for it to be later in the week.
It is probably fine for Europeans, but it will stop many people from being able to attend, including myself, unless I can come up with other meetings in Europe to fill those days.

If we can't move it then we will have to live with it and attend or not.

John B.

> On Mar 13, 2017, at 4:46 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi Mike,
>
> Yes, those are the right dates. There are restrictions from the host's side, that's why the workshop needs to take place on Monday and Tuesday. As far as I remember the host was clear about that from the beginning.
>
> best regards,
> Torsten.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--001a114fd9083c1de7054aa22e8a
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a114fd9083c1de7054aa22e8a--


From nobody Mon Mar 13 14:14:49 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E4EDA129BA8; Mon, 13 Mar 2017 14:14:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.47.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148943968790.20370.17735775296781507437@ietfa.amsl.com>
Date: Mon, 13 Mar 2017 14:14:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A0qlyMNIViBcqU-BHBo8up-k-rI>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 21:14:48 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Binding
        Authors         : Michael B. Jones
                          John Bradley
                          Brian Campbell
                          William Denniss
	Filename        : draft-ietf-oauth-token-binding-02.txt
	Pages           : 26
	Date            : 2017-03-13

Abstract:
   This specification enables OAuth 2.0 implementations to apply Token
   Binding to Access Tokens, Authorization Codes, and Refresh Tokens.
   This cryptographically binds these tokens to a client's Token Binding
   key pair, possession of which is proven on the TLS connections over
   which the tokens are intended to be used.  This use of Token Binding
   protects these tokens from man-in-the-middle and token export and
   replay attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
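The check the abstract describes, as an added example that is not from the draft or from any implementation: the authorization server commits to the client's Token Binding ID by putting base64url(SHA-256(Token Binding ID)) into the token's cnf claim (the draft's tbh confirmation member, assumed here from the draft text), and the resource server accepts the token only if the Token Binding ID proven on the current TLS connection hashes to that same value, which is what defeats export and replay over another connection. The HS256 JWT, the signing key, the issuer URL and the Token Binding ID byte strings are constructed stand-ins, not real keys.

```python
"""Resource-server check of a Token Bound access token (added example).

The Token Binding IDs below stand in for what the TLS layer proves on a
connection; the JWT is a minimal HS256 JWS built with the standard
library so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (not real keys or Token Binding IDs).
AS_SIGNING_KEY = b"constructed-authorization-server-hmac-key"
CLIENT_TB_ID = b"\x00\x02" + b"\x11" * 64     # the legitimate client's key pair
ATTACKER_TB_ID = b"\x00\x02" + b"\x22" * 64   # a different key pair, proven by a thief


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments and the tbh value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_binding_hash(tb_id: bytes) -> str:
    """tbh member: base64url-encoded SHA-256 of the Token Binding ID."""
    return b64url(hashlib.sha256(tb_id).digest())


def issue_access_token(subject: str, scope: str, tb_id: bytes,
                       key: bytes = AS_SIGNING_KEY, lifetime: int = 600,
                       now: Optional[int] = None) -> str:
    """Authorization server: mint an HS256 JWT bound to the client's Token Binding ID."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://as.example", "sub": subject, "scope": scope,
        "iat": now, "exp": now + lifetime,
        "cnf": {"tbh": token_binding_hash(tb_id)},   # the binding
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_bound_token(token: str, presented_tb_id: Optional[bytes],
                       key: bytes = AS_SIGNING_KEY, now: Optional[int] = None) -> str:
    """Resource server: returns "ok" or a short reason the token must be rejected.

    presented_tb_id is the Token Binding ID the TLS layer proved for *this*
    connection (None when the connection negotiated no Token Binding).
    """
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "bad_signature"
    claims = json.loads(b64url_decode(c))
    if claims.get("exp", 0) <= now:
        return "expired"
    tbh = claims.get("cnf", {}).get("tbh")
    if tbh is None:
        return "not_token_bound"                 # policy: this RS requires bound tokens
    if presented_tb_id is None:
        return "no_token_binding_on_connection"  # bearer use of a bound token
    # Constant-time compare of the hash of the key proven on this connection
    # against the hash the AS committed to when it issued the token.
    if not hmac.compare_digest(tbh.encode("ascii"),
                               token_binding_hash(presented_tb_id).encode("ascii")):
        return "token_binding_mismatch"          # exported/replayed token
    return "ok"


if __name__ == "__main__":
    t = issue_access_token("alice", "read", CLIENT_TB_ID)
    print(verify_bound_token(t, CLIENT_TB_ID))    # ok
    print(verify_bound_token(t, ATTACKER_TB_ID))  # token_binding_mismatch
    print(verify_bound_token(t, None))            # no_token_binding_on_connection
```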


From nobody Mon Mar 13 14:32:16 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE4E9129B87 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 14:32:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level: 
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfPfdBbyHgQv for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 14:32:12 -0700 (PDT)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9683129B52 for <oauth@ietf.org>; Mon, 13 Mar 2017 14:32:12 -0700 (PDT)
Received: by mail-pg0-x233.google.com with SMTP id g2so53228928pge.3 for <oauth@ietf.org>; Mon, 13 Mar 2017 14:32:12 -0700 (PDT)
X-Received: by 10.99.247.83 with SMTP id f19mr39297642pgk.158.1489440732147; Mon, 13 Mar 2017 14:32:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.163.162 with HTTP; Mon, 13 Mar 2017 14:31:41 -0700 (PDT)
In-Reply-To: <148943968790.20370.17735775296781507437@ietfa.amsl.com>
References: <148943968790.20370.17735775296781507437@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 13 Mar 2017 15:31:41 -0600
Message-ID: <CA+k3eCS5tgF0zpGhTbvasJry1XJTqi9_1HeJ+nCKWLHcmjOQMw@mail.gmail.com>
To: oauth <oauth@ietf.org>, IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary=001a114c325cc11bd6054aa37197
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5fErVJRImciwEsZ3CL8g6FXyZ4o>
Subject: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-binding-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 21:32:15 -0000

--001a114c325cc11bd6054aa37197
Content-Type: text/plain; charset=UTF-8

I'm pleased to announce that (with the diligent help of my distinguished
co-authors) draft -02 of "OAuth 2.0 Token Binding"
<https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02> has been
published. The changes from the prior draft are listed below with support
for Token Binding of authorization codes and lots of new examples being the
largest changes.

   o  Added a section on Token Binding for authorization codes with one
      variation for native clients and one for web server clients.
   o  Updated language to reflect that the binding is to the token
      binding key pair and that proof-of-possession of that key is done
      on the TLS connection.
   o  Added a bunch of examples.
   o  Added a few Open Issues so they are tracked in the document.
   o  Updated the Token Binding and OAuth Metadata references.
   o  Added William Denniss as an author.


---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Mon, Mar 13, 2017 at 3:14 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-02.txt
To: i-d-announce@ietf.org
Cc: oauth@ietf.org



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Binding
        Authors         : Michael B. Jones
                          John Bradley
                          Brian Campbell
                          William Denniss
        Filename        : draft-ietf-oauth-token-binding-02.txt
        Pages           : 26
        Date            : 2017-03-13

Abstract:
   This specification enables OAuth 2.0 implementations to apply Token
   Binding to Access Tokens, Authorization Codes, and Refresh Tokens.
   This cryptographically binds these tokens to a client's Token Binding
   key pair, possession of which is proven on the TLS connections over
   which the tokens are intended to be used.  This use of Token Binding
   protects these tokens from man-in-the-middle and token export and
   replay attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--001a114c325cc11bd6054aa37197--


From nobody Mon Mar 13 14:56:39 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B6C0112943A; Mon, 13 Mar 2017 14:56:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.47.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148944219773.20365.1674918974021330410@ietfa.amsl.com>
Date: Mon, 13 Mar 2017 14:56:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nWeSldgHXcfdQtSNr1tJjHA4wiM>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-amr-values-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 21:56:37 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : Authentication Method Reference Values
        Authors         : Michael B. Jones
                          Phil Hunt
                          Anthony Nadalin
        Filename        : draft-ietf-oauth-amr-values-08.txt
        Pages           : 15
        Date            : 2017-03-13

Abstract:
   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry but no
   standard Authentication Method Reference values are currently
   defined.  This specification establishes a registry for
   Authentication Method Reference values and defines an initial set of
   Authentication Method Reference values.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-amr-values-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-amr-values-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Mar 13 15:01:06 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C39C1293FB; Mon, 13 Mar 2017 15:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbgL8oVM3hYq; Mon, 13 Mar 2017 15:01:01 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0120.outbound.protection.outlook.com [104.47.40.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4AAB129BD8; Mon, 13 Mar 2017 15:01:01 -0700 (PDT)
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Mon, 13 Mar 2017 22:01:00 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.000; Mon, 13 Mar 2017 22:01:00 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-oauth-amr-values-07: (with COMMENT)
Thread-Index: AQHSnA5b54CrGexD90GVFF1tRC62u6GTUZ5Q
Date: Mon, 13 Mar 2017 22:00:59 +0000
Message-ID: <CY4PR21MB0504FC7EFC62C09F73D16BE4F5250@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148941885788.17035.8404645820700119652.idtracker@ietfa.amsl.com>
In-Reply-To: <148941885788.17035.8404645820700119652.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::36]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2017 22:01:00.0093 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sFRcOqspU6wVlfMJ1boaFuCWsnA>
Cc: "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-amr-values@ietf.org" <draft-ietf-oauth-amr-values@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Stephen Farrell's No Objection on draft-ietf-oauth-amr-values-07: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 22:01:03 -0000
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From nobody Mon Mar 13 16:22:18 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1337C129951 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 16:22:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTFCNdbbHNKF for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 16:22:14 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0098.outbound.protection.outlook.com [104.47.37.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCAFE129562 for <oauth@ietf.org>; Mon, 13 Mar 2017 16:22:13 -0700 (PDT)
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Mon, 13 Mar 2017 23:22:12 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.000; Mon, 13 Mar 2017 23:22:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, "oauth@ietf.org" <oauth@ietf.org>,  Justin Richer <jricher@mit.edu>, Brian Campbell <bcampbell@pingidentity.com>,  "Manger, James" <James.H.Manger@team.telstra.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-05.txt
Thread-Index: AQHSnCDFMP+fuaDKRk2CFxsx5BE+9qGTG00AgABNYkA=
Date: Mon, 13 Mar 2017 23:22:11 +0000
Message-ID: <CY4PR21MB050432297FB6052A3405776AF5250@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148942674236.16952.15561615494772839871@ietfa.amsl.com> <CAAP42hCqie8_T67KueLmtGSfVjz_cvu47BJrUnohjS0QnLiopw@mail.gmail.com>
In-Reply-To: <CAAP42hCqie8_T67KueLmtGSfVjz_cvu47BJrUnohjS0QnLiopw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::36]
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050432297FB6052A3405776AF5250CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2017 23:22:11.7769 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LMQEhGpL5fGCmORX_voBiqh57U8>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 23:22:16 -0000

--_000_CY4PR21MB050432297FB6052A3405776AF5250CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050432297FB6052A3405776AF5250CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050432297FB6052A3405776AF5250CY4PR21MB0504namp_--


From nobody Mon Mar 13 17:43:45 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2078C129462; Mon, 13 Mar 2017 17:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4FShRdyDclu; Mon, 13 Mar 2017 17:43:35 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0090.outbound.protection.outlook.com [104.47.34.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42A72129410; Mon, 13 Mar 2017 17:43:35 -0700 (PDT)
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Tue, 14 Mar 2017 00:43:34 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.000; Tue, 14 Mar 2017 00:43:34 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>, "IETF Tokbind WG" <unbearable@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-binding-02.txt
Thread-Index: AQHSnEFNkgAXqWGVdUiR3jYbkJVSzqGTfxTw
Date: Tue, 14 Mar 2017 00:43:33 +0000
Message-ID: <CY4PR21MB05049486BD14F62A70E64653F5240@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148943968790.20370.17735775296781507437@ietfa.amsl.com> <CA+k3eCS5tgF0zpGhTbvasJry1XJTqi9_1HeJ+nCKWLHcmjOQMw@mail.gmail.com>
In-Reply-To: <CA+k3eCS5tgF0zpGhTbvasJry1XJTqi9_1HeJ+nCKWLHcmjOQMw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: pingidentity.com; dkim=none (message not signed) header.d=none;pingidentity.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::36]
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05049486BD14F62A70E64653F5240CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2017 00:43:34.0010 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9uvHWbjUAJXLI2uwM1vMLjR3i4k>
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-binding-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 00:43:38 -0000

--_000_CY4PR21MB05049486BD14F62A70E64653F5240CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB05049486BD14F62A70E64653F5240CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB05049486BD14F62A70E64653F5240CY4PR21MB0504namp_--


From nobody Mon Mar 13 18:31:33 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63A2D129673 for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 18:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6B2Vv5R4HNh for <oauth@ietfa.amsl.com>; Mon, 13 Mar 2017 18:31:29 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0138.outbound.protection.outlook.com [104.47.34.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44AF912944D for <oauth@ietf.org>; Mon, 13 Mar 2017 18:31:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ypea7YlKE3nK8RRuVMiOKFYojPWQ9MpJdGbRcv4MlWY=; b=EgZsRFFUbx2YfwOXdeaeWVrFerQhJq6e7pyBUqcdTtINx2bsry6j/AFVy3nfRGj+f/FabxcI2iA2keWi1UvQ2NZWAvkSymocTX1ofTN0fQjov2fvjHpuqL4zKjauDgJkNyUAV3sxUSbyPpoX7LoxwyrQzQe/LIx2/v1lCTV6KV0=
Received: from BN6PR21MB0500.namprd21.prod.outlook.com (10.172.112.10) by BN6PR21MB0497.namprd21.prod.outlook.com (10.172.112.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Tue, 14 Mar 2017 01:31:27 +0000
Received: from BN6PR21MB0500.namprd21.prod.outlook.com ([10.172.112.10]) by BN6PR21MB0500.namprd21.prod.outlook.com ([10.172.112.10]) with mapi id 15.01.0991.002; Tue, 14 Mar 2017 01:31:27 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: AMR Values specification addressing Stephen Farrell’s comments
Thread-Index: AdKcXs1FZE+cFHA/Tgmuqu7tBOIt6Q==
Date: Tue, 14 Mar 2017 01:31:27 +0000
Message-ID: <BN6PR21MB050094ABF7296C7C5AE12A2DF5240@BN6PR21MB0500.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::36]
x-microsoft-exchange-diagnostics: 1; BN6PR21MB0497; 7:iKMtT6cUQfcs7F/LDGo+ORld+VTvHw2IAlmfMWHUwPhSqs1TDaj4vl8RvmFFQdNhcMMZBilqw2rQ5ZJiru5n/ZiV8Bd7oW2h7zgdr8g+OT10M7Vf7FDTEe2B6AlMeyMSknMblHAg3nxshnoXFbr5OnYVTshnxi+BlHf9+jnXKAZkIQ6LyfMt+0C+YW9AIbg3C52UmKnv5LBFI6qEvNxvraPTelMOq/BsP8rtRIYxXYSEbkdltysjiqQOVzQTDiX23aZDI+az+hnr6EBOeEf6EHRvtWQ+ByCCchRuuGXoCgML8qiw2AZg8iqZM3US3iyxSmLXKwqjNpCQpSIGnr4IKdbz5cupY0MW45kxdnenWZc=
x-ms-office365-filtering-correlation-id: 2314708d-c251-4f88-342f-08d46a79d5d9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254011)(48565401081); SRVR:BN6PR21MB0497; 
x-microsoft-antispam-prvs: <BN6PR21MB04973CEA0A05C06493B89E74F5240@BN6PR21MB0497.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(31418570063057)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123555025)(20161123564025)(20161123562025)(20161123560025)(20161123558025)(6072148); SRVR:BN6PR21MB0497; BCL:0; PCL:0; RULEID:; SRVR:BN6PR21MB0497; 
x-forefront-prvs: 02462830BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39450400003)(39860400002)(39840400002)(39410400002)(209900001)(43784003)(69234005)(8936002)(3660700001)(2501003)(5660300001)(6306002)(8990500004)(236005)(9686003)(74316002)(3280700002)(54896002)(7696004)(53936002)(33656002)(55016002)(5640700003)(25786008)(6916009)(10290500002)(5005710100001)(77096006)(99286003)(5630700001)(606005)(10090500001)(6506006)(6436002)(122556002)(7736002)(189998001)(86362001)(1730700003)(966004)(2906002)(81166006)(2900100001)(4326008)(53376002)(38730400002)(110136004)(6116002)(86612001)(50986999)(790700001)(7906003)(54356999)(102836003)(2351001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR21MB0497; H:BN6PR21MB0500.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR21MB050094ABF7296C7C5AE12A2DF5240BN6PR21MB0500namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2017 01:31:27.5049 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR21MB0497
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I90qs5JMarVCNsPV2G3NnHady1I>
Subject: [OAUTH-WG] AMR Values specification addressing Stephen Farrell’s comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 01:31:31 -0000

--_000_BN6PR21MB050094ABF7296C7C5AE12A2DF5240BN6PR21MB0500namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Security area director Stephen Farrell had asked us to make it as clear as possible to people who might be registering new “amr” values that names can identify families of closely-related authentication methods.  This is now said right in the IANA Registration Template, so that people who might not have read the spec can’t miss it.

FYI, all the previous IESG DISCUSSes have now been cleared<https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/ballot/>, so hopefully that means this is the last version to be published before the Authentication Method Reference Values specification becomes an RFC.

Thanks again to Stephen for his always-thorough reviews of the specification.

The specification is available at:

·         https://tools.ietf.org/html/draft-ietf-oauth-amr-values-08

An HTML-formatted version is also available at:

·         http://self-issued.info/docs/draft-ietf-oauth-amr-values-08.html

                                                                -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1663 and as @selfissued<https://twitter.com/selfissued>.

--_000_BN6PR21MB050094ABF7296C7C5AE12A2DF5240BN6PR21MB0500namp_--
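The announcement above makes one point that matters to anyone consuming the claim: a registered "amr" name identifies a family of closely related methods, not one concrete implementation. The following is an added example, not code from the draft or from Mike Jones, showing how a relying party can evaluate the claim on those terms. It assumes the claims already came out of a signature-verified ID token; the registry list is copied from the specification as published (RFC 8176), while the factor-category grouping, the two policy functions and the sample claims are this example's own assumptions (the spec registers names, it does not group them into categories).

```python
"""Relying-party policy check over the "amr" claim of an already-verified ID token.

Added example, not code from the AMR Values draft. The registry list below is
the one published in RFC 8176; the factor-category grouping and the sample
claims are assumptions made for this example.
"""

# Registered names from RFC 8176. Each name identifies a family of closely
# related methods, e.g. "otp" covers both time-based and counter-based
# one-time passwords, "hwk" any proof of possession of a hardware-secured key.
REGISTERED_AMR = frozenset({
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
})

# Assumed grouping into authentication-factor categories (not from the spec).
# Names that are not a factor on their own ("mfa", "mca", "geo", "rba", "user",
# "wia") are deliberately left out of every category.
FACTOR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession",
    "sc": "possession", "sms": "possession", "tel": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}


class AmrError(ValueError):
    """Raised when the amr claim is malformed or carries unregistered names."""


def parse_amr(claims):
    """Return the amr values as a de-duplicated list of registered names.

    OpenID Connect Core defines "amr" as a JSON array of strings; anything
    else is rejected rather than coerced. Unregistered names are rejected as
    well: the RP cannot know what assurance an unknown name conveys, so
    guessing would silently weaken the policy.
    """
    if "amr" not in claims:
        return []
    amr = claims["amr"]
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise AmrError("amr must be a JSON array of strings")
    unknown = sorted(set(amr) - REGISTERED_AMR)
    if unknown:
        raise AmrError("unregistered amr values: " + ", ".join(unknown))
    return list(dict.fromkeys(amr))


def satisfies_mfa_policy(claims):
    """True if the token shows multi-factor authentication.

    Accepts the explicit "mfa" value, or at least two values from distinct
    factor categories. Two methods of the same category (pwd + pin) do not
    count: they are the same kind of factor.
    """
    values = parse_amr(claims)
    if "mfa" in values:
        return True
    categories = {FACTOR_CATEGORY[v] for v in values if v in FACTOR_CATEGORY}
    return len(categories) >= 2


def satisfies_hardware_key_policy(claims):
    """True if a hardware-secured key was used, whatever the concrete device.

    "hwk" names the family, so the policy compares on the family name
    instead of trying to recognise a particular product or protocol.
    """
    return "hwk" in parse_amr(claims)


# Constructed sample claims (not tokens from the page).
SAMPLE_CLAIMS = {
    "pwd_and_totp": {"sub": "alice", "amr": ["pwd", "otp"]},
    "pwd_and_pin": {"sub": "bob", "amr": ["pwd", "pin"]},
    "explicit_mfa": {"sub": "carol", "amr": ["mfa"]},
    "hardware_key": {"sub": "dave", "amr": ["hwk", "pin"]},
    "unregistered": {"sub": "eve", "amr": ["pwd", "totp-sha256"]},
    "malformed": {"sub": "mallory", "amr": "pwd otp"},
}

if __name__ == "__main__":
    for name, claims in SAMPLE_CLAIMS.items():
        try:
            print(name, "mfa:", satisfies_mfa_policy(claims),
                  "hwk:", satisfies_hardware_key_policy(claims))
        except AmrError as exc:
            print(name, "rejected:", exc)
```

The rejection of unregistered names is the practical consequence of the registry the announcement describes: a provider that wants to signal a new method family registers a name rather than inventing one, and a relying party that sees an unknown name has no basis for granting it any assurance.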


From nobody Wed Mar 15 08:43:10 2017
Return-Path: <mike@gluu.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5780F1316B0 for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 08:43:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level: 
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=gluu.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gqTNHxD6KdZD for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 08:43:07 -0700 (PDT)
Received: from webmail.gluu.org (webmail.gluu.org [104.130.217.77]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C46FE1316AE for <oauth@ietf.org>; Wed, 15 Mar 2017 08:43:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by webmail.gluu.org (Postfix) with ESMTP id EAEBEB4203 for <oauth@ietf.org>; Wed, 15 Mar 2017 11:43:06 -0400 (EDT)
Authentication-Results: webmail.gluu.org (amavisd-new); dkim=pass reason="pass (just generated, assumed good)" header.d=gluu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gluu.org; h= user-agent:message-id:references:in-reply-to:organization :subject:subject:to:from:from:date:date :content-transfer-encoding:content-type:content-type :mime-version; s=dkim; t=1489592586; x=1490456587; bh=3U8xiV8iWH kvGgUD4/BcyrD47ff1gRpI+qK/Xk8khJ8=; b=YEyOeBc/y2cSXSiXVzPl12PafH 4KrsfsAEROtNl6/aduekcdFydmRVXqA60NOT5k1t4oym9SekTVkDvnCQlxZ995kb P207NPeMzwkFe0gWejvfy22yPCD3Rd4hC8VQQtNMvbAp/qvvNEBo0ApPpOjL9pTs D4Q1FSqgfMj2iVG34=
Received: from webmail.gluu.org ([127.0.0.1]) by localhost (webmail.gluu.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tErY7J2jmWwo for <oauth@ietf.org>; Wed, 15 Mar 2017 11:43:06 -0400 (EDT)
Received: from webmail.gluu.org (localhost [127.0.0.1]) by webmail.gluu.org (Postfix) with ESMTPSA id BDA89B41AA for <oauth@ietf.org>; Wed, 15 Mar 2017 11:43:06 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 15 Mar 2017 10:43:06 -0500
From: Mike Schwartz <mike@gluu.org>
To: oauth@ietf.org
Organization: Gluu
In-Reply-To: <mailman.539.1489455092.6649.oauth@ietf.org>
References: <mailman.539.1489455092.6649.oauth@ietf.org>
Message-ID: <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
X-Sender: mike@gluu.org
User-Agent: Roundcube Webmail
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HlfdPBoDsBGjg8GUBfgCo9oavfk>
Subject: [OAUTH-WG] More Criticism of JOSE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 15:43:09 -0000

Sorry to be the bearer of bad news, but here's a negative review of 
JOSE:

JOSE (Javascript Object Signing and Encryption) is a Bad Standard That 
Everyone Should Avoid
  
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

- Mike


From nobody Wed Mar 15 08:46:29 2017
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23951316B0 for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 08:46:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hnHQZ1Y_Ol7a for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 08:46:26 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C3661316B6 for <oauth@ietf.org>; Wed, 15 Mar 2017 08:46:25 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id n11so26371593wma.0 for <oauth@ietf.org>; Wed, 15 Mar 2017 08:46:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=WfEnqmCseSuUxJR63DPYCsypKMe4qNoSd4a/5e4Vp/M=; b=qkh+9iPvxUZQayx+lvJDFjx0jefUnh0I4hWTqvhYHTAliQhcYA+xeBTRPMLbftPjUa t+bw2/nqN7H8kCSfdCtQFfmBnBugaK67QXtJFu/8UYxpBqMpknJkBo9yfRVA46iDmL/A x5B8oD9/XpqXQd6xneaQH8Q4Ba6+Ifz+ks13j6RQ4Jz2CQXoyEGesrriwvUHvqKFUyMc HjVOeGhnCJZ/5Vt5yiUwuRVKIBCroB46EnZLNNx3lA6hMV7N81SHfSQAQCT1yPg66hyc DHXMwEiZULFoWPHn+ULylv7x3BhvQ1twdicDhJCHmgn4x5yDiqP9kS+6D5HYbVTHNE6c CJQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=WfEnqmCseSuUxJR63DPYCsypKMe4qNoSd4a/5e4Vp/M=; b=M86Ezd4sVit9f/JjAOvBHaRvQxaLB+O5C0LxCQvp1ReQhfVESMwt6O4HzfJXrl88Zh 7P9T1COgege6Ds9hft8dVwtBXFREd0EJu2ao4AZ3soJXFjsfZyupdL2VSQ/sMQm/etQI IxiqrGigQHFPl0kvFZrQMbTCTPPiEwqxQT46I3+0RXPLyknkeFRUex+wUpUHZQy9NmdL ZM+aaPpugPKFiXM3CJeaUfal8XK3pIQJ74uoghsNGq6qE+hJZwhY5pshZ9oehxRVDl8L JlT3LQMSErSivSdHF9PfCOXHjcR2RREAX4e/sf+FzHzSCcepl+u9s57Vguv56UzR4YG6 muOw==
X-Gm-Message-State: AFeK/H3ragEbV//KJUhFTXlsoz17jw1g0n9coUi0tcIgrHmPrhHdWn3YWG6oEKUMaMCqGA==
X-Received: by 10.28.199.132 with SMTP id x126mr4771820wmf.37.1489592783697; Wed, 15 Mar 2017 08:46:23 -0700 (PDT)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id 198sm946012wmn.11.2017.03.15.08.46.22 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Mar 2017 08:46:22 -0700 (PDT)
To: oauth@ietf.org
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com>
Date: Wed, 15 Mar 2017 15:46:22 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ttfuyXZH2Mcfim06NboWw8iuY0w>
Subject: Re: [OAUTH-WG] More Criticism of JOSE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 15:46:28 -0000

and everyone should now start using the most secure alternative proposed 
in that very light-in-analysis article :-)

Sergey
On 15/03/17 15:43, Mike Schwartz wrote:
> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>
> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That
> Everyone Should Avoid
>
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>
>
> - Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Mar 15 09:34:10 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1557613172A for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 09:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level: 
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_o8SIVvRfeo for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 09:34:07 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30946131728 for <oauth@ietf.org>; Wed, 15 Mar 2017 09:33:58 -0700 (PDT)
X-AuditID: 12074424-5afff7000000756e-d7-58c96cf4b3a0
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 85.74.30062.4FC69C85; Wed, 15 Mar 2017 12:33:56 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v2FGXt4O011137 for <oauth@ietf.org>; Wed, 15 Mar 2017 12:33:56 -0400
Received: from [192.168.128.50] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2FGXsx6005757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Wed, 15 Mar 2017 12:33:55 -0400
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Message-Id: <84F3FF68-9020-402E-B0AF-4F28ADBD377C@mit.edu>
Date: Wed, 15 Mar 2017 12:33:52 -0400
To: "<oauth@ietf.org>" <oauth@ietf.org>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrJIsWRmVeSWpSXmKPExsUixG6novsl52SEwfwJ0hYn375ic2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXxr22DsaC40wVHRvaGRsYJzN1MXJySAiYSDx8dpgVxBYSaGOS mNak3MXIBWQfY5SYc/MbK4TzgUniUtciFpAqNgFVielrWsC6mQXUJf7Mu8QMYWtLLFv4Gszm FdCXmH3mEli9sICOxKPOJnaIuJXEo/8ngWo4OFiA5ly/EAYSFgEas+b8T6iDZCXe/lrCPIGR dxaSDbOQbJiFZMMCRuZVjLIpuVW6uYmZOcWpybrFyYl5ealFuuZ6uZkleqkppZsYwaHkorKD sbvH+xCjAAejEg/vBN+TEUKsiWXFlbmHGCU5mJREeU86AYX4kvJTKjMSizPii0pzUosPMUpw MCuJ8LZlAeV4UxIrq1KL8mFS0hwsSuK84hqNEUIC6YklqdmpqQWpRTBZGQ4OJQlei2ygRsGi 1PTUirTMnBKENBMHJ8hwHqDhjSA1vMUFibnFmekQ+VOMuhw3jh94wyTEkpeflyolzssDUiQA UpRRmgc3B5QCEt4eNn3FKA70ljDvYpAqHmD6gJv0CmgJE9CStx9OgCwpSURISTUwzuK97Mlg fz7g3Ot9ZpuEnu1gzo+fw1sc7R7C285j87XEKLZSVuK41JTw/bevCV5ev9lKRcX388TA6+5N Hxvjaku2Nz75wblg+tFvZ00Ew983qhj9tNnKt+h91Y6qhELdqRNNJjOdz/npFhzjo/294YfX QutPswUkDB3bvr+be1/jrfMskZ/iSizFGYmGWsxFxYkANlNxXtwCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jYMRQy6PHTuJ7S8qo-sGZ0Urg54>
Subject: [OAUTH-WG] Error Responses in Device Code Spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 16:34:08 -0000

Unless I’m missing something, the current device code spec doesn’t specify errors from the device code endpoint, only from the token endpoint. What are people implementing in practice? We’re using token endpoint style errors (invalid_client, invalid_grant_type, etc).

 — Justin
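Justin's message describes answering device authorization requests with token-endpoint-style errors. The following is an added example, not Justin's code and not text from the device flow draft, of a device authorization endpoint that does that. The request parameter (client_id, scope) and the success fields (device_code, user_code, verification_uri, expires_in, interval) follow the device flow draft; the error codes and JSON shape are those of the token endpoint in RFC 6749 section 5.2; the client registry, the verification URI, the user-code alphabet and the in-memory store are constructed for the example.

```python
"""Device authorization endpoint answering errors in the RFC 6749 section 5.2
token-endpoint format.

Added example, not code from the device flow draft or from the thread. The
client registry, verification URI and store below are assumptions.
"""
import hmac
import secrets
import time

# Constructed client registry (assumption): secret for confidential clients,
# whether the client may use the device grant, and the scopes it may request.
CLIENTS = {
    "tv-app": {"secret": None, "device_grant": True,
               "scopes": {"openid", "profile", "offline_access"}},
    "legacy-web": {"secret": "s3cret", "device_grant": False,
                   "scopes": {"openid"}},
}
VERIFICATION_URI = "https://as.example/device"   # assumption
EXPIRES_IN = 600                                  # seconds the device_code lives
INTERVAL = 5                                      # minimum polling interval
# User codes use upper-case consonants only: easy to type, never spell words;
# 8 symbols from a 20-letter alphabet give roughly 34 bits of entropy.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
# Token-endpoint responses must not be cached (RFC 6749 section 5.1/5.2).
NO_STORE = {"Content-Type": "application/json",
            "Cache-Control": "no-store", "Pragma": "no-cache"}
PENDING = {}  # device_code -> pending authorization (in-memory for the example)


def _error(status, code, description=None):
    body = {"error": code}
    if description:
        body["error_description"] = description
    return status, NO_STORE, body


def new_user_code():
    return "-".join(
        "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
        for _ in range(2))


def device_authorization(form, client_secret=None, now=None):
    """Handle POST to the device authorization endpoint.

    `form` is the parsed application/x-www-form-urlencoded body; returns
    (status, headers, body). Errors use the same JSON object and error codes
    as the token endpoint, which is what the thread reports implementations
    doing while the draft is silent on this endpoint.
    """
    client_id = form.get("client_id")
    if not client_id:
        return _error(400, "invalid_request", "client_id is required")
    client = CLIENTS.get(client_id)
    if client is None:
        return _error(401, "invalid_client")
    if client["secret"] is not None and not (
            client_secret and hmac.compare_digest(client_secret, client["secret"])):
        return _error(401, "invalid_client")
    if not client["device_grant"]:
        return _error(400, "unauthorized_client",
                      "client is not registered for the device grant")
    requested = set(form.get("scope", "").split())
    if not requested <= client["scopes"]:
        return _error(400, "invalid_scope", "unknown scope: "
                      + " ".join(sorted(requested - client["scopes"])))

    issued_at = now if now is not None else time.time()
    grant = {
        "device_code": secrets.token_urlsafe(32),
        "user_code": new_user_code(),
        "verification_uri": VERIFICATION_URI,
        "expires_in": EXPIRES_IN,
        "interval": INTERVAL,
    }
    PENDING[grant["device_code"]] = {
        "client_id": client_id, "scope": sorted(requested),
        "user_code": grant["user_code"],
        "expires_at": issued_at + EXPIRES_IN, "approved": False,
    }
    return 200, NO_STORE, grant


if __name__ == "__main__":
    for form in ({}, {"client_id": "nobody"}, {"client_id": "tv-app", "scope": "openid"}):
        print(form, "->", device_authorization(form))
```

Keeping to the RFC 6749 error vocabulary (invalid_request, invalid_client, unauthorized_client, invalid_scope) means a client library that already parses token-endpoint errors needs no new code for this endpoint; the 401 for invalid_client mirrors the token endpoint's treatment of failed client authentication.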


From nobody Wed Mar 15 12:50:08 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC0113170E for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 12:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xe18YZhCrlo4 for <oauth@ietfa.amsl.com>; Wed, 15 Mar 2017 12:50:04 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0108.outbound.protection.outlook.com [104.47.42.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F0A1316A7 for <oauth@ietf.org>; Wed, 15 Mar 2017 12:50:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rCGvBoBCcR/nNLWwt1qlYimSl9ENA47vowpclfSrGPs=; b=Z8TIPHvr/x6nbxu2babLXUKUA3nham5xQnjdkmKNuJ+OnFv0UCeUp573pJS8nLD9rtwH9R+hWtRMNa7HGvbA0kKnBXuk5jxHHo7v0aj2Pw8Y77EOuljd3/WwS5KH+qPPfhfOuW/NFE8/8EaT2eWAVBzukTAjf0W9dI7wh3flQRs=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Wed, 15 Mar 2017 19:50:02 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.003; Wed, 15 Mar 2017 19:50:02 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] More Criticism of JOSE
Thread-Index: AQHSnaLc8rEEDhIYtU+PeFy9Q2RU+KGWC1EAgABCAdA=
Date: Wed, 15 Mar 2017 19:50:02 +0000
Message-ID: <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com>
In-Reply-To: <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7g4WEyo0eTQ4cNXqgAcO5kUG1Fo>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.

That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.

I'm looking forward to seeing many of you in 1.5 weeks!

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Wednesday, March 15, 2017 8:46 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] More Criticism of JOSE

and everyone should now start using the most secure alternative proposed in that very light in analysis article :-)

Sergey
On 15/03/17 15:43, Mike Schwartz wrote:
> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>
> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid
>
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>
>
> - Mike
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
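The algorithm check Mike describes above, as an added example (this is not code from the post, from the JOSE specs or from any JOSE library): a minimal Python verifier that treats the token's `alg` header as untrusted input and refuses the token unless that value is on the application's allow-list and matches the algorithm the key was provisioned for, before any MAC is computed. Only the HMAC family is implemented because it needs nothing beyond the standard library; the allow-list, the key, the claims and every token value are constructed for the demonstration, and `ALLOWED_ALGS`, `verify_jwt`, `mint_hs_jwt` and `policy_demo` are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical application policy: the only JWS algorithms this deployment
# accepts today. Retiring an algorithm later is a change to this set, not to
# the verifier.
ALLOWED_ALGS = frozenset({"HS256"})

# HMAC algorithms this verifier can compute with the standard library alone.
_HMAC_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JwtRejected(Exception):
    """Token failed a policy, integrity or lifetime check."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_hs_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWS with an HMAC alg; used here only to build test input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), _HMAC_HASHES[alg]).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes, key_alg: str,
               allowed_algs=ALLOWED_ALGS, now=None) -> dict:
    """Verify a compact JWS under the application's algorithm policy.

    key_alg is the algorithm the key was provisioned for. The header's 'alg'
    is untrusted input: it must be on the allow-list and match the key's own
    binding before any MAC is computed, and it never selects which key is used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtRejected("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtRejected("undecodable header or signature") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JwtRejected(f"alg {alg!r} not acceptable in this application context")
    if alg != key_alg:
        raise JwtRejected(f"key is bound to {key_alg}, token claims {alg}")
    if alg not in _HMAC_HASHES:
        raise JwtRejected(f"alg {alg!r} not implemented by this verifier")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, _HMAC_HASHES[alg]).digest()
    # Constant-time compare; an empty or truncated signature simply mismatches.
    if not hmac.compare_digest(expected, sig):
        raise JwtRejected("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise JwtRejected("token expired")
    return claims


def _outcome(check) -> str:
    try:
        check()
        return "accepted"
    except JwtRejected as exc:
        return f"rejected: {exc}"


def policy_demo() -> dict:
    """Run constructed tokens through the verifier; returns the outcome per case."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    claims = {"sub": "alice", "exp": 2_000_000_000}
    now = 1_700_000_000
    good = mint_hs_jwt(claims, key, "HS256")
    hdr, payload, sig = good.split(".")
    forged = _b64url_encode(json.dumps({"sub": "mallory", "exp": 2_000_000_000}).encode())
    none_hdr = _b64url_encode(json.dumps({"alg": "none"}).encode())
    cases = {
        # Policy, key binding, MAC and lifetime all agree.
        "hs256_ok": lambda: verify_jwt(good, key, "HS256", now=now),
        # Cryptographically sound, but never approved for this application.
        "hs384_not_allowed": lambda: verify_jwt(mint_hs_jwt(claims, key, "HS384"), key, "HS384", now=now),
        # Unsigned token: refused by policy before any key is consulted.
        "alg_none": lambda: verify_jwt(f"{none_hdr}.{payload}.", key, "HS256", now=now),
        # Policy allows HS256, but this particular key was provisioned for HS512.
        "wrong_key_binding": lambda: verify_jwt(good, key, "HS512", allowed_algs={"HS256", "HS512"}, now=now),
        # Payload replaced, original signature kept: the MAC check catches it.
        "tampered": lambda: verify_jwt(f"{hdr}.{forged}.{sig}", key, "HS256", now=now),
        # Valid signature over a token whose lifetime has passed.
        "expired": lambda: verify_jwt(mint_hs_jwt({"sub": "alice", "exp": 1_000}, key), key, "HS256", now=now),
    }
    return {name: _outcome(check) for name, check in cases.items()}
```

With this shape, deprecating an algorithm is a policy change (drop it from `ALLOWED_ALGS`) rather than a code change, and the token never gets to choose the key or the algorithm; the HS384 and "none" cases in `policy_demo` are refused before any signature arithmetic runs, which is the check Mike says the applications in question were skipping.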


From nobody Wed Mar 15 13:40:08 2017
From: Antonio Sanso <asanso@adobe.com>
To: Mike Jones <Michael.Jones@microsoft.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 15 Mar 2017 20:40:01 +0000
Message-ID: <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1c5Bz9q6IyMtiUt-FdGY9vj1hgQ>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

hi Mike,

while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
Said that, I must really admit that some of the cryptographic choices made specially in JWE are really questionable.

regards

antonio

On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>
> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>
> I'm looking forward to seeing many of you in 1.5 weeks!
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Wednesday, March 15, 2017 8:46 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> and everyone should now start using the most secure alternative proposed in that very light in analysis article :-)
>
> Sergey
> On 15/03/17 15:43, Mike Schwartz wrote:
>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>
>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid
>>
>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>
>>
>> - Mike


From nobody Wed Mar 15 14:06:48 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Antonio Sanso <asanso@adobe.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 15 Mar 2017 21:06:43 +0000
Message-ID: <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com> <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com>
In-Reply-To: <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GOzNNse_JGzI5s84gkgjRAdR30k>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

				Cheers,
				-- Mike

-----Original Message-----
From: Antonio Sanso [mailto:asanso@adobe.com]
Sent: Wednesday, March 15, 2017 1:40 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Sergey Beryozkin <sberyozkin@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] More Criticism of JOSE

hi Mike,

while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
Said that, I must really admit that some of the cryptographic choices made specially in JWE are really questionable.

regards

antonio

On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>
> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>
> I'm looking forward to seeing many of you in 1.5 weeks!
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Wednesday, March 15, 2017 8:46 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> and everyone should now start using the most secure alternative proposed in that very light in analysis article :-)
>
> Sergey
> On 15/03/17 15:43, Mike Schwartz wrote:
>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>
>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid
>>
>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>
>>
>> - Mike


From nobody Wed Mar 15 14:16:56 2017
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
Date: Wed, 15 Mar 2017 22:16:45 +0100
Cc: Antonio Sanso <asanso@adobe.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-Id: <EAC67437-81C0-4246-9BF6-392B4C879100@tzi.org>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com> <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com> <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ufMenopZeGyrjpvRLJT5wCLC6aA>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

> On 15 Mar 2017, at 22:06, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

And maybe we can also work out what part of that advice (and possibly which additional advice) applies to COSE.

Greetings, Carsten



From nobody Wed Mar 15 16:15:29 2017
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <69CC44FD-27B3-40DD-8D8A-B3D18D09B804@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 15 Mar 2017 20:15:20 -0300
In-Reply-To: <CA+k3eCRsF6cdzypnV8a0hpqRDLetgKBC++EjLqQ5u_c5b17tfw@mail.gmail.com>
Cc: William Denniss <wdenniss@google.com>, "<oauth@ietf.org>" <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CA+k3eCRsF6cdzypnV8a0hpqRDLetgKBC++EjLqQ5u_c5b17tfw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c0831228dccd2054acd1e06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wI92fnTfJe5Qz9xl9ACQRu3kDc0>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

--94eb2c0831228dccd2054acd1e06
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_8B36E6F1-A0CE-40F5-83FA-EEA37490C1D7"


--Apple-Mail=_8B36E6F1-A0CE-40F5-83FA-EEA37490C1D7
Content-Type: text/plain; charset=utf-8

I think response mode is only needed if you are overloading an existing authorization endpoint.

URIs are cheap so I don't see the value.



> On Mar 13, 2017, at 8:47 AM, Brian Campbell =
<bcampbell@pingidentity.com> wrote:
>=20
>=20
>=20
> On Sat, Mar 11, 2017 at 1:54 PM, William Denniss <wdenniss@google.com =
<mailto:wdenniss@google.com>> wrote:
>=20
> On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu =
<mailto:jricher@mit.edu>> wrote:
>=20
>>=20
>> Secondly, I had a question about the =E2=80=9Cresponse_type=E2=80=9D =
parameter to the device endpoint. This parameter is required and it has =
a single, required value, with no registry or other possibility of =
extension. What=E2=80=99s the point? If it=E2=80=99s for =
=E2=80=9Cparallelism=E2=80=9D, I=E2=80=99ll note that this is *not* the =
authorization endpoint (as the user is not present) and such constraints =
need not apply here.
>>=20
>> Good points here. At a guess, it bled in from the OAuth spec. If it's =
not needed, we should remove it.
>>=20
>=20
> I=E2=80=99d vote for removal, I don=E2=80=99t see the point.
>=20
> +1 on removal of the =E2=80=9Cresponse_type=E2=80=9D parameter from =
the Device Authorization Request
> =20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From nobody Wed Mar 15 16:18:56 2017
In-Reply-To: <69CC44FD-27B3-40DD-8D8A-B3D18D09B804@ve7jtb.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CA+k3eCRsF6cdzypnV8a0hpqRDLetgKBC++EjLqQ5u_c5b17tfw@mail.gmail.com> <69CC44FD-27B3-40DD-8D8A-B3D18D09B804@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 15 Mar 2017 16:18:31 -0700
Message-ID: <CAAP42hB+S418Y-hQ7WPYtwcXpV-0Wm8hqLjoj5DiBNsGKf8bBQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XQjitxmaGv8JAiucUjC85oijsBE>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

Yes, I think this bled over from the original spec.

Google's Device endpoint doesn't use a response_type param.

It's removed in -05.

On Wed, Mar 15, 2017 at 4:15 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I think response mode is only needed if you are overloading an existing
> authorization endpoint.
>
> URIs are cheap so I don’t see the value.
>
> On Mar 13, 2017, at 8:47 AM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> On Sat, Mar 11, 2017 at 1:54 PM, William Denniss <wdenniss@google.com>
> wrote:
>
>> On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>>>> Secondly, I had a question about the “response_type” parameter to the
>>>> device endpoint. This parameter is required and it has a single, required
>>>> value, with no registry or other possibility of extension. What’s the
>>>> point? If it’s for “parallelism”, I’ll note that this is *not* the
>>>> authorization endpoint (as the user is not present) and such constraints
>>>> need not apply here.
>>>>
>>> Good points here. At a guess, it bled in from the OAuth spec. If it's
>>> not needed, we should remove it.
>>>
>>> I’d vote for removal, I don’t see the point.
>>>
>>
> +1 on removal of the “response_type” parameter from the Device
> Authorization Request
>


From nobody Thu Mar 16 01:31:48 2017
From: Antonio Sanso <asanso@adobe.com>
To: Mike Jones <Michael.Jones@microsoft.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 16 Mar 2017 08:31:40 +0000
Message-ID: <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com> <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com> <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-u2eKUp9k6ARQMpv7nB97nYmX74>
Subject: Re: [OAUTH-WG] More Criticism of JOSE

hi Mike

On Mar 15, 2017, at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

Unluckily not. FWIW I will be at https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/. And I’d be glad to sit down with you and try to help if you are around….

regards

antonio


>
> 				Cheers,
> 				-- Mike
>
> -----Original Message-----
> From: Antonio Sanso [mailto:asanso@adobe.com]
> Sent: Wednesday, March 15, 2017 1:40 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Sergey Beryozkin <sberyozkin@gmail.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> hi Mike,
>
> while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
> Said that, I must really admit that some of the cryptographic choices made especially in JWE are really questionable.
>
> regards
>
> antonio
>
> On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>>
>> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>>
>> I'm looking forward to seeing many of you in 1.5 weeks!
>>
>> 				-- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
>> Sent: Wednesday, March 15, 2017 8:46 AM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>>
>> and everyone should now start using the most secure alternative proposed in that very light in analysis article :-)
>>
>> Sergey
>> On 15/03/17 15:43, Mike Schwartz wrote:
>>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>>
>>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid
>>>
>>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>>
>>>
>>> - Mike
>
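Mike's point in the quoted message, that the application and not the token has to decide which algorithms are acceptable, as an added example that is not part of this thread or of any JOSE library: a minimal compact-JWS verifier using only the Python standard library. It looks the key up by `kid`, binds each key to exactly one algorithm, and rejects any token whose `alg` header is not on the application's allow-list (including `none`) before a signature is ever checked. The key, key id and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the application's own policy. Each key is
# bound to one algorithm, so the token's 'alg' header is compared against
# the policy instead of being used to select the verification routine.
KEY_POLICY = {
    "k1": {"alg": "HS256", "key": b"constructed-demo-key-not-for-real-use"},
}
ALLOWED_ALGS = {"HS256"}  # everything this application accepts at all


class TokenRejected(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. Used only to produce sample tokens, so it
    deliberately lets a caller ask for alg 'none' (empty signature)."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    sig = sign_hs256(key, signing_input) if alg == "HS256" else b""
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims of a token acceptable under KEY_POLICY, else raise."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"malformed token: {exc}")
    if not isinstance(header, dict):
        raise TokenRejected("header is not a JSON object")
    alg = header.get("alg")
    # 1. The application's allow-list is checked first; 'none' and any
    #    algorithm the app never enabled are refused before a key is touched.
    if alg not in ALLOWED_ALGS:
        raise TokenRejected(f"algorithm {alg!r} not acceptable here")
    # 2. The key is chosen by 'kid' alone, and the key carries its algorithm.
    kid = header.get("kid")
    policy = KEY_POLICY.get(kid) if isinstance(kid, str) else None
    if policy is None:
        raise TokenRejected("unknown key id")
    if policy["alg"] != alg:
        raise TokenRejected(f"key is bound to {policy['alg']}, token says {alg}")
    expected = sign_hs256(policy["key"], f"{h_b64}.{p_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("token expired or has no exp")
    return claims


def demo() -> dict:
    """Verify one well-formed sample token and one with alg 'none'."""
    key = KEY_POLICY["k1"]["key"]
    claims = {"sub": "alice", "exp": 2_000_000_000}
    good = make_token(claims, "k1", key)
    unsigned = make_token(claims, "k1", key, alg="none")
    results = {"good": verify_token(good, now=1_700_000_000)["sub"]}
    try:
        verify_token(unsigned, now=1_700_000_000)
        results["none"] = "accepted"
    except TokenRejected as exc:
        results["none"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```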


From nobody Thu Mar 16 07:06:06 2017
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com> <CA+k3eCRsF6cdzypnV8a0hpqRDLetgKBC++EjLqQ5u_c5b17tfw@mail.gmail.com> <69CC44FD-27B3-40DD-8D8A-B3D18D09B804@ve7jtb.com> <CAAP42hB+S418Y-hQ7WPYtwcXpV-0Wm8hqLjoj5DiBNsGKf8bBQ@mail.gmail.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
From: Justin Richer <jricher@mit.edu>
Message-ID: <dbc722a9-900d-9c76-cfba-08886b937a50@mit.edu>
Date: Thu, 16 Mar 2017 10:05:49 -0400
In-Reply-To: <CAAP42hB+S418Y-hQ7WPYtwcXpV-0Wm8hqLjoj5DiBNsGKf8bBQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JRqjCZMEIaLT_PYLUl2SLUAXlhY>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax

Funny thing, I went to remove it from our implementation, and we were 
already ignoring it completely.

Also, our implementation was just pushed to the master branch and will 
be in the next release: 
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/

  -- Justin


On 3/15/2017 7:18 PM, William Denniss wrote:
> Yes, I think this bled over from the original spec.
>
> Google's Device endpoint doesn't use a response_type param.
>
> It's removed in -05.
>
> On Wed, Mar 15, 2017 at 4:15 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>     I think response mode is only needed if you are overloading an
>     existing authorization endpoint.
>
>     URIs are cheap so I don’t see the value.
>
>>     On Mar 13, 2017, at 8:47 AM, Brian Campbell
>>     <bcampbell@pingidentity.com> wrote:
>>
>>     On Sat, Mar 11, 2017 at 1:54 PM, William Denniss
>>     <wdenniss@google.com> wrote:
>>
>>         On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer
>>         <jricher@mit.edu> wrote:
>>
>>>                 Secondly, I had a question about the “response_type”
>>>                 parameter to the device endpoint. This parameter is
>>>                 required and it has a single, required value, with
>>>                 no registry or other possibility of extension.
>>>                 What’s the point? If it’s for “parallelism”, I’ll
>>>                 note that this is *not* the authorization endpoint
>>>                 (as the user is not present) and such constraints
>>>                 need not apply here.
>>>
>>>             Good points here. At a guess, it bled in from the OAuth
>>>             spec. If it's not needed, we should remove it.
>>>
>>
>>             I’d vote for removal, I don’t see the point.
>>
>>     +1 on removal of the “response_type” parameter from the Device
>>     Authorization Request
>>
>


--------------523DA4D015E9EB04CF647EFA--


From nobody Thu Mar 16 12:36:18 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B53BD129A16 for <oauth@ietfa.amsl.com>; Thu, 16 Mar 2017 12:36:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjdcDA-D0nSz for <oauth@ietfa.amsl.com>; Thu, 16 Mar 2017 12:36:13 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0091.outbound.protection.outlook.com [104.47.36.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B737A1299E5 for <oauth@ietf.org>; Thu, 16 Mar 2017 12:36:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=iAxUC3KAQRU1MeGTPEMWfAqVUkd3EtkdKqK+GqUlEnk=; b=RQyF8tkA1lGs2iXekZrZNcPmaO/c309kse6LxiB0XRVMCuOeHBeJjGLE5TuvnTx6H2+nHJXnVCXEhBdCIDF77qGLx/v/p6vXunJGi6wBF6L5/LZBu+KzgCee96O0QeAq/6oYFSkhmYsgbl8lVM7OvKqq1OJhIuJr5NLC8MtEWsI=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Thu, 16 Mar 2017 19:36:12 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.003; Thu, 16 Mar 2017 19:36:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Antonio Sanso <asanso@adobe.com>
CC: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] More Criticism of JOSE
Thread-Index: AQHSnaLc8rEEDhIYtU+PeFy9Q2RU+KGWC1EAgABCAdCAABAKgIAAB0zAgAC/igCAALmqPQ==
Date: Thu, 16 Mar 2017 19:36:11 +0000
Message-ID: <CY4PR21MB050463E4943A4FF1FECDAF1AF5260@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org> <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com> <CY4PR21MB0504F80C01BF3378DE3794C6F5270@CY4PR21MB0504.namprd21.prod.outlook.com> <78BE56B7-0253-4635-AB46-F724A8536082@adobe.com> <CY4PR21MB0504E2A254D753F8BA3E99CBF5270@CY4PR21MB0504.namprd21.prod.outlook.com>, <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
In-Reply-To: <1005993A-7250-4752-B5A6-AB718F246AED@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: adobe.com; dkim=none (message not signed) header.d=none;adobe.com; dmarc=none action=none header.from=microsoft.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [107.77.205.139]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:xyYtkP5dIAiZAOQw+VkRwMiPhhH1iq5poHMlPEntn4WUPYNF/bsc+2u60fUmqn+5KTU1c3qE+4GmE22eV3aO1pREa4P95yBXeDvud/pMzFSzhRfukHpg01vo8+VSkPeGZIhTDQ79xCuQ+s918QsKWE3q7jBrJsAcK1OhIWEJubWFvW7W61vv255pIh7znTLU+x8aC82UsldUXf4gq2p7nyugOiueJ7LKcbpQecgGoKQyXzu6AwmXeLA2CgopnqD/SNkxBTk161KThlFuCVn2oGpw9jkPFCYM3j2GRcnUhEiuI+1jU//gyVvd4wguEoQonEuIL2hVDxD9uUVYx+kN8ys9zoG7+WyOWfVFilz4xI8=
x-ms-office365-filtering-correlation-id: cabc8496-43ab-40d8-0d6e-08d46ca3b40b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254036)(48565401081); SRVR:CY4PR21MB0502; 
x-microsoft-antispam-prvs: <CY4PR21MB050289AE8803C6BE467C68CDF5260@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(192374486261705); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(93006012)(93001012)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123564025)(20161123562025)(20161123555025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502; 
x-forefront-prvs: 024847EE92
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39850400002)(39450400003)(39840400002)(39860400002)(53824002)(377454003)(13464003)(24454002)(7736002)(8676002)(3660700001)(6306002)(54896002)(236005)(9686003)(39060400002)(2900100001)(6116002)(53936002)(54906002)(33656002)(3846002)(102836003)(74316002)(10090500001)(8936002)(54356999)(50986999)(76176999)(86612001)(7906003)(55016002)(99286003)(3280700002)(81166006)(25786008)(8990500004)(122556002)(5660300001)(7696004)(38730400002)(93886004)(189998001)(53546007)(110136004)(2906002)(6506006)(4326008)(6246003)(2950100002)(229853002)(6436002)(6916009)(606005)(86362001)(10290500002)(77096006)(5005710100001)(66066001)(19627235001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050463E4943A4FF1FECDAF1AF5260CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Mar 2017 19:36:11.9942 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6wfcpp-aR2xIHnw3ScdxoisaQ1s>
Subject: Re: [OAUTH-WG] More Criticism of JOSE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Mar 2017 19:36:17 -0000

--_000_CY4PR21MB050463E4943A4FF1FECDAF1AF5260CY4PR21MB0504namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 8bit

It would be great to talk to you at the OAuth security workshop, Antonio.



Cheers,

-- Mike



From: Antonio Sanso<mailto:asanso@adobe.com>
Sent: Thursday, March 16, 2017 1:31 AM
To: Mike Jones<mailto:Michael.Jones@microsoft.com>
Cc: Sergey Beryozkin<mailto:sberyozkin@gmail.com>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] More Criticism of JOSE



hi Mike

On Mar 15, 2017, at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and work on advice to implementers.

Unluckily not. FWIW I will be at https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/. And I’d be glad to sit down with you and try to help if you are around….

regards

antonio


>
>                                Cheers,
>                                -- Mike
>
> -----Original Message-----
> From: Antonio Sanso [mailto:asanso@adobe.com]
> Sent: Wednesday, March 15, 2017 1:40 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Sergey Beryozkin <sberyozkin@gmail.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> hi Mike,
>
> while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
> That said, I must really admit that some of the cryptographic choices made, especially in JWE, are really questionable.
>
> regards
>
> antonio
>
> On Mar 15, 2017, at 8:50 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context.  While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness, it will never be that simple.  Crypto algorithms that are thought to be good today will be deprecated later.  Apps that keep allowing them to be used will be vulnerable.  The JOSE specs requiring that applications be aware of the algorithms used is a good and necessary thing for long-term security - not a problem with the specs.
>>
>> That said, of course some implementers will get things wrong.  To the extent that we can help them understand what they actually need to do to use the specifications securely, we obviously should.  Perhaps we should write an article for oauth.net talking about some of these issues?  Maybe a few of us can get together in Chicago and work on that.
>>
>> I'm looking forward to seeing many of you in 1.5 weeks!
>>
>>                               -- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey
>> Beryozkin
>> Sent: Wednesday, March 15, 2017 8:46 AM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>>
>> and everyone should now start using the most secure alternative
>> proposed in that very light in analysis article :-)
>>
>> Sergey
>> On 15/03/17 15:43, Mike Schwartz wrote:
>>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>>
>>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard
>>> That Everyone Should Avoid
>>>
>>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>>
>>>
>>> - Mike
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
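Added example (not part of this message or of the thread): Mike Jones's point above is that the application, not the token, has to decide which algorithms are acceptable. The block below shows the difference in code. It is written for this archive page, not taken from any project mentioned in the thread; HS256 is implemented directly with hmac/hashlib rather than through a JOSE library, DEMO_KEY and all function names are constructed for the demo, and "none" is the unsecured-JWS algorithm identifier registered by RFC 7518. A verifier that lets the token's own "alg" header choose the check accepts a forged alg=none token; one that pins the acceptable algorithms for its context rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier loads its key from a key store.
DEMO_KEY = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 JWT."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def forge_unsecured(claims: dict) -> str:
    """What an attacker submits: alg=none and an empty signature segment."""
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(claims) + "."


def _check_hs256(header_seg: str, claims_seg: str, sig_seg: str, key: bytes) -> None:
    expected = hmac.new(key, f"{header_seg}.{claims_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("HS256 signature does not verify")


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Flawed verifier: the token's own 'alg' header decides how it is checked."""
    header_seg, claims_seg, sig_seg = token.split(".")
    alg = json.loads(b64url_decode(header_seg)).get("alg")
    if alg == "HS256":
        _check_hs256(header_seg, claims_seg, sig_seg, key)
    elif alg == "none":
        pass  # unsecured JWS: nothing to check, so the claims are accepted as-is
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return json.loads(b64url_decode(claims_seg))


def verify_pinned(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Application-aware verifier: the application fixes the acceptable algorithms up front."""
    header_seg, claims_seg, sig_seg = token.split(".")
    alg = json.loads(b64url_decode(header_seg)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} is not acceptable in this application context")
    _check_hs256(header_seg, claims_seg, sig_seg, key)  # only HS256 is implemented in this demo
    return json.loads(b64url_decode(claims_seg))


def run_demo() -> dict:
    """Run both verifiers over a genuine token and a forged one; report what each accepted."""
    genuine = hs256_sign({"sub": "alice", "admin": False}, DEMO_KEY)
    forged = forge_unsecured({"sub": "alice", "admin": True})
    outcome = {
        "genuine_pinned": verify_pinned(genuine, DEMO_KEY)["admin"],
        "forged_trusting": verify_trusting_header(forged, DEMO_KEY)["admin"],
    }
    try:
        verify_pinned(forged, DEMO_KEY)
        outcome["forged_pinned"] = "accepted"
    except ValueError:
        outcome["forged_pinned"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The flawed verifier is not "wrong" by the letter of the JWS spec, which is exactly the point of the thread: the spec leaves the algorithm policy to the application, so a verifier that has no policy of its own will accept whatever the header names. Pinning the allowed set per context (and keying the check on that set, never on the header alone) is the check implementers have to add themselves.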


--_000_CY4PR21MB050463E4943A4FF1FECDAF1AF5260CY4PR21MB0504namp_--


From nobody Fri Mar 17 08:09:57 2017
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71CB5129488 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 08:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-GA3YhwFZRt for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 08:09:54 -0700 (PDT)
Received: from mail-ot0-x236.google.com (mail-ot0-x236.google.com [IPv6:2607:f8b0:4003:c0f::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4632B12947A for <oauth@ietf.org>; Fri, 17 Mar 2017 08:09:53 -0700 (PDT)
Received: by mail-ot0-x236.google.com with SMTP id o24so93903006otb.1 for <oauth@ietf.org>; Fri, 17 Mar 2017 08:09:53 -0700 (PDT)
Received: from [10.195.123.102] (mobile-166-173-186-133.mycingular.net. [166.173.186.133]) by smtp.gmail.com with ESMTPSA id c35sm3488508otb.48.2017.03.17.08.09.51 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Mar 2017 08:09:52 -0700 (PDT)
From: Jim Manico <jim@manicode.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Fri, 17 Mar 2017 09:09:51 -0600
Message-Id: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com>
To: IETF OAUTH <oauth@ietf.org>
X-Mailer: iPhone Mail (14D27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ktDCV8ydNF-L-A_mAHluV6jDIxU>
Subject: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 15:09:55 -0000

Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.

Thanks and Aloha,
- Jim


From nobody Fri Mar 17 10:43:07 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A694127419 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 10:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2A2YyUCBXZd9 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 10:43:04 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7947A120725 for <oauth@ietf.org>; Fri, 17 Mar 2017 10:43:04 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id v127so70409517qkb.2 for <oauth@ietf.org>; Fri, 17 Mar 2017 10:43:04 -0700 (PDT)
Received: from jbradley-r.lan ([191.115.0.180]) by smtp.gmail.com with ESMTPSA id z196sm6380338qkb.11.2017.03.17.10.43.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Mar 2017 10:43:02 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <7D4461D3-A779-4FFF-A467-9C2FA4BAE991@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Fri, 17 Mar 2017 14:42:59 -0300
In-Reply-To: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com>
Cc: IETF OAUTH <oauth@ietf.org>
To: Jim Manico <jim@manicode.com>
References: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11459ca2a6a0b8054af0b5df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KUfp5XG10DSqFYKfXyH--nUCMzE>
Subject: Re: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 17:43:06 -0000

--001a11459ca2a6a0b8054af0b5df
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_853581F6-0510-4482-98BB-271E501F33BD"


--Apple-Mail=_853581F6-0510-4482-98BB-271E501F33BD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

This has some of the basic info, but needs some updating. http://www.browserauth.net/ <http://www.browserauth.net/>

Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.

John B.

> On Mar 17, 2017, at 12:09 PM, Jim Manico <jim@manicode.com> wrote:
>
> Hello OAuthers,
>
> I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
>
> Thanks and Aloha,
> - Jim
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_853581F6-0510-4482-98BB-271E501F33BD--

--001a11459ca2a6a0b8054af0b5df
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a11459ca2a6a0b8054af0b5df--


From nobody Fri Mar 17 10:59:07 2017
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECC21273E2 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 10:59:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.796
X-Spam-Level: 
X-Spam-Status: No, score=-4.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_UrPGlo858k for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 10:59:04 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0135.outbound.protection.outlook.com [104.47.38.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0175127735 for <oauth@ietf.org>; Fri, 17 Mar 2017 10:59:03 -0700 (PDT)
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2030.namprd03.prod.outlook.com (10.163.226.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.11; Fri, 17 Mar 2017 17:59:01 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0977.013; Fri, 17 Mar 2017 17:59:01 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Jim Manico <jim@manicode.com>
CC: IETF OAUTH <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Token Binding Presentations?
Thread-Index: AQHSnzCVs9lfOXXa+0qTHJmybfCijaGZTXSAgAAD5RA=
Date: Fri, 17 Mar 2017 17:59:01 +0000
Message-ID: <SN1PR0301MB20291FD3A379F49B97867DCDA6390@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com> <7D4461D3-A779-4FFF-A467-9C2FA4BAE991@ve7jtb.com>
In-Reply-To: <7D4461D3-A779-4FFF-A467-9C2FA4BAE991@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::2b9]
Content-Type: multipart/alternative; boundary="_000_SN1PR0301MB20291FD3A379F49B97867DCDA6390SN1PR0301MB2029_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wGyPFsTQ0O_QJU3bRM6BV2XTg4w>
Subject: Re: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 17:59:06 -0000

--_000_SN1PR0301MB20291FD3A379F49B97867DCDA6390SN1PR0301MB2029_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I'm unaware of any support for "OAuth" Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies.

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Friday, March 17, 2017 10:43 AM
To: Jim Manico <jim@manicode.com>
Cc: IETF OAUTH <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Binding Presentations?

This has some of the basic info, but needs some updating. http://www.browserauth.net/

Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.

With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.

John B.

On Mar 17, 2017, at 12:09 PM, Jim Manico <jim@manicode.com<mailto:jim@manicode.com>> wrote:

Hello OAuthers,

I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.

Thanks and Aloha,
- Jim
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


--_000_SN1PR0301MB20291FD3A379F49B97867DCDA6390SN1PR0301MB2029_--


From nobody Fri Mar 17 11:09:45 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AC2F124D68 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cs0QkORgp07t for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:09:41 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1229712894E for <oauth@ietf.org>; Fri, 17 Mar 2017 11:09:40 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id v127so71012383qkb.2 for <oauth@ietf.org>; Fri, 17 Mar 2017 11:09:40 -0700 (PDT)
Received: from [192.168.86.177] ([191.115.0.180]) by smtp.gmail.com with ESMTPSA id m62sm6420696qkf.31.2017.03.17.11.09.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Mar 2017 11:09:39 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <AF566AF4-E305-41DD-A29F-D8350759E9CD@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Fri, 17 Mar 2017 15:09:36 -0300
In-Reply-To: <SN1PR0301MB20291FD3A379F49B97867DCDA6390@SN1PR0301MB2029.namprd03.prod.outlook.com>
Cc: Jim Manico <jim@manicode.com>, IETF OAUTH <oauth@ietf.org>
To: Anthony Nadalin <tonynad@microsoft.com>
References: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com> <7D4461D3-A779-4FFF-A467-9C2FA4BAE991@ve7jtb.com> <SN1PR0301MB20291FD3A379F49B97867DCDA6390@SN1PR0301MB2029.namprd03.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a1148513cd004ea054af1140d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1q4tlTO-P4WlKU7sNw5cKpi7zlA>
Subject: Re: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 18:09:44 -0000

--001a1148513cd004ea054af1140d
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_9599FB39-AF9F-4D2E-9766-980B260DB085"


--Apple-Mail=_9599FB39-AF9F-4D2E-9766-980B260DB085
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Yes, I was referring to support for token binding at the TLS level in Edge & IE and perhaps other HTTP API support for token binding negotiation on TLS connections.

Not support for things built on top of token binding.

IIS being updated to token bind cookies is another matter that I haven't seen any timing on.

Chrome on most if not all platforms and Edge on RS2 I believe should all support servers token binding cookies in the 3 to 6 month timeframe to be conservative.

I know Google has already turned on token binding negotiation for some web parts of Google.

John B.

> On Mar 17, 2017, at 2:59 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> I’m unaware of any support for “OAuth” Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Friday, March 17, 2017 10:43 AM
> To: Jim Manico <jim@manicode.com>
> Cc: IETF OAUTH <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Token Binding Presentations?
>
> This has some of the basic info, but needs some updating. http://www.browserauth.net/ <http://www.browserauth.net/>
>
> Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.
>
> With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.
>
> John B.
>
> On Mar 17, 2017, at 12:09 PM, Jim Manico <jim@manicode.com <mailto:jim@manicode.com>> wrote:
>
> Hello OAuthers,
>
> I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
>
> Thanks and Aloha,
> - Jim
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>

--Apple-Mail=_9599FB39-AF9F-4D2E-9766-980B260DB085
Content-Type: text/plain;
	charset=utf-8

Yes I was referring to support for token binding at the TLS level in Edge & IE and perhaps other HTTP API support for token binding negotiation on TLS connections.

Not support for things built on top of token binding.

IIS being updated to token bind cookies is another matter that I haven't seen any timing on.

Chrome on most if not all platforms and Edge on RS2 I believe should all support servers token binding cookies in the 3 to 6 month timeframe to be conservative.

I know Google has already turned on token binding negotiation for some web parts of Google.

John B.

> On Mar 17, 2017, at 2:59 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> I’m unaware of any support for “OAuth” Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Friday, March 17, 2017 10:43 AM
> To: Jim Manico <jim@manicode.com>
> Cc: IETF OAUTH <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Token Binding Presentations?
>
> This has some of the basic info, but needs some updating. http://www.browserauth.net/
>
> Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.
>
> With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.
>
> John B.
>
>> On Mar 17, 2017, at 12:09 PM, Jim Manico <jim@manicode.com> wrote:
>>
>> Hello OAuthers,
>>
>> I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
>>
>> Thanks and Aloha,
>> - Jim
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail=_9599FB39-AF9F-4D2E-9766-980B260DB085--

--001a1148513cd004ea054af1140d
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a1148513cd004ea054af1140d--


From nobody Fri Mar 17 11:11:33 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7554F12894E for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:11:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RB-5E2MfofeV for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:11:29 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104B0124D68 for <oauth@ietf.org>; Fri, 17 Mar 2017 11:11:29 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id e129so1963205pfh.0 for <oauth@ietf.org>; Fri, 17 Mar 2017 11:11:29 -0700 (PDT)
X-Received: by 10.98.216.202 with SMTP id e193mr18340513pfg.80.1489774288556;  Fri, 17 Mar 2017 11:11:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.170.138 with HTTP; Fri, 17 Mar 2017 11:10:58 -0700 (PDT)
In-Reply-To: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com>
References: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 17 Mar 2017 12:10:58 -0600
Message-ID: <CA+k3eCR4-fxCyRHSvPGDn1s9gnpksUrVPBOAMm9wzJ2wW7=Jwg@mail.gmail.com>
To: Jim Manico <jim@manicode.com>, Dirk Balfanz <balfanz@google.com>
Cc: IETF OAUTH <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a114672be43edeb054af11b72
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pk-n8A9tcBrd64YwTN3cO506E3Y>
Subject: Re: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 18:11:31 -0000

--001a114672be43edeb054af11b72
Content-Type: text/plain; charset=UTF-8

Dirk gave this preso nearly 2 years ago
https://www.slideshare.net/CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015
which is out of date but has the main concepts, I think. There's also this
http://www.browserauth.net/token-binding page by him.

I'm planning on doing a presentation on Token Binding at CIS
<https://www.cloudidentitysummit.com> this summer. But that's not until
June and none of the content exists yet.

Otherwise the draft specs are probably the best bet at this point. And they
are all still in draft; though some are more stable than others, they may
still change.

Token Binding:
https://tools.ietf.org/html/draft-ietf-tokbind-https-08
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07

Application in OAuth:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02

Application in OpenID Connect:
http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html




On Fri, Mar 17, 2017 at 9:09 AM, Jim Manico <jim@manicode.com> wrote:

> Hello OAuthers,
>
> I'm trying to get my head around token binding beyond the RFC. Are there
> any presentations or other media on token binding that any of you are aware
> of? My google-fu is coming up empty.
>
> Thanks and Aloha,
> - Jim
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--001a114672be43edeb054af11b72--


From nobody Fri Mar 17 11:14:38 2017
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 215EB1294ED for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKkN07EFIzsB for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 11:14:34 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4AB2120227 for <oauth@ietf.org>; Fri, 17 Mar 2017 11:14:34 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id a12so30684382ota.0 for <oauth@ietf.org>; Fri, 17 Mar 2017 11:14:34 -0700 (PDT)
X-Received: by 10.202.51.10 with SMTP id z10mr8478110oiz.214.1489774473988; Fri, 17 Mar 2017 11:14:33 -0700 (PDT)
Received: from heembo.local (mobile-166-173-186-133.mycingular.net. [166.173.186.133]) by smtp.googlemail.com with ESMTPSA id u131sm3741566oig.24.2017.03.17.11.14.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Mar 2017 11:14:33 -0700 (PDT)
To: Brian Campbell <bcampbell@pingidentity.com>, Dirk Balfanz <balfanz@google.com>
References: <411649D9-563A-49DA-8151-80DF5F45F3F8@manicode.com> <CA+k3eCR4-fxCyRHSvPGDn1s9gnpksUrVPBOAMm9wzJ2wW7=Jwg@mail.gmail.com>
Cc: IETF OAUTH <oauth@ietf.org>
From: Jim Manico <jim@manicode.com>
Message-ID: <3c3b863f-570d-8f5f-c912-870a7ffcbccf@manicode.com>
Date: Fri, 17 Mar 2017 12:14:29 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCR4-fxCyRHSvPGDn1s9gnpksUrVPBOAMm9wzJ2wW7=Jwg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9C7A8A1AF445EC4EB5215E08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lY2lTmyaNC3pVOHwtuDVX-l-JTE>
Subject: Re: [OAUTH-WG] Token Binding Presentations?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 18:14:37 -0000

This is a multi-part message in MIME format.
--------------9C7A8A1AF445EC4EB5215E08
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Brian (and John),

Thank you both for the references. Perfect.

Aloha, Jim


On 3/17/17 12:10 PM, Brian Campbell wrote:
> Dirk gave this preso nearly 2 years ago
> https://www.slideshare.net/CloudIDSummit/cis-2015-intro-to-token-binding-over-http-cis-2015
> which is out of date but has the main concepts, I think. There's also
> this http://www.browserauth.net/token-binding page by him.
>
> I'm planning on doing a presentation on Token Binding at CIS
> <https://www.cloudidentitysummit.com> this summer. But that's not
> until June and none of the content exists yet.
>
> Otherwise the draft specs are probably the best bet at this point. And
> they are all still in draft; though some are more stable than others,
> they may still change.
>
> Token Binding:
> https://tools.ietf.org/html/draft-ietf-tokbind-https-08
> https://tools.ietf.org/html/draft-ietf-tokbind-protocol-13
> https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-07
>
> Application in OAuth:
> https://tools.ietf.org/html/draft-ietf-oauth-token-binding-02
>
> Application in OpenID Connect:
> http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
>
>
>
>
> On Fri, Mar 17, 2017 at 9:09 AM, Jim Manico <jim@manicode.com> wrote:
>
>     Hello OAuthers,
>
>     I'm trying to get my head around token binding beyond the RFC. Are
>     there any presentations or other media on token binding that any
>     of you are aware of? My google-fu is coming up empty.
>
>     Thanks and Aloha,
>     - Jim
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com


--------------9C7A8A1AF445EC4EB5215E08--


From nobody Fri Mar 17 17:53:55 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10AA912967F for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 17:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.798
X-Spam-Level: 
X-Spam-Status: No, score=-4.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZUh2Ei3H9zO for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 17:53:51 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0130.outbound.protection.outlook.com [104.47.41.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 256CE12966D for <oauth@ietf.org>; Fri, 17 Mar 2017 17:52:21 -0700 (PDT)
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Sat, 18 Mar 2017 00:52:19 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.010; Sat, 18 Mar 2017 00:52:19 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, Derek Atkins <derek@ihtfp.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF	98
Thread-Index: AQHSlHpYBYszZC9gCUaT8YQxsR4LiqGZ2FUg
Date: Sat, 18 Mar 2017 00:52:19 +0000
Message-ID: <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com>
In-Reply-To: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:8::72e]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2017 00:52:19.6005 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DZXe1L8R8rlxlGcqOK4nqM4833U>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF	98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Mar 2017 00:53:54 -0000

Hi Chairs,

I'd like to request that the following presentations be added to the agenda:

	OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15 minutes
	OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes

I'd also talked with Brian Campbell and I think he wants to lead this discussion, in part based on his implementation experience:

	OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30 minutes

(Brian may suggest a different amount of time)

I agree that William Dennis should present about the OAuth Device Flow (dra=
ft-ietf-oauth-device-flow).

For completeness, I don't think a presentation is needed about OAuth AMR Va=
lues (draft-ietf-oauth-amr-values) because it's now completed its IESG revi=
ew.

I'll look forward to seeing many of you in just over a week!

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF Secretariat"
Sent: Friday, March 3, 2017 3:55 PM
To: oauth-chairs@ietf.org; smccammon@amsl.com
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

Dear Stephanie McCammon,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by the original request.

oauth Session 1 (2:30:00)
    Friday, Morning Session I 0900-1130
    Room Name: Zurich C size: 100
    ---------------------------------------------
    oauth Session 2 (1:00:00)
    Monday, Afternoon Session III 1710-1810
    Room Name: Zurich C size: 100
    ---------------------------------------------


Request Information:


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Stephanie McCammon

Number of Sessions: 2
Length of Session(s): 2.5 Hours, 1 Hour
Number of Attendees: 50
Conflicts to Avoid:
 First Priority: saag core tls tokbind




People who must be present:
  Hannes Tschofenig
  Kathleen Moriarty
  Derek Atkins

Resources Requested:
  Projector in room

Special Requests:
  Please avoid conflict with sec area BoFs.
---------------------------------------------------------

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


From nobody Fri Mar 17 18:35:07 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D33129684 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 18:35:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B1z3WWhm4DG3 for <oauth@ietfa.amsl.com>; Fri, 17 Mar 2017 18:35:02 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 093DD129681 for <oauth@ietf.org>; Fri, 17 Mar 2017 18:34:20 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id b129so50872074pgc.2 for <oauth@ietf.org>; Fri, 17 Mar 2017 18:34:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+9ly/+HkMCJ6PFzzJqpB8nVV9vJ7IXO1B6H4mazZwz4=; b=Esm01OwJmay3nIWqdCTkfRW1JH3JEKXz9o7S7KqEfG1gBShTPzCGkBMJp8ODy7ZN6W Cw00Cdw38/WcR1z1aW8auoVIeu2dGw1z+pSAtebeIG70wCHHO66Nrj0s55rgUC0rchd6 akZn1oPv1LpfJud8pOCDhTGmd78zA1CjtDZkA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+9ly/+HkMCJ6PFzzJqpB8nVV9vJ7IXO1B6H4mazZwz4=; b=tStUYeJ2D1b6vwTeS7aIOoHNDIXIEAWcIqxXJ0MAE5Cqp6GvQySg9cXl01B20nwsKg GcL8IT/GRNmgaxU6XAvwjI50dIFBA2URHJpYSff31DBsE+MM9LsVx0mAPF1ncpHhO4z4 2XUqHde7RzuSoe/IkUqtdHnmaS5nPy8m90a1yjYF66WAsGgL/TFF+9Q2D6/8+kvkKlxg Q+dUJ/gZVLvuSRil8gTACEoXjqxou2Gqbyh/dLsQMLDbeO0Lv8epApWXVu0975cU9TuT tN9v1EtvRdAEfBGEIm8zFxsuKvmYD1YL22i5ihhAt66TdWGA8aOpM+4wOg2hnonnunR5 XE1Q==
X-Gm-Message-State: AFeK/H2xWIAT7xeo7tfRuEwfnMiz7NIogzljkvU3F+XqlYAJoXJbdMak5APa3AZBRgjXQ3NTREmgh/jMPo44vjin
X-Received: by 10.99.157.143 with SMTP id i137mr19132806pgd.132.1489800859539;  Fri, 17 Mar 2017 18:34:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.170.138 with HTTP; Fri, 17 Mar 2017 18:34:19 -0700 (PDT)
Received: by 10.100.170.138 with HTTP; Fri, 17 Mar 2017 18:34:19 -0700 (PDT)
In-Reply-To: <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 17 Mar 2017 19:34:19 -0600
Message-ID: <CA+k3eCTWDH2z-Ndf+RYDuYC1Wa3GaEEzoNL29juf+tcOnyBCpA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Derek Atkins <derek@ihtfp.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>,  "oauth@ietf.org" <oauth@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/alternative; boundary=94eb2c192b9a04f697054af74b4f
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cEGtDMzLZpwLKMBeuY3qGWH_WQE>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Mar 2017 01:35:05 -0000

--94eb2c192b9a04f697054af74b4f
Content-Type: text/plain; charset=UTF-8

Thanks Mike, 30 minutes sounds about right for OAuth Token Binding

On Mar 17, 2017 6:54 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

> Hi Chairs,
>
> I'd like to request that the following presentations be added to the
> agenda:
>
>         OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike
> Jones - 15 minutes
>         OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) -
> Mike Jones - 15 minutes
>
> I'd also talked with Brian Campbell and I think he wants to lead this
> discussion, in part based on his implementation experience:
>
>         OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian
> Campbell - 30 minutes
>
> (Brian may suggest a different amount of time)
>
> I agree that William Dennis should present about the OAuth Device Flow
> (draft-ietf-oauth-device-flow).
>
> For completeness, I don't think a presentation is needed about OAuth AMR
> Values (draft-ietf-oauth-amr-values) because it's now completed its IESG
> review.
>
> I'll look forward to seeing many of you in just over a week!
>
>                                 -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF
> Secretariat"
> Sent: Friday, March 3, 2017 3:55 PM
> To: oauth-chairs@ietf.org; smccammon@amsl.com
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for
> IETF 98
>
> Dear Stephanie McCammon,
>
> The session(s) that you have requested have been scheduled.
> Below is the scheduled session information followed by the original
> request.
>
> oauth Session 1 (2:30:00)
>     Friday, Morning Session I 0900-1130
>     Room Name: Zurich C size: 100
>     ---------------------------------------------
>     oauth Session 2 (1:00:00)
>     Monday, Afternoon Session III 1710-1810
>     Room Name: Zurich C size: 100
>     ---------------------------------------------
>
>
>
> Request Information:
>
>
> ---------------------------------------------------------
> Working Group Name: Web Authorization Protocol
> Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 2
> Length of Session(s): 2.5 Hours, 1 Hour
> Number of Attendees: 50
> Conflicts to Avoid:
>  First Priority: saag core tls tokbind
>
>
>
>
> People who must be present:
>   Hannes Tschofenig
>   Kathleen Moriarty
>   Derek Atkins
>
> Resources Requested:
>   Projector in room
>
> Special Requests:
>   Please avoid conflict with sec area BoFs.
> ---------------------------------------------------------
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--94eb2c192b9a04f697054af74b4f--


From nobody Mon Mar 20 14:55:01 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296FB126DFB for <oauth@ietfa.amsl.com>; Mon, 20 Mar 2017 14:55:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level: 
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xov4pNAU83fs for <oauth@ietfa.amsl.com>; Mon, 20 Mar 2017 14:54:58 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A0751276AF for <oauth@ietf.org>; Mon, 20 Mar 2017 14:54:58 -0700 (PDT)
X-AuditID: 1209190c-e17ff700000052cb-7b-58d04fb039cc
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id ED.F1.21195.0BF40D85; Mon, 20 Mar 2017 17:54:57 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v2KLstv2027068 for <oauth@ietf.org>; Mon, 20 Mar 2017 17:54:56 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2KLsst8011854 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Mon, 20 Mar 2017 17:54:55 -0400
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Message-Id: <8DDE1093-B6DC-43D1-8DAD-54AD7DD6C0B7@mit.edu>
Date: Mon, 20 Mar 2017 17:54:53 -0400
To: "<oauth@ietf.org>" <oauth@ietf.org>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrOIsWRmVeSWpSXmKPExsUixCmqrLvR/0KEwd5ZXBYn375ic2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXxuylXxgLVrNWTPp+mLWBcQNLFyM7h4SAicTkgC5GTg4hgTYm iV8zNbsYuYDsY4wSK379YoFwvjFJ/Jnfzw5SxSagKjF9TQsTiM0soC7xZ94lZghbW2LZwtdg Nq+AvsTsM5dYQGxhASmJW12r2SHiVhLz/rxk62Lk4GABmnPoWg5IWARozJrzP8FGSgjISrz9 tYR5AiPvLCQbZiHZMAvJhgWMzKsYZVNyq3RzEzNzilOTdYuTE/PyUot0DfVyM0v0UlNKNzGC w0iSZwfjmTdehxgFOBiVeHhXXDkfIcSaWFZcmXuIUZKDSUmUt8r3QoQQX1J+SmVGYnFGfFFp TmrxIUYJDmYlEd5aD6Acb0piZVVqUT5MSpqDRUmcV0KjMUJIID2xJDU7NbUgtQgmK8PBoSTB 2+QH1ChYlJqeWpGWmVOCkGbi4AQZzgM0PBVkMW9xQWJucWY6RP4Uoy7HjeMH3jAJseTl56VK ifMmghQJgBRllObBzQHFf8Lbw6avGMWB3hLm1QVZxwNMHXCTXgEtYQJasuzGGZAlJYkIKakG RhFr9dmc3BITXwtFFcpLC0n1lvtGm2zSXj739f/7qzVnGR5ocT/AsDomvYybs+4oM/tHsUWy aauCj048+flJ4d7Xcty7Ntxr/+4ndVDxx8+P82KbDy8viU/cqMke/tHy1MKUm4+eVs/7s+vp QoGJqjc9nvndNaj9vf/2+5SFtxtXB/74oyK66LcSS3FGoqEWc1FxIgBBOCoj2gIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rlaur_EIo7730AM6ufd9NsivZ-U>
Subject: [OAUTH-WG] OAuth 2 In Action
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 21:55:00 -0000

Hi everyone,

A lot of you have already seen the news, but I’m happy to say that my book with Antonio Sanso, OAuth 2 In Action, is finally out and available for purchase worldwide! The biggest sites for this are the publisher’s site:

https://www.manning.com/books/oauth-2-in-action

And Amazon:

https://www.amazon.com/OAuth-2-Action-Justin-Richer/dp/161729327X/

Thank you to everyone in the community who’s had input into the book, and especially this working group. Without you, this book wouldn’t exist at all — since there’d be nothing to write about. :)

See you in Chicago,

 — Justin


From nobody Tue Mar 21 06:09:01 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1304E12949F for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 06:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tj2DpPxs_xeB for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 06:08:57 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3C9E1205D3 for <oauth@ietf.org>; Tue, 21 Mar 2017 06:08:56 -0700 (PDT)
Received: from [212.202.243.194] (helo=[10.1.90.22]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1cqJWq-0003Qr-AD; Tue, 21 Mar 2017 14:08:48 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5B5A2B36-5FDD-4D88-9987-2B941930554B"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 21 Mar 2017 14:08:43 +0100
In-Reply-To: <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Derek Atkins <derek@ihtfp.com>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P_j2m3vG9TKF8QrRDHTx_dzlxYM>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 13:09:00 -0000

--Apple-Mail=_5B5A2B36-5FDD-4D88-9987-2B941930554B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Chairs,

I would like to request 5 minutes on Monday to briefly present the status of the security document. This is mainly to raise awareness in the group since I didn’t get that much input on it since Seoul.

kind regards,
Torsten.

> On 18.03.2017, at 01:52, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> Hi Chairs,
>
> I'd like to request that the following presentations be added to the agenda:
>
> 	OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15 minutes
> 	OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes
>
> I'd also talked with Brian Campbell and I think he wants to lead this discussion, in part based on his implementation experience:
>
> 	OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30 minutes
>
> (Brian may suggest a different amount of time)
>
> I agree that William Dennis should present about the OAuth Device Flow (draft-ietf-oauth-device-flow).
>
> For completeness, I don't think a presentation is needed about OAuth AMR Values (draft-ietf-oauth-amr-values) because it's now completed its IESG review.
>
> I'll look forward to seeing many of you in just over a week!
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF Secretariat"
> Sent: Friday, March 3, 2017 3:55 PM
> To: oauth-chairs@ietf.org; smccammon@amsl.com
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
>
> Dear Stephanie McCammon,
>
> The session(s) that you have requested have been scheduled.
> Below is the scheduled session information followed by the original request.
>
> oauth Session 1 (2:30:00)
>    Friday, Morning Session I 0900-1130
>    Room Name: Zurich C size: 100
>    ---------------------------------------------
>    oauth Session 2 (1:00:00)
>    Monday, Afternoon Session III 1710-1810
>    Room Name: Zurich C size: 100
>    ---------------------------------------------
>
>
>
> Request Information:
>
>
> ---------------------------------------------------------
> Working Group Name: Web Authorization Protocol
> Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 2
> Length of Session(s): 2.5 Hours, 1 Hour
> Number of Attendees: 50
> Conflicts to Avoid:
> First Priority: saag core tls tokbind
>
>
>
>
> People who must be present:
>  Hannes Tschofenig
>  Kathleen Moriarty
>  Derek Atkins
>
> Resources Requested:
>  Projector in room
>
> Special Requests:
>  Please avoid conflict with sec area BoFs.
> ---------------------------------------------------------
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_5B5A2B36-5FDD-4D88-9987-2B941930554B
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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=
--Apple-Mail=_5B5A2B36-5FDD-4D88-9987-2B941930554B--


From nobody Tue Mar 21 06:27:55 2017
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD498129408 for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 06:27:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level: 
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zq2-5OlhYPpI for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 06:27:51 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0074.outbound.protection.outlook.com [104.47.38.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C74F3129871 for <oauth@ietf.org>; Tue, 21 Mar 2017 06:27:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8ouil8eqnWEozAwz8bvMEYi8IVa+GHC2vP21cOVIcOw=; b=H1wjAoLzKQoQxOuod34kqgAE21XgtgkxAxPliQVRlzW58t3lwMK1Kj5KLAYrumKSV+Uu8JpIozwu0QN2TBuYHCSUgkg9uKGbzUmknhdbiQBW28zrb4FQYAhYk4zulVMaRSZ3XmSLgembcgETet3TzLRpvc6W3dLKZcNWEAYDndM=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1031.namprd02.prod.outlook.com (10.161.203.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.977.11; Tue, 21 Mar 2017 13:27:47 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0977.020; Tue, 21 Mar 2017 13:27:46 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
Thread-Index: AQHSlHpTuX+dWYTQIk+9SMzoEGCrgKGZ2tWAgAWEvoCAAAVaAA==
Date: Tue, 21 Mar 2017 13:27:45 +0000
Message-ID: <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net>
In-Reply-To: <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: lodderstedt.net; dkim=none (message not signed) header.d=none;lodderstedt.net; dmarc=none action=none header.from=adobe.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1031; 7:hUzUJ0RC11/fChW95V0EC6EHS7Nyn2yvK1M/WwOu/FAzfKynsRa2B3NldBrqgDwl4UuD3IQVGa3tx/TOxrtQiOnV/G6GfYrU8GhjmJmzJ2elyaRWX0AyCKSOtpzcZL0syAZYllOOMW5dr7pauGJZrU1Bt0qD0iJN3/u0+3XdIWwF8s2R1OTSWMX6tvJJuTDpKr2SYClVsHuoBc+/6s5NZZ9IF7rpHrfDv7VOm25HX3nxGrK1hZ68GcoQYBZ7N1yCeVzdcujok77/uShtyuldxDxUe81saWuNhpgVSlhImVF1z9AysOSXBP5kCskYF6Fq/F0HEak5+4zUk8aVmwZkaA==; 20:B2Q2bxlaI9rLAeaZ03t2UC/a10rGTBjNF+hYunGEHm51Co+AGioZmntKGtph9ORYJjEfP5EzcyohyecnY2FwcOXEi5+0Cxlk587gKczCEhSTrQhi0ykhGaGRkTF1rPDwwzA3J2zEAGD9K8HLRXwCfn6+Wmh2GrX8rPR987DqYFY=
x-ms-office365-filtering-correlation-id: e3984e39-ecf1-4b83-0b06-08d4705e1053
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081); SRVR:BY1PR0201MB1031; 
x-microsoft-antispam-prvs: <BY1PR0201MB10313A9443617D2BF88999E2D93D0@BY1PR0201MB1031.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(189930954265078)(219752817060721); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123555025)(20161123560025)(20161123558025)(20161123562025)(6072148); SRVR:BY1PR0201MB1031; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1031; 
x-forefront-prvs: 02530BD3AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39410400002)(39450400003)(39850400002)(39840400002)(39860400002)(13464003)(497574002)(51414003)(24454002)(377454003)(54356999)(76176999)(3660700001)(77096006)(50986999)(7906003)(606005)(25786008)(122556002)(575784001)(2906002)(86362001)(36756003)(6506006)(6436002)(66066001)(102836003)(3846002)(6116002)(2950100002)(7736002)(6486002)(3280700002)(189998001)(5660300001)(38730400002)(6916009)(33656002)(54906002)(6246003)(110136004)(82746002)(2900100001)(554214002)(83716003)(99286003)(53936002)(229853002)(10090500001)(53546009)(236005)(4326008)(81166006)(6306002)(54896002)(6512007)(8936002)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1031; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_2452F93FBC4D4F42AD4C85A0672BFBE8adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2017 13:27:45.9279 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1031
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4-upcT9xMpQmTxRE7fShk2pOfk4>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 13:27:54 -0000

--_000_2452F93FBC4D4F42AD4C85A0672BFBE8adobecom_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

hi Torsten,

good one. I personally am looking forward to seeing this particular document find its way.

IMHO this is something much needed.

regards

antonio

On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Hi Chairs,

I would like to request 5 minutes on Monday to briefly present the status of the security document. This is mainly to raise awareness in the group since I didn’t get that much input on it since Seoul.

kind regards,
Torsten.

On 18.03.2017, at 01:52, Mike Jones <Michael.Jones@microsoft.com> wrote:

Hi Chairs,

I'd like to request that the following presentations be added to the agenda:

OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15 minutes
OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes

I'd also talked with Brian Campbell and I think he wants to lead this discussion, in part based on his implementation experience:

OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30 minutes

(Brian may suggest a different amount of time)

I agree that William Dennis should present about the OAuth Device Flow (draft-ietf-oauth-device-flow).

For completeness, I don't think a presentation is needed about OAuth AMR Values (draft-ietf-oauth-amr-values) because it's now completed its IESG review.

I'll look forward to seeing many of you in just over a week!

-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF Secretariat"
Sent: Friday, March 3, 2017 3:55 PM
To: oauth-chairs@ietf.org; smccammon@amsl.com
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

Dear Stephanie McCammon,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by the original request.

oauth Session 1 (2:30:00)
  Friday, Morning Session I 0900-1130
  Room Name: Zurich C size: 100
  ---------------------------------------------
  oauth Session 2 (1:00:00)
  Monday, Afternoon Session III 1710-1810
  Room Name: Zurich C size: 100
  ---------------------------------------------



Request Information:


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Stephanie McCammon

Number of Sessions: 2
Length of Session(s):  2.5 Hours, 1 Hour
Number of Attendees: 50
Conflicts to Avoid:
First Priority: saag core tls tokbind




People who must be present:
Hannes Tschofenig
Kathleen Moriarty
Derek Atkins

Resources Requested:
Projector in room

Special Requests:
Please avoid conflict with sec area BoFs.
---------------------------------------------------------

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




--_000_2452F93FBC4D4F42AD4C85A0672BFBE8adobecom_--


From nobody Tue Mar 21 07:01:04 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E63212958B for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 07:01:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRSw_-WRJLNc for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 07:00:55 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01C80129408 for <oauth@ietf.org>; Tue, 21 Mar 2017 07:00:54 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id 1so135267622qkl.3 for <oauth@ietf.org>; Tue, 21 Mar 2017 07:00:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+G6YRHiR0ykmmKANQNQYHk4UZIifR5TrlEQIKEAwn6s=; b=OB5RaCvmNN1HNZDDVZgCLV6/9Wflu18H9wxryfaJVMe2oxkapHnUT2XbMt0kCnVhQI JBBMZnidhAQ/qKz7PwDBrgjHKVHcDK6xkfZEs9QIvgmBS1oi5IHRMTm4GOh3Lsfiw5Jo PYuwlgoDMHHSWSQOOf63l2DOu2oWaggSDJI/DXUQVQOaOXBLcNawmzxcWhK5QbJHBXb6 lHakBsV/ojuFRuQAjTgX0H82QaOgvx1g03jZSFm304o4qwt7dwvpkGpi6WaJ17o4ZXH9 pR1iE5UMM57lyPUIVmzU+G1fMbkFaARmkykxQ1sI/jFpTswiNnCgVnlHGdhfaGCGjANn 9nWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+G6YRHiR0ykmmKANQNQYHk4UZIifR5TrlEQIKEAwn6s=; b=HH6j4v2E6x8qq9BxaUbbkrigQoQFqIqQdoTgp7uQu4o7gjsyXSpMao44ly+UXZ+5Jy AHlJmgvM5+Xh/mNl9uShMWtinDGGzT3RVnWeUs6HCnAIoqktl99OA0kU9zFfv+Mq4wNp /3XxDliNoz0coibvFtSWnxQpPTcPCtixLam+9VTVLLV2FT5wbnUVfYu16V8Rz8H5qo+I G3dXe+E24ydWYcSyCWAdqgp5tcQpj20g/IA/ZpxNCfn8t+XCvsFyeYEWxp29QhF5HP/R Y6/bE7ViVEs3DcSWDVfFr/XxPY6wxFtF5V1pOoZSyPyqrijtrGwEGL0eMSZ08vUWKw95 bpBw==
X-Gm-Message-State: AFeK/H2+8wjjGtvx7ApGj1z9l3DqaI7vawrK2ZpJc3+99/04i9q9U4bmr+Ujik1m8XpAWw/zpsdYvT8qqKrrJA==
X-Received: by 10.55.92.195 with SMTP id q186mr27852906qkb.84.1490104854026; Tue, 21 Mar 2017 07:00:54 -0700 (PDT)
MIME-Version: 1.0
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com>
In-Reply-To: <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 21 Mar 2017 14:00:42 +0000
Message-ID: <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com>
To: Antonio Sanso <asanso@adobe.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a114e486c80ad65054b3e1297
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XOBDH-epGcQHQ2b4aR5NOlSu4WE>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 14:01:01 -0000

--001a114e486c80ad65054b3e1297
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Chairs,

I would also like to ask 5 min. on Monday (as I cannot be on Friday) for
The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].

[1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01

It is capturing strong and rather urgent demands from the financial sector
and it would be great if it could be considered in the WG.

Best,

Nat Sakimura

On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com> wrote:

hi Torsten,

good one. I personally am looking forward to seeing this particular document
find its way.

IMHO this is something much needed.

regards

antonio

On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

Hi Chairs,

I would like to request 5 minutes on Monday to briefly present the status
of the security document. This is mainly to raise awareness in the group
since I didn't get that much input on it since Seoul.

kind regards,
Torsten.

On 18.03.2017 at 01:52, Mike Jones <Michael.Jones@microsoft.com> wrote:

Hi Chairs,

I'd like to request that the following presentations be added to the agenda:

OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15
minutes
OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike
Jones - 15 minutes

I'd also talked with Brian Campbell and I think he wants to lead this
discussion, in part based on his implementation experience:

OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30
minutes

(Brian may suggest a different amount of time)

I agree that William Dennis should present about the OAuth Device Flow
(draft-ietf-oauth-device-flow).

For completeness, I don't think a presentation is needed about OAuth AMR
Values (draft-ietf-oauth-amr-values) because it's now completed its IESG
review.

I'll look forward to seeing many of you in just over a week!

-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF Secretariat"
Sent: Friday, March 3, 2017 3:55 PM
To: oauth-chairs@ietf.org; smccammon@amsl.com
Cc: oauth@ietf.org
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF
98

Dear Stephanie McCammon,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by the original request.


oauth Session 1 (2:30:00)
  Friday, Morning Session I 0900-1130
  Room Name: Zurich C size: 100
  ---------------------------------------------
  oauth Session 2 (1:00:00)
  Monday, Afternoon Session III 1710-1810
  Room Name: Zurich C size: 100
  ---------------------------------------------



Request Information:


---------------------------------------------------------
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Stephanie McCammon

Number of Sessions: 2
Length of Session(s):  2.5 Hours, 1 Hour
Number of Attendees: 50
Conflicts to Avoid:
First Priority: saag core tls tokbind




People who must be present:
Hannes Tschofenig
Kathleen Moriarty
Derek Atkins

Resources Requested:
Projector in room

Special Requests:
Please avoid conflict with sec area BoFs.
---------------------------------------------------------

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

--001a114e486c80ad65054b3e1297
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr" class=3D"gmail_msg">HI Chairs,=C2=A0<div =
class=3D"gmail_msg"><br class=3D"gmail_msg"></div><div class=3D"gmail_msg">=
I would also like to ask 5 min. on Monday (as I cannot be on Friday) for=C2=
=A0</div>The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].=C2=
=A0</div><div dir=3D"ltr" class=3D"gmail_msg"><br></div><div dir=3D"ltr" cl=
ass=3D"gmail_msg">[1]=C2=A0<a href=3D"https://tools.ietf.org/html/draft-sak=
imura-oauth-jpop-01">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-=
01</a></div><div dir=3D"ltr" class=3D"gmail_msg"><br></div><div class=3D"gm=
ail_msg">It is capturing strong and rather urgent demands from the financia=
l sector and would be great if it can be considered in the WG.=C2=A0</div><=
div class=3D"gmail_msg"><br></div><div class=3D"gmail_msg">Best,=C2=A0</div=
><div class=3D"gmail_msg"><br></div><div class=3D"gmail_msg">Nat Sakimura</=
div><br class=3D"gmail_msg"><div class=3D"gmail_quote gmail_msg"><div dir=
=3D"ltr" class=3D"gmail_msg">On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso=
 &lt;<a href=3D"mailto:asanso@adobe.com" class=3D"gmail_msg" target=3D"_bla=
nk">asanso@adobe.com</a>&gt; wrote:<br class=3D"gmail_msg"></div><blockquot=
e class=3D"gmail_quote gmail_msg" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">



<div style=3D"word-wrap:break-word" class=3D"gmail_msg">
hi Torsten,
<div class=3D"gmail_msg"><br class=3D"gmail_msg">
</div>
<div class=3D"gmail_msg">good one. I personally I am looking forward to see=
 this particular document find its way.</div>
<div class=3D"gmail_msg"><br class=3D"gmail_msg">
</div>
<div class=3D"gmail_msg">IMHO this is something much needed.</div>
<div class=3D"gmail_msg"><br class=3D"gmail_msg">
</div>
<div class=3D"gmail_msg">regards</div>
<div class=3D"gmail_msg"><br class=3D"gmail_msg">
</div>
<div class=3D"gmail_msg">antonio</div>
<div class=3D"gmail_msg"><br class=3D"gmail_msg">
<div class=3D"gmail_msg"></div></div></div><div style=3D"word-wrap:break-wo=
rd" class=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail_msg">
<div class=3D"gmail_msg">On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt &=
lt;<a href=3D"mailto:torsten@lodderstedt.net" class=3D"gmail_msg" target=3D=
"_blank">torsten@lodderstedt.net</a>&gt; wrote:</div>
<br class=3D"m_3319639624494689827m_5030357770178240766Apple-interchange-ne=
wline gmail_msg">
</div></div></div><div style=3D"word-wrap:break-word" class=3D"gmail_msg"><=
div class=3D"gmail_msg"><div class=3D"gmail_msg"><blockquote type=3D"cite" =
class=3D"gmail_msg"><div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
Hi Chairs,<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
I would like to request 5 minutes on Monday to briefly present the status o=
f the security document. This is mainly to raise awareness in the group sin=
ce I didn=E2=80=99t get that much input on it since Seoul.<br class=3D"gmai=
l_msg">
<br class=3D"gmail_msg">
kind regards,<br class=3D"gmail_msg">
Torsten.<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
</div></blockquote></div></div></div><div style=3D"word-wrap:break-word" cl=
ass=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail_msg"><blockq=
uote type=3D"cite" class=3D"gmail_msg"><div style=3D"font-size:12px;font-st=
yle:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;lin=
e-height:normal;text-align:start;text-indent:0px;text-transform:none;white-=
space:normal;word-spacing:0px" class=3D"gmail_msg"><blockquote type=3D"cite=
" class=3D"gmail_msg">Am 18.03.2017 um 01:52 schrieb Mike Jones &lt;<a href=
=3D"mailto:Michael.Jones@microsoft.com" class=3D"gmail_msg" target=3D"_blan=
k">Michael.Jones@microsoft.com</a>&gt;:<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Hi Chairs,<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
I&#39;d like to request that the following presentations be added to the ag=
enda:<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<span class=3D"m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth Token Exchange (draft-i=
etf-oauth-token-exchange) - Mike Jones - 15 minutes<br class=3D"gmail_msg">
<span class=3D"m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth Authorization Server Me=
tadata (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes<br class=3D"g=
mail_msg">
<br class=3D"gmail_msg">
I&#39;d also talked with Brian Campbell and I think he wants to lead this d=
iscussion, in part based on his implementation experience:<br class=3D"gmai=
l_msg">
<br class=3D"gmail_msg">
<span class=3D"m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth Token Binding (draft-ie=
tf-oauth-token-binding) - Brian Campbell - 30 minutes<br class=3D"gmail_msg=
">
<br class=3D"gmail_msg">
(Brian may suggest a different amount of time)<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
I agree that William Dennis should present about the OAuth Device Flow (dra=
ft-ietf-oauth-device-flow).<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
For completeness, I don&#39;t think a presentation is needed about OAuth AM=
R Values (draft-ietf-oauth-amr-values) because it&#39;s now completed its I=
ESG review.<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
I&#39;ll look forward to seeing many of you in just over a week!<br class=
=3D"gmail_msg">
<br class=3D"gmail_msg">
<span class=3D"m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span><span class=3D"m_331963962449=
4689827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:=
pre-wrap"></span><span class=3D"m_3319639624494689827m_5030357770178240766A=
pple-tab-span gmail_msg" style=3D"white-space:pre-wrap"></span><span class=
=3D"m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" sty=
le=3D"white-space:pre-wrap"></span>-- Mike<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
-----Original Message-----<br class=3D"gmail_msg">
From: OAuth [<a href=3D"mailto:oauth-bounces@ietf.org" class=3D"gmail_msg" =
target=3D"_blank">mailto:oauth-bounces@ietf.org</a>] On Behalf Of &quot;IET=
F Secretariat&quot;<br class=3D"gmail_msg">
Sent: Friday, March 3, 2017 3:55 PM<br class=3D"gmail_msg">
To: <a href=3D"mailto:oauth-chairs@ietf.org" class=3D"gmail_msg" target=3D"=
_blank">oauth-chairs@ietf.org</a>; <a href=3D"mailto:smccammon@amsl.com" cl=
ass=3D"gmail_msg" target=3D"_blank">
smccammon@amsl.com</a><br class=3D"gmail_msg">
Cc: <a href=3D"mailto:oauth@ietf.org" class=3D"gmail_msg" target=3D"_blank"=
>oauth@ietf.org</a><br class=3D"gmail_msg">
Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF=
 98<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Dear Stephanie McCammon,<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
The session(s) that you have requested have been scheduled.<br class=3D"gma=
il_msg">
Below is the scheduled session information followed by the original request=
.<span class=3D"m_3319639624494689827m_5030357770178240766Apple-converted-s=
pace gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
<br class=3D"gmail_msg">
oauth Session 1 (2:30:00)<br class=3D"gmail_msg">
=C2=A0=C2=A0Friday, Morning Session I 0900-1130<br class=3D"gmail_msg">
=C2=A0=C2=A0Room Name: Zurich C size: 100<br class=3D"gmail_msg">
=C2=A0=C2=A0---------------------------------------------<br class=3D"gmail=
_msg">
=C2=A0=C2=A0oauth Session 2 (1:00:00)<br class=3D"gmail_msg">
=C2=A0=C2=A0Monday, Afternoon Session III 1710-1810<br class=3D"gmail_msg">
=C2=A0=C2=A0Room Name: Zurich C size: 100<br class=3D"gmail_msg">
=C2=A0=C2=A0---------------------------------------------<br class=3D"gmail=
_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Request Information:<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
Working Group Name: Web Authorization Protocol Area Name: Security Area Ses=
sion Requester: Stephanie McCammon<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Number of Sessions: 2<br class=3D"gmail_msg">
Length of Session(s): =C2=A02.5 Hours, 1 Hour Number of Attendees: 50 Confl=
icts to Avoid:<span class=3D"m_3319639624494689827m_5030357770178240766Appl=
e-converted-space gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
First Priority: saag core tls tokbind<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
People who must be present:<br class=3D"gmail_msg">
Hannes Tschofenig<br class=3D"gmail_msg">
Kathleen Moriarty<br class=3D"gmail_msg">
Derek Atkins<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Resources Requested:<br class=3D"gmail_msg">
Projector in room<br class=3D"gmail_msg">
<br class=3D"gmail_msg">
Special Requests:<br class=3D"gmail_msg">
Please avoid conflict with sec area BoFs.<br class=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
<br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
</blockquote></div></blockquote></div></div></div><div style=3D"word-wrap:b=
reak-word" class=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail=
_msg"><blockquote type=3D"cite" class=3D"gmail_msg"><div style=3D"font-size=
:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spaci=
ng:normal;line-height:normal;text-align:start;text-indent:0px;text-transfor=
m:none;white-space:normal;word-spacing:0px" class=3D"gmail_msg"><blockquote=
 type=3D"cite" class=3D"gmail_msg"><a href=3D"https://na01.safelinks.protec=
tion.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fo=
auth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b3=
4438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=3DFYIqTvgn1%2F=
pjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=3D0" class=3D"gmail_m=
sg" target=3D"_blank">https://na01.safelinks.protection.outlook.com/?url=3D=
https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D02%7C01%=
7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C=
0%7C0%7C636256985463058106&amp;sdata=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL3=
0ap%2B3bLX6aQ%3D&amp;reserved=3D0</a></blockquote></div></blockquote></div>=
</div></div><div style=3D"word-wrap:break-word" class=3D"gmail_msg"><div cl=
ass=3D"gmail_msg"><div class=3D"gmail_msg"><blockquote type=3D"cite" class=
=3D"gmail_msg"><div style=3D"font-size:12px;font-style:normal;font-variant:=
normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-ali=
gn:start;text-indent:0px;text-transform:none;white-space:normal;word-spacin=
g:0px" class=3D"gmail_msg"><blockquote type=3D"cite" class=3D"gmail_msg"><b=
r class=3D"gmail_msg">
<br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
</blockquote></div></blockquote></div></div></div><div style=3D"word-wrap:b=
reak-word" class=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail=
_msg"><blockquote type=3D"cite" class=3D"gmail_msg"><div style=3D"font-size=
:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spaci=
ng:normal;line-height:normal;text-align:start;text-indent:0px;text-transfor=
m:none;white-space:normal;word-spacing:0px" class=3D"gmail_msg"><blockquote=
 type=3D"cite" class=3D"gmail_msg"><a href=3D"https://na01.safelinks.protec=
tion.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fo=
auth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b3=
4438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=3DFYIqTvgn1%2F=
pjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=3D0" class=3D"gmail_m=
sg" target=3D"_blank">https://na01.safelinks.protection.outlook.com/?url=3D=
https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D02%7C01%=
7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C=
0%7C0%7C636256985463058106&amp;sdata=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL3=
0ap%2B3bLX6aQ%3D&amp;reserved=3D0</a><br class=3D"gmail_msg">
</blockquote></div></blockquote></div></div></div><div style=3D"word-wrap:b=
reak-word" class=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail=
_msg"><blockquote type=3D"cite" class=3D"gmail_msg"><div style=3D"font-size=
:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spaci=
ng:normal;line-height:normal;text-align:start;text-indent:0px;text-transfor=
m:none;white-space:normal;word-spacing:0px" class=3D"gmail_msg">
<br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
</div></blockquote></div></div></div><div style=3D"word-wrap:break-word" cl=
ass=3D"gmail_msg"><div class=3D"gmail_msg"><div class=3D"gmail_msg"><blockq=
uote type=3D"cite" class=3D"gmail_msg"><div style=3D"font-size:12px;font-st=
yle:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;lin=
e-height:normal;text-align:start;text-indent:0px;text-transform:none;white-=
space:normal;word-spacing:0px" class=3D"gmail_msg"><a href=3D"https://na01.=
safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailma=
n%2Flistinfo%2Foauth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73=
a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463068122&amp;sdat=
a=3D5CIJnWs2VdLM9FUWt%2FWlOxIilp5N2vfr7b9elwhL%2BA4%3D&amp;reserved=3D0" cl=
ass=3D"gmail_msg" target=3D"_blank">https://na01.safelinks.protection.outlo=
ok.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;d=
ata=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed=
2c178decee1%7C0%7C0%7C636256985463068122&amp;sdata=3D5CIJnWs2VdLM9FUWt%2FWl=
OxIilp5N2vfr7b9elwhL%2BA4%3D&amp;reserved=3D0</a></div>
</blockquote>
</div>
<br class=3D"gmail_msg">
</div>
</div>

_______________________________________________<br class=3D"gmail_msg">
OAuth mailing list<br class=3D"gmail_msg">
<a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_blank">OAu=
th@ietf.org</a><br class=3D"gmail_msg">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listinfo=
/oauth</a><br class=3D"gmail_msg">
</blockquote></div></div><div dir=3D"ltr">-- <br></div><div data-smartmail=
=3D"gmail_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--001a114e486c80ad65054b3e1297--


From nobody Tue Mar 21 07:48:03 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D50A12998B for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 07:47:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id puutcZ-t6M3R for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 07:47:40 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 164BA1299AC for <oauth@ietf.org>; Tue, 21 Mar 2017 07:47:39 -0700 (PDT)
Received: from [192.168.91.181] ([45.59.213.66]) by mail.gmx.com (mrgmx103 [212.227.17.168]) with ESMTPSA (Nemesis) id 0MWkZL-1cfcnF1dn9-00Xx41; Tue, 21 Mar 2017 15:47:35 +0100
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: hannes.tschofenig@arm.com
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <cbcdf187-7606-dfc4-137d-b74f1379fb40@gmx.net>
Date: Tue, 21 Mar 2017 15:47:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="gpgSNN3Jhs45oxWB9k0da8NauDVjGvADK"
X-Provags-ID: V03:K0:LHSpiGN6BDfYPe8P21scmDQpx3/7fgK71Wir8j/cECi0NQT3/kb wSLyKsNAaJQ+dC0qaW+FhErRE2oqVEZ6MTI2DIQV0cbM709spef4YcmbvQZuksHb1c8PDAB 0MjQVck9AnIR2EjNda8lgS+nlscG/aYn4UuNnrMZ0gYHE3ss0hTgLHAxOog4/AbxPSSDh2V 4bVZlAS/WIjc3H5Jv9MZg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:aWnXYU4CMo4=:cQuLzQByCMuoP7c2DL6CTd B72Rh2EXeIlae5VZ9VARy8OP8w3JPAyM/H0J+BHDgtVkI7klMDEksC6DLeCJVf1oLg/aThpBP ef4Bqm0zUwVOFybFp31xWkQVlKjo1J1mj/zAAg0hGbFQbnZWjbal3MtZfYiMN2xAaU1hIl9i8 h6KwT7LDwz/qbLsE2adTcpvIUkdAfOWSWMeN+OiLdcahdE6uxTbg8+CTYEI2WG/mcVLPLMrAb bOv+KCTMWjtQXEf0WJfdasl2oQRTH3z+yK4qrqKvY9HwXLUpxAXmsrtvi7MASpq8qWXxKm1BV iBasA8070NOK++gCQmF+JNeeC6ePflHZVqxUprLKwZQFUR24huc10GnOhpNVXBpumDkUNtKQm HbuVdYQ6nfKXaM2GnPKi91pnhyLM0L9EM7VOvGSNezHt63oLSudMEZzlTVmv2RctzcOxUKOb5 Q6GpgyGGOiy3Ujq0FxctGjIfcW9X5mVL/l0ApqjV4JdKXX9Pan+Ktd+6rPrmJ42QqQuTg63v5 WFbetdGf0ROgoS4bHKmlFXgxoMwsJkVkvcOt5cxA1/+2/rMsUS3vvV/vtHvR7QewqnCeKo0YV 9CAJpQjGCvY5iN3DjTM2Fm8lX54c/CyvGgvzIQSELcR8qYTfDqQBqyL5sF1ZZHxgV1dUk7HPh ha2Yj/2Jg3wARXTDmqElRXgP9zOzAUqnsIf76Ifo9HIV960TJ/87K0NS6Kat5vx7KFcivrhYn pNVvveVE4ibIxuumlopFG03j7ngZvMv1CFNRX/5sYG78j9bDL1hrBfl9Ah4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/c8FmFfQaUibJTnyx4kQ5UlX8Cvk>
Subject: [OAUTH-WG] OAuth Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 14:47:52 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--gpgSNN3Jhs45oxWB9k0da8NauDVjGvADK
Content-Type: multipart/mixed; boundary="ClewLI5wMardDr6XAeadLrnELGju60hgg";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: hannes.tschofenig@arm.com
Message-ID: <cbcdf187-7606-dfc4-137d-b74f1379fb40@gmx.net>
Subject: OAuth Agenda

--ClewLI5wMardDr6XAeadLrnELGju60hgg
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Here is the latest snapshot of the agenda:
https://datatracker.ietf.org/doc/agenda-98-oauth/

Let me know if there are any changes needed.

Ciao
Hannes


--ClewLI5wMardDr6XAeadLrnELGju60hgg--

--gpgSNN3Jhs45oxWB9k0da8NauDVjGvADK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJY0T0EAAoJEGhJURNOOiAtxOcH/jPCXUv++vPwxgCmEJeWsAu7
wgXfIC46pR7A3LB4QFbWKDX1RDk61rai0fIllw/GgHhMVoVSIs2IDUMjL2Jnw8kU
f0Yd27ReFNJtnsnIc2f5WP9kNITux5v2QGY6lLBdhyCL2SrxebHHQjPt5loAcH7w
Y7lcxwH8tRRmSScrwA2Rj/UZLzkPRu7z6OiZrPOpOo2rG2UY+F4w0rdVRq47bV8c
4t1E2HxhFhKgmkBSfs7fOgDkhBL+vI4deMfV9CyXJE929XvUQys5/mGRV2o5SO7/
QN8lGLejKlCnIaFEGIYPGr2BuLpuke2aJ0p8wcNrVit23Jy4SdEkrZ/5fbQkzyU=
=FLtu
-----END PGP SIGNATURE-----

--gpgSNN3Jhs45oxWB9k0da8NauDVjGvADK--


From nobody Tue Mar 21 10:40:23 2017
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8CE129C30 for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 10:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHGuYXbHftyt for <oauth@ietfa.amsl.com>; Tue, 21 Mar 2017 10:40:06 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5D5D129BDB for <oauth@ietf.org>; Tue, 21 Mar 2017 10:39:49 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id o126so82771328pfb.3 for <oauth@ietf.org>; Tue, 21 Mar 2017 10:39:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to:cc; bh=Aysu38zq4I+4W6CMI7hYhyR7C841hrDKMMHr3i2dwJ0=; b=RTgj2GVXuk0rB1tTfioHH3le7e1GTnlazmzR3JZ7nCzgotltLSh3KE3e4uG0e7+kUo YDfD7oX8zd4iqa9V8I/hmePJC6p0rXavUny9m18FXvgiWF8LreuD2i5htE6Djxqdz5SO NNjQYtbSEk/TeyBKOgNs/0nYoraWQm4e02U9Ax1R6S7o5TQ9toDu9cN5239S6LNKIi/U tqt1tfWXUEAXZIbRljAZj+b1CWFQjnnNH5Jaeicf44COLIRo4VLCU2w1f2w4qgnKOIqE uDTpf3SKICS4VsHTU1N4GPBWBZ4mNV2a1kEG4uOf+nHK+jGuwMzn9fijCK9Jlg15ii+M G3iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=Aysu38zq4I+4W6CMI7hYhyR7C841hrDKMMHr3i2dwJ0=; b=WjhZvGEcbkbR2f795wI2VDqFmOLB7/+Cyct+vUjGj/0EnFVKDQ1Nt7q9HVWSWpuGws PtGBx7jHSVQbAPFQGG1My0FYkIVUJdH6vaJWIvh709MczBcaNdeKe6EIQ+yDglZJgo6r 9fo+SeEVniCmqZHmYQqEOPplsAH+X/9fRNp5QMovkdgD4r4koh9Y144wi0bnHnBKCTn4 CaiPQzPkOnNBxlhR7hrOZqTJTP6Zgxb49cvdpU/a6hlEKQrc9vy5cuYsGlt0yrX5rWFp A/B0rzHJqssIbGcgG9yu+qbX6vodmRUQQ1ZYH7FNcSQ4VAHkpuzQ7MUJONblr3Mo3nIr of6g==
X-Gm-Message-State: AFeK/H2WvWBaAWdjOsDkMtvSqfWo6nJlUfJIBCgRYpsdikv3UDaneR6g7M1b083mTzYi9e9ia95+SGH79i462A==
X-Received: by 10.98.10.83 with SMTP id s80mr41924906pfi.27.1490117989371; Tue, 21 Mar 2017 10:39:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.177.199 with HTTP; Tue, 21 Mar 2017 10:39:49 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 21 Mar 2017 13:39:49 -0400
Message-ID: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YdScfVmAmKvhVLQaphAzyTtXxXA>
Subject: [OAUTH-WG] Chair volunteers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 17:40:19 -0000

Hello,

If you are interested in chairing OAuth, please send a direct message
to Stephen, Eric, and me.

A big thank you to Derek for his work in OAuth and we hope to have his
continued participation in the working group!

-- 

Best regards,
Kathleen


From nobody Wed Mar 22 03:15:13 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E95F1316BE for <oauth@ietfa.amsl.com>; Wed, 22 Mar 2017 03:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWvZ5N6URcjX for <oauth@ietfa.amsl.com>; Wed, 22 Mar 2017 03:15:06 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDECA1316BB for <oauth@ietf.org>; Wed, 22 Mar 2017 03:15:05 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 8CF83780368 for <oauth@ietf.org>; Wed, 22 Mar 2017 11:15:03 +0100 (CET)
To: oauth@ietf.org
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr>
Date: Wed, 22 Mar 2017 11:15:04 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------4A25F65CEAFD14D4FBB3BAAD"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/o4BLAhX8Lxg47E0fg2-rFI8agO0>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 10:15:10 -0000

This is a multi-part message in MIME format.
--------------4A25F65CEAFD14D4FBB3BAAD
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Hi Nat,


I have several comments on draft-sakimura-oauth-jpop-01 related to 
security or privacy.


1. The abstract states:

Only the party in possession of a corresponding cryptographic key with 
the Jpop token can use it to get access
to the associated resources unlike in the case of the bearer token 
described in [RFC6750] where any party
in possession of the access token can access the resource.

This is incorrect.

Replace with:

Any party able to use a corresponding private cryptographic key with the 
Jpop token can use it to get access
to the associated resources unlike in the case of the bearer token 
described in [RFC6750] where any party
in possession of the access token can access the resource.

2. In section 3, the text states:

aud    The identifier of the resource server.

According to the content of RFC 7800:

The "aud" (audience) claim identifies the recipients that the JWT is 
intended for. The interpretation of audience values is application specific.

Replace with:

aud    The recipients that the JWT is intended for (the interpretation of
audience values is application specific).

3. In section 3, the text states:

cnf    The confirmation method.

Their semantics are defined in [RFC7519] and [RFC7800]


This is incorrect: cnf is neither defined in [RFC7519] nor in [RFC7800].

4. In section 6.2, the text states:

For this, the following steps are taken:

1. The client prepares a nonce.

2. The client creates JWS compact serialization over the nonce


    JSON Web Token Claims are listed at:
    https://www.iana.org/assignments/jwt/jwt.xhtml

"nonce" has not been defined by the IANA, but is mentioned in OpenID 
Connect Core 1.0 incorporating errata set 1. It is described as :

nonce

String value used to associate a Client session with an ID Token, and to 
mitigate replay attacks. The value is passed through
unmodified from the Authentication Request to the ID Token. If present 
in the ID Token, Clients MUST verify that the nonce
Claim Value is equal to the value of the nonce parameter sent in the
Authentication Request. If present in the Authentication Request,
Authorization Servers MUST include a nonce Claim in the ID Token with the
Claim Value being the nonce value sent in the Authentication Request.
Authorization Servers SHOULD perform no other processing on nonce values
used. The nonce value is a case sensitive string.

I have several observations:

a) there is some difficulty to mandate the use of a parameter that is not
registered by IANA.

b) the further processing of the nonce is not indicated in the text

c) The last sentence from the above description states: "Authorization
Servers SHOULD perform no other processing on nonce values used"
There is a practical problem with such a sentence since Authorization 
Servers would need to remember nonces for ever.
Either that sentence should be deleted or the nonce shall be only used 
with a UTC time parameter included in the Authentication Request.

In any case, the definition of a nonce as specified in OpenID Connect 
Core 1.0 incorporating errata set 1 should not be used and another 
parameter
(e.g. rdn for random) should be defined and registered by IANA and used 
in combination with a UTC time parameter included in the Authentication 
Request.
In this way, only the rdn received during the last X minutes will need 
to be remembered by the Authorization Servers.


5. The title of section 9.1 is: "Certificate validation"

Change the title of this section into :

"9.1. Common Name Constrained Token"

6. In section 9.1, the text states:

The "cn" JWT confirmation method relies its security property on the

X.509 client certificate authentication.

Replace with:

The "cn" JWT confirmation method relies its security property by the 
inclusion of the Common Name (CN)
that is part of the Distinguished Name (DN) of an X.509 certificate. The 
JWT is linked to the common name
included in the certificate. Such a method is not privacy friendly since 
it allows an easy linkage between
all the accounts of a given user on different resource servers.

7. Add a new section 9.2 to deal with the case of the cid.

Proposed text:

9.2. Client ID Constrained Token

The "cid" JWT confirmation method relies its security property on the 
assumption that the cid legitimately
used by one server cannot be used by another user. It also relies on the 
assumption that the authentication data
associated with "cid" combined with the "iss" will only be used by the 
legitimate user. This method is ineffective
in case of a collusion between two users, since one user can perform all 
the computations needed by the other user.

8. In section 9.2, the text states:

The client’s secret key must be kept securely. Otherwise, the notion of 
PoP breaks down.

The PKIX group from the IETF is using the vocabulary private key / 
public key when asymmetric cryptography is being used
and secret key when symmetric algorithms are being used (let us call a 
spade a spade).

However, keeping a client's private key securely is not the right 
wording either. If the key is kept securely in a secure element
(e.g. smart card), this is not enough, since the holder of the secure 
element may use this key for himself ... or worse for the benefit of 
someone else.

Proposed change :

9.3. Key Constrained Token

This method has four variants.

When the JWT contains a jwk, the JWT confirmation method relies its 
security property on the assumption that the private key
associated with the public key contained in the access token will only 
be used by the legitimate user. In order to avoid an easy linkage
between user's accounts, this method presents the advantage that the key 
pair can be changed for every JWT. However, this method
is ineffective in case of a collusion between two users, since one user 
can perform all the computations needed by the other user.

When the JWT contains a jwkt#s256, the server must have a prior 
knowledge of the public key and the method relies its security property
on the assumption that the private key associated with the public key 
contained in the access token will only be used by the legitimate user.
Hence, this method is ineffective in case of a collusion between two 
users, since one user can perform all the computations needed
by the other user.

When the JWT contains a x5t#s256, the server must have a prior knowledge 
of the public key certificate. The JWT is then linked to a hash value
of a certificate included in the JWT. The server knows a unique 
identifier of the user. Such a method is not privacy friendly since it 
allows
an easy linkage between all the accounts of a given user on different 
resource servers.

When the JWT contains a jwe, the JWT confirmation method relies its 
security property on the assumption that the secret key included
in the JWT will only be used by the legitimate user. In order to avoid 
an easy linkage between user's accounts, this method presents
the advantage that the secret key can be changed for every JWT. However, 
this method is ineffective in case of a collusion between two users,
since one user can perform all the computations needed by the other user.

9. The text states in section 9.3:

9.3. Audi_a_nce Restriction

When using the signature method the client must specify to the AS the 
aud it intends to send the token to, so that it can be included in the AT.

A malicious RS could receive a AT with no aud or a logical audience and 
then replay the AT and jws-on-nonce to the actual server.


Proposed change in order to address privacy concerns :

9.4. Audi_e_nce Restriction

When using the signature method, the client must specify to the AS the 
aud it intends to send the token to, so that it can be included in the AT.

RFC 7800 states that the interpretation of audience values is 
application specific. If a fixed value is being used, e.g. a URL of the 
server,
then the authorization server can easily know where the access tokens 
will be used and thus is in a position to act as Big Brother.
It is thus recommended to use a different value in the aud claims for 
each access token that contains no semantics in it but that the resource 
server
can easily recognize.

If a malicious RS receives an AT with no aud or a logical audience in it 
then it can replay the AT and jws-on-nonce to another server.

Denis


> HI Chairs,
>
> I would also like to ask 5 min. on Monday (as I cannot be on Friday) for
> The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].
>
> [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
>
> It is capturing strong and rather urgent demands from the financial 
> sector and would be great if it can be considered in the WG.
>
> Best,
>
> Nat Sakimura
>
> On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com 
> <mailto:asanso@adobe.com>> wrote:
>
>     hi Torsten,
>
>     good one. I personally I am looking forward to see this particular
>     document find its way.
>
>     IMHO this is something much needed.
>
>     regards
>
>     antonio
>
>     On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt
>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>>     Hi Chairs,
>>
>>     I would like to request 5 minutes on Monday to briefly present
>>     the status of the security document. This is mainly to raise
>>     awareness in the group since I didn’t get that much input on it
>>     since Seoul.
>>
>>     kind regards,
>>     Torsten.
>>
>>>     Am 18.03.2017 um 01:52 schrieb Mike Jones
>>>     <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>:
>>>
>>>     Hi Chairs,
>>>
>>>     I'd like to request that the following presentations be added to
>>>     the agenda:
>>>
>>>     OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike
>>>     Jones - 15 minutes
>>>     OAuth Authorization Server Metadata (draft-ietf-oauth-discovery)
>>>     - Mike Jones - 15 minutes
>>>
>>>     I'd also talked with Brian Campbell and I think he wants to lead
>>>     this discussion, in part based on his implementation experience:
>>>
>>>     OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian
>>>     Campbell - 30 minutes
>>>
>>>     (Brian may suggest a different amount of time)
>>>
>>>     I agree that William Dennis should present about the OAuth
>>>     Device Flow (draft-ietf-oauth-device-flow).
>>>
>>>     For completeness, I don't think a presentation is needed about
>>>     OAuth AMR Values (draft-ietf-oauth-amr-values) because it's now
>>>     completed its IESG review.
>>>
>>>     I'll look forward to seeing many of you in just over a week!
>>>
>>>     -- Mike
>>>
>>>     -----Original Message-----
>>>     From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of "IETF
>>>     Secretariat"
>>>     Sent: Friday, March 3, 2017 3:55 PM
>>>     To: oauth-chairs@ietf.org <mailto:oauth-chairs@ietf.org>;
>>>     smccammon@amsl.com <mailto:smccammon@amsl.com>
>>>     Cc: oauth@ietf.org <mailto:oauth@ietf.org>
>>>     Subject: [OAUTH-WG] oauth - Requested sessions have been
>>>     scheduled for IETF 98
>>>
>>>     Dear Stephanie McCammon,
>>>
>>>     The session(s) that you have requested have been scheduled.
>>>     Below is the scheduled session information followed by the
>>>     original request.
>>>
>>>     oauth Session 1 (2:30:00)
>>>       Friday, Morning Session I 0900-1130
>>>       Room Name: Zurich C size: 100
>>>       ---------------------------------------------
>>>       oauth Session 2 (1:00:00)
>>>       Monday, Afternoon Session III 1710-1810
>>>       Room Name: Zurich C size: 100
>>>       ---------------------------------------------
>>>
>>>
>>>
>>>     Request Information:
>>>
>>>
>>>     ---------------------------------------------------------
>>>     Working Group Name: Web Authorization Protocol Area Name:
>>>     Security Area Session Requester: Stephanie McCammon
>>>
>>>     Number of Sessions: 2
>>>     Length of Session(s):  2.5 Hours, 1 Hour Number of Attendees: 50
>>>     Conflicts to Avoid:
>>>     First Priority: saag core tls tokbind
>>>
>>>
>>>
>>>
>>>     People who must be present:
>>>     Hannes Tschofenig
>>>     Kathleen Moriarty
>>>     Derek Atkins
>>>
>>>     Resources Requested:
>>>     Projector in room
>>>
>>>     Special Requests:
>>>     Please avoid conflict with sec area BoFs.
>>>     ---------------------------------------------------------
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0
>>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463068122&sdata=5CIJnWs2VdLM9FUWt%2FWlOxIilp5N2vfr7b9elwhL%2BA4%3D&reserved=0
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
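
Added example, not text from Denis's message, from the jpop draft, or from any project: a resource-server check for a jws-on-nonce style presentation that illustrates two of the points above together, the bounded nonce memory of point 4c (only nonces received inside a time window are remembered, so the server never has to remember nonces for ever) and the audience restriction of point 9 (a proof minted for one RS is rejected by another, which is what defeats a malicious RS relaying the AT and the signed nonce). Assumptions that are not in the message: HS256 with a shared secret stands in for the client's key, the proof carries the claims nonce, aud and iat, the caller supplies the client identifier (for instance taken from the AT), and the window and skew values are arbitrary.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims, key):
    """Client side: JWS compact serialization over the claims.
    HS256 with a shared secret is an assumption standing in for the client's key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + b64url(sig)


def verify_jws(token, key):
    """Return the claims if the signature verifies under `key`, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm substitution
        expected = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


class ReplayWindow:
    """Nonce cache that remembers (client, nonce) only while the nonce could
    still pass the freshness check, so the server's memory stays bounded."""

    def __init__(self, window=300, skew=30):
        self.window = window  # seconds a nonce stays acceptable after its iat
        self.skew = skew      # tolerated clock drift for a future-dated iat
        self._seen = {}       # (client_id, nonce) -> iat

    def check_and_record(self, client_id, nonce, iat, now):
        # A nonce older than the window fails the freshness test below anyway,
        # so it can be forgotten; this is what keeps the cache bounded.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}
        if iat > now + self.skew or now - iat > self.window:
            return False  # future-dated beyond the skew, or stale
        key = (client_id, nonce)
        if key in self._seen:
            return False  # replay inside the window
        self._seen[key] = iat
        return True


def verify_presentation(proof, key, client_id, my_audience, replay_window, now):
    """Resource-server check of a jws-on-nonce presentation. Returns (ok, reason)."""
    claims = verify_jws(proof, key)
    if claims is None:
        return False, "bad signature"
    # Audience binding: a proof minted for another RS is not accepted here, so a
    # malicious RS cannot relay the AT plus this proof to the real server.
    if claims.get("aud") != my_audience:
        return False, "audience mismatch"
    nonce, iat = claims.get("nonce"), claims.get("iat")
    if not isinstance(nonce, str) or not nonce or not isinstance(iat, (int, float)):
        return False, "missing claims"
    if not replay_window.check_and_record(client_id, nonce, iat, now):
        return False, "replayed or stale nonce"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    rs = ReplayWindow(window=300, skew=30)
    now = int(time.time())
    proof = sign_jws({"nonce": "n-1a2b3c", "aud": "https://rs.example", "iat": now}, key)
    print(verify_presentation(proof, key, "client-1", "https://rs.example", rs, now))      # accepted
    print(verify_presentation(proof, key, "client-1", "https://rs.example", rs, now + 1))  # replay
    print(verify_presentation(proof, key, "client-1", "https://other.example", rs, now))   # wrong RS
```

The eviction threshold and the freshness threshold are the same `window`, which is what makes forgetting safe: a nonce that has been evicted is by construction too old to be accepted again, so nothing is lost by dropping it. If the audience value is an opaque per-token value, as Denis proposes, `my_audience` is simply the value the RS was told to expect for that token rather than its URL.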



--------------4A25F65CEAFD14D4FBB3BAAD
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi Nat,</p>
    <p>I have several comments on draft-sakimura-oauth-jpop-01 related to security or privacy.</p>
    <p>1. The abstract states:</p>
    <p style="margin-left:27.0pt">Only the party in possession of a corresponding cryptographic key with the Jpop token can use it to get access to the associated resources unlike in the case of the bearer token described in [RFC6750] where any party in possession of the access token can access the resource.</p>
    <p>This is incorrect.</p>
    <p>Replace with:</p>
    <p style="margin-left:27.0pt">Any party able to use a corresponding private cryptographic key with the Jpop token can use it to get access to the associated resources unlike in the case of the bearer token described in [RFC6750] where any party in possession of the access token can access the resource.</p>
    <p>2. In section 3, the text states:</p>
    <p style="margin-left:27.0pt">aud  The identifier of the resource server.</p>
    <p>According to the content of RFC 7800:</p>
    <p style="margin-left:27.0pt">The "aud" (audience) claim identifies the recipients that the JWT is intended for. The interpretation of audience values is application specific.</p>
    <p>Replace with:</p>
    <p style="margin-left:27.0pt">aud  The recipients that the JWT is intended for (the interpretation of audience values is application specific).</p>
    <p>3. In section 3, the text states:</p>
    <p style="margin-left:27.0pt">cnf  The confirmation method.</p>
    <p style="margin-left:27.0pt">Their semantics are defined in [RFC7519] and [RFC7800]</p>
    <p>This is incorrect: cnf is neither defined in [RFC7519] nor in [RFC7800].</p>
    <p>4. In section 6.2, the text states:</p>
    <p style="margin-left:36.0pt">For this, the following steps are taken:</p>
    <p style="margin-left:36.0pt">1.  The client prepares a nonce.</p>
    <p style="margin-left:36.0pt">2.  The client creates JWS compact serialization over the nonce</p>
    <p>JSON Web Token Claims are listed at: <a class="moz-txt-link-freetext" href="https://www.iana.org/assignments/jwt/jwt.xhtml">https://www.iana.org/assignments/jwt/jwt.xhtml</a></p>
    <p>"nonce" has not been defined by the IANA, but is mentioned in OpenID Connect Core 1.0 incorporating errata set 1. It is described as:</p>
    <p>nonce</p>
    <p style="margin-left:36.0pt">String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the <tt>nonce</tt> Claim Value is equal to the value of the <tt>nonce</tt> parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a <tt>nonce</tt> Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. <font color="#3333ff">Authorization Servers SHOULD perform no other processing on <tt>nonce</tt> values used</font>. The <tt>nonce</tt> value is a case sensitive string.</p>
    <p>I have several observations:</p>
    <p style="margin-left:36.0pt;text-indent:-18.0pt">a)     there is some difficulty in mandating the use of a parameter that is not registered by IANA.</p>
    <p style="margin-left:36.0pt;text-indent:-18.0pt">b)     the further processing of the nonce is not indicated in the text.</p>
    <p style="margin-left:36.0pt;text-indent:-18.0pt">c)     The last sentence from the above description states: "<font color="#3333ff">Authorization Servers SHOULD perform no other processing on <tt>nonce</tt> values used</font>"<br>
        There is a practical problem with such a sentence since Authorization Servers would need to remember nonces forever.<br>
        Either that sentence should be deleted or the nonce shall only be used with a UTC time parameter included in the Authentication Request.</p>
    <p>In any case, the definition of a nonce as specified in OpenID Connect Core 1.0 incorporating errata set 1 should not be used and another parameter (e.g. rdn for random) should be defined and registered by IANA and used in combination with a UTC time parameter included in the Authentication Request.<br>
        In this way, only the rdn received during the last X minutes will need to be remembered by the Authorization Servers.</p>
    <p>5. The title of section 9.1 is: "Certificate validation"</p>
    <p>Change the title of this section into:</p>
    <p style="margin-left:27.0pt">"9.1. Common Name Constrained Token"</p>
    <p>6. In section 9.1, the text states:</p>
    <p style="margin-left:27.0pt">The "cn" JWT confirmation method relies its security property on the X.509 client certificate authentication.</p>
    <p>Replace with:</p>
    <p style="margin-left:27.0pt">The "cn" JWT confirmation method relies for its security property on the inclusion of the Common Name (CN) that is part of the Distinguished Name (DN) of an X.509 certificate. The JWT is linked to the common name included in the certificate. Such a method is not privacy friendly since it allows an easy linkage between all the accounts of a given user on different resource servers.</p>
    <p>7. Add a new section 9.2 to deal with the case of the cid.</p>
    <p>Proposed text:</p>
    <p style="margin-left:27.0pt">9.2. Client ID Constrained Token</p>
    <p style="margin-left:27.0pt">The "cid" JWT confirmation method relies for its security property on the assumption that the cid legitimately used by one server cannot be used by another user. It also relies on the assumption that the authentication data associated with "cid" combined with the "iss" will only be used by the legitimate user. This method is ineffective in case of a collusion between two users, since one user can perform all the computations needed by the other user.</p>
    <p>8. In section 9.2, the text states:</p>
    <p style="margin-left:27.0pt">The client’s secret key must be kept securely. Otherwise, the notion of PoP breaks down.</p>
    <p>The PKIX group from the IETF is using the vocabulary private key / public key when asymmetric cryptography is being used and secret key when symmetric algorithms are being used (let us call a spade a spade).</p>
    <p>However, keeping a client's private key securely is not the right wording either. If the key is kept securely in a secure element (e.g. smart card), this is not enough, since the holder of the secure element may use this key for himself ... or worse, for the benefit of someone else.</p>
    <p>Proposed change:</p>
    <p style="margin-left:27.0pt">9.3. Key Constrained Token</p>
    <p style="margin-left:27.0pt">This method has four variants.</p>
    <p style="margin-left:27.0pt">When the JWT contains a jwk, the JWT confirmation method relies for its security property on the assumption that the private key associated with the public key contained in the access token will only be used by the legitimate user. In order to avoid an easy linkage between a user's accounts, this method presents the advantage that the key pair can be changed for every JWT. However, this method is ineffective in case of a collusion between two users, since one user can perform all the computations needed by the other user.</p>
    <p style="margin-left:27.0pt">When the JWT contains a jwkt#s256, the server must have a prior knowledge of the public key and the method relies for its security property on the assumption that the private key associated with the public key contained in the access token will only be used by the legitimate user. Hence, this method is ineffective in case of a collusion between two users, since one user can perform all the computations needed by the other user.</p>
    <p style="margin-left:27.0pt">When the JWT contains an x5t#s256, the server must have a prior knowledge of the public key certificate. The JWT is then linked to a hash value of a certificate included in the JWT. The server knows a unique identifier of the user. Such a method is not privacy friendly since it allows an easy linkage between all the accounts of a given user on different resource servers.</p>
    <p style="margin-left:27.0pt">When the JWT contains a jwe, the JWT confirmation method relies for its security property on the assumption that the secret key included in the JWT will only be used by the legitimate user. In order to avoid an easy linkage between a user's accounts, this method presents the advantage that the secret key can be changed for every JWT. However, this method is ineffective in case of a collusion between two users, since one user can perform all the computations needed by the other user.</p>
    <p class="MsoNormal" style="margin-top:6.0pt"><span
        style="font-family:Arial;mso-ansi-language:EN-US" lang="EN-US">9.
        The text states in section 9.3:<o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">9.3.<span
          style="mso-spacerun: yes"> 
        </span>Audi<u>a</u>nce Restriction<o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">When using the
        signature method the client must
        specify to the AS the aud it intends to send the token to, so
        that it can be
        included in the AT.<o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">A malicious RS could
        receive an AT with no aud or a logical audience and then replay the AT and
        jws-on-nonce to the actual server.<o:p></o:p></span></p>
    <p class="MsoNormal" style="margin-top:6.0pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US"><br>
        Proposed change in order to address privacy concerns:<o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">9.4.<span
          style="mso-spacerun: yes"> 
        </span>Audi<u>e</u>nce Restriction<o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">When using the
        signature method, the client must
        specify to the AS the aud it intends to send the token to, so
        that it can be
        included in the AT. <o:p></o:p></span></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><font color="#000099"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">RFC 7800 states
          that the interpretation of audience values is application specific. If a fixed
          value is being used, e.g. a URL of the server, then the authorization server can
          easily know where the access tokens will be used and thus is in a position to
          act as Big Brother. It is thus recommended to use a different value in the aud
          claim of each access token, a value that contains no semantics but that the
          resource server can easily recognize.</span></font><i><span style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></i></p>
    <p class="MsoNormal"
      style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
      margin-left:27.0pt;margin-bottom:.0001pt"><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US">If a malicious RS
        receives an AT with no aud or a logical audience in it, then it can replay the AT
        and jws-on-nonce to another server.<br>
      </span><span style="font-size:11.0pt;mso-bidi-font-size:12.0pt;
        font-family:Arial;mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
    <p><span style="font-size:
11.0pt;mso-bidi-font-size:12.0pt;font-family:Arial;mso-ansi-language:EN-US"
        lang="EN-US"><!--[if !supportEmptyParas]--> <!--[endif]--><o:p></o:p></span><font
        size="+1"><span style="font-size:
11.0pt;mso-bidi-font-size:12.0pt;font-family:Arial;mso-ansi-language:EN-US"
          lang="EN-US">Denis</span></font></p>
    <p><font size="+1"><span style="font-size:
11.0pt;mso-bidi-font-size:12.0pt;font-family:Arial;mso-ansi-language:EN-US"
          lang="EN-US"><br>
        </span></font></p>
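The audience check argued for under 9.3 and the opaque per-token aud proposed for 9.4, as an added Python example that is not part of the original mail or of the jpop draft. It assumes a simplified token model: the claims arrive as an already-verified dict, the cnf entry is a symmetric secret the RS has already recovered, and the proof over the RS nonce is an HMAC-SHA256 tag standing in for the jws-on-nonce; the server names and the MAC-based tag scheme are constructed for the illustration.

```python
"""Added example, not from the mail or the jpop draft: a resource server's check of a
proof-of-possession (PoP) access token, showing why the 9.3 audience restriction
matters and one way to realise the opaque per-token 'aud' proposed for 9.4.

Assumptions (simplified model, not the draft's wire format):
  - the token's JWS has already been verified, so its claims arrive as a dict;
  - the 'cnf' entry is a symmetric secret the RS has already recovered (base64url);
  - the proof over the RS nonce is an HMAC-SHA256 tag standing in for the jws-on-nonce.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pop_proof(cnf_secret: bytes, rs_nonce: str) -> str:
    """Client side: demonstrate possession of the confirmation key over the RS nonce."""
    return b64url(hmac.new(cnf_secret, rs_nonce.encode(), hashlib.sha256).digest())


class ResourceServer:
    def __init__(self, name: str):
        self.name = name
        # Per-RS key for minting and recognising opaque audience tags (constructed scheme).
        self._aud_key = secrets.token_bytes(32)

    # --- proposed 9.4: an 'aud' value with no semantics that the RS still recognises ---
    def mint_audience_tag(self) -> str:
        """Fresh per-token audience: 16 random bytes plus a 16-byte MAC under the RS key.
        The AS learns nothing about where the token will be used; the RS recognises
        the tag statelessly by recomputing the MAC."""
        rnd = secrets.token_bytes(16)
        mac = hmac.new(self._aud_key, rnd, hashlib.sha256).digest()[:16]
        return b64url(rnd + mac)

    def recognises_audience(self, aud: str) -> bool:
        try:
            raw = b64url_decode(aud)
        except ValueError:  # binascii.Error is a ValueError
            return False
        if len(raw) != 32:
            return False
        expected = hmac.new(self._aud_key, raw[:16], hashlib.sha256).digest()[:16]
        return hmac.compare_digest(expected, raw[16:])

    def accept(self, claims: dict, proof: str, rs_nonce: str, enforce_aud: bool) -> bool:
        """Validate a PoP request: the proof must match the cnf key and, when
        enforce_aud is set, 'aud' must name this server or carry one of its tags.
        With enforce_aud=False this is the gap described for 9.3: a token with no
        (or a merely logical) audience is accepted wherever the proof is presented."""
        cnf = claims.get("cnf", {}).get("jwe")
        if not isinstance(cnf, str):
            return False
        expected = pop_proof(b64url_decode(cnf), rs_nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        if not enforce_aud:
            return True
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        return any(a == self.name or self.recognises_audience(a)
                   for a in auds if isinstance(a, str))


def scenario() -> dict:
    """Constructed walk-through: one token and one proof presented to two servers."""
    intended = ResourceServer("https://rs.example")      # constructed names
    other = ResourceServer("https://other.example")
    cnf_secret = secrets.token_bytes(32)
    nonce = b64url(secrets.token_bytes(16))               # challenge issued by 'intended'
    proof = pop_proof(cnf_secret, nonce)

    # Token issued without 'aud': the proof binds the key to the nonce only.
    no_aud = {"iss": "https://as.example", "sub": "alice",
              "cnf": {"jwe": b64url(cnf_secret)}}
    # Token whose 'aud' is an opaque tag minted by the server the client intends to use.
    tagged = dict(no_aud, aud=intended.mint_audience_tag())

    return {
        "no_aud_accepted_without_check": intended.accept(no_aud, proof, nonce, False),
        "no_aud_rejected_with_check": not intended.accept(no_aud, proof, nonce, True),
        "tagged_accepted_by_intended": intended.accept(tagged, proof, nonce, True),
        "tagged_accepted_by_other": other.accept(tagged, proof, nonce, True),
        "tagged_aud_recognised_elsewhere": other.recognises_audience(tagged["aud"]),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```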
    <blockquote
cite="mid:CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div dir="ltr" class="gmail_msg">HI Chairs, 
          <div class="gmail_msg"><br class="gmail_msg">
          </div>
          <div class="gmail_msg">I would also like to ask 5 min. on
            Monday (as I cannot be on Friday) for </div>
          The OAuth 2.0 Authorization Framework: JWT Pop Token Usage
          [1]. </div>
        <div dir="ltr" class="gmail_msg"><br>
        </div>
        <div dir="ltr" class="gmail_msg">[1] <a moz-do-not-send="true"
            href="https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01</a></div>
        <div dir="ltr" class="gmail_msg"><br>
        </div>
        <div class="gmail_msg">It is capturing strong and rather urgent
          demands from the financial sector and would be great if it can
          be considered in the WG. </div>
        <div class="gmail_msg"><br>
        </div>
        <div class="gmail_msg">Best, </div>
        <div class="gmail_msg"><br>
        </div>
        <div class="gmail_msg">Nat Sakimura</div>
        <br class="gmail_msg">
        <div class="gmail_quote gmail_msg">
          <div dir="ltr" class="gmail_msg">On Tue, Mar 21, 2017 at 10:28
            PM Antonio Sanso &lt;<a moz-do-not-send="true"
              href="mailto:asanso@adobe.com" class="gmail_msg"
              target="_blank">asanso@adobe.com</a>&gt; wrote:<br
              class="gmail_msg">
          </div>
          <blockquote class="gmail_quote gmail_msg" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="word-wrap:break-word" class="gmail_msg">
              hi Torsten,
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">good one. I personally I am looking
                forward to see this particular document find its way.</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">IMHO this is something much needed.</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">regards</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
              <div class="gmail_msg">antonio</div>
              <div class="gmail_msg"><br class="gmail_msg">
              </div>
            </div>
            <div style="word-wrap:break-word" class="gmail_msg">
              <div class="gmail_msg">
                <div class="gmail_msg">
                  <div class="gmail_msg">On Mar 21, 2017, at 2:08 PM,
                    Torsten Lodderstedt &lt;<a moz-do-not-send="true"
                      href="mailto:torsten@lodderstedt.net"
                      class="gmail_msg" target="_blank">torsten@lodderstedt.net</a>&gt;
                    wrote:</div>
                  <br
class="m_3319639624494689827m_5030357770178240766Apple-interchange-newline
                    gmail_msg">
                </div>
              </div>
            </div>
            <div style="word-wrap:break-word" class="gmail_msg">
              <div class="gmail_msg">
                <div class="gmail_msg">
                  <blockquote type="cite" class="gmail_msg">
                    <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                      class="gmail_msg">
                      Hi Chairs,<br class="gmail_msg">
                      <br class="gmail_msg">
                      I would like to request 5 minutes on Monday to
                      briefly present the status of the security
                      document. This is mainly to raise awareness in the
                      group since I didn’t get that much input on it
                      since Seoul.<br class="gmail_msg">
                      <br class="gmail_msg">
                      kind regards,<br class="gmail_msg">
                      Torsten.<br class="gmail_msg">
                      <br class="gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style="word-wrap:break-word" class="gmail_msg">
              <div class="gmail_msg">
                <div class="gmail_msg">
                  <blockquote type="cite" class="gmail_msg">
                    <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                      class="gmail_msg">
                      <blockquote type="cite" class="gmail_msg">Am
                        18.03.2017 um 01:52 schrieb Mike Jones &lt;<a
                          moz-do-not-send="true"
                          href="mailto:Michael.Jones@microsoft.com"
                          class="gmail_msg" target="_blank">Michael.Jones@microsoft.com</a>&gt;:<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        Hi Chairs,<br class="gmail_msg">
                        <br class="gmail_msg">
                        I'd like to request that the following
                        presentations be added to the agenda:<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        <span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                        Token Exchange (draft-ietf-oauth-token-exchange)
                        - Mike Jones - 15 minutes<br class="gmail_msg">
                        <span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                        Authorization Server Metadata
                        (draft-ietf-oauth-discovery) - Mike Jones - 15
                        minutes<br class="gmail_msg">
                        <br class="gmail_msg">
                        I'd also talked with Brian Campbell and I think
                        he wants to lead this discussion, in part based
                        on his implementation experience:<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        <span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                        Token Binding (draft-ietf-oauth-token-binding) -
                        Brian Campbell - 30 minutes<br class="gmail_msg">
                        <br class="gmail_msg">
                        (Brian may suggest a different amount of time)<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        I agree that William Dennis should present about
                        the OAuth Device Flow
                        (draft-ietf-oauth-device-flow).<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        For completeness, I don't think a presentation
                        is needed about OAuth AMR Values
                        (draft-ietf-oauth-amr-values) because it's now
                        completed its IESG review.<br class="gmail_msg">
                        <br class="gmail_msg">
                        I'll look forward to seeing many of you in just
                        over a week!<br class="gmail_msg">
                        <br class="gmail_msg">
                        <span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>--
                        Mike<br class="gmail_msg">
                        <br class="gmail_msg">
                        -----Original Message-----<br class="gmail_msg">
                        From: OAuth [<a moz-do-not-send="true"
                          href="mailto:oauth-bounces@ietf.org"
                          class="gmail_msg" target="_blank">mailto:oauth-bounces@ietf.org</a>]
                        On Behalf Of "IETF Secretariat"<br
                          class="gmail_msg">
                        Sent: Friday, March 3, 2017 3:55 PM<br
                          class="gmail_msg">
                        To: <a moz-do-not-send="true"
                          href="mailto:oauth-chairs@ietf.org"
                          class="gmail_msg" target="_blank">oauth-chairs@ietf.org</a>;
                        <a moz-do-not-send="true"
                          href="mailto:smccammon@amsl.com"
                          class="gmail_msg" target="_blank">
                          smccammon@amsl.com</a><br class="gmail_msg">
                        Cc: <a moz-do-not-send="true"
                          href="mailto:oauth@ietf.org" class="gmail_msg"
                          target="_blank">oauth@ietf.org</a><br
                          class="gmail_msg">
                        Subject: [OAUTH-WG] oauth - Requested sessions
                        have been scheduled for IETF 98<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        Dear Stephanie McCammon,<br class="gmail_msg">
                        <br class="gmail_msg">
                        The session(s) that you have requested have been
                        scheduled.<br class="gmail_msg">
                        Below is the scheduled session information
                        followed by the original request.<span
                          class="m_3319639624494689827m_5030357770178240766Apple-converted-space
                          gmail_msg"> </span><br class="gmail_msg">
                        <br class="gmail_msg">
                        oauth Session 1 (2:30:00)<br class="gmail_msg">
                          Friday, Morning Session I 0900-1130<br
                          class="gmail_msg">
                          Room Name: Zurich C size: 100<br
                          class="gmail_msg">
                          ---------------------------------------------<br
                          class="gmail_msg">
                          oauth Session 2 (1:00:00)<br class="gmail_msg">
                          Monday, Afternoon Session III 1710-1810<br
                          class="gmail_msg">
                          Room Name: Zurich C size: 100<br
                          class="gmail_msg">
                          ---------------------------------------------<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
                        Request Information:<br class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
---------------------------------------------------------<br
                          class="gmail_msg">
                        Working Group Name: Web Authorization Protocol
                        Area Name: Security Area Session Requester:
                        Stephanie McCammon<br class="gmail_msg">
                        <br class="gmail_msg">
                        Number of Sessions: 2<br class="gmail_msg">
                        Length of Session(s):  2.5 Hours, 1 Hour Number
                        of Attendees: 50 Conflicts to Avoid:<span
                          class="m_3319639624494689827m_5030357770178240766Apple-converted-space
                          gmail_msg"> </span><br class="gmail_msg">
                        First Priority: saag core tls tokbind<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
                        <br class="gmail_msg">
                        People who must be present:<br class="gmail_msg">
                        Hannes Tschofenig<br class="gmail_msg">
                        Kathleen Moriarty<br class="gmail_msg">
                        Derek Atkins<br class="gmail_msg">
                        <br class="gmail_msg">
                        Resources Requested:<br class="gmail_msg">
                        Projector in room<br class="gmail_msg">
                        <br class="gmail_msg">
                        Special Requests:<br class="gmail_msg">
                        Please avoid conflict with sec area BoFs.<br
                          class="gmail_msg">
---------------------------------------------------------<br
                          class="gmail_msg">
                        <br class="gmail_msg">
                        _______________________________________________<br
                          class="gmail_msg">
                        OAuth mailing list<br class="gmail_msg">
                        <a moz-do-not-send="true"
                          href="mailto:OAuth@ietf.org" class="gmail_msg"
                          target="_blank">OAuth@ietf.org</a><br
                          class="gmail_msg">
                      </blockquote>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            _______________________________________________<br
              class="gmail_msg">
            OAuth mailing list<br class="gmail_msg">
            <a moz-do-not-send="true" href="mailto:OAuth@ietf.org"
              class="gmail_msg" target="_blank">OAuth@ietf.org</a><br
              class="gmail_msg">
            <a moz-do-not-send="true"
              href="https://www.ietf.org/mailman/listinfo/oauth"
              rel="noreferrer" class="gmail_msg" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br
              class="gmail_msg">
          </blockquote>
        </div>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div data-smartmail="gmail_signature">
        <p dir="ltr">Nat Sakimura</p>
        <p dir="ltr">Chairman of the Board, OpenID Foundation</p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------4A25F65CEAFD14D4FBB3BAAD--


From nobody Wed Mar 22 03:32:09 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
References: <c5a3d992-5807-0c72-0d0b-e4eb3e9391b8@free.fr>
To: Nat Sakimura <nat@sakimura.org>
Cc: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
X-Forwarded-Message-Id: <c5a3d992-5807-0c72-0d0b-e4eb3e9391b8@free.fr>
Message-ID: <29149d40-230f-f83c-1c09-6ba8db4b7759@free.fr>
Date: Wed, 22 Mar 2017 11:31:57 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <c5a3d992-5807-0c72-0d0b-e4eb3e9391b8@free.fr>
Content-Type: multipart/alternative; boundary="------------1D8A97523D12651E0649B91D"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5KCyHfktRftdZL6MliyA48iamUs>
Subject: [OAUTH-WG] Fwd: Re: Last Call: <draft-ietf-oauth-jwsreq-11.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard

This is a multi-part message in MIME format.
--------------1D8A97523D12651E0649B91D
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Nat,

draft-ietf-oauth-jwsreq-12 has been issued on February 13, 2017 since 
the time I posted comments on draft-ietf-oauth-jwsreq-11
on Fri, 17 Feb 2017 21:51:18 +0100

However, you omitted to respond to this email, which contains 7 important 
topics.

ITEM 1 directly relates to the nonce issue I am pointing out in another 
email from today.

Denis

=============================================================================================

Hi Nat,

Thank you for the forwarding of the detailed responses made by John.
Instead of replying between the lines, I have grouped my concerns under 
7 items that are detailed below.

======================================================================

ITEM 1

======================================================================

RFC 6749 states in section 10.2 (from the security considerations 
section on page 54):

The authorization server SHOULD NOT process repeated authorization 
requests automatically
(without active resource owner interaction) without authenticating the 
client or relying on other measures
to ensure that the repeated request comes from the original client and 
not an impersonator.

With such vague guidance there are dozens of possibilities, none of 
which is defined.

How would two implementations be able to interoperate? The answer is 
simple: they can't.

Nevertheless, replay protection of a Token Request should be addressed 
in the current draft, and presently it isn't.
In order to address this concern, I make a proposal.

An Authorization Server should be able to "easily" check (i.e. without 
losing too much computing time, in order to decrease
the efficiency of DoS attacks) whether a Token Request is a replay of a 
previous Token Request or not.

ISO/IEC 10181-2:1996 (Information technology -- Open Systems 
Interconnection -- Security frameworks for open systems:
Authentication framework) published more than 20 years ago defines two 
methods: the use of challenges or the use of unique numbers.
Unique numbers are also called "nonces" (as a contraction of "number 
once") but their meaning is fully different from the meaning used by
the OpenID Connect Core specification, since a unique number as defined 
in that specification is in fact a "challenge" as defined by ISO/IEC 
10181-2.


Hereafter is the definition of a nonce as defined in the OpenID Connect 
Core specification:

nonce

String value used to associate a Client session with an ID Token, and to 
mitigate replay attacks. The value is passed through unmodified
from the Authentication Request to the ID Token. If present in the ID 
Token, Clients MUST verify that the nonce Claim Value is equal to
the value of the nonce parameter sent in the Authentication Request. If 
present in the Authentication Request, Authorization Servers MUST
include a nonce Claim in the ID Token with the Claim Value being the 
nonce value sent in the Authentication Request. Authorization Servers
SHOULD perform no other processing on nonce values used. The nonce value 
is a case sensitive string.


A unique number (according to ISO/IEC 10181-2) is generated by a client 
and is used by a server to check the freshness of a request
without the need for the server to remember it for more than a couple or 
a dozen minutes. It is composed of a UTC time and a random number.
A unique number is generated by the client and checked by the 
Authorization Server.

Similarly, in order to allow a Client to verify that the Access Token 
corresponds to the content of the Authorization Request,
some data SHOULD be included in the Access Token.

The OpenID Connect Core specification has defined a "nonce" that allows 
to perform the second check, but not to perform the first one.

In order to avoid the Authorization Server having to remember unique 
numbers (as defined in ISO/IEC 10181-2) forever, each Authorization Request needs
to contain a UTC time, so that unique numbers that are out of a time 
window (of, let us say, a couple or a dozen minutes) can be removed
from the memory of the Authorization Server.

Fortunately, RFC 7519, Section 4.1.6 has defined "iat" which means 
"Issued At".

This means that the Authorization Request as defined in the draft 
specification SHALL contain a unique number that consists of
both an "iat" parameter and a random number.

Let us call that second parameter "rdn" for "random number" and let us 
register it at IANA /within this future RFC/ as being an int32,
which is quite sufficient for the intended purpose.

rdn

Integer value used by a Client in an Authentication Request for two 
purposes. Firstly, when associated with an "iat" parameter,
to allow an Authorization Server to detect the replay of an 
Authentication Request and secondly to allow a Client to check
the freshness of an Access Token. In order to detect the replay of an 
Authentication Request, the Authorization Server MUST
be able to (a) use a local clock loosely synchronized with UTC, and 
(b) construct a table where the "iat" parameter and
the "rdn" parameter from each well-formed and accepted Authentication 
Request are memorized. Only the "iat" parameters
and the "rdn" parameters received during a short time window (e.g. a 
couple or a dozen minutes) need to be memorized.

After checking that the Authentication Request is well formed, its 
processing SHOULD continue by checking the "iat" parameter.
If the "iat" parameter is outside the time window, the Authentication 
Request SHALL be discarded by the Authorization Server.
If the "iat" parameter is inside the time window, the Authorization 
Server SHALL check whether the "iat" parameter associated
with that "rdn" parameter is already memorized in the table. If it 
is, the Authentication Request SHALL be discarded
by the Authorization Server. Otherwise, the Authentication Request is 
not a replay of a previous Authentication Request and
the processing of the Authentication Request SHOULD continue.

The value of the rdn parameter is passed through unmodified from the 
Authentication Request to the Authorization Server.
It MAY be included in the Access Token by the Authorization Server. If 
present in the Access Token, Clients MUST verify
that the rdn Claim Value is equal to the value of the rdn parameter sent 
in the Authentication Request and if it is not the case,
the Access Token SHALL be discarded.

Note that this makes it possible to reduce the number of parameters, 
without the need to use the nonce parameter (as defined in the OpenID 
Connect Core specification),
which is not defined in any RFC for the moment.

The end result of this argumentation is that the Authorization Request - 
as defined in this draft specification -
SHALL contain both an "iat" parameter and a "rdn" parameter. Please take 
a look at the next item before expressing a position on this item.

======================================================================

ITEM 2

======================================================================

Nat: The implementer of this document needs to consult RFC6749 closely 
anyway as all the verification requirements still hold,
so as an editor, I would rather keep it as it is. It is not "reader 
friendly" but cannot go wrong with the approach to just referencing RFC6749.

John: There are 4 flows in RFC6749. In each flow, there is a sub-section 
dedicated to the Authorization request.
In them, the parameters used in the authorization request are very 
clearly indicated. (...) Thus, it would be misleading just to say
the parameters defined in 4.1.1, 4.2.1, etc. As an editor, I feel better 
with the current language because it is at least not wrong nor misleading.

I proposed:

   Object *MUST contain a client_id parameter* and SHOULD contain a
    "iss" (issuer) *parameter* and an "aud" (audience) *parameter*, with
    their semantics being the same as defined in the JWT RFC7519]
    specification.

John: I am kind of ok with the proposed text but if you want to 
single out `client_id`, perhaps a reason should be added.
There are other REQUIRED parameters in the Authorization Request defined 
in RFC6749, you know.

The mandatory parameters to be included in the request should be 
identified. They are composed of:

(a) the common denominator of the REQUIRED parameters defined in 4.1.1, 
4.2.1, etc.,

(b) the parameters that are necessary to address the detection of the 
replay of previous well-formed requests, and

(c) the parameters that are necessary to address the detection of the 
replay of a previous well-formed token.

The common denominator of the REQUIRED parameters defined in 4.1.1, 
4.2.1, etc, is the client_id parameter (indicated as "REQUIRED").

The parameters that are necessary to address the detection of the two 
cases of replay are the "iat" and the "rdn" parameters.

As a reader, I feel better knowing which parameters are REQUIRED, 
leaving other details to RFC 6749.

As a conclusion, the draft should indicate that the following parameters 
are always REQUIRED: client_id, iat and rdn.

Hence my proposal:

*Object MUST contain a "client_id" parameter, i.e. **a string 
representing the registration information
provided by the end-user that is unique to the authorization server,** an 
"iat" parameter and
an "rdn" parameter, and SHOULD contain an "iss" (issuer) parameter and an 
"aud" (audience) parameter,
with their semantics being the same as defined in the JWT [RFC7519] 
specification.*

======================================================================

ITEM 3

======================================================================

Nat: ABC attack is out of scope for OAuth. It is not a new attack. The 
resource owner handing a bearer token
to another party willfully is not a threat in the bearer token model.

Nat: ABC attack is out of scope of RFC 6749 and RFC6750. They can be 
dealt with in POP document but not this one.

Denis: RFC 6749 (The OAuth 2.0 Authorization Framework) was 
published in October 2012. RFC 6819 (OAuth 2.0 Threat Model and Security 
Considerations)
was published in January 2013, hence after RFC 6749, so RFC 6749 
could not reference RFC 6819. /The cart was put before the 
horse/.

RFC 6819 implicitly talks about the ABC attack in section 5.1.6:

5.1.6. Access Tokens

The following measures should be used to protect access tokens:

(...).

o Ensure that client applications do not share tokens with 3rd parties.

You said: "They can be dealt with in POP document".

Unfortunately, at the present time, this is not the case.

The key point is that none of the documents issued by the OAuth WG 
(nor by the Tokbind WG) indicates how to
"Ensure that client applications do not share tokens with 3rd parties".

The charter of the Tokbind WG (unbearable) states (see: 
https://datatracker.ietf.org/wg/tokbind/charter) :

"It is a goal of this working group to enable defense against attacks 
that involve unauthorized replay of security tokens.
Other issues associated with the use of security tokens are out of scope".

However, draft-ietf-tokbind-protocol-13 (The Token Binding Protocol 
Version 1.0) /issued yesterday/ explicitly states:

The Token Binding protocol does not prevent cooperating clients from
sharing a bound token. A client could intentionally export a bound
token with the corresponding Token Binding private key, or perform
signatures using this key on behalf of another client.

So neither the OAuth WG nor the TokBind WG have, at this time, a draft 
that is potentially able to counter the ABC attack.

So saying that the "ABC attack is out of scope for OAuth" is not the 
right wording.
Saying that the "ABC attack has not been taken into consideration for 
OAuth 2.0" is *a fact*.
That *fact *should not be hidden in the current draft.

Since it is unlikely that RFC 6819 will soon be replaced by another RFC, 
it is necessary to mention that threat in the security considerations 
section.
This does not mean that this threat shall be solved in the current 
draft, but readers should be aware that the ABC attack is not countered 
using this draft.

A text along the following one should be added into the security 
consideration section:

In case of a cooperation between clients, the format of the JWT Secured 
Authorization Request
described in this document does not prevent a client from asking an 
Authorization Server for a token
that, once obtained, may be successfully passed from one client to 
another one without
the resource server for which it is intended being able to notice it.

Note that a /different/ format of a signed request would be one piece of 
a puzzle able to solve it.

======================================================================

ITEM 4

======================================================================

Hereafter is another topic, about both the "client_id" and "collection 
minimization", which apparently are not related to each other
... but they are, as explained below.


1) The draft states:

The signature MUST be validated against the appropriate key for that
"client_id" and algorithm.

I commented:

The important point is to provide guidance on how to map the client_id 
parameter with the appropriate key. There is none at the present time.


I suggested to add:

Identifying the appropriate key MUST be done according to section 6 of 
RFC 7515
and using the Registered Header Parameter Names defined in section 4.1 
of RFC 7515,
e.g. using the Header Parameters "jku", "jwk", "kid", "x5u", "x5c", 
"x5t", or "x5t#S256".

There was no comment/opinion from John about this proposal.


2) About "collection minimization"

The introduction states on page 4:

(d) (collection minimization) The request can be signed by a third party
attesting that the authorization request is compliant to certain
policy.

However, later on, there is the following explanation:

In addition, it allows requests to be prepared by a third party
so that a client application cannot request more permissions
than previously agreed.

John explained:

The third party indeed signs the request on behalf of the client as the 
result of verification that the permission is the same as previously 
agreed.

The value of `client_id` will be the requesting party.

The value of `iss` can be the third party.

But setting aside that, I guess your point actually is on the use of the 
word "request". Authorization request is the entire thing that travels
from the client and not a part of it, and that is a fair point. Having 
said that, I have a problem with your use of the word "verified". What 
about this?

(d) (collection minimization) The data being requested can be
attested by a third party that is compliant to collection
minimization principle.


3) Denis proposal to solve this comment:

After:

*The signature MUST be validated against the appropriate key for that 
"client_id" and algorithm.*

I suggest to add:

*Identifying the appropriate key MUST be done according to section 6 of 
RFC 7515
and using the Registered Header Parameter Names defined in section 4.1 
of RFC 7515,
e.g. using the Header Parameters "jku", "jwk", "kid", "x5u", "x5c", 
"x5t", or "x5t#S256".
That key may be either associated with the client_id, which is a **string 
unique to the authorization
server representing the registration information originally provided by 
the end-user,** or
associated with a third party with which the authorization server 
has a trust relationship.*

I also propose to change item d) in the following way:

(d) (collection minimization) The request can be signed by a third party
*rather than by an end-user *attesting that the authorization request
is compliant to certain policy. (...)

======================================================================

ITEM 5

======================================================================

On the following issue, I believe that I agree with John on the 
rationale. However, John was unclear whether he accepted the proposed change
or an alternative one capturing the same concept.



The introduction states on page 4:

      (a) (integrity protection) The request can be signed so that the 
integrity of the request can be checked;

This should be changed into:

      (a) (integrity protection) The request can be authenticated either 
using a digital signature or using encryption under a secret key
so that the integrity of the request can be checked;

Reject.

This paragraph is talking about the integrity protection and not the 
source authentication.

And even for source authentication, saying that encryption under a 
secret key is not accurate as it was discussed earlier in the WG mail.

I am not sure if "Introduction" needs to state everything that is 
explained later. The idea of introduction probably is to give main points.
The list is not an exhaustive list of the benefit of using JWT as the 
authorization request format. For example, being able to encrypt
the request, which is not listed there, has an advantage of preventing 
MITB to eavesdrop the request. So I think it is ok as is.

Integrity protection cannot be verified without knowing the source of 
the information.

Using encryption (which supports at the same time an integrity service 
when secret keys are being used) is another way to be able to check the 
integrity of the request.

So I maintain my comment.


John: I think the issue is that if you encrypt with an asymmetric 
algorithm then the receiver has no idea who encrypted it.

Denis response: That is correct.

John: If encrypted with a symmetric key (not secret key) then you know 
that it came from someone who has access to that key. That works because 
we only support AEAD encryption.

Denis response: That is correct (/except that, for me, a symmetric 
key is a perfect synonym for a secret key/) :-)

John: You can use asymmetric encryption but you need to sign first if 
you want to know who it is from.

Denis response: It does not matter.

My proposal is to change the sentence into:

(a) (integrity protection) The request can be authenticated either using 
a digital signature or using encryption
under a /symmetric/ key so that the integrity of the request can be checked;

If you believe something should be changed in that proposal, please make 
another proposal.

======================================================================

ITEM 6

======================================================================

10. Section 11.1 states:

*11.1. Collection limitation*

*When the Client is being granted access to a protected resource
containing personal data, the Client SHOULD limit the collection of
personal data to that which is within the bounds of applicable law
and strictly necessary for the specified purpose(s).*

  The /presentation/ of personal data should be limited whether or not 
the protected resource contains personal data.


We have trouble understanding each other.

1° This condition applies at the time of the request, not at the time of 
the granting.

2° The protected resource may contain either personal data or public 
data or both, so there is no need to specify "personal data".

3° Personal data is /presented/ by the client, it is not /collected/.


In blue, you have the changes I propose:

*When the Client requests an access to a protected resource containing
personal data, the Client SHOULD limit the presentation of personal
data to that which is within the bounds of applicable law and strictly 
necessary
for the specified purpose(s).*

======================================================================

ITEM 7

======================================================================

John: This specification draws from OpenID Connect for some examples of 
extension parameters such as nonce.

On page 16 the text states:

*The following is an example of the Claims in a Request Object before
base64url encoding and signing. Note that it includes extension
variables such as "nonce" and "max_age".*

The key point is whether it is appropriate */in the main body of this 
document/* to provide examples that include parameters
such as "nonce" and "max_age" that are not described in any RFC. The 
text does not even indicate where these extensions
come from. It would be more appropriate to use extensions that are 
defined in IETF RFCs.

Since the replay protection of the request MUST be achieved, remove 
*"nonce": "n-0S6_WzA2Mj"* and replace it with:

*   "iat": 1487354400*

*   "rdn": 7945123*

remove: *"max_age": 86400*

and finally remove: *Note that it includes extension variables such 
as "nonce" and "max_age".*

Denis
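As an added illustration by the editor (it is neither text from the draft nor code posted by Denis), the following Python shows how an Authorization Server could implement the two checks that ITEM 1 proposes, the "iat" time window and the uniqueness of the ("iat", "rdn") pair, together with the key selection that ITEM 4 asks for, i.e. picking the key from what was registered for the "client_id" and never from header parameters the sender controls. The client_id, "kid", secret and claim values are constructed for the example; "rdn" is the parameter proposed above, not a registered one; HS256 is used so the block runs with the standard library only, and the lookup logic is the same for an asymmetric algorithm.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: each client_id maps to the keys registered for it, by "kid".
# The secret value is made up for this example.
CLIENT_KEYS = {
    "s6BhdRkqt3": {"k1": b"constructed-client-secret-for-s6BhdRkqt3"},
}
WINDOW_SECONDS = 300  # "a couple or a dozen minutes" in the proposal; 5 minutes here


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ReplayTable:
    """Remembers (client_id, iat, rdn) of accepted requests, but only inside the
    window, so the table stays bounded and old entries are forgotten (the reason
    the proposal carries iat next to rdn)."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.seen = {}  # (client_id, iat, rdn) -> iat

    def check_and_record(self, client_id: str, iat: int, rdn: int, now: int) -> bool:
        # Evict entries whose iat fell out of the window; a replay of those is
        # rejected by the iat check in validate_request_object before reaching here.
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.window}
        key = (client_id, iat, rdn)
        if key in self.seen:
            return False  # same (iat, rdn) already accepted: replay
        self.seen[key] = iat
        return True


def sign_request_object(claims: dict, client_id: str, kid: str) -> str:
    """Client side: build a compact JWS over the request claims (HS256, hypothetical kid)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_KEYS[client_id][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_request_object(token: str, table: ReplayTable, now: int):
    """Authorization Server side. Returns (accepted, reason, claims)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64 and bad JSON all derive from ValueError
        return False, "malformed", None

    # Key selection (ITEM 4): the key comes from what was registered for this client_id.
    # Header parameters such as "jwk" or "jku" are sender-controlled and deliberately ignored.
    client_id = claims.get("client_id")
    if client_id not in CLIENT_KEYS:
        return False, "unknown client_id", None
    if header.get("alg") != "HS256":
        return False, "alg does not match pre-registered algorithm", None
    key = CLIENT_KEYS[client_id].get(header.get("kid"))
    if key is None:
        return False, "no registered key for kid", None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None

    # Replay detection (ITEM 1): first the time window on iat, then uniqueness of (iat, rdn).
    iat, rdn = claims.get("iat"), claims.get("rdn")
    if not isinstance(iat, int) or not isinstance(rdn, int):
        return False, "iat or rdn missing", None
    if abs(now - iat) > WINDOW_SECONDS:  # abs() also rejects future-dated requests
        return False, "iat outside window", None
    if not table.check_and_record(client_id, iat, rdn, now):
        return False, "replay", None
    return True, "ok", claims


def client_accepts_token(token_claims: dict, sent_rdn: int) -> bool:
    """Second use of rdn in the proposal: the client checks that the token echoes the value it sent."""
    return token_claims.get("rdn") == sent_rdn
```

Two practical caveats follow from the code: the window has to tolerate the clock skew of real clients (the proposal's "loosely synchronized" clock), and the table must be shared across all instances of a load-balanced Authorization Server, otherwise a replay sent to a second instance is not detected.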



> Hi Denis,
>
> Thought John's response went to you as well but apparently not.
>
> My replies inline:
>
> On Fri, Feb 10, 2017 at 6:15 AM, Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Nat,
>
>     My replies to your proposed disposition of comments are embedded
>     in the text.
>
> [snip]
>
>>          Section 4 states:
>>
>>         *A Request Object (Section 2.1) is used to provide authorization
>>         request parameters for an OAuth 2.0 authorization request. It
>>         contains OAuth 2.0 [RFC6749] authorization request parameters
>>         including extension parameters.*
>>
>>         RFC 6749 contains 75 pages, but does not contain a single
>>         occurrence of the wording "authorization request parameter"
>>         nor of "extension parameter".
>>         There should be either references to one or more specific
>>         sections of this document or, even better, a list of the
>>         mandatory/recommended/possible
>>         authorization request parameters as well as a list of
>>         mandatory/recommended/possible extension parameters should be
>>         included in this document.
>>
>>         A clear distinction should be made between the parameters
>>         used to authenticate the request and the other ones.
>>
>>
>>     Reject.
>>     There are 4 flows in RFC6749. In each flow, there is a
>>     sub-section dedicated to the Authorization request.
>>     In them, the parameters used in the authorization request are
>>     very clearly indicated. For example,
>>
>>
>>             4.1.1
>>             <https://tools.ietf.org/html/rfc6749#section-4.1.1>.
>>             Authorization Request
>>
>>
>>
>>         The client constructs the request URI by adding the following
>>         parameters to the query component of the authorization endpoint URI ...
>>     It is very difficult to miss.
>>
>>     Then, the possibility for the extension parameters are discussed
>>     in 8.2. Needless to say, those extension parameters are going to
>>     be discussed in other specifications.
>>     Thus, it would be misleading just to say the parameters defined
>>     in 4.1.1, 4.2.1, etc.
>>     As an editor, I feel better with the current language because it
>>     is at least not wrong nor misleading.
>
>     draft-ietf-oauth-jwsreq-11 states on page 7.
>
>     To sign, JSON Web Signature (JWS) [RFC7515] is used. The result is a
>     JWS signed JWT [RFC7519]. If signed, the Authorization Request
>     Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
>     as members, with their semantics being the same as defined in the JWT
>     [RFC7519] specification.
>
>     This should be changed into:
>
>     To sign, JSON Web Signature (JWS) [RFC7515] is used. The result is a
>     JWS signed JWT [RFC7519]. If signed, the Authorization Request
>     Object *MUST contain a client_id parameter* and SHOULD contain a
>     "iss" (issuer) *parameter* and an "aud" (audience) *parameter*, with
>     their semantics being the same as defined in the JWT [RFC7519]
>     specification.
>
>  I am kind of ok with the proposed text but if you want to 
> single out `client_id`, perhaps a reason should be added.
> There are other REQUIRED parameters in the Authorization Request 
> defined in RFC6749, you know.
>
>     In section 5.2. Message Signature or MAC Validation, the text states:
>
>     When validating a JWS, the following steps are performed.
>     (...)
>     See Section 10.6 for security considerations on algorithm
>     validation.
>
>     There is no section 10.6 in this document. It seems to be section 10.3
>
>     Anyway, it is not the right place to place requirements in a
>     security considerations section and the appropriate text
>     should be moved in the main body of the document.
>
>
> Sorry, I cannot find the text you are referring to.
>
>     RFC 6749 states in clause 4. Obtaining Authorization on page
>
>     6.2. JWS Signed Request Object
>
>     To perform JWS Signature Validation, the "alg" Header Parameter in
>     the JOSE Header MUST match the value of the pre-registered algorithm.
>     The signature MUST be validated against the appropriate key for that
>     "client_id" and algorithm.
>
>     The important point is to provide guidance on how to map the
>     client_id parameter with the appropriate key.
>     There is none at the present time.
>
>     Add:
>
>     Identifying the appropriate key MUST be done according to section 6
>     of RFC 7515 and using the Registered Header Parameter Names defined
>     in section 4.1 of RFC 7515, e.g. using the Header Parameters "jku",
>     "jwk", "kid", "x5u", "x5c", "x5t", or "x5t#S256".
>
>
>>     4. The introduction states on page 4:
>>
>>              (a) (integrity protection) The request can be signed so
>>         that the integrity of the request can be checked;
>>
>>         This should be changed into:
>>
>>              (a) (integrity protection) The request can be
>>         authenticated either using a digital signature or using
>>         encryption under a secret key
>>                   so that the integrity of the request can be checked;
>>
>>
>>     Reject.
>>     This paragraph is talking about the integrity protection and not
>>     the source authentication.
>>     And even for source authentication, saying that encryption under
>>     a secret key is not accurate as it was discussed earlier in the
>>     WG mail.
>>
>>     I am not sure if "Introduction" needs to state everything that is
>>     explained later. The idea of introduction probably is to give
>>     main points. The list is not an exhaustive list of the benefit of
>>     using JWT as the authorization request format. For example, being
>>     able to encrypt the request, which is not listed there, has an
>>     advantage of preventing MITB to eavesdrop the request. So I think
>>     it is ok as is.
>>
>     Integrity protection cannot be verified without knowing the source
>     of the information.
>
>     Using encryption (which supports at the same time
>     an integrity service when secret keys are being used) is another
>     way to be able to check the integrity of the request.
>
>     So I maintain may comment.
>
>
> I think the issue is that if you encrypt with an asymmetric algorithm 
> then the receiver has no idea who encrypted it.
> If encrypted with a symmetric key (not secret key) then you know that 
> it came from someone who has access to that key.
> That works because we only support AEAD encryption.
>
> You can use asymmetric encryption but you need to sign first if you 
> want to know who it is from.
>
>
>>     5. The introduction states on page 4:
>>
>>         (d) (collection minimization) The request can be *signed* by
>>         a third party attesting that the authorization request is
>>         compliant to certain policy.
>>
>>         The request is not /signed/ by a third party.
>>
>>         However, later on, there is the following explanation:
>>
>>         In addition, it allows requests to be prepared by a third
>>         party so that a client application cannot request
>>            more permissions than previously agreed.
>>
>>          If it is the intent, the sentence should be rephrased as:
>>
>>         (d) (collection minimization) The request can be *verified*
>>         by a third party attesting that the authorization request is
>>         compliant to certain policy.
>>
>>     Reject
>>     The third party indeed signs the request on behalf of the client
>>     as the result of verification that the permission is the same as
>>     previously agreed.
>
>     If it were the case, the client_id would indicate the name of the
>     third party and the name of the user would be missing (or vice versa).
>
>
> The value of `client_id` will be the requesting party.
> The value of `iss` can be the third party.
> But setting aside that, I guess your point actually is on the use of 
> the word "request". Authorization request is the entire thing that 
> travels from the client and not a part of it, and that is a fair 
> point. Having said that, I have a problem with your use of the word 
> "verified". What about this?
>>
>>     (d) (collection minimization) The data being requested can be
>>     *attested* by a third party that is compliant to collection
>>     minimization principle.
>>
>
>
>>          6. Section 10.1. the text states:
>>
>>         *When sending the authorization request object through "request"
>>         parameter, it MUST either be signed using JWS [RFC7515] or
>>         encrypted
>>         using JWE [RFC7516] with then considered appropriate algorithm.*
>>
>>          The wording "with then considered appropriate algorithm" is
>>         too vague. This should be changed into:
>>
>>         *When sending the authorization request object through "request"
>>         parameter, it MUST either be signed using JWS [RFC7515] or
>>         encrypted
>>         using JWE [RFC7516] using a symmetric key algorithm.*
>>
>>         Reject.
>>
>>     In the above sentence, "*with then considered appropriate
>>     algorithm*"  applies both on JWS and JWE.
>>     The intent of the phrase is that a vulnerable algorithm should
>>     not be used.
>>
>>     Also, I do not understand why the algorithm has to be symmetric
>>     key algorithm.
>
>     Maybe, this explains why you didn't understand the previous
>     comment. With public key encryption, it is not possible to
>     authenticate
>     the source of the request, while it is possible with secret key
>     encryption when the encrypted data includes a cryptographic checksum
>     like a hash value and an error propagation method for the
>     encryption algorithm.
>
>
> I understand this. My point is that this subsection is not talking 
> about what you just stated. This is a security consideration pointing 
> out that an algorithm which has not become vulnerable must be used.
>
> What you describe should instead go below the list (a)(b)(c) in 
> section 5 or section 10.3.
> "when symmetric keys are being used" probably is a bit too open to 
> interpretation. John is now creating a text on it.
>
>     So I maintain my comment.
>
>
>>          7. Section 10.2 states:
>>
>>         This means that the request object is going to be prepared
>>         fresh each
>>         time an authorization request is made and caching cannot be used.
>>
>>          What are the implications ? Is it required/recommended to
>>         use a nonce ? The text should be made clearer.
>>
>>     Reject.
>>     The implication is given right after the sentence. There is no
>>     variable called "nonce" in RFC6749. Since this document is just
>>     defining
>>     another encoding method for OAuth 2.0 authorization request as a
>>     framework, it does not mandate these.
>>     An extension specification should define those requirements.
>
>     Note that this section belongs to the security considerations
>     section which SHOULD NOT be normative and should only provide
>     guidance.
>
>     The sentence right after is the following:
>
>     It has a performance disadvantage, but where such disadvantage is
>
>     permissible, it should be considered.
>
>     It does not provide any guidance.
>
>
> Does it not? It is providing a guidance that the implementation should 
> consider not using cached request and create the request afresh each 
> time so that the entire request can be signed etc.
>
>     The key point is that a parameter able to detect replay needs to
>     be included in the request. This should be indicated in the
>     normative part.
>
>
> This security consideration is not about the replay attack but request 
> tampering.
>
>     It is unfortunate that RFC 7515 has not addressed replay
>     protection of JWS and only mentions the problem in section 10.10,
>     which is in the
>     security considerations section. Here it is:
>
>     10.10. Replay Protection
>
>     While not directly in scope for this specification, note that
>     applications using JWS (or JWE) objects can thwart replay attacks by
>     including a unique message identifier as integrity-protected content
>     in the JWS (or JWE) message and having the recipient verify that the
>     message has not been previously received or acted upon.
>
>     The text on page 7 should be changed into:
>
>     To sign, JSON Web Signature (JWS) [RFC7515] is used. The result is a
>     JWS signed JWT [RFC7519]. If signed, the Authorization Request
>     Object *MUST contain a client_id parameter and a "nonce" extension
>     parameter allowing to detect replay attacks* and SHOULD
>     contain an "iss"
>     (issuer) *parameter* and an "aud" (audience) *parameter*, with their
>     semantics being the same as defined in the JWT specification [RFC7519].
>
>     Note that Page 7 uses the "nonce" parameter in the example.
>
>
> I agree that inclusion of nonce etc. to thwart the replay attack has 
> to be done in the normative section and not in the security 
> consideration.
> Having said that, as I stated before, this specification is just 
> defining another encoding for RFC6749. As a result, the replay 
> protection etc. has to be deferred to an extension spec, such as OIDC.
>
>
>         JSON Web Token Claims are listed at:
>         https://www.iana.org/assignments/jwt/jwt.xhtml
>
>     "Nonce" is mentioned in OpenID Connect Core 1.0 incorporating
>     errata set 1.
>
>     It is described as:
>
>     nonce
>         Value used to associate a Client session with an ID Token
>
>
>     This is too restrictive since now a nonce should be included in a
>     JWS token.
>
>     The registration is as follows:
>
>       * Parameter name: nonce
>       * Parameter usage location: Authorization Request
>       * Change controller: OpenID Foundation Artifact Binding Working
>         Group - openid-specs-ab@lists.openid.net
>       * Specification document(s): Section 3.1.2 of this document
>         (http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
>       * Related information: None
>
>
>     Section 3.1.2 states:
>
>
>     3.1.2. Authorization Endpoint
>
>     The Authorization Endpoint performs Authentication of the
>     End-User. This is done by sending the User Agent to the
>     Authorization Server's Authorization Endpoint for Authentication
>     and Authorization, using request parameters defined by OAuth 2.0
>     and additional parameters and parameter values defined by OpenID
>     Connect.
>
>     Communication with the Authorization Endpoint MUST utilize TLS.
>     See Section 16.17
>     (http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements)
>     for more information on using TLS.
>
>     This has nothing to do with the nonce. Hence the nonce
>     registration information has been badly defined.
>
>     The OpenID specification also states:
>
>
>     "The Client SHOULD check the nonce value for replay attacks. The
>     precise method for detecting replay attacks is Client specific".
>
>     This does not allow interoperation.
>
>     Rather than correcting the registration information in the OpenID
>     specification, it would be better to suppress it from the OpenID
>     specification
>     and incorporate it within an IETF RFC.
>
>
> Out of scope for this specification.
> Also, you should discuss something on OIDC on a separate list, not here.
>
>     In order to avoid nonces to be kept in a memory for ever, a good
>     practice is to split the nonce in two parts:
>
>       * one of them includes a UTC NumericDate using the format
>         defined in RFC 7519, and
>       * the other one includes a random number.
>
>
>     In this way only recent nonces (e.g. received during the last 5
>     minutes) need to be kept in memory.
>     Three or four bytes for the random number will be sufficient.
>
>     In order to *allow for interoperability,* a format should be
>     specified.
>
>
>     I propose a NumericDate defining the UTC time concatenated with a
>     random number with three bytes.
>
>     "Nonce" has not been officially registered by IANA. An IANA
>     Considerations section should be added in draft-ietf-oauth-jwsreq
>     to register the "nonce" parameter.
>
>
> Everything related to nonce is out of scope. You should write a new I-D.
>
>     On page 14, section 6.2., after the previous proposed text which is:
>
>     Identifying the appropriate key MUST be done according to section 6
>     of RFC 7515 and using the Registered Header Parameter Names defined
>     in section 4.1 of RFC 7515, e.g. using the Header Parameters "jku",
>     "jwk", "kid", "x5u", "x5c", "x5t", or "x5t#S256".
>
>     I proposed to add the following text:
>
>     To perform JWS Signature Validation, the "nonce" Header Parameter in
>     the JOSE Header MUST be present and MUST be checked to verify that
>     the signed request is not the replay of a previous signed request.
>
>     A section defining the nonce parameter should be added.
>
>
> [snip]
>
>
>>          9. Section 10.3 states at its very end:
>>
>>         An extension specification
>>         should be created as a preventive measure to address potential
>>         vulnerabilities that have not yet been identified.
>>
>>
>>         Writing a document for vulnerabilities that have not yet been
>>         identified is speculative. It would rather be better
>>         either to remove this sentence or to explain what is meant by it.
>>
>>     Reject.
>>     It is referring to the first paragraph of the sub-section. Also,
>>     precaution when security is in question is a good thing.
>
>     This sentence is simply useless and thus should be deleted. Hence,
>     I maintain this comment.
>
>
> Agree to disagree.
>
>
>>         10. Section 11.1 states:
>>
>>         *11.1. Collection limitation*
>>
>>         *When the Client is being granted access to a protected resource
>>         containing personal data, the Client SHOULD limit the
>>         collection of
>>         personal data to that which is within the bounds of
>>         applicable law
>>         and strictly necessary for the specified purpose(s).*
>>
>>          The /presentation/ of personal data should be limited
>>         whether or not the protected resource contains personal data.
>>
>>         It is proposed to change this text into:
>>
>>         *When the Client requests an access to a protected resource,
>>         the Client
>>         SHOULD limit the presentation of personal data to that which
>>         is within
>>         the bounds of applicable law and strictly necessary for the
>>         specified
>>         purpose(s).*
>>
>>     Reject.
>>     You are not getting what OAuth does. The party that holds
>>     personal data is the authorization server / resource.
>>     It is not the client. The client is the party who is getting
>>     those "resources" which may contain personal data.
>>     Yes, the client can provide some personal data to the resource
>>     depending on what that resource endpoint is, but that is out of
>>     scope for OAuth.
>>     As far as OAuth is concerned, what is being sent from the client
>>     to the resource is the access token.
>
>     The dispute is whether the protected resource contains or not
>     personal data.
>     The data contained by the protected resource may well be public
>     data (or/and personal data).
>     It does not need to be only "personal data".
>
>     Hence, I maintain my comment.
>
>
> I do not understand your comment now. Your previous proposal seems to 
> be unrelated to the above comment.
>
>
>>
>>          11. Section 11.2.1 states:
>>
>>         11.2.1. Request Disclosure
>>
>>         This specification allows extension parameters.
>>
>>          It would be useful to name either all of them or some of
>>         them. RFC 6749 is not crystal clear about this.
>>
>>     Noted.
>>     RFC6749 only defines how to define extension parameters.
>>     This specification draws from OpenID Connect for some examples of
>>     extension parameters such as nonce.
>>     See section 4 for example.
>
>
>     See my earlier comments where client_id and nonce shall be mandatory.
>
>
>
> client_id is mandatory in RFC6749. Nonce is not defined in RFC6749 and 
> hence out of scope for this specification.
>
>     Denis
>
>
> [snip]
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
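
The replay check Denis argues for above (a nonce built from a UTC NumericDate plus a few random bytes, with the Authorization Server keeping only the values received in the last few minutes) is worked out here as an added example; it is not code from the draft, from the thread or from any participant. The parameter name "rdn", the 3-byte random size and the 5-minute window follow the proposal; the class and function names and the 30-second clock-skew allowance are this example's own assumptions.

```python
"""Replay detection for a signed Authorization Request carrying an "iat"
(RFC 7519 NumericDate, seconds since the Unix epoch) and a random number
"rdn", following the proposal in this thread.

Added example: not code from draft-ietf-oauth-jwsreq or from any participant.
The name "rdn", the 3-byte random size and the 5-minute window come from the
proposal; the class/function names and the 30-second clock-skew allowance are
assumptions of this example.
"""

import secrets
import time

WINDOW_SECONDS = 300        # "received during the last 5 minutes"
RDN_BYTES = 3               # "three bytes" for the random part
CLOCK_SKEW_SECONDS = 30     # assumption: tolerance for loosely synchronized clocks


def make_request_nonce(now=None):
    """Client side: build the (iat, rdn) pair to place in the request object.

    iat is the current UTC NumericDate; rdn is a fresh random integer drawn
    from a cryptographically secure source (3 bytes fit in the int32 the
    proposal suggests registering).
    """
    iat = int(time.time() if now is None else now)
    rdn = int.from_bytes(secrets.token_bytes(RDN_BYTES), "big")
    return {"iat": iat, "rdn": rdn}


class ReplayDetector:
    """Authorization Server side: the table of (iat, rdn) pairs described in
    the proposal, bounded in size because entries older than the window are
    evicted before every check."""

    def __init__(self, window=WINDOW_SECONDS, skew=CLOCK_SKEW_SECONDS):
        self.window = window
        self.skew = skew
        self._seen = {}     # (iat, rdn) -> iat, kept for eviction

    def _evict(self, now):
        # Strictly older than the window: any entry that could still pass the
        # window test in check() must stay, or a replay at the edge would slip in.
        cutoff = now - self.window
        for key in [k for k, iat in self._seen.items() if iat < cutoff]:
            del self._seen[key]

    def check(self, request, now=None):
        """Return (accepted, reason) for one request object."""
        now = int(time.time() if now is None else now)
        self._evict(now)
        iat, rdn = request.get("iat"), request.get("rdn")
        # Both values must be genuine integers (bool is an int subclass in Python).
        if any(isinstance(v, bool) or not isinstance(v, int) for v in (iat, rdn)):
            return False, "malformed"
        if not 0 <= rdn < 256 ** RDN_BYTES:
            return False, "malformed"
        if iat > now + self.skew:
            return False, "iat_in_future"
        if iat < now - self.window:
            return False, "iat_expired"        # outside the window: discard
        key = (iat, rdn)
        if key in self._seen:
            return False, "replay"             # already memorized: discard
        self._seen[key] = iat                  # memorize, then processing continues
        return True, "ok"

    def table_size(self):
        return len(self._seen)


def client_verify_token(request, token_claims):
    """Client side, second purpose of rdn: if the token echoes an "rdn" claim,
    it MUST equal the value the client sent, otherwise the token is discarded.
    The proposal makes inclusion optional (MAY), so an absent claim is not an
    error here; it simply provides no binding to the request."""
    if "rdn" not in token_claims:
        return True
    return token_claims["rdn"] == request["rdn"]


def demo():
    """Walk through the proposal's cases at fixed instants; returns the outcomes."""
    det = ReplayDetector()
    req = make_request_nonce(now=1_000_000)
    first = det.check(req, now=1_000_010)         # fresh -> accepted
    again = det.check(req, now=1_000_020)         # same (iat, rdn) -> replay
    late = det.check(req, now=1_000_400)          # evicted and outside the window
    return first, again, late, det.table_size()


if __name__ == "__main__":
    print(demo())
```

The table never holds more than one entry per accepted request within the window, which is what keeps the check cheap under the DoS concern raised in the thread.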



--------------1D8A97523D12651E0649B91D
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><font face="Arial">Hi Nat,</font></p>
    <p><font face="Arial">draft-ietf-oauth-jwsreq-12 has been issued on
        February 13, 2017 since the time I posted comments on
        draft-ietf-oauth-jwsreq-11 <br>
        on Fri, 17 Feb 2017 21:51:18 +0100</font></p>
    <p><font face="Arial">However, you omitted to respond to this email
        that contains 7 important topics.</font></p>
    <p><font face="Arial">ITEM 1 directly relates to the nonce issue I
        am pointing out in another email from today.<br>
      </font></p>
    <p><font face="Arial">Denis</font><br>
    </p>
=============================================================================================<br>
    <div class="moz-forward-container"><br>
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <div class="moz-cite-prefix"><font face="Arial">Hi Nat,<br>
          <br>
          Thank you for the forwarding of the detailed responses made by
          John.</font><span style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US"><br>
          Instead of replying between the lines, I have grouped my
          concerns under 7 items that are detailed below.<o:p></o:p></span>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 1<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">RFC 6749 states in section 10.2 (from the
            security considerations section on page 54):<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The authorization server SHOULD NOT process
            repeated authorization requests automatically <br>
            (without active resource owner interaction) without
            authenticating the client or relying on other measures <br>
            to ensure that the repeated request comes from the original
            client and not an impersonator.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">With such vague guidance there are dozens of
            possibilities, none of which is defined. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">How would two implementations be able to
            interoperate? The answer is simple: they can't. <br>
          </span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Nevertheless, <span style="color:blue">replay
              protection of a Token Request should be addressed in the
              current draft</span> and presently it isn't. <br>
            In order to address this concern, I make a proposal.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">An Authorization Server should be able to
            "easily" check (i.e. without losing too much computing time,
            in order to decrease <br>
            the efficiency of DoS attacks) whether a Token Request is a
            replay or not of a previous Token Request. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">ISO/IEC 10181-2:1996 (Information technology --
            Open Systems Interconnection -- Security frameworks for open
            systems: <br>
            Authentication framework) published more than 20 years ago
            defines two methods: the use of challenges or the use of
            unique numbers. <br>
          </span><span style="font-family:
            Arial;mso-ansi-language:EN-US" lang="EN-US"><span
              style="font-family: Arial;mso-ansi-language:EN-US"
              lang="EN-US">Unique numbers </span>are also called
            "nonces" (as a contraction of "number once") but their
            meaning is fully different from the meaning made by <br>
            the OpenID Connect Core specification, since a unique number
            as defined in that specification is in fact a "challenge" as
            defined by ISO/IEC 10181-2.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><br>
            Hereafter is the definition of a nonce as defined in the
            OpenID Connect Core specification: <o:p></o:p></span></p>
        <p class="MsoNormal"><font size="+1"><span
              style="mso-ansi-language:EN-US" lang="EN-US">nonce</span></font></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><font size="+1"><span
style="background:yellow;mso-highlight:yellow;mso-ansi-language:EN-US"
              lang="EN-US">String value used to associate a Client
              session with an ID Token</span><span
              style="mso-ansi-language:EN-US" lang="EN-US">, and to
              mitigate replay attacks. The value is passed through
              unmodified <br>
              from the Authentication Request to the ID Token. If
              present in the ID Token, Clients MUST verify that the </span><tt><span
                style="mso-ansi-font-size:12.0pt;font-family:&quot;Arial
                Unicode MS&quot;; mso-ansi-language:EN-US" lang="EN-US">nonce</span></tt><span
              style="mso-ansi-language: EN-US" lang="EN-US"> Claim Value
              is equal to <br>
              the value of the </span><tt><span
                style="mso-ansi-font-size:12.0pt;font-family:&quot;Arial
                Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">nonce</span></tt><span
              style="mso-ansi-language:EN-US" lang="EN-US"> parameter
              sent in the Authentication Request. If present in the
              Authentication Request, Authorization Servers MUST <br>
              include a </span><tt><span
                style="mso-ansi-font-size:12.0pt;font-family:&quot;Arial
                Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">nonce</span></tt><span
              style="mso-ansi-language:EN-US" lang="EN-US"> Claim in the
              ID Token with the Claim Value being the nonce value sent
              in the Authentication Request. Authorization Servers <br>
              SHOULD perform no other processing on </span><tt><span
                style="mso-ansi-font-size:12.0pt;
                font-family:&quot;Arial Unicode
                MS&quot;;mso-ansi-language:EN-US" lang="EN-US">nonce</span></tt><span
              style="mso-ansi-language:EN-US" lang="EN-US"> values used.
              The </span><tt><span
                style="mso-ansi-font-size:12.0pt;font-family:&quot;Arial
                Unicode MS&quot;; mso-ansi-language:EN-US" lang="EN-US">nonce</span></tt></font><span
            style="mso-ansi-language: EN-US" lang="EN-US"><font
              size="+1"> value is a case sensitive string. </font><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><br>
            A unique number (according to ISO/IEC 10181-2) is generated
            by a client and is used by a server to check the freshness
            of a request <br>
            without the need for the server to remember it more than a
            couple or a dozen of minutes. It is composed of a UTC time
            and a random number. <br>
            A unique number is generated by the client and checked by
            the Authorization Server. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Similarly, <span style="color:blue">in order
              to allow a Client to verify that the Access Token
              corresponds to the content of the Authorization Request</span>,<br>
          </span><span style="font-family:
            Arial;mso-ansi-language:EN-US" lang="EN-US"><span
              style="font-family: Arial;mso-ansi-language:EN-US"
              lang="EN-US">some data</span> SHOULD be included in the
            Access Token.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The OpenID Connect Core specification has
            defined a "nonce" that allows the second check to be
            performed, but not the first one. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">In order to avoid the Authorization Server
            having to remember unique numbers (as defined in ISO/IEC
            10181-2) forever, each Authorization Request needs <br>
            to contain a UTC time, so that unique numbers that are out
            of a time window (of, let us say, a couple or a dozen of
            minutes) can be removed <br>
            from the memory of the Authorization Server.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Fortunately, RFC 7519, Section 4.1.6 has
            defined "iat" which means "Issued At".<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:
            Arial;color:blue;mso-ansi-language:EN-US" lang="EN-US">This
            means that the Authorization Request as defined in the draft
            specification SHALL contain a unique number that consists of
            <br>
            both a "iat" parameter and a random number. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Let us call that second parameter "rdn" for
            "random number" and let us register it at IANA <i>within
              this future RFC</i> as being an int32,<br>
            which is quite sufficient for the intended purpose.<o:p></o:p></span></p>
        <p class="MsoNormal"><font size="+1"><span
              style="mso-ansi-language:EN-US" lang="EN-US">rdn</span><span
              style="font-family:&quot;Arial Unicode
              MS&quot;;mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></font></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><font size="+1"><span
              style="mso-ansi-language:EN-US" lang="EN-US">Integer value
              used by a Client in an Authentication Request for two
              purposes. Firstly, when associated with a "iat" parameter,
              <br>
              to allow an Authorization Server to detect the replay of
              an Authentication Request and secondly to allow a Client
              to check <br>
              the freshness of an Access Token. In order to detect the
              replay of an Authentication Request, the Authorization
              Server MUST <br>
              be able to (a) use a local clock loosely synchronized with
              the UTC, and (b) construct a table where the "iat"
              parameter and <br>
              the "rdn" parameter from each well-formed and accepted
              Authentication Request are memorized. Only the "iat"
              parameters <br>
              and the "rdn" parameters received during a short time
              window (e.g. a couple or dozen of minutes) need to be
              memorized. <o:p></o:p></span></font></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><font size="+1"><span
              style="mso-ansi-language:EN-US" lang="EN-US">After
              checking that the Authentication Request is well formed,
              its processing SHOULD continue by checking the "iat"
              parameter. <br>
              If the "iat" parameter is outside the time window, the
              Authentication Request SHALL be discarded by the
              Authorization Server. <br>
              If the "iat" parameter is inside the time window, the
              Authorization Server SHALL check whether the "iat" parameter
              associated <br>
              with that "rdn" parameter is not already memorized in the
              table. If it is the case, the Authentication Request SHALL
              be discarded <br>
              by the Authorization Server. Otherwise, the Authentication
              Request is not a replay of a previous Authentication
              Request and <br>
              the processing of the Authentication Request SHOULD
              continue.<o:p></o:p></span></font></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-ansi-language:EN-US" lang="EN-US"><font size="+1">The
              value of the rdn parameter is passed through unmodified
              from the Authentication Request to the Authorization
              Server. <br>
              It MAY be included in the Access Token by the
              Authorization Server. If present in the Access Token,
              Clients MUST verify <br>
              that the rdn Claim Value is equal to the value of the rdn
              parameter sent in the Authentication Request and if it is
              not the case, <br>
              the Access Token SHALL be discarded.</font><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Note that this allows the number of parameters
            to be optimized without the need to use the nonce parameter (</span><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><span style="font-family:
              Arial;mso-ansi-language:EN-US" lang="EN-US">as defined in
              the OpenID Connect Core specification)</span><br>
            which is not defined in any RFC for the moment.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The end result of this argumentation is that
            the Authorization Request - as defined in this draft
            specification - <span
              style="background:yellow;mso-highlight:yellow"><br>
              SHALL contain both an "iat" parameter and a "rdn"
              parameter</span>. Please take a look at the next item
            before expressing a position on this item.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 2<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><font size="+1"><span
              style="font-family: Arial;mso-ansi-language:EN-US"
              lang="EN-US">Nat: </span><span style="mso-ansi-language:
              EN-US" lang="EN-US">The implementer of this document needs
              to consult RFC6749 closely anyway as all the verification
              requirements still holds, <br>
              so as an editor, I would rather keep it as it is. It is
              not "reader friendly" but cannot go wrong with the
              approach to just referencing RFC6749.</span></font><span
            style="font-family:Arial;mso-ansi-language:EN-US"
            lang="EN-US"><o:p></o:p></span></p>
        <p class="MsoNormal"><font size="+1"><span
              style="font-family:Arial;mso-ansi-language: EN-US"
              lang="EN-US">John: </span></font><span
            style="mso-ansi-language:EN-US" lang="EN-US"><font size="+1">There
              are 4 flows in RFC6749. In each flow, there is a
              sub-section dedicated to the Authorization request. <br>
              In them, the parameters used in the authorization request
              are very clearly indicated. (...) Thus, it would be
              misleading just to say <br>
              the parameters defined in 4.1.1, 4.2.1, etc. As an editor,
              I feel better with the current language because it is at
              least not wrong nor misleading.</font><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-ansi-language:EN-US"
            lang="EN-US"><font size="+1">I proposed:</font><o:p></o:p></span></p>
        <div style="border:none;border-left:solid #CCCCCC
          .5pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="gmail-m5930343257793777031msoplaintext"
            style="margin-top:0cm;
margin-right:0cm;margin-bottom:0cm;margin-left:4.8pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .5pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              style="font-family:Arial;mso-ansi-language: EN-GB"
              lang="EN-GB">Object <b>MUST contain a client_id
                parameter</b> and SHOULD contain a<br>
              "iss" (issuer) <b>parameter</b> and an "aud"
              (audience) <b>parameter</b>, with <br>
              their semantics being the same as defined in the JWT
              [RFC7519] <br>
              specification.<o:p></o:p></span></p>
        </div>
        <p class="MsoNormal"><span style="mso-ansi-language:EN-GB"
            lang="EN-GB"><font size="+1">John: I am kind of ok with the
              proposed text, but if you want to single out
              `client_id`, perhaps a reason should be added. <br>
              There are other REQUIRED parameters in the Authorization
              Request defined in RFC6749, you know.</font><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The mandatory parameters to be included in the
            request should be identified. They are composed of:<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
margin-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l0
          level1 lfo2; tab-stops:list 36.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">(a) </span><span
            style="font-family:Arial;mso-ansi-language: EN-US"
            lang="EN-US">the common denominator of the REQUIRED
            parameters defined in 4.1.1, 4.2.1, etc, <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
margin-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l0
          level1 lfo2; tab-stops:list 36.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">(b) </span><span
            style="font-family:Arial;mso-ansi-language: EN-US"
            lang="EN-US">the parameters that are necessary to address
            the detection of the replay of previous well-formed
            requests, and<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
margin-left:36.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l0
          level1 lfo2; tab-stops:list 36.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">(c) </span><span
            style="font-family:Arial;mso-ansi-language: EN-US"
            lang="EN-US">the parameters that are necessary to address
            the detection of the replay of a previous well-formed token.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The common denominator of the REQUIRED
            parameters defined in 4.1.1, 4.2.1, etc, is the client_id
            parameter (indicated as "REQUIRED").<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The parameters that are necessary to address
            the detection of the two cases of replay are the "iat" and
            the "rdn" parameters.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">As a
            reader, I would feel better knowing which parameters are REQUIRED,
            leaving other details to </span><span
            style="font-family:Arial; mso-ansi-language:EN-US"
            lang="EN-US">RFC 6749.</span><span
            style="mso-bidi-font-size:
            12.5pt;font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">In
            conclusion, the draft should indicate that the following
            parameters are always REQUIRED: </span><span
            style="font-family:Arial;
            color:blue;mso-ansi-language:EN-US" lang="EN-US">client_id,
            iat and rdn</span><span
            style="font-family:Arial;mso-ansi-language:EN-US"
            lang="EN-US">.</span></p>
        <p class="MsoNormal"><font face="Arial">Hence my proposal:</font><br>
          <span style="font-family:Arial;mso-ansi-language:EN-US"
            lang="EN-US"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-ansi-language:EN-GB"
            lang="EN-GB"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <div style="border:none;border-left:solid #CCCCCC
          .5pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="gmail-m5930343257793777031msoplaintext"
            style="margin-top:0cm;
margin-right:0cm;margin-bottom:0cm;margin-left:4.8pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .5pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><b><span
                style="font-family:&quot;Courier New&quot;;
                mso-ansi-language:EN-GB" lang="EN-GB">Object MUST
                contain a "client_id" parameter, i.e. </span></b><b><span
                style="font-family:&quot;Courier New&quot;;
                mso-ansi-language:EN-US" lang="EN-US">a string
                representing the registration information <br>
                provided by the end-user that is unique to the
                authorization server,</span></b><b><span
                style="font-family:&quot;Courier
                New&quot;;mso-ansi-language:EN-GB" lang="EN-GB"> an
                "iat" parameter and <br>
                an "rdn" parameter and SHOULD contain an "iss" (issuer)
                parameter and an "aud" (audience) parameter, <br>
                with their semantics being the same as defined in the
                JWT [RFC7519] specification.<o:p></o:p></span></b></p>
        </div>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt;text-align:center"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 3<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal"><font size="+1"><span
              style="font-family:Arial;mso-ansi-language: EN-US"
              lang="EN-US">Nat: </span><span
              style="mso-ansi-language:EN-US" lang="EN-US">ABC attack is
              out of scope for OAuth. It is not a new attack. The
              resource owner handing a bearer token <br>
              to another party willfully is not a threat in the bearer
              token model. </span><span style="font-family:&quot;Arial
              Unicode MS&quot;; mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></font></p>
        <font size="+1"> </font>
        <p class="MsoNormal"><font size="+1"><span
              style="mso-ansi-language:EN-US" lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></font></p>
        <font size="+1"> </font>
        <p class="MsoNormal"><font size="+1"><span
              style="font-family:Arial;mso-ansi-language: EN-US"
              lang="EN-US">Nat</span></font><span
            style="mso-ansi-language:EN-US" lang="EN-US"><font size="+1">:
              ABC attack is out of scope of RFC 6749 and RFC 6750. They
              can be dealt with in POP document but not this one. </font><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Denis: RFC 6749 (The OAuth 2.0 Authorization
            Framework) was published in October 2012. RFC 6819
            (OAuth 2.0 Threat Model and Security Considerations) <br>
            was published in January 2013, hence after RFC 6749, so
            RFC 6749 could not reference RFC 6819. <i>The carriage had
              been placed before the horse</i>. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">RFC 6819 implicitly talks about the ABC attack
            in section 5.1.6: <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:36.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">5.1.6.<span style="mso-spacerun: yes">&nbsp; </span>Access
            Tokens<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:36.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>The
            following measures should be used to protect access tokens:<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:36.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>(...).<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:36.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>o<span
              style="mso-spacerun: yes">&nbsp; </span><span
              style="color:#3366FF">Ensure that client applications do
              not share tokens with 3rd parties</span>.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">You said:</span><span
            style="mso-ansi-language:EN-US" lang="EN-US"> <font
              size="+1">"They can be dealt with in POP document". </font><font
              face="Arial"><br>
            </font></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:Arial;mso-ansi-language: EN-US"
            lang="EN-US">Unfortunately, at the present time, this is not
            the case.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The key point is that none of the documents
            issued by the OAuth WG (nor by the Tokbind WG) indicates
            how to <br>
            "Ensure that client applications do not share tokens with
            3rd parties".<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">The charter of the Tokbind WG (unbearable)
            states (see: <cite><span
                style="color:#3366FF;font-style:normal"><a
                  moz-do-not-send="true" class="moz-txt-link-freetext"
                  href="https://datatracker.ietf.org/wg/tokbind/charter">https://datatracker.ietf.org/wg/tokbind/charter</a></span></cite>)
            :<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">"It is a goal of this working group to enable
            defense against attacks that involve unauthorized replay of
            security tokens. <br>
            Other issues associated with the use of security tokens are
            out of scope". <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-ansi-language:EN-US" lang="EN-US">However,
            draft-ietf-tokbind-protocol-13 (The Token Binding Protocol
            Version 1.0) <font color="#000099"><i>issued yesterday</i></font>
            explicitly states:<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-ansi-language:EN-US"
            lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;;mso-ansi-language: EN-US" lang="EN-US">The Token
            Binding protocol does not prevent cooperating clients from</span><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;; mso-fareast-font-family:&quot;Arial Unicode
            MS&quot;;mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;;mso-ansi-language: EN-US" lang="EN-US">sharing a
            bound token. A client could intentionally export a bound<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;;mso-ansi-language: EN-US" lang="EN-US">token with
            the corresponding Token Binding private key, or perform<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;;mso-ansi-language: EN-US" lang="EN-US">signatures
            using this key on behalf of another client.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">So neither the OAuth WG nor the TokBind WG
            has, at this time, a draft that is potentially able to
            counter the ABC attack.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">So saying that the "ABC attack is out of scope
            for OAuth" is not the right wording. <br>
            Saying that the "<span style="color:blue">ABC attack has not
              been taken into consideration for OAuth 2.0</span>" is <b>a
              fact</b>. <br>
            That <b>fact </b>should not be hidden in the current
            draft. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Since it is unlikely that RFC 6819 will be soon
            replaced by another RFC, it is necessary to mention that
            threat in the security considerations section. <br>
            This does not mean that this threat shall be solved in the
            current draft, but readers should be aware that the ABC
            attack is not countered using this draft. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">A text along the following one should be added
            into the security consideration section:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:36.0pt"><span
            style="mso-bidi-font-size:9.0pt;font-family:&quot;Courier
            New&quot;;mso-ansi-language: EN-US" lang="EN-US">In case of
            a cooperation between clients, the format of the JWT Secured
            Authorization Request <br>
            described in this document does not prevent a client from
            asking a token to an Authorization Server <br>
            that, once being obtained, may be successfully passed from
            one client to another one without <br>
            the resource server to which it is intended being able to
            notice it.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Note that a <i>different</i> format of a
            signed request would be one piece of a puzzle able to solve
            it.</span><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt;text-align:center"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 4<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">Hereafter is another topic, about both the
            "client_id" and "collection minimization", which
            apparently are not related to each other<br>
            ... but they are, as explained below.
            <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><br>
          </span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US">1) The draft states:<o:p></o:p></span></p>
        <p class="gmail-m5930343257793777031msoplaintext"
          style="margin-left:36.0pt"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The signature MUST be validated against the
            appropriate key for that<span style="background:aqua"><br>
            </span>"client_id" and algorithm.<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">I commented:<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
          margin-left:36.0pt"><span
            style="font-family:Arial;mso-ansi-language: EN-GB"
            lang="EN-GB">The important point is to provide guidance on
            how to map the client_id parameter with the appropriate key.
            There is none at the present time.<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><br>
          </span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">I suggested to add:<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
          margin-left:36.0pt"><span
            style="font-family:Courier;mso-ansi-language: EN-GB"
            lang="EN-GB">Identifying the appropriate key MUST be done
            according to section 6 of RFC 7515 <br>
            and using the Registered Header Parameter Names defined in
            section 4.1 of RFC 7515, <br>
            e.g. using the Header Parameters "jku", "jwk", "kid", "x5u",
            "x5c", "x5t", or "x5t#S256".</span><span
            style="mso-ansi-language:EN-GB" lang="EN-GB"><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">There was no comment/opinion from John about
            this proposal.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><br>
          </span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">2)<span style="mso-spacerun: yes">&nbsp; </span>About
            "collection minimization"<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The introduction states on page 4:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:
            Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>(d)
            (collection minimization) The request can be signed by a
            third party <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>attesting
            that the authorization request is compliant to certain <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span><span
              style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;</span>policy.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">However, later on, there is the following
            explanation:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:
            Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>In
            addition, it allows requests to be prepared by a third party
            <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>so that a client
            application cannot request more permissions <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>than previously
            agreed. <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">John explained: <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The third party indeed signs the request on
            behalf of the client as the result of verification that the
            permission is the same as previously agreed. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The value of `client_id` will be the requesting
            party. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The value of `iss` can be the third party. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">But setting aside that, I guess your point
            actually is on the use of the word "request". Authorization
            request is the entire thing that travels <br>
            from the client and not a part of it, and that is a fair
            point. Having said that, I have a problem with your use of
            the word "verified". What about this? <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:
            Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>(d)
            (collection minimization) The data being requested can be <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>attested by a
            third party that is compliant to collection <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>minimization
            principle.<span style="mso-spacerun: yes">&nbsp; </span><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><br>
            3) Denis's proposal to solve this comment:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">After:<o:p></o:p></span></p>
        <p class="gmail-m5930343257793777031msoplaintext"
          style="margin-left:27.0pt"><b><span
              style="font-family:&quot;Courier
              New&quot;;mso-ansi-language:EN-GB" lang="EN-GB">The
              signature MUST be validated against the appropriate key
              for that "client_id" and algorithm.<o:p></o:p></span></b></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">I suggest to add:<br>
            <br>
            <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
          margin-left:27.0pt"><b><span style="font-family:&quot;Courier
              New&quot;; mso-ansi-language:EN-GB" lang="EN-GB">Identifying
              the appropriate key MUST be done according to section 6 of
              RFC 7515 <br>
              and using the Registered Header Parameter Names defined in
              section 4.1 of RFC 7515, <br>
              e.g. using the Header Parameters "jku", "jwk", "kid",
              "x5u", "x5c", "x5t", or "x5t#S256".<span
                style="mso-spacerun: yes">&nbsp; <br>
              </span>That key may be either associated with the
              client_id which is a </span></b><b><span
              style="font-family:&quot;Courier New&quot;;
              mso-ansi-language:EN-US" lang="EN-US">string unique to the
              authorization <br>
              server representing the registration information
              originally provided by the end-user or <br>
            </span></b><b><span style="font-family:&quot;Courier
              New&quot;; mso-ansi-language:EN-US" lang="EN-US"><b><span
                  style="font-family:&quot;Courier New&quot;;
                  mso-ansi-language:EN-GB" lang="EN-GB">associated </span></b>with
              a third party with which the authorization server has a
              trust relationship. </span></b><b><span
              style="font-family:&quot;Courier
              New&quot;;mso-ansi-language: EN-GB" lang="EN-GB"><o:p></o:p></span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">I also propose to change item d) in the
            following way:
            <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:
            Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>(d)
            (collection minimization) The request can be signed by a
            third party <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><b><span
                style="color:blue">rather than by an end-user </span></b>attesting
            that the authorization request <br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>is compliant
            to certain policy. (...)<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt;text-align:center"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 5<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><!--[if !supportEmptyParas]-->&nbsp;<!--[endif]--><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">On
            the following issue, I believe that I agree with John on the
            rationale. However, John was unclear whether he accepted the
            proposed change <br>
            or an alternative one capturing the same concept.</span></p>
        <p class="MsoNormal"><br>
        </p>
        <p class="MsoNormal"><br>
          <span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US"><o:p></o:p></span></p>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="MsoNormal"
            style="margin-right:36.0pt;mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;margin-left:40.8pt;border:none;mso-border-left-alt:
            solid #CCCCCC .75pt;padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family: Arial;mso-ansi-language:EN-GB"
                lang="EN-GB">The introduction states on page 4:</span></span><span
              style="font-family:&quot;Arial Unicode
              MS&quot;;mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
        </div>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="msonormalgmail-m5930343257793777031gmailmsg"
            style="margin-top:0cm;
margin-right:36.0pt;margin-bottom:0cm;margin-left:45.6pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .75pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US">(a) (integrity protection) The request
                can be signed so that the integrity of the request can
                be checked</span></span><span
class="gmail-m5930343257793777031m5262665161593131067deletegmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US"> </span></span><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family: Arial;mso-ansi-language:EN-US"
                lang="EN-US">; </span></span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
          <p class="msonormalgmail-m5930343257793777031gmailmsg"
            style="margin-top:0cm;
margin-right:36.0pt;margin-bottom:0cm;margin-left:45.6pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .75pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US">&nbsp;</span></span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
          <p class="msonormalgmail-m5930343257793777031gmailmsg"
            style="margin-top:0cm;
margin-right:36.0pt;margin-bottom:0cm;margin-left:45.6pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .75pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US">This should be changed into:</span></span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
          <p class="msonormalgmail-m5930343257793777031gmailmsg"
            style="margin-top:0cm;
margin-right:36.0pt;margin-bottom:0cm;margin-left:45.6pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .75pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US">&nbsp;</span></span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
          <p class="msonormalgmail-m5930343257793777031gmailmsg"
            style="margin-top:0cm;
margin-right:36.0pt;margin-bottom:0cm;margin-left:45.6pt;margin-bottom:.0001pt;
            border:none;mso-border-left-alt:solid #CCCCCC
            .75pt;padding:0cm;mso-padding-alt: 0cm 0cm 0cm 6.0pt"><span
              class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:Arial;mso-ansi-language:EN-US"
                lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp; (a) (integrity protection) The request
                can be authenticated either using a digital signature or
                using encryption under a secret key </span></span><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US"><br>
              <span class="gmail-m5930343257793777031gmailmsg">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                so that the integrity of the request can be checked</span><span
class="gmail-m5930343257793777031m5262665161593131067deletegmail-m5930343257793777031gmailmsg">
              </span><span class="gmail-m5930343257793777031gmailmsg">;</span></span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
        </div>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="MsoNormal"
            style="margin-right:36.0pt;mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;margin-left:40.8pt;border:none;mso-border-left-alt:
            solid #CCCCCC .75pt;padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span style="mso-ansi-language:EN-US" lang="EN-US">Reject.</span></p>
          <p class="MsoNormal"
            style="margin-right:36.0pt;mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;margin-left:40.8pt;border:none;mso-border-left-alt:
            solid #CCCCCC .75pt;padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><font size="+1"><span style="mso-ansi-language:EN-US"
                lang="EN-US">This paragraph is talking about the
                integrity protection and not the source authentication.</span></font></p>
          <font size="+1"> </font>
          <p class="MsoNormal"
            style="margin-right:36.0pt;mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;margin-left:40.8pt;border:none;mso-border-left-alt:
            solid #CCCCCC .75pt;padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><font size="+1"><span style="mso-ansi-language:EN-US"
                lang="EN-US">And even for source authentication, saying
                that encryption under a secret key is not accurate as it
                was discussed earlier in the WG mail.</span></font></p>
          <font size="+1"> </font>
          <p class="MsoNormal"
            style="margin-right:36.0pt;mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;margin-left:40.8pt;border:none;mso-border-left-alt:
            solid #CCCCCC .75pt;padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span style="mso-ansi-language:EN-US" lang="EN-US"><font
                size="+1">I am not sure if "Introduction" needs to state
                everything that is explained later. The idea of an
                introduction is probably to give the main points. <br>
                The list is not an exhaustive list of the benefits of
                using JWT as the authorization request format. For
                example, being able to encrypt <br>
                the request, which is not listed there, has the advantage
                of preventing MITB from eavesdropping on the request. So I think
                it is OK as is. <br>
                <br>
              </font></span></p>
        </div>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
            margin-left:4.8pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">Integrity protection cannot be verified
              without knowing the source of the information.</span><span
              style="mso-ansi-language:EN-US" lang="EN-US"> <br>
              <br>
              <o:p></o:p></span></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
            margin-left:4.8pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">Using encryption (which supports at the same
              time an integrity service when secret keys are being used)
              is another way to be able to check the integrity of the
              request. </span><span style="mso-ansi-language:EN-US"
              lang="EN-US"><o:p></o:p></span></p>
          <p class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
            margin-left:4.8pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">So I maintain my comment.</span><span
              style="mso-ansi-language:EN-US" lang="EN-US"><o:p></o:p></span></p>
        </div>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US"><br>
          </span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">John:
            I think the issue is that if you encrypt with an asymmetric
            algorithm then the receiver has no idea who encrypted it.</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">Denis
            response: That is correct.</span></p>
        <p class="MsoNormal"><span style="mso-ansi-language:EN-US"
            lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">John:
            If encrypted with a symmetric key (not secret key) then you
            know that it came from someone who has access to that
            key. That works because we only support AEAD encryption.</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">Denis
            response: That is correct (<i>except that for me, a
              symmetric key is a perfect synonym for a secret key</i>)
            :-)</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span
            style="mso-bidi-font-size:9.0pt;font-family:
            Arial;color:#212121;mso-ansi-language:EN-US" lang="EN-US">John:
            You can use asymmetric encryption but you need to sign first
            if you want to know who it is from.</span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">Denis
            response: It does not matter.</span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">My
            proposal is to change the sentence into:</span></p>
        <p class="MsoNormal"><span style="mso-bidi-font-size:12.5pt;
            font-family:Arial;mso-fareast-font-family:&quot;Arial
            Unicode MS&quot;;mso-ansi-language: EN-US" lang="EN-US">&nbsp;</span></p>
        <p class="MsoNormal" style="margin-left:27.0pt"><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family: Arial;mso-ansi-language:EN-US"
              lang="EN-US">(a) (integrity protection) The request can be
              authenticated either using a digital signature or using
              encryption <br>
              under a <i><span style="color:blue">symmetric</span></i>
              key so that the integrity of the request can be checked</span></span><span
class="gmail-m5930343257793777031m5262665161593131067deletegmail-m5930343257793777031gmailmsg"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US"> </span></span><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family: Arial;mso-ansi-language:EN-US"
              lang="EN-US">;<o:p></o:p></span></span></p>
        <p class="MsoNormal"><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">&nbsp;</span></span></p>
        <p class="MsoNormal"><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">If you believe something should be changed in
              that proposal, please make another proposal.</span></span></p>
        <p class="MsoNormal"><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family:Arial;mso-ansi-language:EN-US"
              lang="EN-US">&nbsp;</span></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt;text-align:center"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 6</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">&nbsp;</span></p>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:
                Arial;color:#222222;mso-ansi-language:EN-GB"
                lang="EN-GB">10. Section 11.1 states:<br>
                <br>
              </span></span><span style="font-family:Arial"><o:p></o:p></span></p>
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:
                Arial;color:#222222;mso-ansi-language:EN-GB"
                lang="EN-GB">&nbsp;</span></span><span
              class="gmail-m5930343257793777031gmailmsg"><b><span
                  style="font-family:
Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB" lang="EN-GB">11.1.&nbsp;
                  Collection limitation<br>
                  <br>
                </span></b></span><span style="font-family:Courier;
              mso-bidi-font-family:Arial"><o:p></o:p></span></p>
        </div>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:-32.4pt;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><b><span
                  style="font-family:
Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp;&nbsp;
                  When the Client <span style="color:blue">is being
                    granted</span> access to a protected resource</span></b></span><b><span
                style="font-family:
Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB" lang="EN-GB"><br>
                <span class="gmail-m5930343257793777031gmailmsg">&nbsp;&nbsp; <span
                    style="color:blue">containing personal data</span>,
                  the Client SHOULD limit the <span style="color:blue">collection</span>
                  of</span><br>
                <span class="gmail-m5930343257793777031gmailmsg">&nbsp;&nbsp;
                  personal data to that which is within the bounds of
                  applicable law</span><br>
                <span class="gmail-m5930343257793777031gmailmsg">&nbsp;&nbsp; and
                  strictly necessary for the specified purpose(s).</span></span></b></p>
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:-32.4pt;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span
style="font-family:Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB"
              lang="EN-GB">&nbsp;</span></p>
        </div>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><span
                style="font-family:
                Arial;color:#222222;mso-ansi-language:EN-GB"
                lang="EN-GB">&nbsp;The <i>presentation</i> of personal data
                should be limited whether or not the protected resource
                contains personal data.</span></span><span
              style="font-family:Arial; mso-ansi-language:EN-GB"
              lang="EN-GB"> <span
                class="gmail-m5930343257793777031gmailmsg"><span
                  style="color:#222222"><br>
                  &nbsp;&nbsp; </span></span></span></p>
        </div>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><br>
            We have trouble understanding each other.</span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">1° This condition applies at the time of the
            request, not at the time of the granting.</span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">2° The <span
              class="gmail-m5930343257793777031gmailmsg">protected
              resource may contain either personal data or public data
              or both, so there is no need to specify "personal data".<o:p></o:p></span></span></p>
        <p class="MsoNormal"
          style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;
          margin-left:27.0pt;margin-bottom:.0001pt"><span
            class="gmail-m5930343257793777031gmailmsg"><span
              style="font-family: Arial;mso-ansi-language:EN-GB"
              lang="EN-GB">3° Personal data is <i>presented</i> by the
              client; it is not <i>collected</i>.</span></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB"><br>
            In blue, you have the changes I propose:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">&nbsp;</span></p>
        <div style="border:none;border-left:solid #CCCCCC
          .75pt;padding:0cm 0cm 0cm 6.0pt">
          <p
class="gmail-m5930343257793777031m5262665161593131067msoplaintextgmail-m5930343257793777031gmailmsg"
style="margin-top:0cm;margin-right:-41.4pt;margin-bottom:0cm;margin-left:4.8pt;
            margin-bottom:.0001pt;border:none;mso-border-left-alt:solid
            #CCCCCC .75pt; padding:0cm;mso-padding-alt:0cm 0cm 0cm
            6.0pt"><span class="gmail-m5930343257793777031gmailmsg"><b><span
                  style="font-family:
Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-GB" lang="EN-GB">When
                  the Client <span style="color:blue">requests an</span>
                  access to a protected resource <s><span
                      style="color:blue">containing <br>
                      personal data</span></s>, the Client SHOULD limit
                  the <span style="color:blue">presentation</span> of
                  personal <br>
                  data to that which is within the bounds of applicable
                  law and strictly necessary <br>
                  for the specified purpose(s).</span></b></span><span
              style="font-family:Courier;mso-ansi-language:EN-GB"
              lang="EN-GB"><o:p></o:p></span></p>
        </div>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">&nbsp;</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt;text-align:center"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">ITEM 7</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">======================================================================</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">&nbsp;</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">John: </span><span style="mso-ansi-language:
            EN-GB" lang="EN-GB"><font size="+1">This specification draws
              from OpenID Connect for some examples of extension
              parameters such as nonce.</font></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">On page 16 the text states:<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">&nbsp;</span></p>
        <p class="MsoNormal"><b><span style="font-family:&quot;Courier
              New&quot;; mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp; The following is an
              example of the Claims in a Request Object before</span></b></p>
        <p class="MsoNormal"><b><span style="font-family:&quot;Courier
              New&quot;; mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp; base64url encoding
              and signing.&nbsp; Note
              that it includes extension</span></b></p>
        <p class="MsoNormal"><b><span style="font-family:&quot;Courier
              New&quot;; mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp; variables such as
              "nonce" and "max_age".</span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">The key point is whether it is appropriate <b><i>in
                the main body of this document</i> </b>to provide
            examples that include parameters <br>
            such as "nonce" and "max_age" that are not described in any
            RFC. The text does not even indicate where these extensions
            <br>
            are coming from. It would be more appropriate to use
            extensions that are defined in IETF RFCs.<o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">Since the replay protection of the request MUST be
            achieved, remove </span><b><span style="font-family:&quot;Courier
              New&quot;;mso-ansi-language:EN-GB" lang="EN-GB">"nonce":
              "n-0S6_WzA2Mj"</span></b><span style="font-family:
            Arial;mso-ansi-language:EN-GB" lang="EN-GB"> and replace it
            with:</span></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><b><span
              style="font-family:&quot;Courier
              New&quot;;mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp; "iat": 1487354400</span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><b><span
              style="font-family:&quot;Courier
              New&quot;;mso-ansi-language:EN-GB" lang="EN-GB">&nbsp;&nbsp; "rdn":
              7945123</span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family: Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">remove: </span><b><span
              style="font-family:&quot;Courier
              New&quot;;mso-ansi-language:EN-GB" lang="EN-GB">"max_age":
              86400</span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><span
            style="font-family:Arial;mso-ansi-language:EN-GB"
            lang="EN-GB">and finally remove:&nbsp; </span><b><span
              style="font-family:&quot;Courier New&quot;;
              mso-ansi-language:EN-GB" lang="EN-GB">Note
              that it includes extension variables such as
              "nonce" and "max_age".</span></b></p>
        <p class="MsoNormal" style="margin-top:6.0pt"><!--[if !supportEmptyParas]--><font
            face="Arial">Denis</font></p>
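<p>The exchange above on item 5 (integrity protection by signing versus by encryption under a symmetric key, and why asymmetric encryption needs a signature underneath it) can be checked end to end in code. The following Go program is an added example written for this page; it is not code from the JAR draft, from John or from Denis. It stands in for the JWS/JWE layers with the Go standard library (AES-256-GCM, RSA-OAEP, ECDSA P-256) and uses a one-byte length prefix instead of a nested JWT; the sample request claims, the key sizes and the names <code>SymmetricCase</code>, <code>AsymmetricCase</code> and <code>SignThenEncryptCase</code> are its own assumptions. Each case returns whether the server accepts the legitimate client's request and whether it accepts an attacker's.</p>

```go
// Added demo, not the draft's or the thread authors' code; keys, the sample request and the framing are constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the claims of a Request Object before JWT encoding.
var request = []byte(`{"iss":"s6BhdRkqt3","aud":"https://server.example.com","response_type":"code"}`)

// The authorization server's key pair; clients and attackers see only the public half.
var serverKey, _ = rsa.GenerateKey(rand.Reader, 2048)

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // demo keys are always 32 bytes, so no error
	g, _ := cipher.NewGCM(block)
	return g
}

// aeadSealOpen encrypts the request under sealKey with AES-256-GCM and reports
// whether Open under openKey succeeds. Open fails when the key differs or a byte
// was altered: the AEAD tag gives integrity and, to key holders, origin.
func aeadSealOpen(sealKey, openKey []byte) bool {
	nonce := make([]byte, 12) // would travel with the ciphertext in a real JWE
	rand.Read(nonce)
	ct := newGCM(sealKey).Seal(nil, nonce, request, nil)
	_, err := newGCM(openKey).Open(nil, nonce, ct, nil)
	return err == nil
}

// Each case returns (client's request accepted, attacker's request accepted).
// SymmetricCase: server and client share a key; the attacker holds another.
func SymmetricCase() (bool, bool) {
	clientKey, attackerKey := make([]byte, 32), make([]byte, 32)
	rand.Read(clientKey)
	rand.Read(attackerKey)
	return aeadSealOpen(clientKey, clientKey), aeadSealOpen(attackerKey, clientKey)
}

// encryptTo is RSA-OAEP to the server's public key. A real JWE wraps a content
// key this way and AEAD-encrypts the payload; encrypting the small payload
// directly changes nothing about who is able to produce the ciphertext.
func encryptTo(msg []byte) []byte {
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, msg, nil)
	return ct
}

func decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, ct, nil)
}

// AsymmetricCase: client and attacker perform the identical public-key
// operation, so the server decrypts both and cannot tell them apart.
func AsymmetricCase() (bool, bool) {
	_, errClient := decrypt(encryptTo(request))
	_, errAttacker := decrypt(encryptTo(request))
	return errClient == nil, errAttacker == nil
}

// signedBlob frames an ECDSA P-256 signature in front of the message
// (1-byte length, DER signature, message) so the pair is encrypted as a unit.
func signedBlob(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:]) // at most 72 bytes for P-256
	return append(append([]byte{byte(len(sig))}, sig...), msg...)
}

// verifySignedBlob checks the inner signature against the registered client key.
func verifySignedBlob(pub *ecdsa.PublicKey, blob []byte) ([]byte, bool) {
	if len(blob) < 1 || 1+int(blob[0]) > len(blob) {
		return nil, false
	}
	sig, msg := blob[1:1+int(blob[0])], blob[1+int(blob[0]):]
	h := sha256.Sum256(msg)
	return msg, ecdsa.VerifyASN1(pub, h[:], sig)
}

// SignThenEncryptCase: sign first, then encrypt. The attacker's ciphertext still
// decrypts, but the signature inside does not verify under the client's key.
func SignThenEncryptCase() (bool, bool) {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	accept := func(ct []byte) bool {
		blob, err := decrypt(ct)
		if err != nil {
			return false
		}
		msg, ok := verifySignedBlob(&clientKey.PublicKey, blob)
		return ok && string(msg) == string(request)
	}
	return accept(encryptTo(signedBlob(clientKey, request))), accept(encryptTo(signedBlob(attackerKey, request)))
}

func main() {
	c1, a1 := SymmetricCase()
	c2, a2 := AsymmetricCase()
	c3, a3 := SignThenEncryptCase()
	fmt.Println("accepted (client, attacker): symmetric AEAD", c1, a1, "| asymmetric only", c2, a2, "| sign then encrypt", c3, a3)
}
```

<p>Run it with <code>go run</code>. The symmetric case rejects the attacker because the GCM tag is computed under the shared key, so a valid decryption shows the sender held that key; the asymmetric-only case accepts both, which is the gap John describes; the sign-then-encrypt case closes it because the check made after decryption is against the client key the server has on record.</p>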
        <p class="MsoNormal" style="margin-top:6.0pt"><br>
          <span style="font-family: Arial;mso-ansi-language:EN-US"
            lang="EN-US"><!--[endif]--><o:p></o:p></span></p>
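<p>Item 7 proposes carrying <code>"iat"</code> and <code>"rdn"</code> in the Request Object so that replay of the request can be detected. The following Go program is an added example, not code from the draft or from anyone in the thread, showing the check an authorization server would need to run on those two claims. It assumes that <code>rdn</code> is a random number fresh for every request from a given issuer (the thread does not define it), a five-minute acceptance window, and the constructed requests in <code>main</code>; the type and function names are its own.</p>

```go
// Added demo, not the draft's or the thread authors' code. "rdn" is assumed to
// be a per-request random number; the claim names and sample requests are constructed.
package main

import (
	"fmt"
	"time"
)

// Request carries the claims the replay check needs; a real server would have
// verified the Request Object's signature (or AEAD tag) before reaching here.
type Request struct {
	Iss string
	Iat int64 // seconds since the epoch, as in the proposed "iat": 1487354400
	Rdn uint64
}

type seenKey struct {
	iss string
	rdn uint64
}

// ReplayCache rejects any (iss, rdn) pair already used inside the acceptance
// window. Because iat must fall inside that window, entries whose iat has
// aged out can be evicted, so the set stays bounded.
type ReplayCache struct {
	window time.Duration
	seen   map[seenKey]int64 // iat of the request that first used the key
}

func NewReplayCache(window time.Duration) *ReplayCache {
	return &ReplayCache{window: window, seen: make(map[seenKey]int64)}
}

// Check accepts a given request exactly once and explains any rejection.
func (c *ReplayCache) Check(r Request, now time.Time) error {
	skew := now.Sub(time.Unix(r.Iat, 0))
	if skew > c.window || -skew > c.window {
		return fmt.Errorf("iat %d is outside ±%s of server time", r.Iat, c.window)
	}
	c.evict(now)
	k := seenKey{r.Iss, r.Rdn}
	if _, dup := c.seen[k]; dup {
		return fmt.Errorf("replay: iss=%q rdn=%d already used", r.Iss, r.Rdn)
	}
	c.seen[k] = r.Iat
	return nil
}

// evict drops entries a replay could no longer reuse: their iat would fail the
// window test above regardless of the seen set.
func (c *ReplayCache) evict(now time.Time) {
	for k, iat := range c.seen {
		if now.Sub(time.Unix(iat, 0)) > c.window {
			delete(c.seen, k)
		}
	}
}

// Size reports how many (iss, rdn) pairs are currently remembered.
func (c *ReplayCache) Size() int { return len(c.seen) }

func main() {
	cache := NewReplayCache(5 * time.Minute)
	now := time.Unix(1487354400, 0) // constructed "server time", equal to the sample iat
	first := Request{Iss: "s6BhdRkqt3", Iat: 1487354400, Rdn: 7945123}
	fmt.Println("first use :", cache.Check(first, now))
	fmt.Println("replay    :", cache.Check(first, now.Add(30*time.Second)))
	stale := Request{Iss: "s6BhdRkqt3", Iat: 1487354400 - 3600, Rdn: 99}
	fmt.Println("stale iat :", cache.Check(stale, now))
	fmt.Println("remembered:", cache.Size())
}
```

<p>Both claims are needed for the check to work: <code>iat</code> on its own is not unique, and <code>rdn</code> on its own would force the server to remember every value it has ever seen, whereas bounding <code>iat</code> to a window lets the seen set be pruned and still rejects a replay presented after the window has closed.</p>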
      </div>
      <blockquote
cite="mid:CABzCy2BjAPFjXz8r5tX6u5dw2aKALb=Z3a9TsKUUJewLbgcF1g@mail.gmail.com"
        type="cite">
        <div dir="ltr">Hi Denis,
          <div><br>
          </div>
          <div>Thought John's response went to you as well but
            apparently not.</div>
          <div><br>
          </div>
          <div>My replies inline:</div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Fri, Feb 10, 2017 at 6:15 AM,
              Denis <span dir="ltr">&lt;<a moz-do-not-send="true"
                  href="mailto:denis.ietf@free.fr" target="_blank">denis.ietf@free.fr</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <div
                    class="gmail-m_5930343257793777031moz-cite-prefix">Hi
                    Nat,<br>
                    <br>
                    My replies to your proposed disposition of comments
                    are embedded in the text.<br>
                  </div>
                </div>
              </blockquote>
              <div>[snip]</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"
                                style="margin-top:6pt"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">Section 4 states:</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;</span><b
                                  class="gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"><span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>A Request Object (Section
                                    2.1) is used to provide
                                    authorization<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>request parameters for an
                                    OAuth 2.0 authorization request.<span
class="gmail-m_5930343257793777031gmail_msg">&nbsp; </span><span
                                      class="gmail-m_5930343257793777031gmail_msg">It<br>
                                      &nbsp;&nbsp; </span>contains OAuth 2.0
                                    [RFC6749] authorization request
                                    parameters<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>including extension
                                    parameters</span></b><b
                                  class="gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">.<span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;
                                    </span></span></b></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">RFC 6749 contains 75
                                  pages, but does not contain a single
                                  occurrence of the wording
                                  "authorization request parameter" nor
                                  of "extension parameter". <br
                                    class="gmail-m_5930343257793777031gmail_msg">
                                  There should be either references to
                                  one or more specific sections of this
                                  document or, even better, a list of
                                  the mandatory/recommended/possible <br
class="gmail-m_5930343257793777031gmail_msg">
                                  authorization request parameters as
                                  well as a list of
                                  mandatory/recommended/possible
                                  extension parameters should be
                                  included in this document.</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><font
class="gmail-m_5930343257793777031gmail_msg" face="Arial">A clear
                                  distinction should be made between the
                                  parameters used to authenticate the
                                  request and the other ones.</font></p>
                            </div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>Reject.</div>
                        <div>There are 4 flows in RFC6749. In each flow,
                          there is a sub-section dedicated to the
                          Authorization request.</div>
                        <div>In them, the parameters used in the
                          authorization request are very clearly
                          indicated. For example,</div>
                        <div><br>
                        </div>
                        <div>
                          <pre class="gmail-m_5930343257793777031inbox-inbox-newpage" style="font-size:13.3333px;margin-top:0px;margin-bottom:0px"><span class="gmail-m_5930343257793777031inbox-inbox-h4" style="line-height:0pt;display:inline;font-size:1em;font-weight:bold"><h4 style="line-height:0pt;display:inline;font-size:1em"><a moz-do-not-send="true" class="gmail-m_5930343257793777031inbox-inbox-selflink" href="https://tools.ietf.org/html/rfc6749#section-4.1.1" style="color:black;text-decoration:none" target="_blank">4.1.1</a>.  Authorization Request</h4></span>

   The client constructs the request URI by adding the following
   parameters to the query component of the authorization endpoint URI ... </pre>
                          It is very difficult to miss. </div>
                        <div><br>
                        </div>
                        <div>Then, the possibility for the extension
                          parameters is discussed in 8.2. Needless to
                          say, those extension parameters are going to
                          be discussed in other specifications.</div>
                        <div>Thus, it would be misleading just to say
                          the parameters defined in 4.1.1, 4.2.1, etc.</div>
                        <div>As an editor, I feel better with the
                          current language because it is at least not
                          wrong nor misleading. <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <p class="MsoNormal"><span lang="EN-GB">draft-ietf-oauth-jwsreq-11</span><span
                      lang="EN-GB"><font face="Arial"> states on page 7</font>.</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>To sign, JSON Web
                      Signature (JWS) [RFC7515] is used.<span>&nbsp; </span>The
                      result is a</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>JWS signed JWT
                      [RFC7519].<span>&nbsp; </span>If signed, the
                      Authorization Request</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>Object SHOULD
                      contain the Claims "iss" (issuer) and "aud"
                      (audience)</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>as members, with
                      their semantics being the same as defined in the
                      JWT</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>[RFC7519]
                      specification.</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">This should be changed into:</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>To sign, JSON Web
                      Signature (JWS) [RFC7515] is used.<span>&nbsp; </span>The
                      result is a</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>JWS signed JWT
                      [RFC7519].<span>&nbsp; </span>If signed, the
                      Authorization Request</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>Object <b>MUST
                        contain a client_id parameter</b> and SHOULD
                      contain a<br>
                      <span>&nbsp;&nbsp; </span>"iss" (issuer) <b>parameter</b>
                      and an "aud" (audience) <b>parameter</b>, with <br>
                      <span>&nbsp;&nbsp; </span>their semantics being the same as
                      defined in the JWT [RFC7519] <br>
                      <span>&nbsp;&nbsp; </span>specification.</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">&nbsp;</span></p>
                </div>
              </blockquote>
              <div>I am kind of ok with the proposed text but if you
                want to single out `client_id`, perhaps a reason
                should be added.</div>
              <div>There are other REQUIRED parameters in the
                Authorization Request defined in RFC6749, you know.</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"></span></p>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">In section 5.2. Message Signature
                        or MAC Validation, the text states:</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">&nbsp;</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB"><span>&nbsp;&nbsp; </span>When validating a
                        JWS, the following steps are performed.</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">&nbsp;</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">(...)</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>See Section
                        10.6 for security considerations on algorithm</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>validation.</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">&nbsp;</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">There is no section 10.6 in this
                        document. It seems to be section 10.3</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">Anyway, it is not the right place
                        to place requirements in a security
                        considerations section and the appropriate text
                        <br>
                        should be moved in the main body of the
                        document.</span></font></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>Sorry, I cannot find the text you are referring to.</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB"></span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">&nbsp;</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><span lang="EN-GB"><font
                        face="Arial">RFC 6749 states in clause 4.<span>&nbsp;
                        </span>Obtaining Authorization on page </font></span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">6.2.<span>&nbsp; </span>JWS Signed
                      Request Object</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>To perform JWS
                      Signature Validation, the "alg" Header Parameter
                      in</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>the JOSE Header <span
style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:lime">MUST</span>
                      match the value of the pre-registered algorithm.</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span><span
style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:aqua">The
                        signature MUST be validated against the
                        appropriate key for that</span></span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>"client_id" and
                      algorithm.</span><span lang="EN-GB"></span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">The important point is to provide
                        guidance on how to map the </span>client_id<span
                        lang="EN-GB"> parameter with the appropriate
                        key. <br>
                        There is none at the present time.</span><span
                        lang="EN-GB"></span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><font face="Arial"><span
                        lang="EN-GB">&nbsp;</span></font></p>
                  <font face="Arial"> </font>
                  <p class="MsoNormal"><span lang="EN-GB"><font
                        face="Arial">Add:</font></span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>Identifying the
                      appropriate key MUST be done according to section
                      6 <br>
                      <span>&nbsp;&nbsp; </span>of RFC 7515 and using the
                      Registered Header Parameter Names defined <br>
                      <span>&nbsp;&nbsp; </span>in section 4.1 of RFC 7515, e.g.
                      using the Header Parameters "jku", <br>
                      <span>&nbsp;&nbsp; </span>"jwk", "kid", "x5u", "x5c",
                      "x5t", or "x5t#S256".</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <div><span style="font-family:arial"
                            class="gmail-m_5930343257793777031gmail_msg"
                            lang="EN-GB"></span><span
                            style="font-family:arial"
                            class="gmail-m_5930343257793777031gmail_msg"
                            lang="EN-GB">4. The introduction states on
                            page 4:</span></div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"
                                style="margin-top:6pt"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg">&nbsp;</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp; (a) (integrity
                                  protection) The request can be signed
                                  so that the integrity of the request
                                  can be checked<span
                                    class="gmail-m_5930343257793777031m_5262665161593131067delete
gmail-m_5930343257793777031gmail_msg"> </span>; </span><span
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US"></span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">This should be changed
                                  into:</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp; (a) (integrity
                                  protection) The request can be
                                  authenticated either using a digital
                                  signature or using encryption under a
                                  secret key <br
                                    class="gmail-m_5930343257793777031gmail_msg">
                                  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; so that the integrity of the
                                  request can be checked<span
                                    class="gmail-m_5930343257793777031m_5262665161593131067delete
gmail-m_5930343257793777031gmail_msg"> </span>;</span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>Reject.</div>
                        <div>
                          <div>This paragraph is talking about the
                            integrity protection and not the source
                            authentication.</div>
                          <div>And even for source authentication,
                            saying that encryption under a secret key is
                            not accurate as it was discussed earlier in
                            the WG mail.</div>
                        </div>
                        <div><br>
                        </div>
                        <div>I am not sure if "Introduction" needs to
                          state everything that is explained later. The
                          idea of introduction probably is to give main
                          points. The list is not an exhaustive list of
                          the benefits of using JWT as the authorization
                          request format. For example, being able to
                          encrypt the request, which is not listed
                          there, has an advantage of preventing MITB from
                          eavesdropping on the request. So I think it is ok as
                          is.</div>
                        <div><br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-US">Integrity protection cannot be
                      verified without knowing the source of the
                      information.</span></p>
                </div>
              </blockquote>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-US">Using encryption (which supports at
                      the same time <br>
                      an integrity service when secret keys are being
                      used) is another way to be able to check the
                      integrity of the request. </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-US">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-US">So I maintain my comment.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div><span
                  style="color:rgb(33,33,33);font-family:sans-serif;font-size:13px">I
                  think the issue is that if you encrypt with an
                  asymmetric algorithm then the receiver has no idea who
                  encrypted it.</span>
                <div class="gmail_msg"
                  style="color:rgb(33,33,33);font-family:sans-serif;font-size:13px">If
                  encrypted with a symmetric key (not secret key) then
                  you know that it came from someone who has access to
                  that key.</div>
                <div class="gmail_msg"
                  style="color:rgb(33,33,33);font-family:sans-serif;font-size:13px">That
                  works because we only support AEAD encryption.</div>
                <div class="gmail_msg"
                  style="color:rgb(33,33,33);font-family:sans-serif;font-size:13px"><br
                    class="gmail_msg">
                </div>
                <div class="gmail_msg"
                  style="color:rgb(33,33,33);font-family:sans-serif;font-size:13px">You
                  can use asymmetric encryption but you need to sign
                  first if you want to know who it is from.</div>
              </div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><br>
                    <span style="font-family:arial" lang="EN-US"></span></p>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <div><span style="font-family:arial"
                            class="gmail-m_5930343257793777031gmail_msg"
                            lang="EN-GB">5. The introduction states on
                            page 4:</span></div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;</span></p>
                              <p class="MsoNormal
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">(d) (collection
                                  minimization) The request can be <b
                                    class="gmail-m_5930343257793777031gmail_msg">signed</b>
                                  by a third party attesting that the
                                  authorization request is compliant <span
class="gmail-m_5930343257793777031m_5262665161593131067delete
                                    gmail-m_5930343257793777031gmail_msg">to</span></span><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-US"> </span><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">certain policy.</span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">The request is not <i
                                    class="gmail-m_5930343257793777031gmail_msg">signed</i>
                                  by a third party. <br
                                    class="gmail-m_5930343257793777031gmail_msg">
                                </span></p>
                            </div>
                          </div>
                        </blockquote>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">However, later on, there
                                  is the following explanation: <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US"><span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>In addition, it allows requests
                                  to be prepared by a third party so
                                  that a client application cannot
                                  request <br
                                    class="gmail-m_5930343257793777031gmail_msg">
                                  &nbsp;&nbsp; more permissions than <span
                                    class="gmail-m_5930343257793777031gmail_msg">pr</span>eviously
                                  agreed.<span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;
                                  </span></span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:arial;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;If it is the intent, the
                                  sentence should be rephrased as: <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
                                  style="font-family:arial"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">(d) (collection
                                  minimization) The request can be <b
                                    class="gmail-m_5930343257793777031gmail_msg">verified</b>
                                  by a third party attesting that the
                                  authorization request is compliant <span
class="gmail-m_5930343257793777031m_5262665161593131067delete
                                    gmail-m_5930343257793777031gmail_msg">to</span></span><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-US"> </span><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">certain policy. <br>
                                </span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div>Reject</div>
                        <div>The third party indeed signs the request on
                          behalf of the client as the result of
                          verification that the permission is the same
                          as previously agreed.&nbsp; <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-US">If it were the case, the client_id
                      would indicate the name of the third party and the
                      name of the user would be missing (or vice versa).</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>The value of `client_id` will be the requesting
                party.</div>
              <div>The value of `iss` can be the third party.</div>
              <div>But setting aside that, I guess your point actually
                is on the use of the word "request". Authorization
                request is the entire thing that travels from the client
                and not a part of it, and that is a fair point. Having
                said that, I have a problem with your use of the word
                "verified". What about this?</div>
              <div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div class="gmail_quote">
                      <blockquote class="gmail_quote" style="margin:0px
                        0px 0px 0.8ex;border-left:1px solid
                        rgb(204,204,204);padding-left:1ex">
                        <div bgcolor="#FFFFFF"
                          class="gmail-m_5930343257793777031gmail_msg">
                          <div
                            class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                            gmail-m_5930343257793777031gmail_msg">
                            <p
                              class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                              gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-US"><font
                                  face="arial">(d) (collection
                                  minimization) The data being requested
                                  can be </font><b
                                  style="font-family:arial">attested&nbsp;</b><font
                                  face="arial">by a third party that is
                                  compliant&nbsp;</font><span
                                  class="gmail-m_5930343257793777031m_5262665161593131067delete
                                  gmail-m_5930343257793777031gmail_msg"><font
                                    face="arial">to</font>&nbsp;collection
                                  minimization principle</span></span><span
class="gmail-m_5930343257793777031gmail_msg"
                                style="font-size:12pt;font-family:verdana"
                                lang="EN-US">.&nbsp;</span>&nbsp;</p>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </blockquote>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><br>
                  </p>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US"></span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;6. Section 10.1. the
                                  text states: <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    class="gmail-m_5930343257793777031gmail_msg"
                                    lang="EN-GB"><span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>When sending the
                                    authorization request object through
                                    "request"<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>parameter, it MUST either be
                                    signed using JWS [RFC7515] or
                                    encrypted<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>using JWE [RFC7516] with then
                                    considered appropriate algorithm.</span></b></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:arial;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;The wording "</span><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">with then
                                  considered appropriate algorithm"</span><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB"> is too vague. This
                                  should be changed into:</span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    class="gmail-m_5930343257793777031gmail_msg"
                                    lang="EN-GB"><span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>When sending the
                                    authorization request object through
                                    "request"<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>parameter, it MUST either be
                                    signed using JWS [RFC7515] or
                                    encrypted<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>using JWE [RFC7516] <span
                                      style="color:blue"
                                      class="gmail-m_5930343257793777031gmail_msg">using
                                      a symmetric key algorithm</span>.</span></b></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;</span>Reject.</p>
                            </div>
                          </div>
                        </blockquote>
                        <div>In the above sentence, "<b
                            class="gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">with then
                              considered appropriate algorithm</span></b>"
                          applies to both JWS and JWE.</div>
                        <div>The intent of the phrase is that a
                          vulnerable algorithm should not be used.</div>
                        <div><br>
                        </div>
                        <div>Also, I do not understand why the algorithm
                          has to be symmetric key algorithm. <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">Maybe, this explains why you didn't
                      understand the previous comment. With public key
                      encryption, it is not possible to authenticate <br>
                      the source of the request, while it is possible
                      with secret key encryption when the encrypted data
                      includes a cryptographic checksum <br>
                      like a hash value and an error propagation method
                      for the encryption algorithm.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>I understand this. My point is that this subsection
                is not talking about what you just stated. This is a
                security consideration pointing out that an algorithm
                which has not become vulnerable must be used.</div>
              <div><br>
              </div>
              <div>What you describe should instead go below the list
                (a)(b)(c) in section 5 or section 10.3.</div>
              <div>"<span style="color:rgb(0,0,0);font-size:13.3333px">when
                  symmetric keys are being used" probably is a bit too
                  open to interpretation. John is now creating a text on
                  it.</span></div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"></span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">So I maintain my comment.</span><br>
                  </p>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB"></span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;7. Section 10.2 states:
                                  <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"><span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>This means that the request
                                  object is going to be <span
                                    class="gmail-m_5930343257793777031gmail_msg">prepared
                                    fresh each<br>
                                    &nbsp;&nbsp; </span>time an authorization
                                  request is made</span><span
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB"> and caching cannot be
                                  used.<span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;
                                  </span></span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;What are the
                                  implications? Is it
                                  required/recommended to use a nonce?
                                  The text should be made clearer. </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB"></span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div>Reject.</div>
                        <div>The implication is given right after the
                          sentence. There is no variable called "nonce"
                          in RFC6749. Since this document is just
                          defining <br>
                          another encoding method for OAuth 2.0
                          authorization request as a framework, it does
                          not mandate these. <br>
                          An extension specification should define those
                          requirements. <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">Note that this section belongs to the
                      security considerations section which SHOULD NOT
                      be normative and should only provide guidance. </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">The sentence right after is the
                      following:</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>It has a performance
                      disadvantage, but where such disadvantage is</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>permissible, it
                      should be considered.</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">It does not provide any guidance.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>Does it not? It is providing guidance that the
                implementation should consider not using a cached request
                and create the request afresh each time so that the
                entire request can be signed etc.</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"> </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">The key point is that a parameter
                      able to detect replay needs to be included in the
                      request. This should be indicated in the normative
                      part. <br>
                    </span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>This security consideration is not about the replay
                attack but request tampering.</div>
              <div><br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">It is unfortunate that RFC 7515 has
                      not addressed replay protection of JWS and only
                      mentions the problem in section 10.10, which is in
                      the <br>
                      security considerations section. Here it is:</span></p>
                </div>
              </blockquote>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"></span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB">10.10.<span>&nbsp; </span>Replay
                      Protection</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>While not directly
                      in scope for this specification, note that</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>applications using
                      JWS (or JWE) objects can thwart replay attacks by</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>including a unique
                      message identifier as integrity-protected content</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>in the JWS (or JWE)
                      message and having the recipient verify that the</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>message has not been
                      previously received or acted upon.</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">The text on page 7 should be changed
                      into:</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>To sign, JSON Web
                      Signature (JWS) [RFC7515] is used.<span>&nbsp; </span>The
                      result is a<br>
                      <span>&nbsp;&nbsp; </span>JWS signed JWT [RFC7519].<span>&nbsp;
                      </span>If signed, the Authorization Request<br>
                      <span>&nbsp;&nbsp; </span>Object <b>MUST contain a
                        client_id parameter</b> <b>and a "nonce"</b> <b>extension
                        <br>
                      </b><span>&nbsp;&nbsp; </span><b>parameter</b> </span><b><span
                        style="font-size:12pt;font-family:courier"
                        lang="EN-GB">allowing to detect replay attacks </span></b><span
                      lang="EN-GB">and SHOULD contain an "iss" <br>
                      <span>&nbsp;&nbsp; </span>(issuer) <b>parameter</b> and an
                      "aud" (audience) <b>parameter</b>, with their <br>
                      <span>&nbsp;&nbsp; </span>semantics being the same as
                      defined in the JWT specification [RFC7519].</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">Note that Page 7 uses the "nonce"
                      parameter in the example.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>
                <div>I agree that inclusion of nonce etc. to thwart the
                  replay attack has to be done in the normative section
                  and not in the security consideration.</div>
                <div>Having said that, as I stated before, this
                  specification is just defining another encoding for
                  RFC6749. As the result, the replay protection etc. has
                  to be deferred to an extension spec, such as OIDC.</div>
                <div>&nbsp;</div>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"> </span></p>
                  <h2><span
                      style="font-size:12pt;font-family:arial;font-weight:normal"
                      lang="EN-GB">JSON Web Token Claims are listed at:
                      <span style="color:blue"><a moz-do-not-send="true"
class="gmail-m_5930343257793777031moz-txt-link-freetext"
                          href="https://www.iana.org/assignments/jwt/jwt.xhtml"
                          target="_blank">https://www.iana.org/assignments/jwt/jwt.xhtml</a></span></span></h2>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">"Nonce" is mentioned in OpenID
                      Connect Core 1.0 incorporating errata set 1. </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">It is described as :</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <table border="0" cellpadding="0">
                    <tbody>
                      <tr>
                        <td style="padding:0.75pt">
                          <p class="MsoNormal"><span lang="EN-GB">nonce</span><span
                              lang="EN-GB"></span></p>
                        </td>
                        <td style="padding:0.75pt">
                          <p class="MsoNormal"><span lang="EN-GB">Value
                              used to associate a Client session with an
                              ID Token</span><span lang="EN-GB"></span></p>
                        </td>
                      </tr>
                    </tbody>
                  </table>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"><br>
                    </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">This is too restrictive since now a
                      nonce should be included in a JWS token.</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">The registration is as follows:</span></p>
                  <ul type="disc">
                    <li class="MsoNormal"><span lang="EN-GB">Parameter
                        name: </span><tt><span
                          style="font-family:arial" lang="EN-GB">nonce</span></tt><span
                        lang="EN-GB"> </span><span lang="EN-GB"></span></li>
                    <li class="MsoNormal"><span lang="EN-GB">Parameter
                        usage location: Authorization Request </span></li>
                    <li class="MsoNormal"><span lang="EN-GB">Change
                        controller: OpenID Foundation Artifact Binding
                        Working Group - <a moz-do-not-send="true"
                          class="gmail-m_5930343257793777031moz-txt-link-abbreviated"
                          href="mailto:openid-specs-ab@lists.openid.net"
                          target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>
                      </span></li>
                    <li class="MsoNormal"><span lang="EN-GB">Specification
                        document(s): </span><span><a
                          moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint"
                          target="_blank"><span lang="EN-GB">Section&nbsp;3.1.2</span></a></span><span
                        lang="EN-GB"> of this document </span></li>
                    <li class="MsoNormal"><span>Related information:
                        None </span></li>
                  </ul>
                  <p class="MsoNormal"><br>
                  </p>
                </div>
              </blockquote>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"> </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">Section 3.1.2 states:</span></p>
                  <h3 style="margin-left:36pt"><span
                      style="font-size:12pt;font-family:arial"
                      lang="EN-GB">3.1.2.&nbsp; Authorization Endpoint</span></h3>
                  <p style="margin:0cm 0cm 0.0001pt 36pt"><span
                      style="font-family:arial" lang="EN-GB">The
                      Authorization Endpoint performs Authentication of
                      the End-User. This is done by sending the User
                      Agent to the Authorization Server's <br>
                      Authorization Endpoint for Authentication and
                      Authorization, using request parameters defined by
                      OAuth 2.0 and additional parameters <br>
                      and parameter values defined by OpenID Connect. </span></p>
                  <p style="margin:0cm 0cm 0.0001pt 36pt"><span
                      style="font-family:arial" lang="EN-GB">&nbsp;</span></p>
                  <p style="margin:0cm 0cm 0.0001pt 36pt"><span
                      style="font-family:arial" lang="EN-GB">Communication
                      with the Authorization Endpoint MUST utilize TLS.
                      See </span><span style="font-family:arial"><a
                        moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements"
                        target="_blank"><span lang="EN-GB">Section&nbsp;16.17</span></a></span><span
                      style="font-family:arial" lang="EN-GB"> for more
                      information on using TLS</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">This has nothing to do with the
                      nonce. Hence the nonce registration information
                      has been badly defined. </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">The OpenID specification also states:</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"><br>
                    </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"></span><span lang="EN-GB"> </span></p>
                  <p class="MsoNormal" style="margin-left:27pt"><font
                      face="Arial"><span lang="EN-GB">"The Client SHOULD
                        check the </span>nonce</font><span lang="EN-GB"><font
                        face="Arial"> value for replay attacks. The
                        precise method for detecting replay attacks is
                        Client specific".</font></span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">This does not allow interoperation.</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">Rather than correcting the
                      registration information in the OpenID
                      specification, it would be better to suppress it
                      from the OpenID specification <br>
                      and incorporate it within an IETF RFC.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>Out of scope for this specification.&nbsp;</div>
              <div>Also, you should discuss something on OIDC on a
                separate list, not here.&nbsp;</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"></span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">In order to avoid nonces being kept
                      in memory forever, a good practice is to split
                      the nonce in two parts: <br>
                    </span></p>
                  <ul>
                    <li><span style="font-family:arial" lang="EN-GB">one
                        of them includes a UTC </span><font
                        face="Arial"><span lang="EN-GB">NumericDate
                          using the format defined in RFC 7519,</span></font><span
                        style="font-family:arial" lang="EN-GB"> and </span></li>
                    <li><span style="font-family:arial" lang="EN-GB">the
                        other one includes a random number. <br>
                      </span></li>
                  </ul>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"><br>
                      In this way only recent nonces (e.g. received
                      during the last 5 minutes) need to be kept in
                      memory. <br>
                      Three or four<span> </span>bytes for the random
                      number will be sufficient.</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">In order to <b>allow for
                        interoperability,</b> a format should be
                      specified.</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"><br>
                    </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">I propose a NumericDate defining the
                      UTC time concatenated with a random number with
                      three bytes.</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">"Nonce" has not been officially
                      registered by IANA. An IANA Considerations section
                      should be added in </span><span
                      class="gmail-m_5930343257793777031gmailmsg"><span
                        style="font-family:arial" lang="EN-US">draft-ietf-oauth-jwsreq-<b>
                          <br>
                        </b></span></span><span
                      style="font-family:arial" lang="EN-GB">to register
                      the "nonce" parameter.</span></p>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>Everything related to nonce is out of scope. You
                should write a new I-D.&nbsp;</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"></span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">On page 14, section 6.2., after the
                      previous proposed text which is:</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>Identifying the
                      appropriate key MUST be done according to section
                      6 <br>
                      <span>&nbsp;&nbsp; </span>of RFC 7515 and using the
                      Registered Header Parameter Names defined <br>
                      <span>&nbsp;&nbsp; </span>in section 4.1 of RFC 7515, e.g.
                      using the Header Parameters "jku", <br>
                      <span>&nbsp;&nbsp; </span>"jwk", "kid", "x5u", "x5c",
                      "x5t", or "x5t#S256".</span></p>
                  <p class="MsoNormal"><span style="font-family:courier"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">I proposed to add the following text:
                    </span></p>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB">&nbsp;</span></p>
                  <p class="gmail-m_5930343257793777031MsoPlainText"><span
                      lang="EN-GB"><span>&nbsp;&nbsp; </span>To perform JWS
                      Signature Validation, the "nonce" Header Parameter
                      in</span></p>
                  <p class="MsoNormal"><span lang="EN-GB"><span>&nbsp;&nbsp; </span>the
                      JOSE Header MUST be present and MUST be checked to
                      verify that <br>
                      <span>&nbsp;&nbsp; </span>the signed request is not the
                      replay of a previous signed request.</span></p>
                  <p class="MsoNormal"><span lang="EN-GB">&nbsp;</span></p>
                  <span lang="EN-GB">A section defining the nonce
                    parameter should be added.</span></div>
              </blockquote>
              <div><br>
              </div>
              <div>[snip]&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-US">&nbsp;9. Section 10.3 states
                                  at its very end:</span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">&nbsp;<span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>An extension specification<br>
                                  <span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>should be created as a
                                  preventive measure to address
                                  potential<br>
                                  <span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>vulnerabilities that have not
                                  yet been identified.</span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB"><br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">Writing a document for
                                  vulnerabilities that have not yet been
                                  identified is speculative. It would
                                  rather be better <br
                                    class="gmail-m_5930343257793777031gmail_msg">
                                  either to remove this sentence or to
                                  explain what is meant by it.</span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div>Reject.&nbsp;</div>
                        <div>It is referring to the first paragraph of
                          the sub-section. Also, precaution when
                          security is in question is a good thing.&nbsp;<span
style="color:rgb(34,34,34);font-family:verdana;font-size:12pt"> <br>
                          </span></div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <p class="MsoNormal"><span
                      style="font-family:verdana;color:rgb(34,34,34)"
                      lang="EN-GB">This sentence is simply useless and
                      thus should be deleted. Hence, I maintain this
                      comment.</span></p>
                  <br>
                </div>
              </blockquote>
              <div>Agree to disagree.&nbsp;</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"> <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">10. Section 11.1 states:</span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;</span><b
                                  class="gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">11.1.<span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;
                                    </span>Collection limitation</span></b></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    class="gmail-m_5930343257793777031gmail_msg"
                                    lang="EN-GB">&nbsp;<span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>When the Client is being
                                    granted access to a protected
                                    resource<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>containing personal data, the
                                    Client SHOULD limit the collection
                                    of<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>personal data to that which
                                    is within the bounds of applicable
                                    law<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>and strictly necessary for
                                    the specified purpose(s).</span></b><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"></span></b></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;The <i
                                    class="gmail-m_5930343257793777031gmail_msg">presentation</i>
                                  of personal data should be limited
                                  whether or not the protected resource
                                  contains personal data.</span> <br>
                              </p>
                            </div>
                          </div>
                        </blockquote>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">It is proposed to change
                                  this text into: <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    class="gmail-m_5930343257793777031gmail_msg"
                                    lang="EN-GB"><span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>When the Client requests an
                                    access to a protected resource, the
                                    Client<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>SHOULD limit the presentation
                                    of personal data to that which is
                                    within<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>the bounds of applicable law
                                    and strictly necessary for the
                                    specified<br>
                                    <span
                                      class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                    </span>purpose(s).</span></b></p>
                            </div>
                          </div>
                        </blockquote>
                        <div>Reject.&nbsp;</div>
                        <div>You are not getting what OAuth does. The
                          party that holds personal data is the
                          authorization server / resource.&nbsp;</div>
                        <div>It is not the client. The client is the
                          party who is getting those "resources" which
                          may contain personal data.&nbsp;</div>
                        <div>Yes, the client can provide some personal
                          data to the resource depending on what that
                          resource endpoint is, but that is out of scope
                          for OAuth.&nbsp;</div>
                        <div>As far as OAuth is concerned, what is being
                          sent from the client to the resource is the
                          access token. <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <div
style="border-top:none;border-right:none;border-bottom:none;border-left:0.5pt
                    solid rgb(204,204,204);padding:0cm 0cm 0cm 6pt">
                    <p
class="gmail-m_5930343257793777031m5262665161593131067msoplaintextgmailmsg"
                      style="margin:0cm 0cm 0.0001pt
                      4.8pt;border:none;padding:0cm"><span
                        style="font-family:arial" lang="EN-GB">The
                        dispute is whether the <span
                          class="gmail-m_5930343257793777031gmailmsg">protected
                          resource contains or not personal data. <br>
                          The data contained by the protected resource
                          may well be public data (or/and personal
                          data). <br>
                          It does not need to be only "personal data".</span></span></p>
                    <p
class="gmail-m_5930343257793777031m5262665161593131067msoplaintextgmailmsg"
                      style="margin:0cm 0cm 0.0001pt
                      4.8pt;border:none;padding:0cm"><span
                        class="gmail-m_5930343257793777031gmailmsg"><span
                          style="font-family:arial" lang="EN-GB">&nbsp;</span></span></p>
                    <p
class="gmail-m_5930343257793777031m5262665161593131067msoplaintextgmailmsg"
                      style="margin:0cm 0cm 0.0001pt
                      4.8pt;border:none;padding:0cm"><span
                        class="gmail-m_5930343257793777031gmailmsg"><span
                          style="font-family:arial" lang="EN-GB">Hence,
                          I maintain my comment.</span></span></p>
                  </div>
                  <br>
                </div>
              </blockquote>
              <div>I do not understand your comment now. Your previous
                proposal seems to be unrelated to the above comment.&nbsp;</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"> <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#FFFFFF"
                            class="gmail-m_5930343257793777031gmail_msg">
                            <div
                              class="gmail-m_5930343257793777031m_5262665161593131067moz-cite-prefix
                              gmail-m_5930343257793777031gmail_msg">
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><b
class="gmail-m_5930343257793777031gmail_msg"><span
                                    style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"></span></b></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;11. Section 11.2.1
                                  states: <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB">11.2.1.<span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;
                                  </span>Request Disclosure <br>
                                </span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"><span
                                    class="gmail-m_5930343257793777031gmail_msg">&nbsp;&nbsp;
                                  </span>This specification allows
                                  extension parameters. </span><span
                                  style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
class="gmail-m_5930343257793777031gmail_msg" lang="EN-GB"></span></p>
                              <p
                                class="gmail-m_5930343257793777031m_5262665161593131067MsoPlainText
                                gmail-m_5930343257793777031gmail_msg"><span
style="font-size:12pt;font-family:verdana;color:rgb(34,34,34)"
                                  class="gmail-m_5930343257793777031gmail_msg"
                                  lang="EN-GB">&nbsp;It would be useful to
                                  name either all of them or some of
                                  them. RFC 6749 is not crystal clear
                                  about this.</span></p>
                            </div>
                          </div>
                        </blockquote>
                        <div>Noted.&nbsp;</div>
                        <div>RFC6749 only defines how to define
                          extension parameters.&nbsp;</div>
                        <div>This specification draws from OpenID
                          Connect for some examples of extension
                          parameters such as nonce.&nbsp;</div>
                        <div>See section 4 for example.&nbsp; <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <p class="MsoNormal"><span style="font-family:arial"
                      lang="EN-GB"><br>
                      See my earlier comments where client_id and nonce
                      shall be mandatory.</span></p>
                  <br>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>client_id is mandatory in RFC6749. Nonce is not
                defined in RFC6749 and hence out of scope for this
                specification.&nbsp;</div>
              <div>&nbsp;</div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"> Denis</div>
              </blockquote>
              <div><br>
              </div>
              <div>[snip]&nbsp;</div>
            </div>
            <div><br>
            </div>
            -- <br>
            <div class="gmail_signature">Nat Sakimura (=nat)
              <div>Chairman, OpenID Foundation<br>
                <a moz-do-not-send="true"
                  href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
                @_nat_en</div>
            </div>
          </div>
        </div>
      </blockquote>
      <p><br>
      </p>
    </div>
  </body>
</html>

--------------1D8A97523D12651E0649B91D--


From nobody Wed Mar 22 15:38:35 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 217811273E2 for <oauth@ietfa.amsl.com>; Wed, 22 Mar 2017 15:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level: 
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Qr3sTxi124h for <oauth@ietfa.amsl.com>; Wed, 22 Mar 2017 15:38:32 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1376B12709D for <oauth@ietf.org>; Wed, 22 Mar 2017 15:38:31 -0700 (PDT)
Received: from [192.168.91.181] ([45.59.213.66]) by mail.gmx.com (mrgmx101 [212.227.17.168]) with ESMTPSA (Nemesis) id 0LraSn-1cC9092Q2P-013Pvo; Wed, 22 Mar 2017 23:38:25 +0100
References: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Derek Atkins <derek@ihtfp.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <0b495b42-50a8-62da-499a-351fdd2eada3@gmx.net>
Date: Wed, 22 Mar 2017 23:38:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ukHRt3qvSFkmDgVnrlhtlujnEQTDq1dnK"
X-Provags-ID: V03:K0:autTBNWm6dxxOPg3ZWSbSj3boBHtK0ajhL54/Z9XLea+ciEAP1r +4HyjWDMe24vOnHes1huvXDgOf0nTI+8OEzy2z73ttzu+CGzdfaxU9Cu1u3GpnZ0f6h+DNN Zsl47dr3wLzDx/C7FKj6WVxTGOxI/APYFyjphO2KocgVZh2frJeELsGyLCQrSfAvTfYPnTp 03A+lGuj7TeHWBdZg+pYg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:7BRBxSSV754=:apxW/YznHmD2fNnFS6Atj9 3yO1oSDFkFVx3kaNg557c5WsnSIkjYSoieyjbv9SIb9ecxdzrPiUhrYTkUGyDNefMdl5ajDBD mQSBNr1PRQeFtVei9t88R6z/Arg3QBKUYo3TfA6WvF929MP77cm47d7m+h0GmmVIj4CAJUHUT MV5ZUOXkpsKKF5+C4ZpB5a0M8YXWhOS3ojVWxTG0J32Fn6RV323ijYugqdy8MGq1IW3lsDy4C PlndH4IAJqhCzdwdKaGUf3sohhI+tMv3MCw1OaBcwO64C/Q9FvxKI5rkLyTCOZ2CoaTY2KfhE KMR3kQTMJTFGnsOvTvdy94M5Zux7JRkgfwmX4Ajqv7DbNpsAFX10AP72NuvJpWVpaaz4FSN4P lKYdUVfgMlpHP4xi4XnrHM2NPvi2qVebj2DGfIPLSH/CVRcWFvIMc56ls7lewSxiK7jBFXcmk wbPiMymCyOfbDr2I9TNkpO13KEHe/tE2QtSWErt0yH6h0UKEyRQY9g8hObzCl4Bvn9OHHtUNr rOrecmBYFX9byLXmTehTFhfR/C0KfigLHFtRi/eA/2Lmtygtt2NBTpWfip5Hu0lO8YICAuF+e 22xRkdQdtSbiNquXygfV+5m0IDDRNSX7PDYD0s1qWjPXY7aw4F/s79NOwaw3gQHysPHmzC79B lvOlwiMVvqk9LPYz+gOyG98VXGrWVuR6glehf73aJWyG5vGfWM84/772TThMdtwFCZzrUZccQ ZUaBHCwlNWYljHSTugzg3JZU/fMzl9SBdGcS+/LiOsPNeHe7nRJ4h100gCs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QlQdHfkfsopBIEqjikSYl5Dpbo4>
Subject: Re: [OAUTH-WG] Chair volunteers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 22:38:34 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--ukHRt3qvSFkmDgVnrlhtlujnEQTDq1dnK
Content-Type: multipart/mixed; boundary="ULbheV1bhtJ6vw3VfVvDxowE2W1obk4Qg";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Derek Atkins <derek@ihtfp.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>,
 "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <0b495b42-50a8-62da-499a-351fdd2eada3@gmx.net>
Subject: Re: [OAUTH-WG] Chair volunteers
References: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com>
In-Reply-To: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com>

--ULbheV1bhtJ6vw3VfVvDxowE2W1obk4Qg
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable



On 03/21/2017 06:39 PM, Kathleen Moriarty wrote:
> A big thank you to Derek for his work in OAuth and we hope to have his
> continued participation in the working group!

Big thanks to Derek for doing the job for such a long time. It has been
a pleasure to work with you!

Ciao
Hannes


--ULbheV1bhtJ6vw3VfVvDxowE2W1obk4Qg--

--ukHRt3qvSFkmDgVnrlhtlujnEQTDq1dnK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJY0vzaAAoJEGhJURNOOiAtChwIAJ6QvnA9iynfmZo66tlMNYYr
RYdbi/8w2RAJsEfy/fLchbYp/xkwSfDLt7zLyGK/xkEnEBVJnvB898xLvHyKEpAE
EqxaQo+Qiebt2PxUW/ikiOIlHXsayGxvw+vo/q9PXBejQuoyGzuiqg0VO/93ExWb
cb/SuZVqzj+Tqlj2k50uoCZKqTv2XHimcuBHnUeFRWx+r2Qo3moXtGU2EUS96+IE
7639mjLLekih+2KX9YNz3RMN77bWNszZSd1BQYkgnGtTpIvU7eWl02I2hB6qeUlw
oO7ApAmyIQ9/NkdJSPvnyWTV8Guun7uElXFPBWPLv+jVo0doeBjXVcGDNsQ0gbU=
=NS+p
-----END PGP SIGNATURE-----

--ukHRt3qvSFkmDgVnrlhtlujnEQTDq1dnK--


From nobody Thu Mar 23 12:33:50 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C02921315D3 for <oauth@ietfa.amsl.com>; Thu, 23 Mar 2017 12:33:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level: 
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aucGnokrxpAA for <oauth@ietfa.amsl.com>; Thu, 23 Mar 2017 12:33:45 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27403129C03 for <oauth@ietf.org>; Thu, 23 Mar 2017 12:33:44 -0700 (PDT)
Received: from [212.202.243.194] (helo=[10.1.90.22]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1cr8UP-0003hX-Ar; Thu, 23 Mar 2017 20:33:41 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <868B60C8-E9CE-4EDA-836B-268354C857F1@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_E53EF17B-4251-4E7B-8729-05181F8C71CD"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Thu, 23 Mar 2017 20:33:40 +0100
In-Reply-To: <cbcdf187-7606-dfc4-137d-b74f1379fb40@gmx.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>, hannes.tschofenig@arm.com
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <cbcdf187-7606-dfc4-137d-b74f1379fb40@gmx.net>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TMbFmNQ2TfbeQAzTxBH2hWaxxkU>
Subject: Re: [OAUTH-WG] OAuth Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 19:33:49 -0000

--Apple-Mail=_E53EF17B-4251-4E7B-8729-05181F8C71CD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Hannes,

I had asked for 5 minutes on Monday (because I want to raise awareness
with respect to the security draft). Would it be possible to adjust the
agenda accordingly?

kind regards,
Torsten (w/o „h“).

> On 21.03.2017 at 15:47, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
> 
> Here is the latest snapshot of the agenda:
> https://datatracker.ietf.org/doc/agenda-98-oauth/
> 
> Let me know if there are any changes needed.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_E53EF17B-4251-4E7B-8729-05181F8C71CD
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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=
--Apple-Mail=_E53EF17B-4251-4E7B-8729-05181F8C71CD--


From nobody Thu Mar 23 16:00:42 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C508129505 for <oauth@ietfa.amsl.com>; Thu, 23 Mar 2017 16:00:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vo0EaLccrpab for <oauth@ietfa.amsl.com>; Thu, 23 Mar 2017 16:00:38 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC7B129515 for <oauth@ietf.org>; Thu, 23 Mar 2017 16:00:38 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id n21so188702626qta.1 for <oauth@ietf.org>; Thu, 23 Mar 2017 16:00:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cpRw2SebIYwCC5lEv9i+DakNWRg/Y3H6LA/jKuaOTY4=; b=lEgn+L4NrKv0Lud7TxZ8bQrfNT05fqvs4mlJZcT+YQiXR7kXMw6+HXSRbBFyAIVKtz EXlxOSu4+30Y/SpT2U4cSQYq2qXRD3u3yz9VnD+r9bzUxWCc2t11XjSAFS0JiQ2gfuyL gfxgmMMrMINNoDAGKDRPJHdyiWH+ZgIekmQfXX3vMFfLDc/Asbtbq/dqb73oFMHXsTzi +NoyYIUa3MvTKbYa5MZTH/rmy0Q0cLBZoH3qAhHdtlSAaOVRncfmJQdKT/YPIlp4xc8q YAv1h9/3bpSeifbV4yBPje8f8M1BPEyoAsMiX8WmyaHm5XVgH2MLZDzcCDGQS9FfhU8Y zusg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cpRw2SebIYwCC5lEv9i+DakNWRg/Y3H6LA/jKuaOTY4=; b=nBjRND1BLPqLQ1sSMmDtsYQRkbf7brWelLna0Bk58lUhcgG2xe3qpIUjAv/g9PYNJw tNV95dYeEE2APJCoqBl+D28uKzRImWd9zFfaOzXjpcNWd0iX5IzOQc9PTM4uneOOO3tb B5Tr1VhYhcWAWqeBXK9J3pu27a8D1fNee+N57MV7sgbkcebjm1rzOS1ezUztYcTHjqqW PUL8RfE7l1NVGnEQ22RRyKVHLcFNWHmZYauJb75qI0xlYWH6YfbLRvGGstQTzwGnI25I cL0d2Yp0EvPpf3AS/LdknlB++GdPsl4VcGLVHUBhzMHPujQv+/xoeHJPgTrRl9xZl3Kj cXow==
X-Gm-Message-State: AFeK/H2WhK+QjMJXEIsLpDZI42wMDGIvDW9Xjoi2wMov4m0YkvI+08+4NgEPSR4c5epOgsCTGf/9lQPO8wNjFA==
X-Received: by 10.200.44.36 with SMTP id d33mr5302314qta.198.1490310037026; Thu, 23 Mar 2017 16:00:37 -0700 (PDT)
MIME-Version: 1.0
References: <cbcdf187-7606-dfc4-137d-b74f1379fb40@gmx.net> <868B60C8-E9CE-4EDA-836B-268354C857F1@lodderstedt.net>
In-Reply-To: <868B60C8-E9CE-4EDA-836B-268354C857F1@lodderstedt.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 23 Mar 2017 23:00:25 +0000
Message-ID: <CABzCy2CMkCvmktuwmhB7dL+31BCOr9uyUKte1usVvwxuBpxTxw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: hannes.tschofenig@arm.com, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a1140298c5cc119054b6dd851
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DWFJfzq-2Z_LeroC0LO3zxh8uaA>
Subject: Re: [OAUTH-WG] OAuth Agenda
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 23:00:41 -0000

--001a1140298c5cc119054b6dd851
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi

As I wrote in my original mail, I asked for 5 minutes on Monday as I cannot
be in Chicago Friday. I have to be landed in Tokyo on March 31 which is the
last day of the fiscal year so I have to leave Chicago on Thursday. Could
it be adjusted accordingly as well? Also, I am hoping that doing it early
on in the week will facilitate the discussion during the week as it will be
pretty much the first time for the WG to get exposed to it.

Best,

Nat

On Fri, Mar 24, 2017, 4:34 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi Hannes,
>
> I had asked for 5 minutes on Monday (because I want to raise awareness
> with respect to the security draft). Would it be possible to adjust the
> agenda accordingly?
>
> kind regards,
> Torsten (w/o „h“).
>
> > On 21.03.2017 at 15:47, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:
> >
> > Here is the latest snapshot of the agenda:
> > https://datatracker.ietf.org/doc/agenda-98-oauth/
> >
> > Let me know if there are any changes needed.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

--001a1140298c5cc119054b6dd851--


From nobody Fri Mar 24 01:51:28 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 362FF12E76A for <oauth@ietfa.amsl.com>; Fri, 24 Mar 2017 01:51:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level: 
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9ir-O-hrO1H for <oauth@ietfa.amsl.com>; Fri, 24 Mar 2017 01:51:22 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F42E1294E9 for <oauth@ietf.org>; Fri, 24 Mar 2017 01:51:21 -0700 (PDT)
Received: from [192.168.0.14] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 92F9E780333 for <oauth@ietf.org>; Fri, 24 Mar 2017 09:51:18 +0100 (CET)
To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <1f3a6bb2-6312-027c-31fe-87dc355db073@free.fr>
Date: Fri, 24 Mar 2017 09:51:18 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------7A801C84D79569B3A71ACEB4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7EWTC77iKzHGIvLj77s7_PsU6sw>
Subject: [OAUTH-WG] Comments on draft-ietf-oauth-pop-key-distribution-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 08:51:26 -0000

This is a multi-part message in MIME format.
--------------7A801C84D79569B3A71ACEB4
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

I have 2 comments.


1. At the bottom of page 13, the text states:

      Token replay is also not possible since an eavesdropper will also
      have to obtain the corresponding private key or shared secret
      that is bound to the access token.

Saying "Token replay is also not possible" is incorrect, since it is
only true in the case of an eavesdropper. So this case is restricted
to eavesdroppers only: this should be said upfront. Note that this is
the /stealing/ of an access token by an eavesdropper.

Proposed change:

      *Token stealing by an eavesdropper is not possible* since the
      eavesdropper will also have to obtain the corresponding private key
      or shared secret that is bound to the access token.

Since it is important to say first that confidentiality protection is
needed, this sentence should be moved to the next page after the
following sentences:

*The authorization server MUST offer confidentiality protection for
any interactions with the client. This step is extremely important
since the client will obtain the session key from the authorization
server for use with a specific access token. Not using
confidentiality protection exposes this secret (and the access token)
to an eavesdropper thereby making the OAuth 2.0 proof-of-possession
security model completely insecure.*


2. Then the text states:

*Similarly to the security recommendations for the bearer token
specification [12] developers MUST ensure that the ephemeral
credentials (i.e., the private key or the session key) is not leaked
to third parties. An adversary in possession of the ephemeral
credentials bound to the access token will be able to impersonate the
client. Be aware that this is a real risk with many smart phone app
and Web development environments.*

After that text, add:

      Two users can voluntarily agree to use a specific piece of
      software that will allow one user who has legitimately obtained an
      access token to transmit it to another user with the keying
      material, or to transmit it to another user while making the
      appropriate cryptographic computations for the benefit of the
      other user so that this other user can successfully use that
      access token. As soon as someone develops that piece of software
      and makes it publicly available, everybody will be able to use it.

RFC 6819 (OAuth 2.0 Threat Model and Security Considerations), issued in
January 2013, has not identified this threat and hence does not suggest
any means to counter it. Whatever kind of cryptography is being used,
when two users collaborate, a software-only solution will be unable to
prevent the transfer of an attribute of a user that possesses it to
another user that does not possess it. The use of a secure element
simply protecting the confidentiality and the integrity of some secret
key or private key will be ineffective to counter this collusion
attack. Additional functional and security properties are required for
the secure element.

Denis
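
[Added illustration, not part of Denis's message or of the draft: a
minimal symmetric proof-of-possession (PoP) check in Python that walks
through the cases discussed above. It shows why an eavesdropper holding
only the access token cannot use it, that a verbatim replay of a captured
signed request is stopped only by a freshness check on the resource
server, and that a resource server verifies possession of the bound key
rather than who is using it, which is exactly the collusion point Denis
raises. The token format, the AS/RS shared key, the RS-side key store,
the 'cnf'/'kid' layout and the request-signing string are assumptions
made for this example, not the draft's wire format.]

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key shared by the authorization server (AS) and
# resource server (RS) to protect the access token itself. The draft would
# use a JWT/JWE for this; the format is simplified here.
AS_RS_KEY = b"constructed-as-rs-shared-key"

# Constructed RS-side store of session keys, indexed by key id. The AS is
# assumed to deliver each session key to the RS over a confidential channel.
RS_KEY_STORE = {}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pop_token(client_id):
    """AS: mint an access token bound to a fresh symmetric session key.

    Returns (token, session_key). The token carries only the key id in a
    'cnf' claim, never the key itself (assumed layout).
    """
    session_key = secrets.token_bytes(32)
    kid = hashlib.sha256(session_key).hexdigest()[:16]
    RS_KEY_STORE[kid] = session_key
    payload = json.dumps({"client_id": client_id, "cnf": {"kid": kid}}).encode()
    mac = hmac.new(AS_RS_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac), session_key


def sign_request(token, session_key, method, uri, nonce):
    """Client: prove possession of the session key by MACing the request,
    binding method, URI, a fresh nonce and the token together."""
    msg = "\n".join([method, uri, nonce, token]).encode()
    return _b64(hmac.new(session_key, msg, hashlib.sha256).digest())


def verify_request(token, method, uri, nonce, sig, seen_nonces):
    """RS: return 'ok' if the request is acceptable, else a rejection reason."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:
        return "malformed token"
    if not hmac.compare_digest(hmac.new(AS_RS_KEY, payload, hashlib.sha256).digest(), mac):
        return "token not issued by AS"
    key = RS_KEY_STORE.get(json.loads(payload)["cnf"]["kid"])
    if key is None:
        return "unknown key"
    # The possession check: only a holder of the session key can produce this.
    if not hmac.compare_digest(sign_request(token, key, method, uri, nonce), sig):
        return "no proof of possession"
    # Freshness: a captured, correctly signed request must not be accepted twice.
    if nonce in seen_nonces:
        return "replayed request"
    seen_nonces.add(nonce)
    return "ok"


def demo():
    """Run the cases from the discussion and return the RS verdicts."""
    seen = set()
    token, key = issue_pop_token("client-A")
    results = {}

    # 1. Legitimate client: token plus a valid proof.
    n1 = secrets.token_hex(8)
    results["legitimate"] = verify_request(
        token, "GET", "/resource", n1, sign_request(token, key, "GET", "/resource", n1), seen)

    # 2. Eavesdropper holds only the token: cannot compute a valid proof.
    n2 = secrets.token_hex(8)
    results["token_only"] = verify_request(
        token, "GET", "/resource", n2, _b64(b"\x00" * 32), seen)

    # 3. Eavesdropper replays the whole captured request unchanged: the
    #    signature still verifies, so only the nonce check stops it.
    results["full_replay"] = verify_request(
        token, "GET", "/resource", n1, sign_request(token, key, "GET", "/resource", n1), seen)

    # 4. Collusion: the legitimate client hands its session key to someone
    #    else. The RS sees a valid proof and accepts; it verifies possession
    #    of the key, not who is using it.
    n3 = secrets.token_hex(8)
    results["collusion"] = verify_request(
        token, "GET", "/resource", n3, sign_request(token, key, "GET", "/resource", n3), seen)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

Two things to take from the run: the PoP signature alone does not make a
resource server replay-proof (case 3 passes the possession check and is
rejected only by the nonce set), and the possession check says nothing
about whether the key holder is the party the token was issued to (case
4), which is why Denis argues a software-only solution cannot prevent a
cooperative transfer.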




--------------7A801C84D79569B3A71ACEB4
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    </p>
    <p class="MsoNormal" style="margin-top:6.0pt">
      <meta name="ProgId" content="Word.Document">
      <meta name="Generator" content="Microsoft Word 9">
      <meta name="Originator" content="Microsoft Word 9">
      <link rel="File-List"
href="file:///C:/Users/Denis/AppData/Local/Temp/msoclip1/01/clip_filelist.xml">
      <!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
  <w:Zoom>0</w:Zoom>
  <w:HyphenationZone>21</w:HyphenationZone>
  <w:DoNotOptimizeForBrowser/>
 </w:WordDocument>
</xml><![endif]-->
      <style>
<!--
 /* Font Definitions */
@font-face
	{font-family:Courier;
	panose-1:0 0 0 0 0 0 0 0 0 0;
	mso-font-charset:0;
	mso-generic-font-family:modern;
	mso-font-format:other;
	mso-font-pitch:fixed;
	mso-font-signature:3 0 0 0 1 0;}
 /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0cm;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
p.p1a, li.p1a, div.p1a
	{mso-style-name:p1a;
	mso-style-next:Normal;
	margin:0cm;
	margin-bottom:.0001pt;
	text-align:justify;
	line-height:12.0pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";
	mso-ansi-language:EN-US;
	mso-fareast-language:X-NONE;}
@page Section1
	{size:595.3pt 841.9pt;
	margin:70.85pt 70.85pt 70.85pt 70.85pt;
	mso-header-margin:35.4pt;
	mso-footer-margin:35.4pt;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
--></style>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:Arial;mso-ansi-language:
          EN-US" lang="EN-US">I have 2 comments. <br>
        </span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:Arial;mso-ansi-language:
          EN-US" lang="EN-US"><br>
        </span></p>
      <span style="font-family:Arial;mso-ansi-language:
        EN-US" lang="EN-US">1.<!--[endif]--></span><span
        style="font-family:
        Arial;mso-ansi-language:EN-US" lang="EN-US"> <span
          style="mso-spacerun:
          yes">&nbsp;</span>At the bottom of page 13, the text states:
        <!--[endif]--><o:p></o:p></span>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp; Token replay
          is also not possible since an
          eavesdropper will also have to obtain the corresponding
          private key or shared
          secret <br>
          &nbsp;&nbsp;&nbsp;&nbsp; that is bound to the access token.</span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">Saying "</span><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US"><span
            style="font-family:
            Arial;mso-ansi-language:EN-US" lang="EN-US">Token replay is
            also not possible" is incorrect, since it is only true in
            the case of an eavesdropper. So t</span>his case is
          restricted <br>
          to eavesdroppers only: this should be said upfront. Note that
          this is the <i>stealing </i>of an access token by an
          eavesdropper.
          <!--[endif]--><o:p></o:p></span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">Proposed change: <o:p></o:p></span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><b><span
            style="font-family:Arial;mso-ansi-language:EN-US"
            lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp; <font color="#3333ff">Token stealing by
              an
              eavesdropper is not possible</font></span></b><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US"> since the
          eavesdropper will also have to obtain
          the corresponding private key <br>
          &nbsp;&nbsp;&nbsp;&nbsp; or shared secret that is bound to the access
          token.</span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">Since it is
          important to say first that
          confidentiality protection is needed, this sentence should be
          moved on the next
          page after the following sentences:&nbsp;
          <!--[endif]--><o:p></o:p></span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><b><span
style="font-family:Courier;mso-bidi-font-family:Arial;mso-ansi-language:EN-US"
            lang="EN-US"><span style="mso-spacerun: yes">&nbsp;&nbsp; </span>The
            authorization server MUST offer
            confidentiality protection for<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>any interactions
            with the client.<span style="mso-spacerun: yes">&nbsp; </span>This
            step is extremely important<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>since the client
            will obtain the session
            key from the authorization<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>server for use
            with a specific access
            token.<span style="mso-spacerun: yes">&nbsp; </span>Not using<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>confidentiality
            protection exposes this
            secret (and the access token)<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>to an
            eavesdropper thereby making the OAuth
            2.0 proof-of-possession<br>
            <span style="mso-spacerun: yes">&nbsp;&nbsp; </span>security model
            completely insecure.<o:p></o:p></span></b></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:Arial;mso-ansi-language:EN-US" lang="EN-US"><br>
          2.</span><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US"> &nbsp;Then the text states:
          </span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><b><span
            style="font-family:&quot;Courier
            New&quot;;mso-ansi-language:EN-US" lang="EN-US">&nbsp;&nbsp; Similarly to the
            security recommendations
            for the bearer token<br>
            &nbsp;&nbsp; specification
            [12] developers MUST ensure
            that the ephemeral<br>
            &nbsp;&nbsp; credentials
            (i.e., the private key or the
            session key) is not leaked<br>
            &nbsp;&nbsp; to third parties.&nbsp; An adversary in possession of the ephemeral<br>
            &nbsp;&nbsp; credentials bound
            to the access token will
            be able to impersonate the<br>
            &nbsp;&nbsp; client.&nbsp; Be aware that this is a real risk with many smart
            phone app<br>
            &nbsp;&nbsp; and Web
            development environments.</span></b></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><span
          style="font-family:
          Arial;mso-ansi-language:EN-US" lang="EN-US">After that text,
          add:</span><br>
      </p>
      <span style="mso-bidi-font-size:
        10.0pt;font-family:Arial;mso-ansi-language:EN-US" lang="EN-US"><br>
        <font color="#3333ff">&nbsp;&nbsp;&nbsp;&nbsp; Two users can voluntarily
          agree to use a specific piece of software that will allow one
          user who has
          legitimately obtained an access token <br>
          &nbsp;&nbsp;&nbsp;&nbsp; to transmit it to another user with the
          keying material or to transmit it to another user while making
          the appropriate
          cryptographic computations <br>
          &nbsp;&nbsp;&nbsp;&nbsp; for the benefit of the other user so that this other
          user can successfully use that access token. </font></span><font
        face="Arial" color="#3333ff">As soon as someone develops
        that piece <br>
        &nbsp;&nbsp;&nbsp; of software and makes it publicly available, everybody will
        be able to use it.</font><br>
    </p>
    <p><font color="#3333ff">
      </font>
      <p class="MsoNormal"
        style="margin-top:6.0pt;mso-margin-bottom-alt:auto"><font
          color="#3333ff"><span style="font-family: Arial;" lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;
            RFC
            6819 (OAuth 2.0 Threat Model and Security Considerations)
            issued in January
            2013 has not identified this threat and hence does not
            suggest <br>
            &nbsp;&nbsp;&nbsp;&nbsp; any means to
            counter it.</span></font><span
          style="font-size:12.0pt;font-family:Arial;mso-fareast-font-family:
          &quot;Times New
Roman&quot;;mso-ansi-language:EN-US;mso-fareast-language:FR;mso-bidi-language:AR-SA"
          lang="EN-US"><font color="#3333ff"> Whatever kind of
            cryptography is being used, when two users
            collaborate, a software-only solution will be unable to
            prevent <br>
            &nbsp;&nbsp;&nbsp;&nbsp; the transfer of
            an attribute of a user that possesses it to another user that
            does not possess it.
            </font><span style="color:black"><font
              color="#3333ff">The use of a secure element simply
              protecting the confidentiality <br>
              &nbsp;&nbsp;&nbsp;&nbsp; and the integrity of some secret key or private
              key will be ineffective to counter this collusion attack.
              Additional
              functional and security properties are required <br>
              &nbsp;&nbsp;&nbsp;&nbsp; for the secure element. </font></span></span></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><font face="Arial">Denis</font></p>
      <p class="MsoNormal" style="margin-top:6.0pt"><br>
      </p>
    </p>
    <p><br>
    </p>
  </body>
</html>

--------------7A801C84D79569B3A71ACEB4--


From nobody Fri Mar 24 09:15:31 2017
Return-Path: <dave.tonge@bluespeckfinancial.co.uk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 24 Mar 2017 16:15:05 +0000
Message-ID: <CAP-T6TSUm=-UQnp8XrjqUs71R7zHkO43ajuOFiJB20ovx_7Xkw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a114ac87e292809054b7c4d04
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cbiUriAyUFmLcCtLD4-GhyVbLpw>
Subject: [OAUTH-WG] JWT Secured Authorization Request: Inconsistencies with request_uri

--001a114ac87e292809054b7c4d04
Content-Type: text/plain; charset=UTF-8

Hi Nat and John

I have some questions re the JWT Secured Authorization Request spec
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-12

*1. Does the request_uri always have to be a URL? *
If the request object is hosted by the client then it makes sense, but if
10.3.d is followed and the AS provides an endpoint where the client can
exchange a request object for a "Request Object URI" then it would seem
acceptable for that URI to be a URN. Only the AS would need to be able to
fetch the request object and therefore there would be no need for the
request object to be made available via https.

*2. Should the mechanism described in 10.3.d be explained in 5.2?*
I think that 10.3.d could be widely used as it solves a number of problems
- however it is currently not clearly defined in either OIDC Core
or jwsreq.

*3. The spec seems inconsistent on the use of HTTPS*
Subject to any discussion re request_uris always being urls, there seems to
be an inconsistency between 5.2 and 5.2.1

5.2:

 The scheme used in the "request_uri" value *MUST be "https",
   unless* the target Request Object is signed in a way that is
   verifiable by the Authorization Server.


5.2.1

The Client stores the Request Object resource either locally or
   remotely at a URL the Authorization Server can access.  *The URL MUST
   be HTTPS URL*.  This URL is the Request Object URI, "request_uri".



Thanks

-- 
Dave Tonge
CTO, Momentum Financial Technology

--001a114ac87e292809054b7c4d04--


From nobody Fri Mar 24 10:14:33 2017
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Content-Type: multipart/alternative; boundary=Apple-Mail-C469E3F2-7BCD-4717-BA67-3A027445242C
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manicode.com>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <CAP-T6TSUm=-UQnp8XrjqUs71R7zHkO43ajuOFiJB20ovx_7Xkw@mail.gmail.com>
Date: Fri, 24 Mar 2017 10:14:19 -0700
Cc: oauth@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <9CDF68D5-B041-4E58-BFFE-F1F8A48640E9@manicode.com>
References: <CAP-T6TSUm=-UQnp8XrjqUs71R7zHkO43ajuOFiJB20ovx_7Xkw@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tzC9I1FICwbrFLW4eFTp1i6P-5A>
Subject: Re: [OAUTH-WG] JWT Secured Authorization Request: Inconsistencies with request_uri

--Apple-Mail-C469E3F2-7BCD-4717-BA67-3A027445242C
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

From a security POV please force HTTPS as we see in 5.2.1. The only performance problem with HTTPS is that it's not used enough. There is no good reason for a security framework to support HTTP.

Aloha,
Jim

> On Mar 24, 2017, at 9:15 AM, Dave Tonge <dave.tonge@momentumft.co.uk> wrote:
> 
> Hi Nat and John
> 
> I have some questions re the JWT Secured Authorization Request spec
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-12
> 
> 1. Does the request_uri always have to be a URL?
> If the request object is hosted by the client then it makes sense, but if 10.3.d is followed and the AS provides an endpoint where the client can exchange a request object for a "Request Object URI" then it would seem acceptable for that URI to be a URN. Only the AS would need to be able to fetch the request object and therefore there would be no need for the request object to be made available via https.
> 
> 2. Should the mechanism described in 10.3.d be explained in 5.2?
> I think that 10.3.d could be widely used as it solves a number of problems - however it is currently not clearly defined in either OIDC Core or jwsreq.
> 
> 3. The spec seems inconsistent on the use of HTTPS
> Subject to any discussion re request_uris always being urls, there seems to be an inconsistency between 5.2 and 5.2.1
> 
> 5.2:
>  The scheme used in the "request_uri" value MUST be "https",
>    unless the target Request Object is signed in a way that is
>    verifiable by the Authorization Server.
> 
> 5.2.1
> The Client stores the Request Object resource either locally or
>    remotely at a URL the Authorization Server can access.  The URL MUST
>    be HTTPS URL.  This URL is the Request Object URI, "request_uri".
> 
> 
> Thanks
> 
> -- 
> Dave Tonge
> CTO, Momentum Financial Technology
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail-C469E3F2-7BCD-4717-BA67-3A027445242C--
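The two positions in the exchange above (Dave's questions 1 and 3: an AS-issued "Request Object URI" from 10.3.d need not be fetchable over https, while 5.2 and 5.2.1 disagree on whether https is mandatory; Jim's reply: force https) can be reconciled on the AS side by treating the two kinds of request_uri differently. The following is an added example, not code from the jwsreq draft, OIDC Core or either author: identifiers the AS issued itself are resolved from the AS's own store and never fetched, while anything else must be an https URL (plain http is refused, as Jim asks). The `urn:example:request_uri:` prefix, the in-memory stores, the per-client pre-registration of remote URLs, the 60-second lifetime and every helper name are assumptions of this example and not something the draft defines.

```python
"""AS-side validation of the "request_uri" authorization request parameter.

Added example (not from the jwsreq draft or any list participant). An
AS-issued URN (the 10.3.d exchange Dave describes) is resolved locally and
never fetched; a remote reference must be https, never http (Jim's point).
The URN prefix, stores, pre-registration check and helper names are
assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit
import secrets
import time

# Assumed namespace for AS-issued identifiers; the draft does not define one.
ISSUED_PREFIX = "urn:example:request_uri:"


class RequestUriError(ValueError):
    """Raised when a request_uri is rejected; the message states the reason."""


@dataclass
class IssuedRequestObject:
    client_id: str        # client that pushed the request object
    request_object: str   # the (signed) JWT the client pushed
    expires_at: float     # absolute time after which the URN is dead


@dataclass
class RequestUriPolicy:
    # Identifiers this AS handed out via a 10.3.d-style exchange (constructed store).
    issued: Dict[str, IssuedRequestObject] = field(default_factory=dict)
    # Per-client allow-list of remote https URLs (assumption of this example: the AS
    # only fetches URLs it knows in advance, not anything a request happens to name).
    registered: Dict[str, Set[str]] = field(default_factory=dict)
    ttl_seconds: int = 60

    def issue(self, client_id: str, request_object: str, now: Optional[float] = None) -> str:
        """10.3.d path: store the pushed request object, return an opaque one-time URN."""
        now = time.time() if now is None else now
        uri = ISSUED_PREFIX + secrets.token_urlsafe(32)   # unguessable handle
        self.issued[uri] = IssuedRequestObject(client_id, request_object, now + self.ttl_seconds)
        return uri

    def classify(self, request_uri: str) -> str:
        """Return "issued" for an AS-issued URN or "remote" for an https URL; reject all else."""
        parts = urlsplit(request_uri)
        if parts.scheme == "urn":
            if request_uri.startswith(ISSUED_PREFIX):
                return "issued"
            raise RequestUriError("urn is not an identifier issued by this AS")
        if parts.scheme == "https" and parts.netloc and not parts.fragment:
            return "remote"
        # http, file, data, scheme-less or fragment-bearing values are never fetched.
        raise RequestUriError(
            f"request_uri must be an https URL without a fragment, got scheme {parts.scheme or '<none>'}")

    def resolve(self, client_id: str, request_uri: str, now: Optional[float] = None) -> str:
        """Return the request object (or a fetch sentinel) for this client, else raise.

        Issued URNs are bound to the client that pushed them, time-limited and
        consumed on first use (also when the wrong client presents them, so a
        leaked handle cannot be probed). Remote URLs are accepted only when
        pre-registered for the client; the HTTPS fetch itself and the signature
        check of what comes back are left to the caller ("FETCH:<url>" sentinel).
        """
        now = time.time() if now is None else now
        if self.classify(request_uri) == "issued":
            entry = self.issued.pop(request_uri, None)   # pop: one-time use
            if entry is None:
                raise RequestUriError("unknown or already consumed request_uri")
            if entry.client_id != client_id:
                raise RequestUriError("request_uri was issued to a different client")
            if now > entry.expires_at:
                raise RequestUriError("request_uri has expired")
            return entry.request_object
        if request_uri not in self.registered.get(client_id, set()):
            raise RequestUriError("remote request_uri is not pre-registered for this client")
        return "FETCH:" + request_uri


def rejection_reason(policy: RequestUriPolicy, client_id: str, request_uri: str,
                     now: Optional[float] = None) -> Optional[str]:
    """The reason a request_uri is rejected, or None when it is accepted."""
    try:
        policy.resolve(client_id, request_uri, now)
        return None
    except RequestUriError as exc:
        return str(exc)


if __name__ == "__main__":
    policy = RequestUriPolicy(registered={"client-a": {"https://client-a.example/ro/1"}})
    urn = policy.issue("client-a", "eyJhbGciOiJSUzI1NiJ9.e30.sig", now=1000.0)  # constructed JWT
    print(urn, "->", policy.resolve("client-a", urn, now=1001.0))
    for candidate in ("http://client-a.example/ro/1", "https://client-a.example/ro/1", urn):
        print(candidate, "->", rejection_reason(policy, "client-a", candidate, now=1002.0))
```

The design choice worth noting is that the AS never has to relax the https rule to support the URN case: an issued identifier carries nothing to fetch, so the "MUST be https" requirement of 5.2.1 applies unchanged to every value the AS would actually dereference, and the second use of an issued URN fails even before the client binding and lifetime are checked.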


From nobody Sun Mar 26 09:37:36 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
MIME-Version: 1.0
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr>
In-Reply-To: <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr>
From: Nat Sakimura <sakimura@gmail.com>
Date: Sun, 26 Mar 2017 16:37:18 +0000
Message-ID: <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>, oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a1140298cb038ef054ba4d70a
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Hkl5Bk_n11BCqUl_rwcLAFmbu4I>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98

--001a1140298cb038ef054ba4d70a
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Denis,

Thanks.

Is it possible to file these separately at
https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&status=open so
that each issue can be closed separately? (You need to log in to bitbucket
to do so.) A pull request would be nice, too, but we are going to do a bit of
surgery on the spec as of now, so it might be wise to wait till after that
to avoid conflicts.

Also, it is not yet a WG document so please support it becoming one.

Best,

Nat Sakimura

On Wed, Mar 22, 2017 at 5:15 AM Denis <denis.ietf@free.fr> wrote:

> Hi Nat,
>
>
> I have several comments on draft-sakimura-oauth-jpop-01 related to
> security or privacy.
>
>
> 1. The abstract states:
>
> Only the party in possession of a corresponding cryptographic key with the
> Jpop token can use it to get access
> to the associated resources unlike in the case of the bearer token
> described in [RFC6750] where any party
> in possession of the access token can access the resource.
>
> This is incorrect.
>
> Replace with:
>
> Any party able to use a corresponding private cryptographic key with the
> Jpop token can use it to get access
> to the associated resources unlike in the case of the bearer token
> described in [RFC6750] where any party
> in possession of the access token can access the resource.
>
>
>
> 2. In section 3, the text states:
>
>   aud  The identifier of the resource server.
>
> According to the content of RFC 7800:
>
> The "aud" (audience) claim identifies the recipients that the JWT is
> intended for. The interpretation of audience values is application specific.
>
> Replace with:
>
>   aud  The recipients that the JWT is intended for (the interpretation of
> audience values is application specific).
>
>
>
> 3. In section 3, the text states:
>
> cnf  The confirmation method.
>
>    Their semantics are defined in [RFC7519] and [RFC7800]
>
>
> This is incorrect: cnf is neither defined in [RFC7519] nor in [RFC7800].
>
>
>
> 4. In section 6.2, the text states:
>
> For this, the following steps are taken:
>
>    1.  The client prepares a nonce.
>
>    2.  The client creates JWS compact serialization over the nonce
> JSON Web Token Claims are listed at:
> https://www.iana.org/assignments/jwt/jwt.xhtml
>
> "nonce" has not been defined by the IANA, but is mentioned in OpenID
> Connect Core 1.0 incorporating errata set 1. It is described as :
>
>
>
> nonce
>
> String value used to associate a Client session with an ID Token, and to
> mitigate replay attacks. The value is passed through
> unmodified from the Authentication Request to the ID Token. If present in
> the ID Token, Clients MUST verify that the nonce
> Claim Value is equal to the value of the nonce parameter sent in the
> Authentication Request. If present in the Authentication Request,
> Authorization Servers MUST include a nonce Claim in the ID Token with the
> Claim Value being the nonce value sent in the Authentication Request.
> Authorization Servers SHOULD perform no other processing on nonce values
> used. The nonce value is a case sensitive string.
>
>
>
> I have several observations:
>
> a)     there is some difficulty to mandate the use of a parameter that is
> not registered by IANA.
>
> b)     the further processing of the nonce is not indicated in the text
>
> c)  The last sentence from the above description states: "Authorization
> Servers SHOULD perform no other processing on nonce values used"
> There is a practical problem with such a sentence since Authorization
> Servers would need to remember nonces for ever.
> Either that sentence should be deleted or the nonce shall be only used
> with a UTC time parameter included in the Authentication Request.
>
> In any case, the definition of a nonce as specified in OpenID Connect
> Core 1.0 incorporating errata set 1 should not be used and another
> parameter
> (e.g. rdn for random) should be defined and registered by IANA and used in
> combination with a UTC time parameter included in the Authentication
> Request.
> In this way, only the rdn received during the last X minutes will need to
> be remembered by the Authorization Servers.
>
>
> 5. The title of section 9.1 is: "Certificate validation"
>
> Change the title of this section into :
>
> "9.1. Common Name Constrained Token"
>
>
>
> 6. In section 9.1, the text states:
>
> The "cn" JWT confirmation method relies its security property on the
>
>    X.509 client certificate authentication.
>
> Replace with:
>
> The "cn" JWT confirmation method relies its security property by the
> inclusion of the Common Name (CN)
> that is part of the Distinguished Name (DN) of an X.509 certificate. The
> JWT is linked to the common name
> included in the certificate. Such a method is not privacy friendly since
> it allows an easy linkage between
> all the accounts of a given user on different resource servers.
>
>
>
> 7. Add a new section 9.2 to deal with the case of the cid.
>
> Proposed text:
>
> 9.2. Client ID Constrained Token
>
> The "cid" JWT confirmation method relies its security property on the
> assumption that the cid legitimately
> used by one server cannot be used by another user. It also relies on the
> assumption that the authentication data
> associated with "cid" combined with the "iss" will only be used by the
> legitimate user. This method is ineffective
> in case of a collusion between two users, since one user can perform all
> the computations needed by the other user.
>
>
>
> 8. In section 9.2, the text states:
>
> The client's secret key must be kept securely. Otherwise, the notion of
> PoP breaks down.
>
> The PKIX group from the IETF is using the vocabulary private key / public
> key when asymmetric cryptography is being used
> and secret key when symmetric algorithms are being used (let us call a
> spade a spade).
>
> However, keeping a client's private key securely is not the right wording
> either. If the key is kept securely in a secure element
> (e.g. smart card), this is not enough, since the holder of the secure
> element may use this key for himself ... or worse for the benefit of
> someone else.
>
> Proposed change :
>
> 9.3. Key Constrained Token
>
> This method has four variants.
>
> When the JWT contains a jwk, the JWT confirmation method relies its
> security property on the assumption that the private key
> associated with the public key contained in the access token will only be
> used by the legitimate user. In order to avoid an easy linkage
> between user's accounts, this method presents the advantage that the key
> pair can be changed for every JWT. However, this method
> is ineffective in case of a collusion between two users, since one user
> can perform all the computations needed by the other user.
>
> When the JWT contains a jwkt#s256, the server must have a prior knowledge
> of the public key and the method relies its security property
> on the assumption that the private key associated with the public key
> contained in the access token will only be used by the legitimate user.
> Hence, this method is ineffective in case of a collusion between two
> users, since one user can perform all the computations needed
> by the other user.
>
> When the JWT contains a x5t#s256, the server must have a prior knowledge
> of the public key certificate. The JWT is then linked to a hash value
> of a certificate included in the JWT. The server knows a unique identifier
> of the user. Such a method is not privacy friendly since it allows
> an easy linkage between all the accounts of a given user on different
> resource servers.
>
> When the JWT contains a jwe, the JWT confirmation method relies its
> security property on the assumption that the secret key included
> in the JWT will only be used by the legitimate user. In order to avoid an
> easy linkage between user's accounts, this method presents
> the advantage that the secret key can be changed for every JWT. However,
> this method is ineffective in case of a collusion between two users,
> since one user can perform all the computations needed by the other user.
>
>
>
> 9. The text states in section 9.3:
>
> 9.3.  Audi*a*nce Restriction
>
> When using the signature method the client must specify to the AS the aud
> it intends to send the token to, so that it can be included in the AT.
>
> A malicious RS could receive a AT with no aud or a logical audience and
> then replay the AT and jws-on-nonce to the actual server.
>
>
> Proposed change in order to address privacy concerns :
>
> 9.4.  Audi*e*nce Restriction
>
> When using the signature method, the client must specify to the AS the aud
> it intends to send the token to, so that it can be included in the AT.
>
> RFC 7800 states that the interpretation of audience values is application
> specific. If a fixed value is being used, e.g. a URL of the server,
> then the authorization server can easily know where the access tokens will
> be used and thus is in a position to act as Big Brother.
> It is thus recommended to use a different value in the aud claims for each
> access token that contains no semantics in it but that the resource server
> can easily recognize.
>
> If a malicious RS receives an AT with no aud or a logical audience in it
> then it can replay the AT and jws-on-nonce to another server.
>
>  Denis
>
>
> HI Chairs,
>
> I would also like to ask 5 min. on Monday (as I cannot be on Friday) for
> The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].
>
> [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
>
> It is capturing strong and rather urgent demands from the financial sector
> and would be great if it can be considered in the WG.
>
> Best,
>
> Nat Sakimura
>
> On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com> wrote:
>
> hi Torsten,
>
> good one. I personally am looking forward to seeing this particular
> document find its way.
>
> IMHO this is something much needed.
>
> regards
>
> antonio
>
> On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
> Hi Chairs,
>
> I would like to request 5 minutes on Monday to briefly present the status
> of the security document. This is mainly to raise awareness in the group
> since I didn't get that much input on it since Seoul.
>
> kind regards,
> Torsten.
>
> Am 18.03.2017 um 01:52 schrieb Mike Jones <Michael.Jones@microsoft.com>:
>
> Hi Chairs,
>
> I'd like to request that the following presentations be added to the
> agenda:
>
> OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15
> minutes
> OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike
> Jones - 15 minutes
>
> I'd also talked with Brian Campbell and I think he wants to lead this
> discussion, in part based on his implementation experience:
>
> OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30
> minutes
>
> (Brian may suggest a different amount of time)
>
> I agree that William Dennis should present about the OAuth Device Flow
> (draft-ietf-oauth-device-flow).
>
> For completeness, I don't think a presentation is needed about OAuth AMR
> Values (draft-ietf-oauth-amr-values) because it's now completed its IESG
> review.
>
> I'll look forward to seeing many of you in just over a week!
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] On
> Behalf Of "IETF Secretariat"
> Sent: Friday, March 3, 2017 3:55 PM
> To: oauth-chairs@ietf.org; smccammon@amsl.com
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for
> IETF 98
>
> Dear Stephanie McCammon,
>
> The session(s) that you have requested have been scheduled.
> Below is the scheduled session information followed by the original
> request.
>
> oauth Session 1 (2:30:00)
>   Friday, Morning Session I 0900-1130
>   Room Name: Zurich C size: 100
>   ---------------------------------------------
>   oauth Session 2 (1:00:00)
>   Monday, Afternoon Session III 1710-1810
>   Room Name: Zurich C size: 100
>   ---------------------------------------------
>
>
>
> Request Information:
>
>
> ---------------------------------------------------------
> Working Group Name: Web Authorization Protocol
> Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 2
> Length of Session(s): 2.5 Hours, 1 Hour
> Number of Attendees: 50
> Conflicts to Avoid:
> First Priority: saag core tls tokbind
>
>
>
>
> People who must be present:
> Hannes Tschofenig
> Kathleen Moriarty
> Derek Atkins
>
> Resources Requested:
> Projector in room
>
> Special Requests:
> Please avoid conflict with sec area BoFs.
> ---------------------------------------------------------
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
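
Denis's points 4(c) and 9 above both come down to what a resource server has to check before honouring a PoP token: that the access token names this server as its audience, that the proof was made with the key the token is bound to, and that a proof cannot be presented twice without the server having to remember nonces forever. The following is an added example of those checks and is not code from draft-sakimura-oauth-jpop-01 or from anyone on this thread. It uses only the Python standard library, so the JWS algorithm is HS256 with a symmetric "oct" client key rather than the asymmetric keys the draft is mainly concerned with. The confirmation member name "jwkt#s256" is taken from Denis's quotation of the draft; reading it as the RFC 7638 thumbprint of a key the RS already knows is my assumption. The AS/RS shared secret, the proof claim set {"nonce", "iat"}, the 300-second window, the host names and every function and class name are likewise constructed for the example.

```python
"""Resource-server checks for a JWT proof-of-possession (PoP) access token.

Added example, not code from draft-sakimura-oauth-jpop-01 or from anyone on
this thread.  Standard library only, so the JWS algorithm is HS256 and the
client key is a symmetric "oct" JWK.  Assumed, not taken from the draft: the AS
and RS share as_key for the access token; the AT's "cnf" member "jwkt#s256"
(name as quoted from the draft by Denis) is the RFC 7638 thumbprint of a client
key the RS already knows; the proof is a compact JWS over {"nonce", "iat"}; and
nonces are remembered only for a fixed window, as Denis proposes in 4(c).
"""
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) over a JSON claims object."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(mac)}"

def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its claims; the verifier pins the alg."""
    header, payload, sig = token.split(".")
    if json.loads(b64u_dec(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(payload))

def jwk_thumbprint_oct(key: bytes) -> str:
    """RFC 7638: SHA-256 of the required members ("k", "kty"), sorted, no whitespace."""
    canon = json.dumps({"k": b64u(key), "kty": "oct"}, separators=(",", ":"), sort_keys=True)
    return b64u(hashlib.sha256(canon.encode()).digest())

class ResourceServer:
    def __init__(self, rs_id: str, as_key: bytes, client_keys: dict, window: int = 300):
        self.rs_id, self.as_key, self.window = rs_id, as_key, window
        self.client_keys = client_keys  # thumbprint -> key, known in advance
        self.seen = {}                  # nonce -> iat, pruned to the window

    def verify(self, access_token: str, proof: str, now: float) -> dict:
        at = jws_verify_hs256(access_token, self.as_key)
        if at.get("exp", 0) <= now:
            raise ValueError("access token expired")
        # Audience restriction (Denis's point 9): an AT with no "aud", or one
        # naming another server, is rejected instead of being accepted and replayed.
        aud = at.get("aud")
        if self.rs_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        # Key confirmation: the RS must already hold the key behind the thumbprint.
        client_key = self.client_keys.get(at.get("cnf", {}).get("jwkt#s256"))
        if client_key is None:
            raise ValueError("unknown confirmation key")
        pf = jws_verify_hs256(proof, client_key)
        iat, nonce = pf.get("iat"), pf.get("nonce")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.window:
            raise ValueError("proof outside time window")
        # Replay cache bounded by the window, so nonces need not be kept forever.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            raise ValueError("nonce replayed")
        self.seen[nonce] = iat
        return at

def demo() -> dict:
    """Run the checks against constructed tokens; one outcome string per scenario."""
    as_key = b"constructed AS-to-RS shared secret"
    client_key = secrets.token_bytes(32)
    thumb = jwk_thumbprint_oct(client_key)
    now = 1_490_000_000  # fixed clock so the run is repeatable
    rs_a = ResourceServer("https://rs-a.example", as_key, {thumb: client_key})
    rs_b = ResourceServer("https://rs-b.example", as_key, {thumb: client_key})
    cnf = {"jwkt#s256": thumb}
    at = jws_hs256({"iss": "https://as.example", "aud": rs_a.rs_id, "exp": now + 600, "cnf": cnf}, as_key)
    at_no_aud = jws_hs256({"iss": "https://as.example", "exp": now + 600, "cnf": cnf}, as_key)
    proof = jws_hs256({"nonce": b64u(secrets.token_bytes(16)), "iat": now}, client_key)
    stale = jws_hs256({"nonce": b64u(secrets.token_bytes(16)), "iat": now - 3600}, client_key)

    def attempt(rs, token, prf, when):
        try:
            rs.verify(token, prf, when)
            return "accepted"
        except ValueError as err:
            return str(err)

    return {
        "fresh": attempt(rs_a, at, proof, now),
        "replay": attempt(rs_a, at, proof, now + 1),     # same proof presented again
        "other_rs": attempt(rs_b, at, proof, now),       # AT and proof replayed to rs-b
        "no_aud": attempt(rs_a, at_no_aud, proof, now),  # AT that names no audience
        "stale": attempt(rs_a, at, stale, now),          # proof an hour outside the window
    }
```

Running demo() accepts the fresh proof once, then rejects the same proof as a replay, rejects the token at a server it was not issued for or when it carries no aud at all, and rejects a proof whose iat lies outside the window. Because the cache is pruned to that window, the server's nonce memory stays bounded in the way Denis asks for. In a real deployment the client key would be asymmetric and only its public half or thumbprint would appear in the token; the verification order (signature, expiry, audience, key confirmation, then freshness and replay) does not change.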

--001a1140298cb038ef054ba4d70a
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Denis,=C2=A0<div><br></div><div>Thanks.=C2=A0<div><br><=
/div><div>Is it possible to file these separately at=C2=A0<a href=3D"https:=
//bitbucket.org/Nat/oauth-rjwtprof/issues?status=3Dnew&amp;status=3Dopen">h=
ttps://bitbucket.org/Nat/oauth-rjwtprof/issues?status=3Dnew&amp;status=3Dop=
en</a>=C2=A0so that each issue=C2=A0can be closed separately? (You need to =
login to bitbucket to do so.) Pull request would be nice, too, but we are g=
oing to do a bit of surgery on the spec as of now, so it might be wise to w=
ait till after that to avoid conflicts.=C2=A0</div></div><div><br></div><di=
v>Also, it is not yet a WG document so please support it become one.=C2=A0<=
/div><div><br></div><div>Best,=C2=A0</div><div><br></div><div>Nat Sakimura<=
/div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Wed, Mar 22, =
2017 at 5:15 AM Denis &lt;<a href=3D"mailto:denis.ietf@free.fr">denis.ietf@=
free.fr</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
 =20
   =20
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
    <div class=3D"m_-6515445798692939327moz-cite-prefix gmail_msg">
     =20
     =20
     =20
     =20
     =20
     =20
      </div>
   =20
   =20
   =20
   =20
   =20
   =20
   =20
   =20
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Hi Nat,</span></p=
>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><br class=3D"gmai=
l_msg">
      </span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">I have several
        comments on draft-sakimura-oauth-jpop-01 related to security or
        privacy.</span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><br class=
=3D"gmail_msg">
      <span style=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        <u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">1.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        The abstract states:<u class=3D"gmail_msg"></u><u class=3D"gmail_ms=
g"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Only the party i=
n
        possession of a corresponding
        cryptographic key with the Jpop token can use it to get access <br =
class=3D"gmail_msg">
        to the
        associated resources unlike in the case of the bearer token
        described in
        [RFC6750] where any party <br class=3D"gmail_msg">
        in possession of the access token can access the
        resource.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></sp=
an></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">This is incorrect=
.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Replace with:<u c=
lass=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Any party able t=
o
        use a corresponding private
        cryptographic key with the Jpop token can use it to get access <br =
class=3D"gmail_msg">
        to the
        associated resources unlike in the case of the bearer token
        described in
        [RFC6750] where any party <br class=3D"gmail_msg">
        in possession of the access token can access the
        resource.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></sp=
an></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">2.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        In section 3, the text
        states:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0
        </span>aud<span class=3D"gmail_msg">=C2=A0 </span>The
        identifier of the
        resource server.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"><=
/u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">According to the
        content of RFC 7800:<u class=3D"gmail_msg"></u><u class=3D"gmail_ms=
g"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The &quot;aud&qu=
ot; (audience)
        claim identifies
        the recipients that the JWT is intended for. The interpretation
        of audience
        values is application specific.<u class=3D"gmail_msg"></u><u class=
=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Replace with:<u c=
lass=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0
        </span>aud<span class=3D"gmail_msg">=C2=A0 </span>The
        recipients that the JWT
        is intended for (the interpretation of audience values is
        application
        specific).<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></s=
pan></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=
=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">3.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        In section 3, the text
        states: <u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></spa=
n></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">cnf<span class=
=3D"gmail_msg">=C2=A0 </span>The
        confirmation method.<u class=3D"gmail_msg"></u><u class=3D"gmail_ms=
g"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0=C2=A0 </span>Their
        semantics are defined in [RFC7519] and [RFC7800]<u class=3D"gmail_m=
sg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><br class=3D"gmai=
l_msg">
        This is incorrect: cnf is neither defined in
        [RFC7519] nor in [RFC7800].<u class=3D"gmail_msg"></u><u class=3D"g=
mail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">4.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        In section 6.2, the text
        states:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">For this, the
        following steps are taken:<u class=3D"gmail_msg"></u><u class=3D"gm=
ail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0=C2=A0
        </span>1.<span class=3D"gmail_msg">=C2=A0 </span>The client
        prepares a nonce.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg">=
</u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0=C2=A0
        </span>2.<span class=3D"gmail_msg">=C2=A0 </span>The client
        creates JWS
        compact serialization over the nonce<u class=3D"gmail_msg"></u><u c=
lass=3D"gmail_msg"></u></span></p>
    <h2 class=3D"gmail_msg"><span style=3D"font-size:12.0pt;font-family:Ari=
al;font-weight:normal" lang=3D"EN-GB" class=3D"gmail_msg">JSON Web Token
        Claims are listed at: <span style=3D"color:blue" class=3D"gmail_msg=
"><a class=3D"m_-6515445798692939327moz-txt-link-freetext gmail_msg" href=
=3D"https://www.iana.org/assignments/jwt/jwt.xhtml" target=3D"_blank">https=
://www.iana.org/assignments/jwt/jwt.xhtml</a></span><u class=3D"gmail_msg">=
</u><u class=3D"gmail_msg"></u></span></h2>
    <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Arial" lang=
=3D"EN-GB" class=3D"gmail_msg">&quot;nonce&quot; has not been defined by th=
e IANA,
        but is mentioned in
        OpenID Connect Core 1.0 incorporating errata set 1. It is
        described as :<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u=
></span></p>
    <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Arial" lang=
=3D"EN-GB" class=3D"gmail_msg">=C2=A0<u class=3D"gmail_msg"></u><u class=3D=
"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Arial" lang=
=3D"EN-GB" class=3D"gmail_msg">nonce</span><span style=3D"font-family:Arial=
" lang=3D"EN-GB" class=3D"gmail_msg"><u class=3D"gmail_msg"></u><u class=3D=
"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-left:36.0pt"><span sty=
le=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">String
        value used to
        associate a Client session with an ID Token, and to mitigate
        replay attacks.
        The value is passed through <br class=3D"gmail_msg">
        unmodified from the Authentication Request to the
        ID Token. If present in the ID Token, Clients MUST verify that
        the </span><tt class=3D"gmail_msg"><span style=3D"font-family:Arial=
" lang=3D"EN-GB" class=3D"gmail_msg">nonce</span></tt><span style=3D"font-f=
amily:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><br class=3D"gmail_msg">
        Claim Value is equal to the value of the </span><tt class=3D"gmail_=
msg"><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">n=
once</span></tt><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"g=
mail_msg">
        parameter sent in
        the Authentication Request. If present in the Authentication
        Request,
        <br class=3D"gmail_msg">
        Authorization Servers MUST include a </span><tt class=3D"gmail_msg"=
><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">nonce=
</span></tt><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail=
_msg">
        Claim in the ID
        Token with the Claim Value being the nonce value sent in the
        Authentication
        Request. <br class=3D"gmail_msg">
        <font color=3D"#3333ff" class=3D"gmail_msg">Authorization Servers S=
HOULD perform no
          other processing on </font></span><font color=3D"#3333ff" class=
=3D"gmail_msg"><tt class=3D"gmail_msg"><span style=3D"font-family:Arial" la=
ng=3D"EN-GB" class=3D"gmail_msg">nonce</span></tt></font><span style=3D"fon=
t-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><font color=3D"#000099" =
class=3D"gmail_msg"><font color=3D"#3333ff" class=3D"gmail_msg">
            values used</font>.</font> The </span><tt class=3D"gmail_msg"><=
span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">nonce</=
span></tt><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_m=
sg">
        value is a case
        sensitive string. <u class=3D"gmail_msg"></u><u class=3D"gmail_msg"=
></u></span></p>
    <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Arial" lang=
=3D"EN-GB" class=3D"gmail_msg">=C2=A0<u class=3D"gmail_msg"></u><u class=3D=
"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:2.0pt;margin-right=
:0cm;margin-bottom:2.0pt;margin-left:0cm"><span style=3D"font-family:Arial"=
 lang=3D"EN-GB" class=3D"gmail_msg">I have several observations:<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-family:Ari=
al" lang=3D"EN-GB" class=3D"gmail_msg">a)<span style=3D"font:7.0pt &quot;Ti=
mes New Roman&quot;" class=3D"gmail_msg">=C2=A0=C2=A0=C2=A0=C2=A0 </span></=
span><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">t=
here
        is some
        difficulty to mandate the use of a parameter that is not
        registered by IANA.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg=
"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-family:Ari=
al" lang=3D"EN-GB" class=3D"gmail_msg">b)<span style=3D"font:7.0pt &quot;Ti=
mes New Roman&quot;" class=3D"gmail_msg">=C2=A0=C2=A0=C2=A0=C2=A0 </span></=
span><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">t=
he
        further
        processing of the nonce is not indicated in the text</span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-family:Ari=
al" lang=3D"EN-GB" class=3D"gmail_msg">c)=C2=A0
        The last sentence from the above description states: &quot;</span><=
span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><font c=
olor=3D"#3333ff" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=
=3D"EN-GB" class=3D"gmail_msg">Authorization Servers SHOULD perform no othe=
r
            processing on </span><tt class=3D"gmail_msg"><span style=3D"fon=
t-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">nonce</span></tt></font>=
<span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><font =
color=3D"#3333ff" class=3D"gmail_msg"> values used</font>&quot;<br class=3D=
"gmail_msg">
        </span>There is a practical problem with such a sentence since </sp=
an><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><sp=
an style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg"><span sty=
le=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">Authorization S=
ervers would need to remember
            nonces for ever. <br class=3D"gmail_msg">
            Either that sentence should be deleted or the nonce shall be
            only used with a UTC time parameter included in the </span></sp=
an></span><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_m=
sg">Authentication
        Request.</span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">
      </span><font face=3D"Arial" class=3D"gmail_msg">In any case, the defi=
nition of </font><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"=
gmail_msg">a nonce as specified in OpenID Connect Core
        1.0 incorporating errata set 1 should not be used and another
        parameter <br class=3D"gmail_msg">
        (e.g. rdn for random) should be defined and registered by IANA
        and used in combination with </span><span style=3D"font-family:Aria=
l" lang=3D"EN-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" lan=
g=3D"EN-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=3D"E=
N-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=3D"EN-GB" =
class=3D"gmail_msg">a UTC time parameter included in the </span></span></sp=
an><span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">Aut=
hentication
          Request</span>.<br class=3D"gmail_msg">
        In this way, only the rdn received during the last X minutes
        will need to be remembered by </span><span style=3D"font-family:Ari=
al" lang=3D"EN-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" la=
ng=3D"EN-GB" class=3D"gmail_msg"></span><span style=3D"font-family:Arial" l=
ang=3D"EN-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=3D=
"EN-GB" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=3D"EN-GB=
" class=3D"gmail_msg">the Authorization Servers</span></span></span>.<br cl=
ass=3D"gmail_msg">
      </span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><br class=
=3D"gmail_msg">
      <span style=3D"font-family:Arial" lang=3D"EN-GB" class=3D"gmail_msg">=
<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">5.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        The title of section 9.1 is:
        &quot;Certificate validation&quot;<u class=3D"gmail_msg"></u><u cla=
ss=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Change the title =
of
        this section into:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg=
"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">&quot;9.1. Commo=
n Name
        Constrained Token&quot;<u class=3D"gmail_msg"></u><u class=3D"gmail=
_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">6.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        In section 9.1, the text
        states:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The &quot;cn&quo=
t; JWT
        confirmation method
        relies its security property on the<u class=3D"gmail_msg"></u><u cl=
ass=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><span class=3D"g=
mail_msg">=C2=A0=C2=A0 </span>X.509
        client certificate authentication. <u class=3D"gmail_msg"></u><u cl=
ass=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Replace with:<u c=
lass=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The &quot;cn&quo=
t; JWT
        confirmation method
        bases its security property on the inclusion of the Common Name
        (CN) <br class=3D"gmail_msg">
        that is
        part of the Distinguished Name (DN) of an X.509 certificate. The
        JWT is linked
        to the common name <br class=3D"gmail_msg">
        included in the certificate. Such a method is not privacy
        friendly since it allows an easy linkage between <br class=3D"gmail=
_msg">
        all the accounts of a given
        user on different resource servers.<u class=3D"gmail_msg"></u><u cl=
ass=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">7.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        Add a new section 9.2 to
        deal with the case of the cid. <u class=3D"gmail_msg"></u><u class=
=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Proposed text: <u=
 class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">9.2. Client ID
        Constrained Token<u class=3D"gmail_msg"></u><u class=3D"gmail_msg">=
</u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The &quot;cid&qu=
ot; JWT
        confirmation method
        bases its security property on the assumption that the cid
        legitimately <br class=3D"gmail_msg">
        used
        by one server cannot be used by another user. It also relies on
        the assumption
        that the authentication data <br class=3D"gmail_msg">
        associated with &quot;cid&quot; combined with the
        &quot;iss&quot; will only be used by the legitimate user. This meth=
od is
        ineffective <br class=3D"gmail_msg">
        in case of a collusion between two users, since one user can
        perform all the computations needed by the other user.<u class=3D"g=
mail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">8.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        In section 9.2, the text
        states:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The client=E2=80=
=99s secret
        key must be kept securely.
        Otherwise, the notion of PoP breaks down.<u class=3D"gmail_msg"></u=
><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">The PKIX group fr=
om
        the IETF is using the
        vocabulary private key / public key when asymmetric cryptography
        is being used
        <br class=3D"gmail_msg">
        and secret key when symmetric algorithms are being used (let us
        call a spade a
        spade).<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">However, keeping =
a
        client&#39;s private key securely
        is not the right wording either. If the key is kept securely in
        a secure
        element <br class=3D"gmail_msg">
        (e.g. smart card), this is not enough, since the holder of the
        secure
        element may use this key for himself ... or worse for the
        benefit of someone
        else.<br class=3D"gmail_msg">
        <br class=3D"gmail_msg">
        <u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">Proposed change:=
<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">9.3. Key Constra=
ined
        Token<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span><=
/p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">This method has =
four
        variants. <u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></s=
pan></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When the JWT
        contains a jwk, the JWT
        confirmation method bases its security property on the
        assumption that the
        private key <br class=3D"gmail_msg">
        associated with the public key contained in the access token
        will
        only be used by the legitimate user. In order to avoid an easy
        linkage<br class=3D"gmail_msg">
        between
        a user&#39;s accounts, this method presents the advantage that the ke=
y
        pair can be
        changed for every JWT. However, this method <br class=3D"gmail_msg"=
>
        is ineffective in case of a
        collusion between two users, since one user can perform all the
        computations
        needed by the other user.<u class=3D"gmail_msg"></u><u class=3D"gma=
il_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When the JWT
        contains a jwkt#s256, the server
        must have a prior knowledge of the public key and the method
        bases its
        security property <br class=3D"gmail_msg">
        on the assumption that the private key associated with the
        public key contained in the access token will only be used by
        the legitimate
        user. <br class=3D"gmail_msg">
        Hence, this method is ineffective in case of a collusion between
        two
        users, since one user can perform all the computations needed <br c=
lass=3D"gmail_msg">
        by the other
        user.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span><=
/p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When the JWT
        contains an x5t#s256, the server
        must have a prior knowledge of the public key certificate. The
        JWT is then
        linked to a hash value <br class=3D"gmail_msg">
        of a certificate included in the JWT. The server knows a
        unique identifier of the user. Such a method is not privacy
        friendly since it
        allows <br class=3D"gmail_msg">
        an easy linkage between all the accounts of a given user on
        different
        resource servers.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg">=
</u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When the JWT
        contains a jwe, the JWT
        confirmation method bases its security property on the
        assumption that the
        secret key included <br class=3D"gmail_msg">
        in the JWT will only be used by the legitimate user. In
        order to avoid an easy linkage between a user&#39;s accounts, this
        method presents
        <br class=3D"gmail_msg">
        the advantage that the secret key can be changed for every JWT.
        However, this
        method is ineffective in case of a collusion between two users,
        <br class=3D"gmail_msg">
        since one user
        can perform all the computations needed by the other user.<u class=
=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D=
"gmail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">9.</span><span st=
yle=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">
        The text states in section
        9.3:<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span></=
p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">9.3.<span class=
=3D"gmail_msg">=C2=A0
        </span>Audi<u class=3D"gmail_msg">a</u>nce Restriction<u class=3D"g=
mail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When using the
        signature method the client must
        specify to the AS the aud it intends to send the token to, so
        that it can be
        included in the AT.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg=
"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">A malicious RS c=
ould
        receive a AT with no aud or
        a logical audience and then replay the AT and jws-on-nonce to
        the actual
        server.<u class=3D"gmail_msg"></u><u class=3D"gmail_msg"></u></span=
></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><span style=
=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><br class=3D"gmai=
l_msg">
        Proposed change in order to address privacy concerns:<u class=3D"g=
mail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">9.4.<span class=
=3D"gmail_msg">=C2=A0
        </span>Audi<u class=3D"gmail_msg">e</u>nce Restriction<u class=3D"g=
mail_msg"></u><u class=3D"gmail_msg"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">When using the
        signature method, the client must
        specify to the AS the aud it intends to send the token to, so
        that it can be
        included in the AT. <u class=3D"gmail_msg"></u><u class=3D"gmail_ms=
g"></u></span></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><font colo=
r=3D"#000099" class=3D"gmail_msg"><span style=3D"font-family:Arial" lang=3D=
"EN-US" class=3D"gmail_msg">RFC 7800 states
          that the interpretation of
          audience values is application specific. If a fixed value is
          being used, e.g. a
          URL of the server, <br class=3D"gmail_msg">
          then the authorization server can easily know where the
          access tokens will be used and thus is in a position to act as
          Big Brother. <br class=3D"gmail_msg">
          It
          is thus recommended to use a different value in the aud claims
          for each access
          token that contains no semantics in it but that the resource
          server <br class=3D"gmail_msg">
          can easily
          recognize.</span></font><i class=3D"gmail_msg"><span style=3D"fon=
t-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"><u class=3D"gmail_msg"><=
/u><u class=3D"gmail_msg"></u></span></i></p>
    <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;margin-right=
:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span styl=
e=3D"font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg">If a malicious R=
S
        receives an AT with no aud or
        a logical audience in it then it can replay the AT and
        jws-on-nonce to another
        server.<br class=3D"gmail_msg">
      </span><span style=3D"font-size:11.0pt;font-family:Arial" lang=3D"EN-=
US" class=3D"gmail_msg"><u class=3D"gmail_msg"></u><u class=3D"gmail_msg"><=
/u></span></p></div><div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmai=
l_msg">
    <p class=3D"gmail_msg"><span style=3D"font-size:11.0pt;font-family:Aria=
l" lang=3D"EN-US" class=3D"gmail_msg">=C2=A0<u class=3D"gmail_msg"></u><u c=
lass=3D"gmail_msg"></u></span><font size=3D"+1" class=3D"gmail_msg"><span s=
tyle=3D"font-size:11.0pt;font-family:Arial" lang=3D"EN-US" class=3D"gmail_m=
sg">Denis</span></font></p></div><div bgcolor=3D"#FFFFFF" text=3D"#000000" =
class=3D"gmail_msg">
    <p class=3D"gmail_msg"><font size=3D"+1" class=3D"gmail_msg"><span styl=
e=3D"font-size:11.0pt;font-family:Arial" lang=3D"EN-US" class=3D"gmail_msg"=
><br class=3D"gmail_msg">
        </span></font></p>
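    <p class=3D"gmail_msg">The bounded check described in the remark on the
      nonce above (a random value such as the proposed rdn accepted only
      together with a UTC time parameter, so that the Authorization Server
      remembers values for the last X minutes only), as an added example in
      Python that is not part of the message or of the draft; the window
      length, the clock-skew allowance and the sample requests are
      assumptions made for the example.</p>

```python
"""Time-bounded replay cache for a random request value plus a UTC timestamp.

Added example for the review remark on the nonce: if the random value (the
"rdn" proposed in the message) is only accepted together with a UTC time
parameter, the Authorization Server has to remember values for a fixed
window only, instead of for ever. Window length, clock-skew allowance and
the sample requests are assumptions made for this example.
"""
from datetime import datetime, timedelta, timezone


class ReplayGuard:
    """Accepts each (rdn, utc_time) pair at most once inside a sliding window.

    An entry is dropped as soon as its claimed time is older than the window.
    That is safe because any later request carrying that same claimed time is
    rejected as stale before the cache is consulted, so memory is bounded by
    (request rate x window) rather than by the lifetime of the server.
    """

    def __init__(self, window=timedelta(minutes=5),
                 skew=timedelta(minutes=1)):
        self.window = window    # how long an rdn is remembered ("X minutes")
        self.skew = skew        # tolerated client clock drift into the future
        self._seen = {}         # rdn -> claimed UTC time

    def _evict(self, now):
        # Drop every entry whose claimed time has left the window.
        expired = [r for r, t in self._seen.items()
                   if t + self.window < now]
        for r in expired:
            del self._seen[r]

    def size(self):
        return len(self._seen)

    def check(self, rdn, claimed_utc, now=None):
        """Return "ok", "stale", "future" or "replay" for one request."""
        if now is None:
            now = datetime.now(timezone.utc)
        self._evict(now)
        if claimed_utc + self.window < now:
            return "stale"    # too old to be in the cache: refuse outright
        if claimed_utc > now + self.skew:
            return "future"   # a far-future time would pin the entry in RAM
        if rdn in self._seen:
            return "replay"   # same rdn already used inside the window
        self._seen[rdn] = claimed_utc
        return "ok"


def demo():
    """Run a constructed request sequence; return (verdicts, cache size)."""
    guard = ReplayGuard()
    t0 = datetime(2017, 3, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed
    verdicts = [
        # first use of the value
        guard.check("a1f3", t0, now=t0),
        # the very same request replayed a few seconds later
        guard.check("a1f3", t0, now=t0 + timedelta(seconds=9)),
        # claimed time older than the window
        guard.check("b7c2", t0 - timedelta(minutes=9), now=t0),
        # client clock further ahead than the tolerated skew
        guard.check("c9d4", t0 + timedelta(minutes=2), now=t0),
        # same rdn after the window: the old entry is gone and a fresh
        # timestamp makes this a new, legitimate request
        guard.check("a1f3", t0 + timedelta(minutes=6),
                    now=t0 + timedelta(minutes=6)),
    ]
    return verdicts, guard.size()


if __name__ == "__main__":
    print(demo())
```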
    <blockquote type=3D"cite" class=3D"gmail_msg">
      <div dir=3D"ltr" class=3D"gmail_msg">
        <div dir=3D"ltr" class=3D"gmail_msg">HI Chairs,=C2=A0
          <div class=3D"gmail_msg"><br class=3D"gmail_msg">
          </div>
          <div class=3D"gmail_msg">I would also like to ask 5 min. on
            Monday (as I cannot be on Friday) for=C2=A0</div>
          The OAuth 2.0 Authorization Framework: JWT Pop Token Usage
          [1].=C2=A0</div>
        <div dir=3D"ltr" class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div dir=3D"ltr" class=3D"gmail_msg">[1]=C2=A0<a href=3D"https://to=
ols.ietf.org/html/draft-sakimura-oauth-jpop-01" class=3D"gmail_msg" target=
=3D"_blank">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01</a></d=
iv>
        <div dir=3D"ltr" class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">It is capturing strong and rather urgent
          demands from the financial sector and would be great if it can
          be considered in the WG.=C2=A0</div>
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Best,=C2=A0</div>
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Nat Sakimura</div>
        <br class=3D"gmail_msg">
        <div class=3D"gmail_quote gmail_msg">
          <div dir=3D"ltr" class=3D"gmail_msg">On Tue, Mar 21, 2017 at 10:2=
8
            PM Antonio Sanso &lt;<a href=3D"mailto:asanso@adobe.com" class=
=3D"gmail_msg" target=3D"_blank">asanso@adobe.com</a>&gt; wrote:<br class=
=3D"gmail_msg">
          </div>
          <blockquote class=3D"gmail_quote gmail_msg" style=3D"margin:0 0 0=
 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              hi Torsten,
              <div class=3D"gmail_msg"><br class=3D"gmail_msg">
              </div>
              <div class=3D"gmail_msg">good one. I personally I am looking
                forward to see this particular document find its way.</div>
              <div class=3D"gmail_msg"><br class=3D"gmail_msg">
              </div>
              <div class=3D"gmail_msg">IMHO this is something much needed.<=
/div>
              <div class=3D"gmail_msg"><br class=3D"gmail_msg">
              </div>
              <div class=3D"gmail_msg">regards</div>
              <div class=3D"gmail_msg"><br class=3D"gmail_msg">
              </div>
              <div class=3D"gmail_msg">antonio</div>
              <div class=3D"gmail_msg"><br class=3D"gmail_msg">
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <div class=3D"gmail_msg">On Mar 21, 2017, at 2:08 PM,
                    Torsten Lodderstedt &lt;<a href=3D"mailto:torsten@lodde=
rstedt.net" class=3D"gmail_msg" target=3D"_blank">torsten@lodderstedt.net</=
a>&gt;
                    wrote:</div>
                  <br class=3D"m_-6515445798692939327m_3319639624494689827m=
_5030357770178240766Apple-interchange-newline gmail_msg">
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                      Hi Chairs,<br class=3D"gmail_msg">
                      <br class=3D"gmail_msg">
                      I would like to request 5 minutes on Monday to
                      briefly present the status of the security
                      document. This is mainly to raise awareness in the
                      group since I didn=E2=80=99t get that much input on i=
t
                      since Seoul.<br class=3D"gmail_msg">
                      <br class=3D"gmail_msg">
                      kind regards,<br class=3D"gmail_msg">
                      Torsten.<br class=3D"gmail_msg">
                      <br class=3D"gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                      <blockquote type=3D"cite" class=3D"gmail_msg">Am
                        18.03.2017 um 01:52 schrieb Mike Jones &lt;<a href=
=3D"mailto:Michael.Jones@microsoft.com" class=3D"gmail_msg" target=3D"_blan=
k">Michael.Jones@microsoft.com</a>&gt;:<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        Hi Chairs,<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        I&#39;d like to request that the following
                        presentations be added to the agenda:<br class=3D"g=
mail_msg">
                        <br class=3D"gmail_msg">
                        <span class=3D"m_-6515445798692939327m_331963962449=
4689827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:=
pre-wrap"></span>OAuth
                        Token Exchange (draft-ietf-oauth-token-exchange)
                        - Mike Jones - 15 minutes<br class=3D"gmail_msg">
                        <span class=3D"m_-6515445798692939327m_331963962449=
4689827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:=
pre-wrap"></span>OAuth
                        Authorization Server Metadata
                        (draft-ietf-oauth-discovery) - Mike Jones - 15
                        minutes<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        I&#39;d also talked with Brian Campbell and I think
                        he wants to lead this discussion, in part based
                        on his implementation experience:<br class=3D"gmail=
_msg">
                        <br class=3D"gmail_msg">
                        <span class=3D"m_-6515445798692939327m_331963962449=
4689827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:=
pre-wrap"></span>OAuth
                        Token Binding (draft-ietf-oauth-token-binding) -
                        Brian Campbell - 30 minutes<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        (Brian may suggest a different amount of time)<br c=
lass=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        I agree that William Dennis should present about
                        the OAuth Device Flow
                        (draft-ietf-oauth-device-flow).<br class=3D"gmail_m=
sg">
                        <br class=3D"gmail_msg">
                        For completeness, I don&#39;t think a presentation
                        is needed about OAuth AMR Values
                        (draft-ietf-oauth-amr-values) because it&#39;s now
                        completed its IESG review.<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        I&#39;ll look forward to seeing many of you in just
                        over a week!<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <span class=3D"m_-6515445798692939327m_331963962449=
4689827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:=
pre-wrap"></span><span class=3D"m_-6515445798692939327m_3319639624494689827=
m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:pre-wra=
p"></span><span class=3D"m_-6515445798692939327m_3319639624494689827m_50303=
57770178240766Apple-tab-span gmail_msg" style=3D"white-space:pre-wrap"></sp=
an><span class=3D"m_-6515445798692939327m_3319639624494689827m_503035777017=
8240766Apple-tab-span gmail_msg" style=3D"white-space:pre-wrap"></span>--
                        Mike<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        -----Original Message-----<br class=3D"gmail_msg">
                        From: OAuth [<a href=3D"mailto:oauth-bounces@ietf.o=
rg" class=3D"gmail_msg" target=3D"_blank">mailto:oauth-bounces@ietf.org</a>=
]
                        On Behalf Of &quot;IETF Secretariat&quot;<br class=
=3D"gmail_msg">
                        Sent: Friday, March 3, 2017 3:55 PM<br class=3D"gma=
il_msg">
                        To: <a href=3D"mailto:oauth-chairs@ietf.org" class=
=3D"gmail_msg" target=3D"_blank">oauth-chairs@ietf.org</a>;
                        <a href=3D"mailto:smccammon@amsl.com" class=3D"gmai=
l_msg" target=3D"_blank">
                          smccammon@amsl.com</a><br class=3D"gmail_msg">
                        Cc: <a href=3D"mailto:oauth@ietf.org" class=3D"gmai=
l_msg" target=3D"_blank">oauth@ietf.org</a><br class=3D"gmail_msg">
                        Subject: [OAUTH-WG] oauth - Requested sessions
                        have been scheduled for IETF 98<br class=3D"gmail_m=
sg">
                        <br class=3D"gmail_msg">
                        Dear Stephanie McCammon,<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        The session(s) that you have requested have been
                        scheduled.<br class=3D"gmail_msg">
                        Below is the scheduled session information
                        followed by the original request.<span class=3D"m_-=
6515445798692939327m_3319639624494689827m_5030357770178240766Apple-converte=
d-space gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        oauth Session 1 (2:30:00)<br class=3D"gmail_msg">
                        =C2=A0=C2=A0Friday, Morning Session I 0900-1130<br =
class=3D"gmail_msg">
                        =C2=A0=C2=A0Room Name: Zurich C size: 100<br class=
=3D"gmail_msg">
                        =C2=A0=C2=A0---------------------------------------=
------<br class=3D"gmail_msg">
                        =C2=A0=C2=A0oauth Session 2 (1:00:00)<br class=3D"g=
mail_msg">
                        =C2=A0=C2=A0Monday, Afternoon Session III 1710-1810=
<br class=3D"gmail_msg">
                        =C2=A0=C2=A0Room Name: Zurich C size: 100<br class=
=3D"gmail_msg">
                        =C2=A0=C2=A0---------------------------------------=
------<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        Request Information:<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
                        Working Group Name: Web Authorization Protocol
                        Area Name: Security Area Session Requester:
                        Stephanie McCammon<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        Number of Sessions: 2<br class=3D"gmail_msg">
                        Length of Session(s): =C2=A02.5 Hours, 1 Hour Numbe=
r
                        of Attendees: 50 Conflicts to Avoid:<span class=3D"=
m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-conve=
rted-space gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
                        First Priority: saag core tls tokbind<br class=3D"g=
mail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        People who must be present:<br class=3D"gmail_msg">
                        Hannes Tschofenig<br class=3D"gmail_msg">
                        Kathleen Moriarty<br class=3D"gmail_msg">
                        Derek Atkins<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        Resources Requested:<br class=3D"gmail_msg">
                        Projector in room<br class=3D"gmail_msg">
                        <br class=3D"gmail_msg">
                        Special Requests:<br class=3D"gmail_msg">
                        Please avoid conflict with sec area BoFs.<br class=
=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
                        <br class=3D"gmail_msg">
                        _______________________________________________<br =
class=3D"gmail_msg">
                        OAuth mailing list<br class=3D"gmail_msg">
                        <a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_ms=
g" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
                      </blockquote>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg">
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <div style=3D"word-wrap:break-word" class=3D"gmail_msg">
              <div class=3D"gmail_msg">
                <div class=3D"gmail_msg">
                  <blockquote type=3D"cite" class=3D"gmail_msg">
                    <div style=3D"font-size:12px;font-style:normal;font-var=
iant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;tex=
t-align:start;text-indent:0px;text-transform:none;white-space:normal;word-s=
pacing:0px" class=3D"gmail_msg"></div>
                  </blockquote>
                </div>
                <br class=3D"gmail_msg">
              </div>
            </div>
          </blockquote>
        </div>
      </div>
      <div dir=3D"ltr" class=3D"gmail_msg">-- <br class=3D"gmail_msg">
      </div>
      <div data-smartmail=3D"gmail_signature" class=3D"gmail_msg">
        <p dir=3D"ltr" class=3D"gmail_msg">Nat Sakimura</p>
        <p dir=3D"ltr" class=3D"gmail_msg">Chairman of the Board, OpenID Fo=
undation</p>
      </div>
    </blockquote>
    <p class=3D"gmail_msg"><br class=3D"gmail_msg">
    </p>
  </div>

</blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmail=3D"gma=
il_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--001a1140298cb038ef054ba4d70a--


From nobody Sun Mar 26 12:36:51 2017
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BF16C12969C for <oauth@ietf.org>; Sun, 26 Mar 2017 12:36:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: <oauth@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.48.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149055700978.14917.4230255327076356853.idtracker@ietfa.amsl.com>
Date: Sun, 26 Mar 2017 12:36:49 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ANPRB9SxEHQtoa0jKJRacMBuOWc>
Subject: [OAUTH-WG] Milestones changed for oauth WG
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 19:36:50 -0000

Changed milestone "Submit 'OAuth 2.0 for Native Apps' to the IESG",
resolved as "Done".

Changed milestone "Submit 'OAuth 2.0 Authorization Server Discovery
Metadata' to the IESG", set due date to March 2017 from April 2016.

Changed milestone "Submit 'OAuth 2.0 Mix-Up Mitigation' to the IESG",
set due date to July 2017 from June 2016.

Changed milestone "Submit 'OAuth 2.0 Token Exchange' to the IESG for
consideration as a Proposed Standard", set due date to July 2017 from
July 2016.

Changed milestone "Submit 'OAuth 2.0 Security: Closing Open
Redirectors in OAuth' to the IESG", set due date to July 2017 from
July 2016.

Changed milestone "Submit 'OAuth 2.0 Proof-of-Possession:
Authorization Server to Client Key Distribution' to the IESG", set due
date to July 2017 from July 2016.

Changed milestone "Submit 'A Method for Signing HTTP Requests for
OAuth' to IESG", set due date to July 2017 from July 2016.

Changed milestone "Submit 'OAuth 2.0 Device Flow' to the IESG", set
due date to July 2017 from October 2016.

URL: https://datatracker.ietf.org/wg/oauth/about/


From nobody Sun Mar 26 12:51:57 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8841E1296A3 for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 12:51:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.029
X-Spam-Level: 
X-Spam-Status: No, score=-1.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Zk6OgRnlSO4 for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 12:51:52 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BC7712969B for <oauth@ietf.org>; Sun, 26 Mar 2017 12:51:52 -0700 (PDT)
Received: from [31.133.133.240] (helo=dhcp-85f0.meeting.ietf.org) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1csECb-0003X8-Ny; Sun, 26 Mar 2017 21:51:49 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5AC98A42-0416-4D4C-81C4-A294BF2EB57D"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sun, 26 Mar 2017 16:00:10 +0200
In-Reply-To: <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wwPJ8sK8A3qE0WKltsuYmwjpm_0>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 19:51:55 -0000

--Apple-Mail=_5AC98A42-0416-4D4C-81C4-A294BF2EB57D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_9005F070-9B35-4159-B58B-9D90E7929427"


--Apple-Mail=_9005F070-9B35-4159-B58B-9D90E7929427
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Hi Brian,

thanks for the clarification around resource, audience and scope.

Here are my comments on the draft:

In section 2.1 it states: „Multiple "resource" parameters may be used to indicate
      that the issued token is intended to be used at the multiple
      resources listed.“

Can you please explain the rationale in more detail? I don’t understand why there is a need to ask for access tokens, which are good for multiple resources at once. This is a request type more or less exclusively used in server to server scenarios, right? So the only reason I can think of is call reduction.

On the other side, this feature increases the AS's complexity, e.g. its policy may prohibit to issue tokens for multiple resources in general or the particular set the client is asking for. How shall the AS handle such cases?

And it is getting even more complicated given there could also be multiple audience values and the client could mix them:

"Multiple "audience" parameters
      may be used to indicate that the issued token is intended to be
      used at the multiple audiences listed.  The "audience" and
      "resource" parameters may be used together to indicate multiple
      target services with a mix of logical names and physical
      locations.“

And in the end the client may add some scope values to the „meal“, which brings us to

„Effectively, the requested access rights of the
   token are the cartesian product of all the scopes at all the target
   services."

I personally would suggest to drop support for multiple audience and resource parameters and make audience and resource mutually exclusive. I think this is sufficient and much easier to implement.

kind regards,
Torsten.


> On 11.01.2017 at 20:04, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary change in -07 is the addition of a description of the relationship between audience/resource/scope, which was a request or comment that came up during the f2f meeting in Seoul.
>
> Excerpted from the Document History:
>
>    -07
>
>    o  Fixed typo (desecration -> discretion).
>    o  Added an explanation of the relationship between scope, audience
>       and resource in the request and added an "invalid_target" error
>       code enabling the AS to tell the client that the requested
>       audiences/resources were too broad.
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Wed, Jan 11, 2017 at 12:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 Token Exchange
>         Authors         : Michael B. Jones
>                           Anthony Nadalin
>                           Brian Campbell
>                           John Bradley
>                           Chuck Mortimore
>         Filename        : draft-ietf-oauth-token-exchange-07.txt
>         Pages           : 31
>         Date            : 2017-01-11
>
> Abstract:
>    This specification defines a protocol for an HTTP- and JSON- based
>    Security Token Service (STS) by defining how to request and obtain
>    security tokens from OAuth 2.0 authorization servers, including
>    security tokens employing impersonation and delegation.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail=_9005F070-9B35-4159-B58B-9D90E7929427--

--Apple-Mail=_5AC98A42-0416-4D4C-81C4-A294BF2EB57D
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
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=
--Apple-Mail=_5AC98A42-0416-4D4C-81C4-A294BF2EB57D--
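
The request shape Torsten and Brian discuss above, as an added example that is not part of either message or of the draft: a Python model of the authorization-server side of a token exchange request carrying several "resource" and "audience" parameters and a "scope". It applies the draft's cartesian-product rule (every requested scope at every listed target), answers an over-broad request with the "invalid_target" error that -07 introduced, and, behind a single_target switch, enforces the simpler rule proposed in the message (one target, and "audience" and "resource" never used together). The policy table, the claim layout, the helper names, the constructed sample request values and the syntax check on "resource" values (absolute URI, no fragment) are assumptions made for this example; the grant-type and token-type URNs and the error codes other than invalid_target are the ones defined by the token exchange and core OAuth 2.0 specifications.

```python
"""Authorization-server handling of an OAuth 2.0 Token Exchange request
with several "resource"/"audience" parameters and a "scope".

Added illustration; not code from the draft or from anyone in the thread.
The policy table, claim layout, helper names and the syntax rule applied
to "resource" values are assumptions made for this example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Assumed AS policy for one client: the scopes it may hold at each target.
# Keys are physical locations (URIs, sent as "resource") or logical names
# (sent as "audience"); the draft lets one request mix both kinds.
POLICY = {
    "https://api.example.com/photos": {"read", "write"},
    "https://api.example.com/contacts": {"read"},
    "urn:example:calendar": {"read"},
}


def _error(code, description):
    return {"error": code, "error_description": description}


def is_valid_resource(value):
    """Assumed syntax rule: an absolute URI with no fragment component."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path) \
        and not parts.fragment


def handle_exchange(form_body, single_target=False):
    """Process an application/x-www-form-urlencoded token request body.
    Returns a token response dict (carrying the unsigned claim set a real
    AS would sign) or an OAuth error response dict."""
    params = parse_qs(form_body)  # repeated parameters become lists
    if params.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        return _error("unsupported_grant_type", "not a token exchange request")
    if "subject_token" not in params:
        return _error("invalid_request", "subject_token is required")

    resources = params.get("resource", [])
    audiences = params.get("audience", [])
    bad = [r for r in resources if not is_valid_resource(r)]
    if bad:
        return _error("invalid_request", "malformed resource: " + ", ".join(bad))

    # Draft semantics: every resource and audience value is a target.
    targets = list(dict.fromkeys(resources + audiences))  # dedupe, keep order
    if not targets:
        return _error("invalid_request", "no resource or audience given")

    # Proposed simplification: exactly one target, never both parameters.
    if single_target and (len(targets) > 1 or (resources and audiences)):
        return _error("invalid_target", "only one resource or audience allowed")

    unknown = [t for t in targets if t not in POLICY]
    if unknown:
        return _error("invalid_target", "unknown target: " + ", ".join(unknown))

    # Cartesian product: the request asks for every scope at every target,
    # so one disallowed (scope, target) pair makes the whole request too broad.
    scopes = set(" ".join(params.get("scope", [])).split())
    denied = [f"{s}@{t}" for t in targets for s in scopes if s not in POLICY[t]]
    if denied:
        return _error("invalid_target", "too broad: " + ", ".join(sorted(denied)))

    claims = {"aud": targets, "scope": " ".join(sorted(scopes))}
    return {
        "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_type": "Bearer",
        "scope": claims["scope"],
        "claims": claims,  # a real AS signs this into the access_token
    }


def sample_request(scope, resources=(), audiences=()):
    """Build a constructed request body (sample values, not captured traffic)."""
    fields = [
        ("grant_type", TOKEN_EXCHANGE_GRANT),
        ("subject_token", "sample-subject-token"),
        ("subject_token_type", "urn:ietf:params:oauth:token-type:access_token"),
    ]
    fields += [("resource", r) for r in resources]
    fields += [("audience", a) for a in audiences]
    if scope:
        fields.append(("scope", scope))
    return urlencode(fields)


if __name__ == "__main__":
    three = sample_request("read write",
                           ["https://api.example.com/photos",
                            "https://api.example.com/contacts"],
                           ["urn:example:calendar"])
    print(handle_exchange(three))                      # invalid_target
    print(handle_exchange(three.replace("read+write", "read")))
    print(handle_exchange(three, single_target=True))  # invalid_target
```

Run as a script, the constructed three-target request with scope "read write" is rejected with invalid_target because "write" is not permitted at the contacts and calendar targets; the same request narrowed to "read" succeeds and yields a claim set whose "aud" lists all three targets. Under single_target the three-target request is rejected outright, which is the behaviour the proposed simplification would give the AS: the policy decision collapses to one target and one scope set, and the mixed resource/audience case never has to be handled.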


From nobody Sun Mar 26 13:12:42 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FF4B120727 for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 13:12:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level: 
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12GUOAey_2cU for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 13:12:38 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B9A127275 for <oauth@ietf.org>; Sun, 26 Mar 2017 13:12:37 -0700 (PDT)
Received: from [192.168.91.182] ([31.133.136.32]) by mail.gmx.com (mrgmx002 [212.227.17.190]) with ESMTPSA (Nemesis) id 0LcT2M-1cTasP1uz8-00jmnV for <oauth@ietf.org>; Sun, 26 Mar 2017 22:12:35 +0200
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <fe76b7ea-b1b1-d79b-6e4d-bdfb11c2163b@gmx.net>
Date: Sun, 26 Mar 2017 22:12:33 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="iQ4i548pXdaWCrHP2TI9h27cE8H3pUcSU"
X-Provags-ID: V03:K0:DnS/r7SND9ZrlYccj1UOYiC+EGOcVg7HHSrjJEtAxKrxQsisrOP WMSRBxH7KspczqMIFirjaE5EUu8QNl5xx48urwr0QoPsHqgYRobe1vABSsZKz8+nzh6fXo6 q/L7RW9z5Ltr9KNhaUA808kT+leFCdIQkEf/HmI16a2GmGbSBResxexPvc3ldu1ug3Oqshm V7PIS+B/JUvj0bd6FpPCw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:Yw67D7ZTjRg=:Tlql5XupPX+LKG99Y2jitC /i4X2Kvqdh+BV3XI1We74L4wdA+k31y1t8j0bo7XTieg5IYzBzijNGOcDpHob3l/thULJQeZB R/JxmD1gIAtH/N7mnlJFRmwzElnj8rH7dIpMw2jzZceEGUpm86Swb0f3PUv6xf2DQkYH+q3z/ d+H4QsR47thgNrASfQ8E1G77zoMnho9aJA9dH4e7gZyS01NpA7/Ojq1P2KS6odCLXOwskiCjr ZhLnqv02OCNSKs60n3Lq6GRVxckcrcvgkkMBh3j7vaY8+QYtggvxhVEXOho9UHB9aqgHXk2Ia xONUtBFiCwa6XMK4kwXCkVE3IdITpeYBgpwEtC7fU4stXxg++zwqONt/iHhrP55CKcMqnXEl1 Tw4VABVSTCI8565j01V3agO2+g4XxEhCIq5xP04UFEBt52PzeVl8hsQSzb2FewHLi4ehAC/ub jtsQtj/sjvGkPXMmkG9MwIdsnRl4AyJt4KdGHmXQSsZGK0U2ditnhPuRHvEbQsQ5CrTVslQBa 8TlD1SY5625rkOMUIHJdngVIe2670C5zo1GCwIPwPDFPID5m7Ynj5IZgmem/trFuFBrCUFKhl EYg9Jn5L22+hY5HSm6y7tnx+xBo+BxS9uo2zF1qCMYJzaGOImobnZ/S5BRXAC2Z+t6z8pzgor A4YIwR8PugtP138De8i5cSrr3jNKoW8FZrlf3IymIi+aIaCFXwH2CUb8/OpcopfXtP+XtvyV9 gq+nZqmZwioj9U7B0tyvxx57/4ZL6EulKFXzRFCoYXbfWtBOqhWHdp0C+XA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n0Kpk3oaQ_U_wWEbEoTBoBsSNo0>
Subject: [OAUTH-WG] Shepherd Update for AS Server Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 20:12:41 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--iQ4i548pXdaWCrHP2TI9h27cE8H3pUcSU
Content-Type: multipart/mixed; boundary="WTfXTM3BCU4wDGB9HCpKQAjj9VHoNbA8e";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <fe76b7ea-b1b1-d79b-6e4d-bdfb11c2163b@gmx.net>
Subject: Shepherd Update for AS Server Metadata

--WTfXTM3BCU4wDGB9HCpKQAjj9VHoNbA8e
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

I have updated the shepherd writeup for version -06 of the  "OAuth 2.0
Authorization Server Metadata" draft in preparation for the meeting. If
everything goes well then we will submit this document to the IESG
during the IETF meeting week.

Comments appreciated!

Here is the most recent version:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_Metadata.txt

Ciao
Hannes

-----------

Shepherd Write-Up for "OAuth 2.0 Authorization Server Metadata"
<draft-ietf-oauth-discovery-06>

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This specification is targeting 'Proposed Standard'. The type of RFC
is indicated, and the document contains protocol elements.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

   This specification defines a metadata format that an OAuth 2.0 client
   can use to obtain the information needed to interact with an OAuth
   2.0 authorization server, including its endpoint locations and
   authorization server capabilities.

Working Group Summary

   Work on a discovery mechanism for OAuth had been planned for a long
   time, but it took until late 2015 before a document, which re-used
   work done in the OpenID Foundation, was submitted to the group.
   When the WGLC was started in 2016, see
   https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html,
   feedback resulted in refocusing the scope of the specification,
   removing everything except for the authorization server metadata.

   Now, almost a year later, these concerns have been resolved and
   the document is ready for publication.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

  The document scope has been changed to capture current deployment
  practice.

  There are 34 authorization server and 9 OAuth client implementations
  listed at http://openid.net/certification/ that implement metadata
  compatible with the AS metadata specification.
  (See the "Config OP" and "Config RP" columns.)

  Microsoft and Google are using this specification in deployment.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd was involved in the working group review process
and verified the document for correctness.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

There are no concerns regarding the document reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

This document would benefit from security and internationalization reviews.
Particularly Section 4 of the document explaining string operations
deserves a review.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns with the document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors have confirmed full conformance with the provisions of BCP 78
and BCP 79:

John: https://www.ietf.org/mail-archive/web/oauth/current/msg17060.html
Mike: https://www.ietf.org/mail-archive/web/oauth/current/msg17061.html
Nat: TBD

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed for this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

There is consensus in the working group for publishing this
document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

Nobody threatened an appeal or expressed extreme discontent with the
current version of the document.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd checked the document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review is needed.

(13) Have all references within this document been identified as
either normative or informative?

Yes. The references are split into normative and informative references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

The RFCs listed in the normative reference section are all finalized.

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

There are four normative references to non-IETF specifications:

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

   [USA15]    Davis, M. and K. Whistler, "Unicode Normalization Forms",
              Unicode Standard Annex 15, June 2015,
              <http://www.unicode.org/reports/tr15/>.

   [OAuth.Post]
              Jones, M. and B. Campbell, "OAuth 2.0 Form Post Response
              Mode", April 2015, <http://openid.net/specs/
              oauth-v2-form-post-response-mode-1_0.html>.

   [OAuth.Responses]
              de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M.
              Jones, "OAuth 2.0 Multiple Response Type Encoding
              Practices", February 2014, <http://openid.net/specs/
              oauth-v2-multiple-response-types-1_0.html>.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document does not change the status of an existing RFC.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocation procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

This document does not request any actions by IANA.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There is no text in formal languages in the document.


--WTfXTM3BCU4wDGB9HCpKQAjj9VHoNbA8e--

--iQ4i548pXdaWCrHP2TI9h27cE8H3pUcSU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJY2CCxAAoJEGhJURNOOiAtThUH/iKMIvgUJVdXjC3QKOnFLk7r
wRcg62LQL4wu0kSy3cstL0FFjEiFTL7DGku46J9Adq6GAM2ZrDnTwEPzjfyBtHF3
o5Nb1jGEe1WduaBAZo5a03BjzFWhaBqfpYOwCAOhmsKA2n/ciYkaXQ80OoetteQ6
T+CEmYAoKgkKaerf48hkrVsMUxUMx+Yhi2NRf8KBT59XRaASyaLZC4FHm8De7Tkh
YuOO68hS+cSMRgnsE1ZCF2lw2GpHkSOXncB1jTIqFH41cJ467j8CcmNMICrTkVAo
9sk7p4O2E4L2aVJNuzk4bG1E47xxlVcoMN6lpczG99KqsHm00tY+X1GjCxY/HQk=
=9lTD
-----END PGP SIGNATURE-----

--iQ4i548pXdaWCrHP2TI9h27cE8H3pUcSU--
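The discovery and validation that the writeup's Technical Summary and its remark on Section 4 (string operations) describe, as an added example; this is not code from the draft, from the writeup, or from any implementation listed at openid.net. It follows RFC 8414, the RFC that draft-ietf-oauth-discovery became: the well-known path, the rules for issuer identifiers, the required "issuer" and "response_types_supported" parameters, and the requirement that the returned issuer be identical (code point by code point, no Unicode normalization) to the issuer used to build the URL all come from that RFC. The https check on every endpoint is an extra hardening step of this example rather than a requirement of the specification, and the sample metadata documents are constructed; a real client would fetch the document over TLS from the URL that metadata_url() returns.

```python
"""Discovering and validating OAuth 2.0 authorization server metadata.

Added example, not code from the draft, the writeup, or any listed
implementation. The rules follow RFC 8414, which the draft became:
  * the issuer identifier is an https URL with no query or fragment;
  * the well-known URI string is inserted between the host component and
    the path component of the issuer (Section 3);
  * the "issuer" value in the retrieved document MUST be identical to the
    issuer identifier used to build the URL (Section 3.3), compared code
    point by code point with no Unicode normalization (Section 4).
The metadata documents below are constructed for this example.
"""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
REQUIRED = ("issuer", "response_types_supported")
# Endpoints a client will send credentials or tokens to.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "registration_endpoint", "revocation_endpoint",
             "introspection_endpoint")


class MetadataError(ValueError):
    """Raised when an issuer or a metadata document violates the rules."""


def check_issuer_identifier(issuer: str) -> None:
    """Reject issuer identifiers the specification does not permit."""
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc:
        raise MetadataError("issuer must be an https URL with a host")
    if p.query or p.fragment:
        raise MetadataError("issuer must not carry a query or fragment")


def metadata_url(issuer: str) -> str:
    """Build the well-known metadata URL for an issuer identifier.

    https://example.com         -> https://example.com/.well-known/oauth-authorization-server
    https://example.com/issuer1 -> https://example.com/.well-known/oauth-authorization-server/issuer1
    """
    check_issuer_identifier(issuer)
    p = urlsplit(issuer)
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path, "", ""))


def validate_metadata(issuer: str, raw: str) -> dict:
    """Parse the document fetched for `issuer`; return it or raise."""
    check_issuer_identifier(issuer)
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise MetadataError("metadata must be a JSON object")
    for name in REQUIRED:
        if name not in doc:
            raise MetadataError(f"missing required parameter {name!r}")
    # Exact comparison: no case folding, no normalization, no tolerance
    # for a trailing slash. A document naming any other issuer is not
    # this issuer's metadata, whatever URL it was served from.
    if doc["issuer"] != issuer:
        raise MetadataError(
            f"issuer mismatch: expected {issuer!r}, got {doc['issuer']!r}")
    rts = doc["response_types_supported"]
    if not isinstance(rts, list) or not all(isinstance(x, str) for x in rts):
        raise MetadataError("response_types_supported must be an array of strings")
    # Hardening beyond the specification's MUSTs (an assumption of this
    # example): refuse any endpoint that is not served over https.
    for name in ENDPOINTS:
        if name in doc and urlsplit(str(doc[name])).scheme != "https":
            raise MetadataError(f"{name} is not an https URL: {doc[name]!r}")
    return doc


def validation_error(issuer: str, raw: str) -> str:
    """Return "" if the document is acceptable, else the reason it is not."""
    try:
        validate_metadata(issuer, raw)
    except ValueError as exc:  # MetadataError and JSON decode errors
        return str(exc)
    return ""


# Constructed sample documents (example data, not from any real server).
ISSUER = "https://as.example.com/tenant1"

GOOD = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks.json",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
})

# Same endpoints, but the issuer differs by a trailing slash: rejected.
TRAILING_SLASH = GOOD.replace(ISSUER + '"', ISSUER + '/"', 1)

# Token endpoint downgraded to plain http: rejected by the hardening check.
PLAIN_HTTP = GOOD.replace("https://as.example.com/tenant1/token",
                          "http://as.example.com/tenant1/token")

if __name__ == "__main__":
    print(metadata_url(ISSUER))
    for label, raw in (("good", GOOD), ("trailing slash", TRAILING_SLASH),
                       ("plain http", PLAIN_HTTP)):
        print(f"{label}: {validation_error(ISSUER, raw) or 'ok'}")
```

The issuer comparison is deliberately a plain string equality: the writeup's note that Section 4 deserves review is about exactly this point, and any "helpful" normalization (lower-casing the host, stripping a trailing slash, NFC-folding) would make two distinct issuer identifiers compare equal.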


From nobody Sun Mar 26 14:45:35 2017
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 991C71296D1 for <oauth@ietf.org>; Sun, 26 Mar 2017 14:45:34 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: <oauth@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.48.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149056473462.14969.4220149844945413704.idtracker@ietfa.amsl.com>
Date: Sun, 26 Mar 2017 14:45:34 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QGwZklj0aw0zf8v1ncYq0xS-XoM>
Subject: [OAUTH-WG] Milestones changed for oauth WG
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 21:45:34 -0000

Changed milestone "Submit 'OAuth 2.0 Device Flow' to the IESG", set
due date to April 2017 from July 2017.

Changed milestone "Submit 'OAuth 2.0 Token Exchange' to the IESG for
consideration as a Proposed Standard", set due date to May 2017 from
July 2017.

URL: https://datatracker.ietf.org/wg/oauth/about/


From nobody Sun Mar 26 15:18:34 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A04BA1296ED for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 15:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.011
X-Spam-Level: 
X-Spam-Status: No, score=-3.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqgKuc5DOSbo for <oauth@ietfa.amsl.com>; Sun, 26 Mar 2017 15:18:29 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0120.outbound.protection.outlook.com [104.47.33.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AF91296EE for <oauth@ietf.org>; Sun, 26 Mar 2017 15:18:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Z1T82zhM62U5Q54jciSf0lxiCvkr8CA7SI9i/OqgC7E=; b=XDzdMqltRpwTGrAbgtLDQE2w5SjiFiJd5to0xWXB/8GofjWaJ6evNEDl2XvRkN0mlcjw4La7ngt2W37SSFBmIinKycN149gKuEfJxGHxWnH5EYsmqLubaRQZs1/ZccJx4KE9xRu74cu6aGqVWxHVwYrpc+Si+TdWNbDNatJpOUQ=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.0; Sun, 26 Mar 2017 22:18:26 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1019.002; Sun, 26 Mar 2017 22:18:26 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Shepherd Update for AS Server Metadata
Thread-Index: AQHSpm1XlaTAcuTFkkq2I3dLXu842qGnsOv5
Date: Sun, 26 Mar 2017 22:18:26 +0000
Message-ID: <CY4PR21MB0504F0D1319EBA85B6CC4A42F5300@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <fe76b7ea-b1b1-d79b-6e4d-bdfb11c2163b@gmx.net>
In-Reply-To: <fe76b7ea-b1b1-d79b-6e4d-bdfb11c2163b@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmx.net; dkim=none (message not signed) header.d=none;gmx.net; dmarc=none action=none header.from=microsoft.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [107.77.208.68]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:K9kI/DTilXSRVzbfRLT+fO0JMaw82Jk0vThZHaHlN2AtpyszqGh70eUPJlgd4TmCpOTFJ2uKSXX67IzQRYrkV2BxMQIOkodmVi6kWFcIhf3aO9OxEG6K6u71a3BZP8WH4qIHPieqaXVL0KsY8b8nZqezyDxiG2obfRGH60Lu2e5tTpya2YMON4ZoA7UR5XSuD+B3Cbc+bZ9NVbERvtKZyELalnQkJGe4ix0T8YIM//4Zidsa0cNpt8YKlOYI2gMsI/I0sc8in7kjU9T9UZ6A0DyHuVK5UN2CLjZtqkM7DraKVvvy0KxHKuYc489sj/bh139BXgsP7znW87C3bvuCax833Gf9QIR45F2o0Jfseck=
x-ms-office365-filtering-correlation-id: 3a706c3f-aba4-4925-3e53-08d474960619
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423019)(201703031133025);  SRVR:CY4PR21MB0503; 
x-microsoft-antispam-prvs: <CY4PR21MB05039CC59C872BD256FB832BF5300@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(20558992708506)(166708455590820)(192374486261705)(35073007944872)(248736688235697)(100405760836317);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040410)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006021)(93001021)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123558025)(201703131423035)(201702281528035)(201703061421035)(201703061406035)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503; 
x-forefront-prvs: 0258E7CCD4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39860400002)(39850400002)(39450400003)(39840400002)(377454003)(53754006)(8936002)(2906002)(7736002)(3846002)(102836003)(6116002)(8676002)(81166006)(33656002)(10710500007)(3280700002)(15650500001)(66066001)(54356999)(50986999)(76176999)(3660700001)(74316002)(2420400007)(25786009)(10090500001)(5660300001)(7696004)(53546009)(6306002)(7110500001)(189998001)(55016002)(99286003)(54896002)(53936002)(236005)(966004)(6506006)(38730400002)(77096006)(9686003)(606005)(53376002)(6246003)(6436002)(86362001)(7906003)(5005710100001)(10290500002)(122556002)(86612001)(2950100002)(18265965002)(19627235001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504F0D1319EBA85B6CC4A42F5300CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2017 22:18:26.0304 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0obdvsuIQ3dsrgkc9CD6qoIrnA8>
Subject: Re: [OAUTH-WG] Shepherd Update for AS Server Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 22:18:33 -0000

--_000_CY4PR21MB0504F0D1319EBA85B6CC4A42F5300CY4PR21MB0504namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Actually, there are IANA actions – creating and populating a registry. Please update the shepherd review accordingly.



Other than that, it looks good.



Thanks,

-- Mike



From: Hannes Tschofenig<mailto:hannes.tschofenig@gmx.net>
Sent: Sunday, March 26, 2017 3:12 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [OAUTH-WG] Shepherd Update for AS Server Metadata



Hi all,

I have updated the shepherd writeup for version -06 of the  "OAuth 2.0
Authorization Server Metadata" draft in preparation for the meeting. If
everything goes well then we will submit this document to the IESG
during the IETF meeting week.

Comments appreciated!

Here is the most recent version:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_Metadata.txt

Ciao
Hannes

-----------

Shepherd Write-Up for "OAuth 2.0 Authorization Server Metadata"
<draft-ietf-oauth-discovery-06>

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This specification is targeting 'Proposed Standard'. The type of RFC
is indicated, and the document contains protocol elements.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

   This specification defines a metadata format that an OAuth 2.0 client
   can use to obtain the information needed to interact with an OAuth
   2.0 authorization server, including its endpoint locations and
   authorization server capabilities.

Working Group Summary

   Work on a discovery mechanism for OAuth had been planned for a long
   time, but it took until late 2015 before a document, which re-used
   work done in the OpenID Foundation, was submitted to the group.
   When the WGLC was started in 2016, see
   https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html,
   feedback resulted in refocusing the scope of the specification,
   removing everything except for the authorization server metadata.

   Now, almost a year later, these concerns have been resolved and
   the document is ready for publication.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

  The document scope has been changed to capture current deployment
  practice.

  There are 34 authorization server and 9 OAuth client implementations
  listed at http://openid.net/certification/ that implement metadata
  compatible with the AS metadata specification.
  (See the "Config OP" and "Config RP" columns.)

  Microsoft and Google are using this specification in deployment.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd was involved in the working group review process
and verified the document for correctness.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

There are no concerns regarding the document reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

This document would benefit from security and internationalization reviews.
Particularly Section 4 of the document explaining string operations
deserves a review.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns with the document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors have confirmed full conformance with the provisions of BCP 78
and BCP 79:

John: https://www.ietf.org/mail-archive/web/oauth/current/msg17060.html
Mike: https://www.ietf.org/mail-archive/web/oauth/current/msg17061.html
Nat: TBD

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed for this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

There is consensus in the working group for publishing this
document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

Nobody threatened an appeal or expressed extreme discontent with the
current version of the document.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd checked the document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review is needed.

(13) Have all references within this document been identified as
either normative or informative?

Yes. The references are split into normative and informative references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

The RFCs listed in the normative reference section are all finalized.

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

There are four normative references to non-IETF specifications:

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              <http://www.unicode.org/versions/latest/>.

   [USA15]    Davis, M. and K. Whistler, "Unicode Normalization Forms",
              Unicode Standard Annex 15, June 2015,
              <http://www.unicode.org/reports/tr15/>.

   [OAuth.Post]
              Jones, M. and B. Campbell, "OAuth 2.0 Form Post Response
              Mode", April 2015, <http://openid.net/specs/
              oauth-v2-form-post-response-mode-1_0.html>.

   [OAuth.Responses]
              de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M.
              Jones, "OAuth 2.0 Multiple Response Type Encoding
              Practices", February 2014, <http://openid.net/specs/
              oauth-v2-multiple-response-types-1_0.html>.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document does not change the status of an existing RFC.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocation procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

This document does not request any actions by IANA.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There is no text in formal languages in the document.


--_000_CY4PR21MB0504F0D1319EBA85B6CC4A42F5300CY4PR21MB0504namp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<meta name=3D"Generator" content=3D"Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; pad=
ding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta name=3D"x_Generator" content=3D"Microsoft Word 15 (filtered medium)">
<style>
<!--
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif}
a:x_link, span.x_MsoHyperlink
	{color:blue;
	text-decoration:underline}
a:x_visited, span.x_MsoHyperlinkFollowed
	{color:#954F72;
	text-decoration:underline}
.x_MsoChpDefault
	{}
div.x_WordSection1
	{}
-->
</style>
<div lang=3D"EN-US" link=3D"blue" vlink=3D"#954F72">
<div class=3D"x_WordSection1">
<p class=3D"x_MsoNormal">Actually, there are IANA actions =96 creating and =
populating a registry. Please update the shepherd review accordingly.</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<p class=3D"x_MsoNormal">Other than that, it looks good.</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<p class=3D"x_MsoNormal">Thanks,</p>
<p class=3D"x_MsoNormal">-- Mike</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<div style=3D"border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0i=
n 0in 0in">
<p class=3D"x_MsoNormal" style=3D"border:none; padding:0in"><b>From: </b><a=
 href=3D"mailto:hannes.tschofenig@gmx.net">Hannes Tschofenig</a><br>
<b>Sent: </b>Sunday, March 26, 2017 3:12 PM<br>
<b>To: </b><a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><br>
<b>Subject: </b>[OAUTH-WG] Shepherd Update for AS Server Metadata</p>
</div>
<p class=3D"x_MsoNormal">&nbsp;</p>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi all,

I have updated the shepherd writeup for version -06 of the "OAuth 2.0
Authorization Server Metadata" draft in preparation for the meeting. If
everything goes well then we will submit this document to the IESG
during the IETF meeting week.

Comments appreciated!

Here is the most recent version:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_Metadata.txt

Ciao
Hannes

-----------

Shepherd Write-Up for "OAuth 2.0 Authorization Server Metadata"
&lt;draft-ietf-oauth-discovery-06&gt;

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This specification is targeting a 'Proposed Standard'. The
type of RFC is indicated, and the document contains protocol elements.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

   This specification defines a metadata format that an OAuth 2.0 client
   can use to obtain the information needed to interact with an OAuth
   2.0 authorization server, including its endpoint locations and
   authorization server capabilities.

Working Group Summary

   Work on a discovery mechanism for OAuth had been planned for a long
   time, but it took until late 2015 before a document was submitted
   to the group, which re-used work done in the OpenID Foundation.
   When the WGLC was started in 2016, see
   https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html,
   feedback resulted in refocusing the scope of the specification,
   removing everything except for the authorization server metadata.

   Now, almost a year later, these concerns have been resolved and
   the document is ready for publication.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

  The document scope has been changed to capture current deployment
  practice.

  There are 34 authorization server and 9 OAuth client implementations
  listed at http://openid.net/certification/ that implement metadata
  compatible with the AS metadata specification.
  (See the "Config OP" and "Config RP" columns.)

  Microsoft and Google are using this specification in deployment.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd was involved in the working group review process
and verified the document for correctness.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

There are no concerns regarding the document reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

This document would benefit from security and internationalization reviews.
Particularly Section 4 of the document explaining string operations
deserves a review.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns with the document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors have confirmed full conformance with the provisions of BCP 78
and BCP 79:

John: https://www.ietf.org/mail-archive/web/oauth/current/msg17060.html
Mike: https://www.ietf.org/mail-archive/web/oauth/current/msg17061.html
Nat: TBD

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed for this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

There is consensus in the working group for publishing this
document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

Nobody threatened an appeal or expressed extreme discontent with the
current version of the document.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd checked the document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review is needed.

(13) Have all references within this document been identified as
either normative or informative?

Yes. The references are split into normative and informative references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

The RFCs listed in the normative reference section are all finalized.

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

There are four normative references to non-IETF specifications:

   [UNICODE]  The Unicode Consortium, "The Unicode Standard",
              &lt;http://www.unicode.org/versions/latest/&gt;.

   [USA15]    Davis, M. and K. Whistler, "Unicode Normalization Forms",
              Unicode Standard Annex 15, June 2015,
              &lt;http://www.unicode.org/reports/tr15/&gt;.

   [OAuth.Post]
              Jones, M. and B. Campbell, "OAuth 2.0 Form Post Response
              Mode", April 2015, &lt;http://openid.net/specs/
              oauth-v2-form-post-response-mode-1_0.html&gt;.

   [OAuth.Responses]
              de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M.
              Jones, "OAuth 2.0 Multiple Response Type Encoding
              Practices", February 2014, &lt;http://openid.net/specs/
              oauth-v2-multiple-response-types-1_0.html&gt;.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document does not change the status of an existing RFC.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocation procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

This document does not request any actions by IANA.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There is no text in formal languages in the document.

</div>
</span></font>
</body>
</html>

--_000_CY4PR21MB0504F0D1319EBA85B6CC4A42F5300CY4PR21MB0504namp_--


From nobody Mon Mar 27 01:46:54 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 147641294CF for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 01:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.608
X-Spam-Level: 
X-Spam-Status: No, score=-0.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kptCHw5SWhgn for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 01:46:42 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6FAD1294B8 for <oauth@ietf.org>; Mon, 27 Mar 2017 01:46:41 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 6E37178039D; Mon, 27 Mar 2017 10:46:38 +0200 (CEST)
To: Nat Sakimura <sakimura@gmail.com>, oauth@ietf.org
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
Date: Mon, 27 Mar 2017 10:46:41 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------54E61668499F5CFFC49EA366"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Np9xaUqP-smWiBDWULJTJ6KP9PU>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 08:46:48 -0000

This is a multi-part message in MIME format.
--------------54E61668499F5CFFC49EA366
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Nat,

At present, I do not support the adoption of this document as a WG 
document since the different techniques
that are being proposed have severe problems:

  * When the JWT contains a jwk, jwkt#s256 or jwe, the method is
    ineffective in case of a collusion between two users (ABC attack).
  * When the JWT contains an x5t#s256, the JWT is linked to a hash value
    of a certificate included in the JWT. The server then knows a unique
    identifier of the user. Such a method allows an easy linkage between
    all the accounts of a given user on different resource servers, even
    when the JWT only contains non-directly identifiable attributes.
    Hence, it does not respect 'privacy by design' principles.

In addition, if a fixed value is being used for the audience restriction 
parameter, e.g. a URL of the server, then the authorization server
can easily know where the access tokens will be used and thus it will be 
in a position to act as Big Brother.

You may however continue to progress this document as an individual 
contribution.

Denis

PS. I will not subscribe to bitbucket.org because I don't agree with the 
conditions of this site.


> Hi Denis,
>
> Thanks.
>
> Is it possible to file these separately at 
> https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&status=open so 
> that each issue can be closed separately? (You need to login to 
> bitbucket to do so.) Pull request would be nice, too, but we are going 
> to do a bit of surgery on the spec as of now, so it might be wise to 
> wait till after that to avoid conflicts.
>
> Also, it is not yet a WG document, so please support it becoming one.
>
> Best,
>
> Nat Sakimura
>
> On Wed, Mar 22, 2017 at 5:15 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Nat,
>
>
>     I have several comments on draft-sakimura-oauth-jpop-01 related to
>     security or privacy.
>
>
>     1. The abstract states:
>
>     Only the party in possession of a corresponding cryptographic key
>     with the Jpop token can use it to get access
>     to the associated resources unlike in the case of the bearer token
>     described in [RFC6750] where any party
>     in possession of the access token can access the resource.
>
>     This is incorrect.
>
>     Replace with:
>
>     Any party able to use a corresponding private cryptographic key
>     with the Jpop token can use it to get access
>     to the associated resources unlike in the case of the bearer token
>     described in [RFC6750] where any party
>     in possession of the access token can access the resource.
>
>     2. In section 3, the text states:
>
>     aud: The identifier of the resource server.
>
>     According to the content of RFC 7800:
>
>     The "aud" (audience) claim identifies the recipients that the JWT
>     is intended for. The interpretation of audience values is
>     application specific.
>
>     Replace with:
>
>     aud: The recipients that the JWT is intended for (the interpretation
>     of audience values is application specific).
>
>     3. In section 3, the text states:
>
>     cnf: The confirmation method.
>
>     Their semantics are defined in [RFC7519] and [RFC7800]
>
>
>     This is incorrect: cnf is neither defined in [RFC7519] nor in
>     [RFC7800].
>
>     4. In section 6.2, the text states:
>
>     For this, the following steps are taken:
>
>     1. The client prepares a nonce.
>
>     2. The client creates JWS compact serialization over the nonce
>
>
>         JSON Web Token Claims are listed at:
>         https://www.iana.org/assignments/jwt/jwt.xhtml
>
>     "nonce" has not been defined by the IANA, but is mentioned in
>     OpenID Connect Core 1.0 incorporating errata set 1. It is
>     described as:
>
>     nonce
>
>     String value used to associate a Client session with an ID Token,
>     and to mitigate replay attacks. The value is passed through
>     unmodified from the Authentication Request to the ID Token. If
>     present in the ID Token, Clients MUST verify that the nonce
>     Claim Value is equal to the value of the nonce parameter sent in
>     the Authentication Request. If present in the Authentication Request,
>     Authorization Servers MUST include a nonce Claim in the ID Token
>     with the Claim Value being the nonce value sent in the
>     Authentication Request.
>     Authorization Servers SHOULD perform no other processing on
>     nonce values used. The nonce value is a case sensitive string.
>
>     I have several observations:
>
>     a) there is some difficulty in mandating the use of a parameter that
>     is not registered by IANA.
>
>     b) the further processing of the nonce is not indicated in the text
>
>     c) The last sentence from the above description states:
>     "Authorization Servers SHOULD perform no other processing on
>     nonce values used"
>     There is a practical problem with such a sentence since
>     Authorization Servers would need to remember nonces for ever.
>     Either that sentence should be deleted or the nonce shall be only
>     used with a UTC time parameter included in the Authentication Request.
>
>     In any case, the definition of a nonce as specified in OpenID
>     Connect Core 1.0 incorporating errata set 1 should not be used and
>     another parameter
>     (e.g. rdn for random) should be defined and registered by IANA and
>     used in combination with a UTC time parameter included in the
>     Authentication Request.
>     In this way, only the rdn received during the last X minutes will
>     need to be remembered by the Authorization Servers.
>
>
>     5. The title of section 9.1 is: "Certificate validation"
>
>     Change the title of this section into:
>
>     "9.1. Common Name Constrained Token"
>
>     6. In section 9.1, the text states:
>
>     The "cn" JWT confirmation method relies its security property on the
>
>     X.509 client certificate authentication.
>
>     Replace with:
>
>     The "cn" JWT confirmation method relies its security property by
>     the inclusion of the Common Name (CN)
>     that is part of the Distinguished Name (DN) of an X.509
>     certificate. The JWT is linked to the common name
>     included in the certificate. Such a method is not privacy friendly
>     since it allows an easy linkage between
>     all the accounts of a given user on different resource servers.
>
>     7. Add a new section 9.2 to deal with the case of the cid.
>
>     Proposed text:
>
>     9.2. Client ID Constrained Token
>
>     The "cid" JWT confirmation method relies its security property on
>     the assumption that the cid legitimately
>     used by one server cannot be used by another user. It also relies
>     on the assumption that the authentication data
>     associated with "cid" combined with the "iss" will only be used by
>     the legitimate user. This method is ineffective
>     in case of a collusion between two users, since one user can
>     perform all the computations needed by the other user.
>
>     8. In section 9.2, the text states:
>
>     The client's secret key must be kept securely. Otherwise, the
>     notion of PoP breaks down.
>
>     The PKIX group from the IETF is using the vocabulary private key /
>     public key when asymmetric cryptography is being used
>     and secret key when symmetric algorithms are being used (let us
>     call a spade a spade).
>
>     However, keeping a client's private key securely is not the right
>     wording either. If the key is kept securely in a secure element
>     (e.g. smart card), this is not enough, since the holder of the
>     secure element may use this key for himself ... or worse for the
>     benefit of someone else.
>
>     Proposed change:
>
>     9.3. Key Constrained Token
>
>     This method has four variants.
>
>     When the JWT contains a jwk, the JWT confirmation method relies
>     its security property on the assumption that the private key
>     associated with the public key contained in the access token will
>     only be used by the legitimate user. In order to avoid an easy linkage
>     between user's accounts, this method presents the advantage that
>     the key pair can be changed for every JWT. However, this method
>     is ineffective in case of a collusion between two users, since one
>     user can perform all the computations needed by the other user.
>
>     When the JWT contains a jwkt#s256, the server must have a prior
>     knowledge of the public key and the method relies its security
>     property
>     on the assumption that the private key associated with the public
>     key contained in the access token will only be used by the
>     legitimate user.
>     Hence, this method is ineffective in case of a collusion between
>     two users, since one user can perform all the computations needed
>     by the other user.
>
>     When the JWT contains a x5t#s256, the server must have a prior
>     knowledge of the public key certificate. The JWT is then linked to
>     a hash value
>     of a certificate included in the JWT. The server knows a unique
>     identifier of the user. Such a method is not privacy friendly
>     since it allows
>     an easy linkage between all the accounts of a given user on
>     different resource servers.
>
>     When the JWT contains a jwe, the JWT confirmation method relies
>     its security property on the assumption that the secret key included
>     in the JWT will only be used by the legitimate user. In order to
>     avoid an easy linkage between user's accounts, this method presents
>     the advantage that the secret key can be changed for every JWT.
>     However, this method is ineffective in case of a collusion between
>     two users,
>     since one user can perform all the computations needed by the
>     other user.
>
>     9. The text states in section 9.3:
>
>     9.3.Audi_a_nce Restriction
>
>     When using the signature method the client must specify to the AS
>     the aud it intends to send the token to, so that it can be
>     included in the AT.
>
>     A malicious RS could receive an AT with no aud or a logical
>     audience and then replay the AT and jws-on-nonce to the actual server.
>
>
>     Proposed change in order to address privacy concerns :
>
>     9.4.Audi_e_nce Restriction
>
>     When using the signature method, the client must specify to the AS
>     the aud it intends to send the token to, so that it can be
>     included in the AT.
>
>     RFC 7800 states that the interpretation of audience values is
>     application specific. If a fixed value is being used, e.g. a URL
>     of the server,
>     then the authorization server can easily know where the access
>     tokens will be used and thus is in a position to act as Big Brother.
>     It is thus recommended to use a different value in the aud claims
>     for each access token that contains no semantics in it but that
>     the resource server
>     can easily recognize.
>
>     If a malicious RS receives an AT with no aud or a logical audience
>     in it then it can replay the AT and jws-on-nonce to another server.
>
>     Denis
>
>
>>     HI Chairs,
>>
>>     I would also like to ask 5 min. on Monday (as I cannot be on
>>     Friday) for
>>     The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].
>>
>>     [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
>>
>>     It is capturing strong and rather urgent demands from the
>>     financial sector and would be great if it can be considered in
>>     the WG.
>>
>>     Best,
>>
>>     Nat Sakimura
>>
>>     On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com
>>     <mailto:asanso@adobe.com>> wrote:
>>
>>         hi Torsten,
>>
>>         good one. I personally am looking forward to seeing this
>>         particular document find its way.
>>
>>         IMHO this is something much needed.
>>
>>         regards
>>
>>         antonio
>>
>>         On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt
>>         <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>>         Hi Chairs,
>>>
>>>         I would like to request 5 minutes on Monday to briefly
>>>         present the status of the security document. This is mainly
>>>         to raise awareness in the group since I didn't get that much
>>>         input on it since Seoul.
>>>
>>>         kind regards,
>>>         Torsten.
>>>
>>>>         Am 18.03.2017 um 01:52 schrieb Mike Jones
>>>>         <Michael.Jones@microsoft.com
>>>>         <mailto:Michael.Jones@microsoft.com>>:
>>>>
>>>>         Hi Chairs,
>>>>
>>>>         I'd like to request that the following presentations be
>>>>         added to the agenda:
>>>>
>>>>         OAuth Token Exchange (draft-ietf-oauth-token-exchange) -
>>>>         Mike Jones - 15 minutes
>>>>         OAuth Authorization Server Metadata
>>>>         (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes
>>>>
>>>>         I'd also talked with Brian Campbell and I think he wants to
>>>>         lead this discussion, in part based on his implementation
>>>>         experience:
>>>>
>>>>         OAuth Token Binding (draft-ietf-oauth-token-binding) -
>>>>         Brian Campbell - 30 minutes
>>>>
>>>>         (Brian may suggest a different amount of time)
>>>>
>>>>         I agree that William Dennis should present about the OAuth
>>>>         Device Flow (draft-ietf-oauth-device-flow).
>>>>
>>>>         For completeness, I don't think a presentation is needed
>>>>         about OAuth AMR Values (draft-ietf-oauth-amr-values)
>>>>         because it's now completed its IESG review.
>>>>
>>>>         I'll look forward to seeing many of you in just over a week!
>>>>
>>>>         -- Mike
>>>>
>>>>         -----Original Message-----
>>>>         From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of
>>>>         "IETF Secretariat"
>>>>         Sent: Friday, March 3, 2017 3:55 PM
>>>>         To: oauth-chairs@ietf.org <mailto:oauth-chairs@ietf.org>;
>>>>         smccammon@amsl.com <mailto:smccammon@amsl.com>
>>>>         Cc: oauth@ietf.org <mailto:oauth@ietf.org>
>>>>         Subject: [OAUTH-WG] oauth - Requested sessions have been
>>>>         scheduled for IETF 98
>>>>
>>>>         Dear Stephanie McCammon,
>>>>
>>>>         The session(s) that you have requested have been scheduled.
>>>>         Below is the scheduled session information followed by the
>>>>         original request.
>>>>
>>>>         oauth Session 1 (2:30:00)
>>>>           Friday, Morning Session I 0900-1130
>>>>           Room Name: Zurich C size: 100
>>>>           ---------------------------------------------
>>>>           oauth Session 2 (1:00:00)
>>>>           Monday, Afternoon Session III 1710-1810
>>>>           Room Name: Zurich C size: 100
>>>>           ---------------------------------------------
>>>>
>>>>
>>>>
>>>>         Request Information:
>>>>
>>>>
>>>>         ---------------------------------------------------------
>>>>         Working Group Name: Web Authorization Protocol Area Name:
>>>>         Security Area Session Requester: Stephanie McCammon
>>>>
>>>>         Number of Sessions: 2
>>>>         Length of Session(s):  2.5 Hours, 1 Hour Number of
>>>>         Attendees: 50 Conflicts to Avoid:
>>>>         First Priority: saag core tls tokbind
>>>>
>>>>
>>>>
>>>>
>>>>         People who must be present:
>>>>         Hannes Tschofenig
>>>>         Kathleen Moriarty
>>>>         Derek Atkins
>>>>
>>>>         Resources Requested:
>>>>         Projector in room
>>>>
>>>>         Special Requests:
>>>>         Please avoid conflict with sec area BoFs.
>>>>         ---------------------------------------------------------
>>>>
>>>>         _______________________________________________
>>>>         OAuth mailing list
>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0
>>>>
>>>>
>>>>         _______________________________________________
>>>>         OAuth mailing list
>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463068122&sdata=5CIJnWs2VdLM9FUWt%2FWlOxIilp5N2vfr7b9elwhL%2BA4%3D&reserved=0
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>     -- 
>>
>>     Nat Sakimura
>>
>>     Chairman of the Board, OpenID Foundation
>>
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>

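Observation (c) in Denis's review above says that an authorization server which "performs no other processing" on nonces would have to remember them forever, and proposes instead a random value (he suggests the name rdn) combined with a UTC time carried in the request, so that only values received during the last X minutes need to be remembered. The following replay cache illustrates why that bounds the server's state. It is an added example written for this page, not code from draft-sakimura-oauth-jpop, OpenID Connect Core or any participant in the thread; the class name NonceWindow, the parameter name rdn, the 300-second window, the use of the same window as clock-skew tolerance and the sample timestamps are all assumptions made here.

```python
import secrets
import time


class NonceWindow:
    """Replay cache that only remembers values from the last `window_seconds`.

    Each request carries a client-chosen random value (called "rdn" here,
    following the name suggested in the review; the name is an assumption)
    and the UTC time at which the client created it, in seconds since the
    epoch. The server applies two checks:

      1. freshness: |now - timestamp| must not exceed the window, so a
         request whose timestamp is too old (or too far in the future,
         beyond tolerated clock skew) is rejected outright;
      2. uniqueness: an rdn already seen inside the window is a replay.

    Because check 1 rejects anything older than the window on its own, an
    rdn only has to be remembered until its timestamp ages out; after that
    a replay fails check 1 with no stored state at all. That is what bounds
    the cache, unlike a nonce that must be remembered indefinitely.
    """

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock            # injectable so the demo is deterministic
        self._seen = {}               # rdn -> client timestamp

    def _evict_expired(self, now):
        # A replay of a request with timestamp t is already rejected by the
        # freshness check once now - t > window, so such entries can go.
        self._seen = {r: t for r, t in self._seen.items()
                      if now - t <= self.window}

    def accept(self, rdn, timestamp):
        """Return True if (rdn, timestamp) is fresh and first-seen, else False."""
        now = self.clock()
        self._evict_expired(now)
        if abs(now - timestamp) > self.window:
            return False              # stale, or too far in the future
        if rdn in self._seen:
            return False              # replay inside the window
        self._seen[rdn] = timestamp
        return True

    def remembered(self):
        """Number of rdn values currently held; bounded by what fits in one window."""
        return len(self._seen)


def new_rdn():
    """Client side: a fresh random value to send alongside the current UTC time."""
    return secrets.token_urlsafe(16)


def demo():
    """Walk through the accept/reject cases with a controllable clock (constructed values)."""
    fake_now = [1_000_000.0]
    win = NonceWindow(window_seconds=300, clock=lambda: fake_now[0])
    r1 = new_rdn()
    results = [
        win.accept(r1, 1_000_000.0),        # first use: accepted
        win.accept(r1, 1_000_000.0),        # immediate replay: rejected
        win.accept(new_rdn(), 999_000.0),   # fresh rdn but timestamp 1000 s old: rejected
    ]
    fake_now[0] += 301                      # move the server clock past the window
    results.append(win.accept(r1, 1_000_000.0))  # late replay: rejected by freshness alone
    results.append(win.remembered())        # ...and r1 has already been evicted: 0
    return results


if __name__ == "__main__":
    print(demo())
```

The review leaves X unspecified; here one value serves both as the replay window and as the clock-skew tolerance, which keeps the example short but is a simplification a deployment would normally separate. The eviction sweep is linear in the number of remembered values, which is acceptable because the window itself keeps that number small.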

--------------54E61668499F5CFFC49EA366
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix"><font face="Arial">Hi Nat,<br>
        <br>
        At present, I do not support the adoption of this document as a
        WG document since the different techniques <br>
        that are being proposed have severe problems:<br>
        <br>
      </font>
      <ul>
        <li><font face="Arial"><span class="gmail_msg" lang="EN-US">When
              the JWT contains a jwk, </span><span class="gmail_msg"
              lang="EN-US">jwkt#s256 or </span><span class="gmail_msg"
              lang="EN-US">jwe, the </span><span class="gmail_msg"
              lang="EN-US">method is ineffective in case of a collusion
              between two users (ABC attack).</span></font></li>
        <li><font face="Arial">When the <span class="gmail_msg"
              lang="EN-US">JWT contains a x5t#s256, the JWT is linked to
              a hash value of a certificate included in the JWT.</span></font><font
            face="Arial"><span class="gmail_msg" lang="EN-US"><br>
              The server then knows a unique identifier of the user.
              Such a method allows an easy linkage between all the
              accounts</span></font><font face="Arial"><span
              class="gmail_msg" lang="EN-US"><br>
              of a given user on different resource servers, even when
              the JWT only </span></font><font face="Arial"><span
              class="gmail_msg" lang="EN-US"><font face="Arial">contains
                <font color="#3333ff">non-directly identifiable
                  attributes</font></font>.<br>
              Hence, it does not respect '<font color="#3333ff">privacy
                by design</font>' principles.</span></font><br>
          <font face="Arial"><span class="gmail_msg" lang="EN-US"></span></font></li>
      </ul>
      <font face="Arial">In addition, i</font><font face="Arial"><font
          class="gmail_msg" color="#000099"><span
            style="font-family:Arial" class="gmail_msg" lang="EN-US"><font
              color="#000000">f a fixed value is being used for the
              audience restriction parameter, e.g. a URL of the server,
              then the authorization server <br>
              can easily know where the access tokens will be used and
              thus <font color="#3333ff">it will be in a position to
                act as Big Brother</font>.<br>
              <br>
              You may however continue to progress this document as an
              individual contribution.<br>
              <br>
              Denis<br>
              <br>
              PS. I will not subscribe to bitbucket.org because I don't
              agree with the conditions of this site.<br>
              <br>
            </font></span></font></font><br>
    </div>
    <blockquote
cite="mid:CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Denis,&nbsp;
        <div><br>
        </div>
        <div>Thanks.&nbsp;
          <div><br>
          </div>
          <div>Is it possible to file these separately at&nbsp;<a
              moz-do-not-send="true"
href="https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&amp;status=open">https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&amp;status=open</a>&nbsp;so
            that each issue&nbsp;can be closed separately? (You need to log in
            to bitbucket to do so.) A pull request would be nice, too, but
            we are going to do a bit of surgery on the spec as of now,
            so it might be wise to wait till after that to avoid
            conflicts.&nbsp;</div>
        </div>
        <div><br>
        </div>
        <div>Also, it is not yet a WG document so please support it
          becoming one.&nbsp;</div>
        <div><br>
        </div>
        <div>Best,&nbsp;</div>
        <div><br>
        </div>
        <div>Nat Sakimura</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Wed, Mar 22, 2017 at 5:15 AM Denis &lt;<a
            moz-do-not-send="true" href="mailto:denis.ietf@free.fr">denis.ietf@free.fr</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <div class="m_-6515445798692939327moz-cite-prefix gmail_msg">
            </div>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Hi
                Nat,</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><br
                  class="gmail_msg">
              </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">I
                have several comments on draft-sakimura-oauth-jpop-01
                related to security or privacy.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><br
                class="gmail_msg">
              <span style="font-family:Arial" class="gmail_msg"
                lang="EN-US"> </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">1.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                The abstract states:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Only
                the party in possession of a corresponding cryptographic
                key with the Jpop token can use it to get access <br
                  class="gmail_msg">
                to the associated resources unlike in the case of the
                bearer token described in [RFC6750] where any party <br
                  class="gmail_msg">
                in possession of the access token can access the
                resource.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">This
                is incorrect.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Replace
                with:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Any
                party able to use a corresponding private cryptographic
                key with the Jpop token can use it to get access <br
                  class="gmail_msg">
                to the associated resources unlike in the case of the
                bearer token described in [RFC6750] where any party <br
                  class="gmail_msg">
                in possession of the access token can access the
                resource.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">2.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                In section 3, the text states:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp; </span>aud<span class="gmail_msg">&nbsp;
                </span>The identifier of the resource server.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">According
                to the content of RFC 7800:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                "aud" (audience) claim identifies the recipients that
                the JWT is intended for. The interpretation of audience
                values is application specific.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Replace
                with:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp; </span>aud<span class="gmail_msg">&nbsp;
                </span>The recipients that the JWT is intended for (the
                interpretation of audience values is application
                specific).</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">3.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                In section 3, the text states: </span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">cnf<span
                  class="gmail_msg">&nbsp; </span>The confirmation method.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp;&nbsp; </span>Their semantics are
                defined in [RFC7519] and [RFC7800]</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><br
                  class="gmail_msg">
                This is incorrect: cnf is neither defined in [RFC7519]
                nor in [RFC7800].</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">4.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                In section 6.2, the text states:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">For
                this, the following steps are taken:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp;&nbsp; </span>1.<span class="gmail_msg">&nbsp;
                </span>The client prepares a nonce.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp;&nbsp; </span>2.<span class="gmail_msg">&nbsp;
                </span>The client creates JWS compact serialization over
                the nonce</span></p>
            <h2 class="gmail_msg"><span
                style="font-size:12.0pt;font-family:Arial;font-weight:normal"
                class="gmail_msg" lang="EN-GB">JSON Web Token Claims are
                listed at: <span style="color:blue" class="gmail_msg"><a
                    moz-do-not-send="true"
                    class="m_-6515445798692939327moz-txt-link-freetext
                    gmail_msg"
                    href="https://www.iana.org/assignments/jwt/jwt.xhtml"
                    target="_blank">https://www.iana.org/assignments/jwt/jwt.xhtml</a></span></span></h2>
            <p class="MsoNormal gmail_msg"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">"nonce"
                has not been defined by the IANA, but is mentioned in
                OpenID Connect Core 1.0 incorporating errata set 1. It
                is described as:</span></p>
            <p class="MsoNormal gmail_msg"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">nonce</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"></span></p>
            <p class="MsoNormal gmail_msg" style="margin-left:36.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">String
                value used to associate a Client session with an ID
                Token, and to mitigate replay attacks. The value is
                passed through <br class="gmail_msg">
                unmodified from the Authentication Request to the ID
                Token. If present in the ID Token, Clients MUST verify
                that the </span><tt class="gmail_msg"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB">nonce</span></tt><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"><br
                  class="gmail_msg">
                Claim Value is equal to the value of the </span><tt
                class="gmail_msg"><span style="font-family:Arial"
                  class="gmail_msg" lang="EN-GB">nonce</span></tt><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">
                parameter sent in the Authentication Request. If present
                in the Authentication Request, <br class="gmail_msg">
                Authorization Servers MUST include a </span><tt
                class="gmail_msg"><span style="font-family:Arial"
                  class="gmail_msg" lang="EN-GB">nonce</span></tt><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">
                Claim in the ID Token with the Claim Value being the
                nonce value sent in the Authentication Request. <br
                  class="gmail_msg">
                <font class="gmail_msg" color="#3333ff">Authorization
                  Servers SHOULD perform no other processing on </font></span><font
                class="gmail_msg" color="#3333ff"><tt class="gmail_msg"><span
                    style="font-family:Arial" class="gmail_msg"
                    lang="EN-GB">nonce</span></tt></font><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"><font
                  class="gmail_msg" color="#000099"><font
                    class="gmail_msg" color="#3333ff"> values used</font>.</font>
                The </span><tt class="gmail_msg"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB">nonce</span></tt><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">
                value is a case sensitive string. </span></p>
            <p class="MsoNormal gmail_msg"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:2.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:0cm"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">I
                have several observations:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">a)<span
                  style="font:7.0pt &quot;Times New Roman&quot;"
                  class="gmail_msg">&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">there
                is some difficulty to mandate the use of a parameter
                that is not registered by IANA.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">b)<span
                  style="font:7.0pt &quot;Times New Roman&quot;"
                  class="gmail_msg">&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">the
                further processing of the nonce is not indicated in the
                text</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">c)&nbsp;
                The last sentence from the above description states: "</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"><font
                  class="gmail_msg" color="#3333ff"><span
                    style="font-family:Arial" class="gmail_msg"
                    lang="EN-GB">Authorization Servers SHOULD perform no
                    other processing on </span><tt class="gmail_msg"><span
                      style="font-family:Arial" class="gmail_msg"
                      lang="EN-GB">nonce</span></tt></font><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB"><font class="gmail_msg" color="#3333ff">
                    values used</font>"<br class="gmail_msg">
                </span>There is a practical problem with such a sentence
                since </span><span style="font-family:Arial"
                class="gmail_msg" lang="EN-GB"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB"><span style="font-family:Arial"
                    class="gmail_msg" lang="EN-GB">Authorization Servers
                    would need to remember nonces for ever. <br
                      class="gmail_msg">
                    Either that sentence should be deleted or the nonce
                    shall be only used with a UTC time parameter
                    included in the </span></span></span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">Authentication
                Request.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">
              </span><font class="gmail_msg" face="Arial">In any case,
                the definition of </font><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB">a
                nonce as specified in OpenID Connect Core 1.0
                incorporating errata set 1 should not be used and
                another parameter <br class="gmail_msg">
                (e.g. rdn for random) should be defined and registered
                by IANA and used in combination with </span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB"><span style="font-family:Arial"
                    class="gmail_msg" lang="EN-GB"><span
                      style="font-family:Arial" class="gmail_msg"
                      lang="EN-GB">a UTC time parameter included in the
                    </span></span></span><span style="font-family:Arial"
                  class="gmail_msg" lang="EN-GB">Authentication Request</span>.<br
                  class="gmail_msg">
                In this way, only the rdn received during the last X
                minutes will need to be remembered by </span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-GB"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-GB"></span><span style="font-family:Arial"
                  class="gmail_msg" lang="EN-GB"><span
                    style="font-family:Arial" class="gmail_msg"
                    lang="EN-GB"><span style="font-family:Arial"
                      class="gmail_msg" lang="EN-GB">the Authorization
                      Servers</span></span></span>.<br class="gmail_msg">
              </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><br
                class="gmail_msg">
              <span style="font-family:Arial" class="gmail_msg"
                lang="EN-GB"></span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">5.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                The title of section 9.1 is: "Certificate validation"</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Change
                the title of this section into:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">"9.1.
                Common Name Constrained Token"</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">6.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                In section 9.1, the text states:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                "cn" JWT confirmation method relies its security
                property on the</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><span
                  class="gmail_msg">&nbsp;&nbsp; </span>X.509 client certificate
                authentication. </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Replace
                with:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                "cn" JWT confirmation method relies its security
                property by the inclusion of the Common Name (CN) <br
                  class="gmail_msg">
                that is part of the Distinguished Name (DN) of an X.509
                certificate. The JWT is linked to the common name <br
                  class="gmail_msg">
                included in the certificate. Such a method is not
                privacy friendly since it allows an easy linkage between
                <br class="gmail_msg">
                all the accounts of a given user on different resource
                servers.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">7.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                Add a new section 9.2 to deal with the case of the cid.
              </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Proposed
                text: </span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">9.2.
                Client ID Constrained Token</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                "cid" JWT confirmation method relies its security
                property on the assumption that the cid legitimately <br
                  class="gmail_msg">
                used by one server cannot be used by another user. It
                also relies on the assumption that the authentication
                data <br class="gmail_msg">
                associated with "cid" combined with the "iss" will only
                be used by the legitimate user. This method is
                ineffective <br class="gmail_msg">
                in case of a collusion between two users, since one user
                can perform all the computations needed by the other
                user.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">8.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                In section 9.2, the text states:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                client's secret key must be kept securely. Otherwise,
                the notion of PoP breaks down.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">The
                PKIX group from the IETF is using the vocabulary private
                key / public key when asymmetric cryptography is being
                used <br class="gmail_msg">
                and secret key when symmetric algorithms are being used
                (let us call a spade a spade).</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">However,
                keeping a client's private key securely is not the right
                wording either. If the key is kept securely in a secure
                element <br class="gmail_msg">
                (e.g. smart card), this is not enough, since the holder
                of the secure element may use this key for himself ...
                or worse for the benefit of someone else.<br
                  class="gmail_msg">
                <br class="gmail_msg">
              </span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">Proposed
                change:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">9.3.
                Key Constrained Token</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">This
                method has four variants. </span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                the JWT contains a jwk, the JWT confirmation method
                relies its security property on the assumption that the
                private key <br class="gmail_msg">
                associated with the public key contained in the access
                token will only be used by the legitimate user. In order
                to avoid an easy linkage<br class="gmail_msg">
                between user's accounts, this method presents the
                advantage that the key pair can be changed for every
                JWT. However, this method <br class="gmail_msg">
                is ineffective in case of a collusion between two users,
                since one user can perform all the computations needed
                by the other user.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                the JWT contains a jwkt#s256, the server must have a
                prior knowledge of the public key and the method relies
                its security property <br class="gmail_msg">
                on the assumption that the private key associated with
                the public key contained in the access token will only
                be used by the legitimate user. <br class="gmail_msg">
                Hence, this method is ineffective in case of a collusion
                between two users, since one user can perform all the
                computations needed <br class="gmail_msg">
                by the other user.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                the JWT contains a x5t#s256, the server must have a
                prior knowledge of the public key certificate. The JWT
                is then linked to a hash value <br class="gmail_msg">
                of a certificate included in the JWT. The server knows a
                unique identifier of the user. Such a method is not
                privacy friendly since it allows <br class="gmail_msg">
                an easy linkage between all the accounts of a given user
                on different resource servers.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                the JWT contains a jwe, the JWT confirmation method's
                security property relies on the assumption that the
                secret key included <br class="gmail_msg">
                in the JWT will only be used by the legitimate user. In
                order to avoid an easy linkage between a user's accounts,
                this method presents <br class="gmail_msg">
                the advantage that the secret key can be changed for
                every JWT. However, this method is ineffective in case
                of collusion between two users, <br class="gmail_msg">
                since one user can perform all the computations needed
                by the other user.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">&nbsp;</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">9.</span><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">
                The text states in section 9.3:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">9.3.<span
                  class="gmail_msg">&nbsp; </span>Audi<u class="gmail_msg">a</u>nce
                Restriction</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                using the signature method the client must specify to
                the AS the aud it intends to send the token to, so that
                it can be included in the AT.</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">A
                malicious RS could receive an AT with no aud or a logical
                audience and then replay the AT and jws-on-nonce to the
                actual server.</span></p>
            <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US"><br
                  class="gmail_msg">
                Proposed change in order to address privacy concerns:</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">9.4.<span
                  class="gmail_msg">&nbsp; </span>Audi<u class="gmail_msg">e</u>nce
                Restriction</span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">When
                using the signature method, the client must specify to
                the AS the aud it intends to send the token to, so that
                it can be included in the AT. </span></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><font
                class="gmail_msg" color="#000099"><span
                  style="font-family:Arial" class="gmail_msg"
                  lang="EN-US">RFC 7800 states that the interpretation
                  of audience values is application specific. If a fixed
                  value is being used, e.g. a URL of the server, <br
                    class="gmail_msg">
                  then the authorization server can easily know where
                  the access tokens will be used and thus is in a
                  position to act as Big Brother. <br class="gmail_msg">
                  It is thus recommended to use a different value in the
                  aud claims for each access token that contains no
                  semantics in it but that the resource server <br
                    class="gmail_msg">
                  can easily recognize.</span></font><i
                class="gmail_msg"><span style="font-family:Arial"
                  class="gmail_msg" lang="EN-US"></span></i></p>
            <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                style="font-family:Arial" class="gmail_msg" lang="EN-US">If
                a malicious RS receives an AT with no aud or a logical
                audience in it then it can replay the AT and
                jws-on-nonce to another server.<br class="gmail_msg">
              </span><span style="font-size:11.0pt;font-family:Arial"
                class="gmail_msg" lang="EN-US"></span></p>
          </div>
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <p class="gmail_msg"><span
                style="font-size:11.0pt;font-family:Arial"
                class="gmail_msg" lang="EN-US">&nbsp;</span><font
                class="gmail_msg" size="+1"><span
                  style="font-size:11.0pt;font-family:Arial"
                  class="gmail_msg" lang="EN-US">Denis</span></font></p>
          </div>
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <p class="gmail_msg"><font class="gmail_msg" size="+1"><span
                  style="font-size:11.0pt;font-family:Arial"
                  class="gmail_msg" lang="EN-US"><br class="gmail_msg">
                </span></font></p>
            <blockquote type="cite" class="gmail_msg">
              <div dir="ltr" class="gmail_msg">
                <div dir="ltr" class="gmail_msg">Hi Chairs,
                  <div class="gmail_msg"><br class="gmail_msg">
                  </div>
                  <div class="gmail_msg">I would also like to ask 5 min.
                    on Monday (as I cannot be on Friday) for</div>
                  The OAuth 2.0 Authorization Framework: JWT Pop Token
                  Usage [1].</div>
                <div dir="ltr" class="gmail_msg"><br class="gmail_msg">
                </div>
                <div dir="ltr" class="gmail_msg">[1] <a
                    moz-do-not-send="true"
                    href="https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01"
                    class="gmail_msg" target="_blank">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01</a></div>
                <div dir="ltr" class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">It is capturing strong and rather
                  urgent demands from the financial sector and would be
                  great if it can be considered in the WG.</div>
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Best,</div>
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Nat Sakimura</div>
                <br class="gmail_msg">
                <div class="gmail_quote gmail_msg">
                  <div dir="ltr" class="gmail_msg">On Tue, Mar 21, 2017
                    at 10:28 PM Antonio Sanso &lt;<a
                      moz-do-not-send="true"
                      href="mailto:asanso@adobe.com" class="gmail_msg"
                      target="_blank">asanso@adobe.com</a>&gt; wrote:<br
                      class="gmail_msg">
                  </div>
                  <blockquote class="gmail_quote gmail_msg"
                    style="margin:0 0 0 .8ex;border-left:1px #ccc
                    solid;padding-left:1ex">
                    <div style="word-wrap:break-word" class="gmail_msg">
                      hi Torsten,
                      <div class="gmail_msg"><br class="gmail_msg">
                      </div>
                      <div class="gmail_msg">good one. Personally, I am
                        looking forward to seeing this particular document
                        find its way.</div>
                      <div class="gmail_msg"><br class="gmail_msg">
                      </div>
                      <div class="gmail_msg">IMHO this is something much
                        needed.</div>
                      <div class="gmail_msg"><br class="gmail_msg">
                      </div>
                      <div class="gmail_msg">regards</div>
                      <div class="gmail_msg"><br class="gmail_msg">
                      </div>
                      <div class="gmail_msg">antonio</div>
                      <div class="gmail_msg"><br class="gmail_msg">
                      </div>
                    </div>
                    <div style="word-wrap:break-word" class="gmail_msg">
                      <div class="gmail_msg">
                        <div class="gmail_msg">
                          <div class="gmail_msg">On Mar 21, 2017, at
                            2:08 PM, Torsten Lodderstedt &lt;<a
                              moz-do-not-send="true"
                              href="mailto:torsten@lodderstedt.net"
                              class="gmail_msg" target="_blank">torsten@lodderstedt.net</a>&gt;
                            wrote:</div>
                          <br
class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-interchange-newline
                            gmail_msg">
                        </div>
                      </div>
                    </div>
                    <div style="word-wrap:break-word" class="gmail_msg">
                      <div class="gmail_msg">
                        <div class="gmail_msg">
                          <blockquote type="cite" class="gmail_msg">
                            <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                              class="gmail_msg"> Hi Chairs,<br
                                class="gmail_msg">
                              <br class="gmail_msg">
                              I would like to request 5 minutes on
                              Monday to briefly present the status of
                              the security document. This is mainly to
                              raise awareness in the group since I
                              didn't get that much input on it since
                              Seoul.<br class="gmail_msg">
                              <br class="gmail_msg">
                              kind regards,<br class="gmail_msg">
                              Torsten.<br class="gmail_msg">
                              <br class="gmail_msg">
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style="word-wrap:break-word" class="gmail_msg">
                      <div class="gmail_msg">
                        <div class="gmail_msg">
                          <blockquote type="cite" class="gmail_msg">
                            <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                              class="gmail_msg">
                              <blockquote type="cite" class="gmail_msg">Am
                                18.03.2017 um 01:52 schrieb Mike Jones
                                &lt;<a moz-do-not-send="true"
                                  href="mailto:Michael.Jones@microsoft.com"
                                  class="gmail_msg" target="_blank">Michael.Jones@microsoft.com</a>&gt;:<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                Hi Chairs,<br class="gmail_msg">
                                <br class="gmail_msg">
                                I'd like to request that the following
                                presentations be added to the agenda:<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                <span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                Token Exchange
                                (draft-ietf-oauth-token-exchange) - Mike
                                Jones - 15 minutes<br class="gmail_msg">
                                <span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                Authorization Server Metadata
                                (draft-ietf-oauth-discovery) - Mike
                                Jones - 15 minutes<br class="gmail_msg">
                                <br class="gmail_msg">
                                I'd also talked with Brian Campbell and
                                I think he wants to lead this
                                discussion, in part based on his
                                implementation experience:<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                <span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                Token Binding
                                (draft-ietf-oauth-token-binding) - Brian
                                Campbell - 30 minutes<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                (Brian may suggest a different amount of
                                time)<br class="gmail_msg">
                                <br class="gmail_msg">
                                I agree that William Dennis should
                                present about the OAuth Device Flow
                                (draft-ietf-oauth-device-flow).<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                For completeness, I don't think a
                                presentation is needed about OAuth AMR
                                Values (draft-ietf-oauth-amr-values)
                                because it's now completed its IESG
                                review.<br class="gmail_msg">
                                <br class="gmail_msg">
                                I'll look forward to seeing many of you
                                in just over a week!<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                <span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>--
                                Mike<br class="gmail_msg">
                                <br class="gmail_msg">
                                -----Original Message-----<br
                                  class="gmail_msg">
                                From: OAuth [<a moz-do-not-send="true"
                                  href="mailto:oauth-bounces@ietf.org"
                                  class="gmail_msg" target="_blank">mailto:oauth-bounces@ietf.org</a>]
                                On Behalf Of "IETF Secretariat"<br
                                  class="gmail_msg">
                                Sent: Friday, March 3, 2017 3:55 PM<br
                                  class="gmail_msg">
                                To: <a moz-do-not-send="true"
                                  href="mailto:oauth-chairs@ietf.org"
                                  class="gmail_msg" target="_blank">oauth-chairs@ietf.org</a>;
                                <a moz-do-not-send="true"
                                  href="mailto:smccammon@amsl.com"
                                  class="gmail_msg" target="_blank">
                                  smccammon@amsl.com</a><br
                                  class="gmail_msg">
                                Cc: <a moz-do-not-send="true"
                                  href="mailto:oauth@ietf.org"
                                  class="gmail_msg" target="_blank">oauth@ietf.org</a><br
                                  class="gmail_msg">
                                Subject: [OAUTH-WG] oauth - Requested
                                sessions have been scheduled for IETF 98<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                Dear Stephanie McCammon,<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                The session(s) that you have requested
                                have been scheduled.<br
                                  class="gmail_msg">
                                Below is the scheduled session
                                information followed by the original
                                request.<span
class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-converted-space
                                  gmail_msg">&nbsp;</span><br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                oauth Session 1 (2:30:00)<br
                                  class="gmail_msg">
                                &nbsp;&nbsp;Friday, Morning Session I 0900-1130<br
                                  class="gmail_msg">
                                &nbsp;&nbsp;Room Name: Zurich C size: 100<br
                                  class="gmail_msg">
&nbsp;&nbsp;---------------------------------------------<br class="gmail_msg">
                                &nbsp;&nbsp;oauth Session 2 (1:00:00)<br
                                  class="gmail_msg">
                                &nbsp;&nbsp;Monday, Afternoon Session III
                                1710-1810<br class="gmail_msg">
                                &nbsp;&nbsp;Room Name: Zurich C size: 100<br
                                  class="gmail_msg">
&nbsp;&nbsp;---------------------------------------------<br class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
                                Request Information:<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
---------------------------------------------------------<br
                                  class="gmail_msg">
                                Working Group Name: Web Authorization
                                Protocol<br class="gmail_msg">
                                Area Name: Security Area<br class="gmail_msg">
                                Session Requester: Stephanie McCammon<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                Number of Sessions: 2<br
                                  class="gmail_msg">
                                Length of Session(s): 2.5 Hours, 1 Hour<br class="gmail_msg">
                                Number of Attendees: 50<br class="gmail_msg">
                                Conflicts to Avoid:<span
class="m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-converted-space
                                  gmail_msg">&nbsp;</span><br
                                  class="gmail_msg">
                                First Priority: saag core tls tokbind<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
                                <br class="gmail_msg">
                                People who must be present:<br
                                  class="gmail_msg">
                                Hannes Tschofenig<br class="gmail_msg">
                                Kathleen Moriarty<br class="gmail_msg">
                                Derek Atkins<br class="gmail_msg">
                                <br class="gmail_msg">
                                Resources Requested:<br
                                  class="gmail_msg">
                                Projector in room<br class="gmail_msg">
                                <br class="gmail_msg">
                                Special Requests:<br class="gmail_msg">
                                Please avoid conflict with sec area
                                BoFs.<br class="gmail_msg">
---------------------------------------------------------<br
                                  class="gmail_msg">
                                <br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
                                OAuth mailing list<br class="gmail_msg">
                                <a moz-do-not-send="true"
                                  href="mailto:OAuth@ietf.org"
                                  class="gmail_msg" target="_blank">OAuth@ietf.org</a><br
                                  class="gmail_msg">
                              </blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style="word-wrap:break-word" class="gmail_msg">
                      <div class="gmail_msg">
                        <div class="gmail_msg">
                          <blockquote type="cite" class="gmail_msg">
                            <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                              class="gmail_msg">
                              <blockquote type="cite" class="gmail_msg"><a
                                  moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=0"
                                  class="gmail_msg" target="_blank">https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=0</a></blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
              <div dir="ltr" class="gmail_msg">-- <br class="gmail_msg">
              </div>
              <div data-smartmail="gmail_signature" class="gmail_msg">
                <p dir="ltr" class="gmail_msg">Nat Sakimura</p>
                <p dir="ltr" class="gmail_msg">Chairman of the Board,
                  OpenID Foundation</p>
              </div>
              <br class="gmail_msg">
            </blockquote>
            <p class="gmail_msg"><br class="gmail_msg">
            </p>
          </div>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div data-smartmail="gmail_signature">
        <p dir="ltr">Nat Sakimura</p>
        <p dir="ltr">Chairman of the Board, OpenID Foundation</p>
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------54E61668499F5CFFC49EA366--


From nobody Mon Mar 27 05:27:06 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FAA0127449 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 05:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.009
X-Spam-Level: 
X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O286Yx8_DRgv for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 05:27:01 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA96612940D for <oauth@ietf.org>; Mon, 27 Mar 2017 05:27:00 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id r45so35346001qte.3 for <oauth@ietf.org>; Mon, 27 Mar 2017 05:27:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to;  bh=ST7TXJlhOMxkDEuT6gV2CcEoaYUWYwSfgA6d3FpffWI=; b=tcjU/ADAoUXrFz9fJEoHbXU5fIvf16jk1zjvd6/KG+oEEzvs9TFpjCs2Df3/r1ojRq XFpMyHXqYsQX19I01KzS+ay2Cxl96S8tApfVVlwUbeQ8nP1nA+XViTVJT5OBjb8o0Hi2 k7VLjNbL6LWIzFmse2p6qxt++VSSN9hc47qm+pRTrH9yopFJ4aE9QDqmt2lkEovY5O+p kCGn4r2qlpMgkp7WesRF4bsVHOA4G2HGL8/VNyMSOQTzhOk6/5e7JZT5Jc2FvufQzuBn CB0uaTUuCXCKbddJOlI2+HTD8hOIaCkcPtx7uRf8ft2Fk1T8fN0r9UiRwW8f5uKAu9Mm C8Fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ST7TXJlhOMxkDEuT6gV2CcEoaYUWYwSfgA6d3FpffWI=; b=siIh+nCX2o05kLa7U6yNP4rI7xURqkNAcKhKR8uXTx0jN1PmaYEGVRA3gXSLK54XdU i+DaC5MP0G12QXiYKgPvz1aWZYkZPAJs58rlBHowxIoSZZ9nNfOXxbbK60d2LkmEjPKy TSB3N+WOz8xGgHH3DBLUYRevBkP0zvAg3qTsU8Vhl1nG1ZvS3xKZKTbm4ESvpgTG2a1P b3Fkz/oWT/eNwi7hrsJBwYxD1nrUFIhwen0q9km+QCBcfQZqynxhCnOmat7+tE/DedKC pkMI7Niuenj1cfHTG+G7a2LmAfA3iZ+X4gkZtzVicIUPrg4hcAN1832mrjaYqAB65NtD 7vjQ==
X-Gm-Message-State: AFeK/H2QfkcQODwgsOutSqdh0Z/rLgY1YoJCay2kATWAeWA6UutS1rUWtDv9rXweSnaiLq20vqKoMAytukfrbQ==
X-Received: by 10.200.52.135 with SMTP id w7mr20669125qtb.136.1490617619513; Mon, 27 Mar 2017 05:26:59 -0700 (PDT)
MIME-Version: 1.0
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com> <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
In-Reply-To: <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
From: Nat Sakimura <sakimura@gmail.com>
Date: Mon, 27 Mar 2017 12:26:49 +0000
Message-ID: <CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>, oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a1141a706b518bf054bb575b5
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FbF0r44x61Lip3pV0ss-FG4bH4w>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 12:27:05 -0000

--001a1141a706b518bf054bb575b5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi.

As pointed out in saag, the OAuth WG is not dealing with the ABC attack. It is
out of scope for now at least.
The certs used are the certs of the client and not the subject/user. It is
client authentication, not user authentication.
In addition, the authorization server knowing where the user is going with this
token is not an issue here.
The protected resource and the authorization server belong to the same
administrative domain.

Best,

Nat


On Mon, Mar 27, 2017 at 3:46 AM Denis <denis.ietf@free.fr> wrote:

> Hi Nat,
>
> At present, I do not support the adoption of this document as a WG
> document since the different techniques
> that are being proposed have severe problems:
>
>
>    - When the JWT contains a jwk , jwkt#s256 or jwe, the method is
>    ineffective in case of a collusion between two users (ABC attack).
>    - When the JWT contains a x5t#s256, the JWT is linked to a hash value
>    of a certificate included in the JWT.
>    The server then knows a unique identifier of the user. Such a method
>    allows an easy linkage between all the accounts
>    of a given user on different resource servers, even when the JWT only contains
>    non-directly identifiable attributes.
>    Hence, it does not respect 'privacy by design' principles.
>
> In addition, if a fixed value is being used for the audience restriction
> parameter, e.g. a URL of the server, then the authorization server
> can easily know where the access tokens will be used and thus it will be
> in a position to act as Big Brother.
>
> You may however continue to progress this document as an individual
> contribution.
>
>
> Denis
>
> PS. I will not subscribe to bitbucket.org because I don't agree with the
> conditions of this site.
>
>
> Hi Denis,
>
> Thanks.
>
> Is it possible to file these separately at
> https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&status=open so
> that each issue can be closed separately? (You need to login to bitbucket
> to do so.) Pull request would be nice, too, but we are going to do a bit of
> surgery on the spec as of now, so it might be wise to wait till after that
> to avoid conflicts.
>
> Also, it is not yet a WG document, so please support it becoming one.
>
> Best,
>
> Nat Sakimura
>
> On Wed, Mar 22, 2017 at 5:15 AM Denis <denis.ietf@free.fr> wrote:
>
> Hi Nat,
>
>
> I have several comments on draft-sakimura-oauth-jpop-01 related to
> security or privacy.
>
>
> 1. The abstract states:
>
> Only the party in possession of a corresponding cryptographic key with the
> Jpop token can use it to get access
> to the associated resources unlike in the case of the bearer token
> described in [RFC6750] where any party
> in possession of the access token can access the resource.
>
> This is incorrect.
>
> Replace with:
>
> Any party able to use a corresponding private cryptographic key with the
> Jpop token can use it to get access
> to the associated resources unlike in the case of the bearer token
> described in [RFC6750] where any party
> in possession of the access token can access the resource.
>
>
>
> 2. In section 3, the text states:
>
>   aud  The identifier of the resource server.
>
> According to the content of RFC 7800:
>
> The "aud" (audience) claim identifies the recipients that the JWT is
> intended for. The interpretation of audience values is application specific.
>
> Replace with:
>
>   aud  The recipients that the JWT is intended for (the interpretation of
> audience values is application specific).
>
>
>
> 3. In section 3, the text states:
>
> cnf  The confirmation method.
>
>    Their semantics are defined in [RFC7519] and [RFC7800]
>
>
> This is incorrect: cnf is neither defined in [RFC7519] nor in [RFC7800].
>
>
>
> 4. In section 6.2, the text states:
>
> For this, the following steps are taken:
>
>    1.  The client prepares a nonce.
>
>    2.  The client creates JWS compact serialization over the nonce
> JSON Web Token Claims are listed at:
> https://www.iana.org/assignments/jwt/jwt.xhtml
>
> "nonce" has not been defined by the IANA, but is mentioned in OpenID
> Connect Core 1.0 incorporating errata set 1. It is described as :
>
>
>
> nonce
>
> String value used to associate a Client session with an ID Token, and to
> mitigate replay attacks. The value is passed through
> unmodified from the Authentication Request to the ID Token. If present in
> the ID Token, Clients MUST verify that the nonce
> Claim Value is equal to the value of the nonce parameter sent in the
> Authentication Request. If present in the Authentication Request,
> Authorization Servers MUST include a nonce Claim in the ID Token with the
> Claim Value being the nonce value sent in the Authentication Request.
> Authorization Servers SHOULD perform no other processing on nonce values
> used. The nonce value is a case sensitive string.
>
>
>
> I have several observations:
>
> a)     there is some difficulty to mandate the use of a parameter that is
> not registered by IANA.
>
> b)     the further processing of the nonce is not indicated in the text
>
> c)  The last sentence from the above description states: "Authorization
> Servers SHOULD perform no other processing on nonce values used"
> There is a practical problem with such a sentence since Authorization
> Servers would need to remember nonces for ever.
> Either that sentence should be deleted or the nonce shall be only used
> with a UTC time parameter included in the Authentication Request.
>
> In any case, the definition of a nonce as specified in OpenID Connect
> Core 1.0 incorporating errata set 1 should not be used and another
> parameter
> (e.g. rdn for random) should be defined and registered by IANA and used in
> combination with a UTC time parameter included in the Authentication
> Request.
> In this way, only the rdn received during the last X minutes will need to
> be remembered by the Authorization Servers.
>
>
> 5. The title of section 9.1 is: "Certificate validation"
>
> Change the title of this section into :
>
> "9.1. Common Name Constrained Token"
>
>
>
> 6. In section 9.1, the text states:
>
> The "cn" JWT confirmation method relies its security property on the
>
>    X.509 client certificate authentication.
>
> Replace with:
>
> The "cn" JWT confirmation method relies its security property by the
> inclusion of the Common Name (CN)
> that is part of the Distinguished Name (DN) of an X.509 certificate. The
> JWT is linked to the common name
> included in the certificate. Such a method is not privacy friendly since
> it allows an easy linkage between
> all the accounts of a given user on different resource servers.
>
>
>
> 7. Add a new section 9.2 to deal with the case of the cid.
>
> Proposed text:
>
> 9.2. Client ID Constrained Token
>
> The "cid" JWT confirmation method relies its security property on the
> assumption that the cid legitimately
> used by one server cannot be used by another user. It also relies on the
> assumption that the authentication data
> associated with "cid" combined with the "iss" will only be used by the
> legitimate user. This method is ineffective
> in case of a collusion between two users, since one user can perform all
> the computations needed by the other user.
>
>
>
> 8. In section 9.2, the text states:
>
> The client's secret key must be kept securely. Otherwise, the notion of
> PoP breaks down.
>
> The PKIX group from the IETF is using the vocabulary private key / public
> key when asymmetric cryptography is being used
> and secret key when symmetric algorithms are being used (let us call a
> spade a spade).
>
> However, keeping a client's private key securely is not the right wording
> either. If the key is kept securely in a secure element
> (e.g. smart card), this is not enough, since the holder of the secure
> element may use this key for himself ... or worse for the benefit of
> someone else.
>
> Proposed change :
>
> 9.3. Key Constrained Token
>
> This method has four variants.
>
> When the JWT contains a jwk, the JWT confirmation method relies its
> security property on the assumption that the private key
> associated with the public key contained in the access token will only be
> used by the legitimate user. In order to avoid an easy linkage
> between user's accounts, this method presents the advantage that the key
> pair can be changed for every JWT. However, this method
> is ineffective in case of a collusion between two users, since one user
> can perform all the computations needed by the other user.
>
> When the JWT contains a jwkt#s256, the server must have a prior knowledge
> of the public key and the method relies its security property
> on the assumption that the private key associated with the public key
> contained in the access token will only be used by the legitimate user.
> Hence, this method is ineffective in case of a collusion between two
> users, since one user can perform all the computations needed
> by the other user.
>
> When the JWT contains a x5t#s256, the server must have a prior knowledge
> of the public key certificate. The JWT is then linked to a hash value
> of a certificate included in the JWT. The server knows a unique identifier
> of the user. Such a method is not privacy friendly since it allows
> an easy linkage between all the accounts of a given user on different
> resource servers.
>
> When the JWT contains a jwe, the JWT confirmation method relies its
> security property on the assumption that the secret key included
> in the JWT will only be used by the legitimate user. In order to avoid an
> easy linkage between user's accounts, this method presents
> the advantage that the secret key can be changed for every JWT. However,
> this method is ineffective in case of a collusion between two users,
> since one user can perform all the computations needed by the other user.
>
>
>
> 9. The text states in section 9.3:
>
> 9.3.  Audi*a*nce Restriction
>
> When using the signature method the client must specify to the AS the aud
> it intends to send the token to, so that it can be included in the AT.
>
> A malicious RS could receive a AT with no aud or a logical audience and
> then replay the AT and jws-on-nonce to the actual server.
>
>
> Proposed change in order to address privacy concerns :
>
> 9.4.  Audi*e*nce Restriction
>
> When using the signature method, the client must specify to the AS the aud
> it intends to send the token to, so that it can be included in the AT.
>
> RFC 7800 states that the interpretation of audience values is application
> specific. If a fixed value is being used, e.g. a URL of the server,
> then the authorization server can easily know where the access tokens will
> be used and thus is in a position to act as Big Brother.
> It is thus recommended to use a different value in the aud claims for each
> access token that contains no semantics in it but that the resource server
> can easily recognize.
>
> If a malicious RS receives an AT with no aud or a logical audience in it
> then it can replay the AT and jws-on-nonce to another server.
>
>  Denis
>
>
> HI Chairs,
>
> I would also like to ask 5 min. on Monday (as I cannot be on Friday) for
> The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].
>
> [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
>
> It is capturing strong and rather urgent demands from the financial sector
> and would be great if it can be considered in the WG.
>
> Best,
>
> Nat Sakimura
>
> On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com> wrote:
>
> hi Torsten,
>
> good one. I personally am looking forward to seeing this particular
> document find its way.
>
> IMHO this is something much needed.
>
> regards
>
> antonio
>
> On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi Chairs,
>
> I would like to request 5 minutes on Monday to briefly present the status
> of the security document. This is mainly to raise awareness in the group
> since I didn't get that much input on it since Seoul.
>
> kind regards,
> Torsten.
>
> Am 18.03.2017 um 01:52 schrieb Mike Jones <Michael.Jones@microsoft.com>:
>
> Hi Chairs,
>
> I'd like to request that the following presentations be added to the
> agenda:
>
> OAuth Token Exchange (draft-ietf-oauth-token-exchange) - Mike Jones - 15
> minutes
> OAuth Authorization Server Metadata (draft-ietf-oauth-discovery) - Mike
> Jones - 15 minutes
>
> I'd also talked with Brian Campbell and I think he wants to lead this
> discussion, in part based on his implementation experience:
>
> OAuth Token Binding (draft-ietf-oauth-token-binding) - Brian Campbell - 30
> minutes
>
> (Brian may suggest a different amount of time)
>
> I agree that William Dennis should present about the OAuth Device Flow
> (draft-ietf-oauth-device-flow).
>
> For completeness, I don't think a presentation is needed about OAuth AMR
> Values (draft-ietf-oauth-amr-values) because it's now completed its IESG
> review.
>
> I'll look forward to seeing many of you in just over a week!
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] On
> Behalf Of "IETF Secretariat"
> Sent: Friday, March 3, 2017 3:55 PM
> To: oauth-chairs@ietf.org; smccammon@amsl.com
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] oauth - Requested sessions have been scheduled for
> IETF 98
>
> Dear Stephanie McCammon,
>
> The session(s) that you have requested have been scheduled.
> Below is the scheduled session information followed by the original
> request.
>
> oauth Session 1 (2:30:00)
>   Friday, Morning Session I 0900-1130
>   Room Name: Zurich C size: 100
>   ---------------------------------------------
>   oauth Session 2 (1:00:00)
>   Monday, Afternoon Session III 1710-1810
>   Room Name: Zurich C size: 100
>   ---------------------------------------------
>
>
>
> Request Information:
>
>
> ---------------------------------------------------------
> Working Group Name: Web Authorization Protocol Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 2
> Length of Session(s):  2.5 Hours, 1 Hour Number of Attendees: 50 Conflicts
> to Avoid:
> First Priority: saag core tls tokbind
>
>
>
>
> People who must be present:
> Hannes Tschofenig
> Kathleen Moriarty
> Derek Atkins
>
> Resources Requested:
> Projector in room
>
> Special Requests:
> Please avoid conflict with sec area BoFs.
> ---------------------------------------------------------
>
>
>
>
>
>
>
>
>
>
>
>
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
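Added example, not code from this thread or from draft-sakimura-oauth-jpop-01, illustrating Denis's point 4(c) above: a verifier-side replay cache that binds a random value to a UTC timestamp, so that only the values received during the last X minutes have to be remembered instead of nonces being kept forever. The class and parameter names (`ReplayWindow`, `rdn`) and the five-minute default window are assumptions.

```python
import secrets
import time
from collections import deque

# Added example, not code from the thread or the draft. It models Denis's
# proposal: the client sends a random value ("rdn") together with a UTC
# timestamp, both covered by the PoP signature (the jws-on-nonce of section
# 6.2), and the verifier only remembers rdn values whose timestamp is still
# inside an acceptance window, instead of remembering nonces forever.


class ReplayWindow:
    """Accept a signed (rdn, utc_timestamp) pair at most once.

    A pair is rejected when its timestamp lies outside +/- window_seconds of
    the verifier's clock, or when the same rdn was already accepted and its
    timestamp has not yet aged out of the window. Because a pair whose
    timestamp has aged out is rejected by the clock check alone, entries can
    be forgotten as soon as their timestamp is older than the window.
    """

    def __init__(self, window_seconds: int = 300, clock=time.time):
        self.window = window_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._seen = {}                    # rdn -> timestamp carried in the pair
        self._pending = deque()            # (timestamp, rdn), roughly oldest first

    def _evict(self, now: float) -> None:
        # Drop entries whose timestamp can no longer pass the clock check.
        # Out-of-order timestamps (clock skew) only delay eviction; they never
        # let a replay through, because an rdn stays cached until evicted.
        while self._pending and now - self._pending[0][0] > self.window:
            _ts, rdn = self._pending.popleft()
            self._seen.pop(rdn, None)

    def accept(self, rdn: str, utc_timestamp: float) -> bool:
        now = self.clock()
        self._evict(now)
        if abs(now - utc_timestamp) > self.window:
            return False                   # stale, or too far in the future
        if rdn in self._seen:
            return False                   # replay of a still-valid pair
        self._seen[rdn] = utc_timestamp
        self._pending.append((utc_timestamp, rdn))
        return True

    def remembered(self) -> int:
        """Number of rdn values currently held, i.e. the memory bound."""
        return len(self._seen)


def new_rdn() -> str:
    """Client side: a fresh unpredictable random value for the next request."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    rs = ReplayWindow(window_seconds=300)
    rdn, ts = new_rdn(), time.time()
    print(rs.accept(rdn, ts))   # first presentation is accepted
    print(rs.accept(rdn, ts))   # identical replay is rejected
```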

--001a1141a706b518bf054bb575b5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">HI.=C2=A0<div><br></div><div>As pointed out in saag, the O=
Auth WG is not dealing with ABC attack. It is out of scope for now at least=
.=C2=A0<div>The certs used is the certs of the client and not the subject/u=
ser. It is the client authentication, not the user authentication.=C2=A0</d=
iv><div>In addition, authorization server knowing where the user is going w=
ith this token is not an issue here.=C2=A0</div><div>The protected resource=
 and the authorization server belongs to the same administrative domain.=C2=
=A0</div><div><br></div><div>Best,=C2=A0</div><div><br></div><div>Nat</div>=
<div><br></div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr">=
On Mon, Mar 27, 2017 at 3:46 AM Denis &lt;<a href=3D"mailto:denis.ietf@free=
.fr">denis.ietf@free.fr</a>&gt; wrote:<br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1=
ex">
 =20
   =20
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
    <div class=3D"m_-523616603530752702moz-cite-prefix gmail_msg"><font fac=
e=3D"Arial" class=3D"gmail_msg">Hi Nat,<br class=3D"gmail_msg">
        <br class=3D"gmail_msg">
        At present, I do not support the adoption of this document as a
        WG document since the different techniques <br class=3D"gmail_msg">
        that are being proposed have severe problems:<br class=3D"gmail_msg=
">
        <br class=3D"gmail_msg">
      </font>
      <ul class=3D"gmail_msg">
        <li class=3D"gmail_msg"><font face=3D"Arial" class=3D"gmail_msg"><s=
pan class=3D"gmail_msg" lang=3D"EN-US">When
              the JWT contains a jwk , </span><span class=3D"gmail_msg" lan=
g=3D"EN-US">jwkt#s256 or </span><span class=3D"gmail_msg" lang=3D"EN-US">jw=
e, the </span><span class=3D"gmail_msg" lang=3D"EN-US">method is ineffectiv=
e in case of a collusion
              between two users (ABC attack).</span></font></li>
        <li class=3D"gmail_msg"><font face=3D"Arial" class=3D"gmail_msg">Wh=
en the <span class=3D"gmail_msg" lang=3D"EN-US">JWT contains a x5t#s256, th=
e JWT is linked to
              a hash value of a certificate included in the JWT.</span></fo=
nt><font face=3D"Arial" class=3D"gmail_msg"><span class=3D"gmail_msg" lang=
=3D"EN-US"><br class=3D"gmail_msg">
              The server then knows a unique identifier of the user.
              Such a method allows an easy linkage between all the
              accounts</span></font><font face=3D"Arial" class=3D"gmail_msg=
"><span class=3D"gmail_msg" lang=3D"EN-US"><br class=3D"gmail_msg">
              of a given user on different resource servers, even when
              the JWT only </span></font><font face=3D"Arial" class=3D"gmai=
l_msg"><span class=3D"gmail_msg" lang=3D"EN-US"><font face=3D"Arial" class=
=3D"gmail_msg">contains
                <font color=3D"#3333ff" class=3D"gmail_msg">non-directly id=
entifiable
                  attributes</font></font>.<br class=3D"gmail_msg">
              Hence, it does not respect &#39;<font color=3D"#3333ff" class=
=3D"gmail_msg">privacy
                by design</font>&#39; principles.</span></font><br class=3D=
"gmail_msg">
          <font face=3D"Arial" class=3D"gmail_msg"><span class=3D"gmail_msg=
" lang=3D"EN-US"></span></font></li>
      </ul>
      <font face=3D"Arial" class=3D"gmail_msg">In addition, i</font><font f=
ace=3D"Arial" class=3D"gmail_msg"><font class=3D"gmail_msg" color=3D"#00009=
9"><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><fo=
nt color=3D"#000000" class=3D"gmail_msg">f a fixed value is being used for =
the
              audience restriction parameter, e.g. a URL of the server,
              then the authorization server <br class=3D"gmail_msg">
              can easily know where the access tokens will be used and
              thus <font color=3D"#3333ff" class=3D"gmail_msg">it will be i=
n a position to
                act as Big Brother</font>.<br class=3D"gmail_msg">
              <br class=3D"gmail_msg">
              You may however continue to progress this document as an
              individual contribution.</font></span></font></font></div></d=
iv><div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg"><div class=
=3D"m_-523616603530752702moz-cite-prefix gmail_msg"><font face=3D"Arial" cl=
ass=3D"gmail_msg"><font class=3D"gmail_msg" color=3D"#000099"><span style=
=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><font color=3D"#0=
00000" class=3D"gmail_msg"><br class=3D"gmail_msg">
              <br class=3D"gmail_msg">
              Denis<br class=3D"gmail_msg">
              </font></span></font></font></div></div><div bgcolor=3D"#FFFF=
FF" text=3D"#000000" class=3D"gmail_msg"><div class=3D"m_-52361660353075270=
2moz-cite-prefix gmail_msg"><font face=3D"Arial" class=3D"gmail_msg"><font =
class=3D"gmail_msg" color=3D"#000099"><span style=3D"font-family:Arial" cla=
ss=3D"gmail_msg" lang=3D"EN-US"><font color=3D"#000000" class=3D"gmail_msg"=
><br class=3D"gmail_msg">
              PS. I will not subscribe to <a href=3D"http://bitbucket.org" =
class=3D"gmail_msg" target=3D"_blank">bitbucket.org</a> because I don&#39;t
              agree with the conditions of this site.<br class=3D"gmail_msg=
">
              <br class=3D"gmail_msg">
            </font></span></font></font><br class=3D"gmail_msg">
    </div></div><div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_ms=
g">
    <blockquote type=3D"cite" class=3D"gmail_msg">
      <div dir=3D"ltr" class=3D"gmail_msg">Hi Denis,=C2=A0
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Thanks.=C2=A0
          <div class=3D"gmail_msg"><br class=3D"gmail_msg">
          </div>
          <div class=3D"gmail_msg">Is it possible to file these separately =
at=C2=A0<a href=3D"https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=
=3Dnew&amp;status=3Dopen" class=3D"gmail_msg" target=3D"_blank">https://bit=
bucket.org/Nat/oauth-rjwtprof/issues?status=3Dnew&amp;status=3Dopen</a>=C2=
=A0so
            that each issue=C2=A0can be closed separately? (You need to log=
in
            to bitbucket to do so.) Pull request would be nice, too, but
            we are going to do a bit of surgery on the spec as of now,
            so it might be wise to wait till after that to avoid
            conflicts.=C2=A0</div>
        </div>
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Also, it is not yet a WG document so pleas=
e support it
          become one.=C2=A0</div>
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Best,=C2=A0</div>
        <div class=3D"gmail_msg"><br class=3D"gmail_msg">
        </div>
        <div class=3D"gmail_msg">Nat Sakimura</div>
      </div>
      <br class=3D"gmail_msg">
      <div class=3D"gmail_quote gmail_msg">
        <div dir=3D"ltr" class=3D"gmail_msg">On Wed, Mar 22, 2017 at 5:15 A=
M Denis &lt;<a href=3D"mailto:denis.ietf@free.fr" class=3D"gmail_msg" targe=
t=3D"_blank">denis.ietf@free.fr</a>&gt;
          wrote:<br class=3D"gmail_msg">
        </div>
        <blockquote class=3D"gmail_quote gmail_msg" style=3D"margin:0 0 0 .=
8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
            <div class=3D"m_-523616603530752702m_-6515445798692939327moz-ci=
te-prefix gmail_msg">
            </div>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Hi
                Nat,</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><br class=
=3D"gmail_msg">
              </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">I
                have several comments on draft-sakimura-oauth-jpop-01
                related to security or privacy.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><br=
 class=3D"gmail_msg">
              <span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D=
"EN-US"> </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">1.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                The abstract states:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Only
                the party in possession of a corresponding cryptographic
                key with the Jpop token can use it to get access <br class=
=3D"gmail_msg">
                to the associated resources unlike in the case of the
                bearer token described in [RFC6750] where any party <br cla=
ss=3D"gmail_msg">
                in possession of the access token can access the
                resource.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">This
                is incorrect.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Replace
                with:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Any
                party able to use a corresponding private cryptographic
                key with the Jpop token can use it to get access <br class=
=3D"gmail_msg">
                to the associated resources unlike in the case of the
                bearer token described in [RFC6750] where any party <br cla=
ss=3D"gmail_msg">
                in possession of the access token can access the
                resource.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">2.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                In section 3, the text states:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0 </span>aud<span class=3D"gmail_msg">=C2=A0
                </span>The identifier of the resource server.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">According
                to the content of RFC 7800:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                &quot;aud&quot; (audience) claim identifies the recipients =
that
                the JWT is intended for. The interpretation of audience
                values is application specific.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Replace
                with:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0 </span>aud<span class=3D"gmail_msg">=C2=A0
                </span>The recipients that the JWT is intended for (the
                interpretation of audience values is application
                specific).</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</=
span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">3.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                In section 3, the text states: </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">cnf<span=
 class=3D"gmail_msg">=C2=A0 </span>The confirmation method.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0=C2=A0 </span>Their semantics are
                defined in [RFC7519] and [RFC7800]</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><br class=
=3D"gmail_msg">
                This is incorrect: cnf is neither defined in [RFC7519]
                nor in [RFC7800].</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">4.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                In section 6.2, the text states:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">For
                this, the following steps are taken:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0=C2=A0 </span>1.<span class=3D"gmail_msg">=C2=A0
                </span>The client prepares a nonce.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0=C2=A0 </span>2.<span class=3D"gmail_msg">=C2=A0
                </span>The client creates JWS compact serialization over
                the nonce</span></p>
            <h2 class=3D"gmail_msg"><span style=3D"font-size:12.0pt;font-fa=
mily:Arial;font-weight:normal" class=3D"gmail_msg" lang=3D"EN-GB">JSON Web =
Token Claims are
                listed at: <span style=3D"color:blue" class=3D"gmail_msg"><=
a class=3D"m_-523616603530752702m_-6515445798692939327moz-txt-link-freetext=
 gmail_msg" href=3D"https://www.iana.org/assignments/jwt/jwt.xhtml" target=
=3D"_blank">https://www.iana.org/assignments/jwt/jwt.xhtml</a></span></span=
></h2>
            <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Ari=
al" class=3D"gmail_msg" lang=3D"EN-GB">&quot;nonce&quot;
                has not been defined by the IANA, but is mentioned in
                OpenID Connect Core 1.0 incorporating errata set 1. It
                is described as:</span></p>
            <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Ari=
al" class=3D"gmail_msg" lang=3D"EN-GB">=C2=A0</span></p>
            <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Ari=
al" class=3D"gmail_msg" lang=3D"EN-GB">nonce</span><span style=3D"font-fami=
ly:Arial" class=3D"gmail_msg" lang=3D"EN-GB"></span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-left:36.0pt"><=
span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">String
                value used to associate a Client session with an ID
                Token, and to mitigate replay attacks. The value is
                passed through <br class=3D"gmail_msg">
                unmodified from the Authentication Request to the ID
                Token. If present in the ID Token, Clients MUST verify
                that the </span><tt class=3D"gmail_msg"><span style=3D"font=
-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">nonce</span></tt><span st=
yle=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><br class=3D"g=
mail_msg">
                Claim Value is equal to the value of the </span><tt class=
=3D"gmail_msg"><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=
=3D"EN-GB">nonce</span></tt><span style=3D"font-family:Arial" class=3D"gmai=
l_msg" lang=3D"EN-GB">
                parameter sent in the Authentication Request. If present
                in the Authentication Request, <br class=3D"gmail_msg">
                Authorization Servers MUST include a </span><tt class=3D"gm=
ail_msg"><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-G=
B">nonce</span></tt><span style=3D"font-family:Arial" class=3D"gmail_msg" l=
ang=3D"EN-GB">
                Claim in the ID Token with the Claim Value being the
                nonce value sent in the Authentication Request. <br class=
=3D"gmail_msg">
                <font class=3D"gmail_msg" color=3D"#3333ff">Authorization
                  Servers SHOULD perform no other processing on </font></sp=
an><font class=3D"gmail_msg" color=3D"#3333ff"><tt class=3D"gmail_msg"><spa=
n style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">nonce</spa=
n></tt></font><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D=
"EN-GB"><font class=3D"gmail_msg" color=3D"#000099"><font class=3D"gmail_ms=
g" color=3D"#3333ff"> values used</font>.</font>
                The </span><tt class=3D"gmail_msg"><span style=3D"font-fami=
ly:Arial" class=3D"gmail_msg" lang=3D"EN-GB">nonce</span></tt><span style=
=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">
                value is a case sensitive string. </span></p>
            <p class=3D"MsoNormal gmail_msg"><span style=3D"font-family:Ari=
al" class=3D"gmail_msg" lang=3D"EN-GB">=C2=A0</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:2.0pt;marg=
in-right:0cm;margin-bottom:2.0pt;margin-left:0cm"><span style=3D"font-famil=
y:Arial" class=3D"gmail_msg" lang=3D"EN-GB">I
                have several observations:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-fa=
mily:Arial" class=3D"gmail_msg" lang=3D"EN-GB">a)<span style=3D"font:7.0pt =
&quot;Times New Roman&quot;" class=3D"gmail_msg">=C2=A0=C2=A0=C2=A0=C2=A0 <=
/span></span><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"=
EN-GB">there
                is some difficulty to mandate the use of a parameter
                that is not registered by IANA.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-fa=
mily:Arial" class=3D"gmail_msg" lang=3D"EN-GB">b)<span style=3D"font:7.0pt =
&quot;Times New Roman&quot;" class=3D"gmail_msg">=C2=A0=C2=A0=C2=A0=C2=A0 <=
/span></span><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"=
EN-GB">the
                further processing of the nonce is not indicated in the
                text</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span style=3D"font-fa=
mily:Arial" class=3D"gmail_msg" lang=3D"EN-GB">c)=C2=A0
                The last sentence from the above description states: &quot;=
</span><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"=
><font class=3D"gmail_msg" color=3D"#3333ff"><span style=3D"font-family:Ari=
al" class=3D"gmail_msg" lang=3D"EN-GB">Authorization Servers SHOULD perform=
 no
                    other processing on </span><tt class=3D"gmail_msg"><spa=
n style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">nonce</spa=
n></tt></font><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D=
"EN-GB"><font class=3D"gmail_msg" color=3D"#3333ff">
                    values used</font>&quot;<br class=3D"gmail_msg">
                </span>There is a practical problem with such a sentence
                since </span><span style=3D"font-family:Arial" class=3D"gma=
il_msg" lang=3D"EN-GB"><span style=3D"font-family:Arial" class=3D"gmail_msg=
" lang=3D"EN-GB"><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=
=3D"EN-GB">Authorization Servers
                    would need to remember nonces forever. <br class=3D"gm=
ail_msg">
                    Either that sentence should be deleted or the nonce
                    shall be only used with a UTC time parameter
                    included in the </span></span></span><span style=3D"fon=
t-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">Authentication
                Request.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB">
              </span><font class=3D"gmail_msg" face=3D"Arial">In any case,
                the definition of </font><span style=3D"font-family:Arial" =
class=3D"gmail_msg" lang=3D"EN-GB">a
                nonce as specified in OpenID Connect Core 1.0
                incorporating errata set 1 should not be used and
                another parameter <br class=3D"gmail_msg">
                (e.g. rdn for random) should be defined and registered
                by IANA and used in combination with </span><span style=3D"=
font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-f=
amily:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-family:=
Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-family:Arial"=
 class=3D"gmail_msg" lang=3D"EN-GB">a UTC time parameter included in the
                    </span></span></span><span style=3D"font-family:Arial" =
class=3D"gmail_msg" lang=3D"EN-GB">Authentication Request</span>.<br class=
=3D"gmail_msg">
                In this way, only the rdn received during the last X
                minutes will need to be remembered by </span><span style=3D=
"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-=
family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"></span><span style=3D"font=
-family:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-famil=
y:Arial" class=3D"gmail_msg" lang=3D"EN-GB"><span style=3D"font-family:Aria=
l" class=3D"gmail_msg" lang=3D"EN-GB">the Authorization
                      Servers</span></span></span>.<br class=3D"gmail_msg">
              </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><br=
 class=3D"gmail_msg">
              <span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D=
"EN-GB"></span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">5.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                The title of section 9.1 is: &quot;Certificate validation&q=
uot;</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Change
                the title of this section into:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">&quot;9.=
1.
                Common Name Constrained Token&quot;</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">6.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                In section 9.1, the text states:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                &quot;cn&quot; JWT confirmation method relies its security
                property on the</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><span cl=
ass=3D"gmail_msg">=C2=A0=C2=A0 </span>X.509 client certificate
                authentication. </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Replace
                with:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                &quot;cn&quot; JWT confirmation method relies its security
                property by the inclusion of the Common Name (CN) <br class=
=3D"gmail_msg">
                that is part of the Distinguished Name (DN) of an X.509
                certificate. The JWT is linked to the common name <br class=
=3D"gmail_msg">
                included in the certificate. Such a method is not
                privacy friendly since it allows an easy linkage between
                <br class=3D"gmail_msg">
                all the accounts of a given user on different resource
                servers.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">7.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                Add a new section 9.2 to deal with the case of the cid.
              </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Proposed
                text: </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">9.2.
                Client ID Constrained Token</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                &quot;cid&quot; JWT confirmation method relies its security
                property on the assumption that the cid legitimately <br cl=
ass=3D"gmail_msg">
                used by one server cannot be used by another user. It
                also relies on the assumption that the authentication
                data <br class=3D"gmail_msg">
                associated with &quot;cid&quot; combined with the &quot;iss=
&quot; will only
                be used by the legitimate user. This method is
                ineffective <br class=3D"gmail_msg">
                in case of a collusion between two users, since one user
                can perform all the computations needed by the other
                user.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">8.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                In section 9.2, the text states:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                client=E2=80=99s secret key must be kept securely. Otherwis=
e,
                the notion of PoP breaks down.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">The
                PKIX group from the IETF is using the vocabulary private
                key / public key when asymmetric cryptography is being
                used <br class=3D"gmail_msg">
                and secret key when symmetric algorithms are being used
                (let us call a spade a spade).</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">However,
                keeping a client&#39;s private key securely is not the righ=
t
                wording either. If the key is kept securely in a secure
                element <br class=3D"gmail_msg">
                (e.g. smart card), this is not enough, since the holder
                of the secure element may use this key for himself ...
                or worse for the benefit of someone else.<br class=3D"gmail=
_msg">
                <br class=3D"gmail_msg">
              </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">Proposed
                change:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">9.3.
                Key Constrained Token</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">This
                method has four variants. </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                the JWT contains a jwk, the JWT confirmation method
                relies its security property on the assumption that the
                private key <br class=3D"gmail_msg">
                associated with the public key contained in the access
                token will only be used by the legitimate user. In order
                to avoid an easy linkage<br class=3D"gmail_msg">
                between user&#39;s accounts, this method presents the
                advantage that the key pair can be changed for every
                JWT. However, this method <br class=3D"gmail_msg">
                is ineffective in case of a collusion between two users,
                since one user can perform all the computations needed
                by the other user.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                the JWT contains a jwkt#s256, the server must have a
                prior knowledge of the public key and the method relies
                its security property <br class=3D"gmail_msg">
                on the assumption that the private key associated with
                the public key contained in the access token will only
                be used by the legitimate user. <br class=3D"gmail_msg">
                Hence, this method is ineffective in case of a collusion
                between two users, since one user can perform all the
                computations needed <br class=3D"gmail_msg">
                by the other user.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                the JWT contains a x5t#s256, the server must have a
                prior knowledge of the public key certificate. The JWT
                is then linked to a hash value <br class=3D"gmail_msg">
                of a certificate included in the JWT. The server knows a
                unique identifier of the user. Such a method is not
                privacy friendly since it allows <br class=3D"gmail_msg">
                an easy linkage between all the accounts of a given user
                on different resource servers.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                the JWT contains a jwe, the JWT confirmation method
                relies its security property on the assumption that the
                secret key included <br class=3D"gmail_msg">
                in the JWT will only be used by the legitimate user. In
                order to avoid an easy linkage between user&#39;s accounts,
                this method presents <br class=3D"gmail_msg">
                the advantage that the secret key can be changed for
                every JWT. However, this method is ineffective in case
                of a collusion between two users, <br class=3D"gmail_msg">
                since one user can perform all the computations needed
                by the other user.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</s=
pan></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">9.</span>=
<span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">
                The text states in section 9.3:</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">9.3.<spa=
n class=3D"gmail_msg">=C2=A0 </span>Audi<u class=3D"gmail_msg">a</u>nce
                Restriction</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                using the signature method the client must specify to
                the AS the aud it intends to send the token to, so that
                it can be included in the AT.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">A
                malicious RS could receive a AT with no aud or a logical
                audience and then replay the AT and jws-on-nonce to the
                actual server.</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt"><sp=
an style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"><br class=
=3D"gmail_msg">
                Proposed change in order to address privacy concerns:</spa=
n></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">9.4.<spa=
n class=3D"gmail_msg">=C2=A0 </span>Audi<u class=3D"gmail_msg">e</u>nce
                Restriction</span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">When
                using the signature method, the client must specify to
                the AS the aud it intends to send the token to, so that
                it can be included in the AT. </span></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><f=
ont class=3D"gmail_msg" color=3D"#000099"><span style=3D"font-family:Arial"=
 class=3D"gmail_msg" lang=3D"EN-US">RFC 7800 states that the interpretation
                  of audience values is application specific. If a fixed
                  value is being used, e.g. a URL of the server, <br class=
=3D"gmail_msg">
                  then the authorization server can easily know where
                  the access tokens will be used and thus is in a
                  position to act as Big Brother. <br class=3D"gmail_msg">
                  It is thus recommended to use a different value in the
                  aud claims for each access token that contains no
                  semantics in it but that the resource server <br class=3D=
"gmail_msg">
                  can easily recognize.</span></font><i class=3D"gmail_msg"=
><span style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US"></spa=
n></i></p>
            <p class=3D"MsoNormal gmail_msg" style=3D"margin-top:6.0pt;marg=
in-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><s=
pan style=3D"font-family:Arial" class=3D"gmail_msg" lang=3D"EN-US">If
                a malicious RS receives an AT with no aud or a logical
                audience in it then it can replay the AT and
                jws-on-nonce to another server.<br class=3D"gmail_msg">
              </span><span style=3D"font-size:11.0pt;font-family:Arial" cla=
ss=3D"gmail_msg" lang=3D"EN-US"></span></p>
          </div>
          <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
            <p class=3D"gmail_msg"><span style=3D"font-size:11.0pt;font-fam=
ily:Arial" class=3D"gmail_msg" lang=3D"EN-US">=C2=A0</span><font class=3D"g=
mail_msg" size=3D"+1"><span style=3D"font-size:11.0pt;font-family:Arial" cl=
ass=3D"gmail_msg" lang=3D"EN-US">Denis</span></font></p>
          </div>
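As an added illustration of observation c) and of the "rdn plus UTC time" proposal above (example code written for this page, not from the jpop draft or from Denis): the server only has to remember random values whose accompanying timestamp is still inside the acceptance window, and it still rejects a replayed jws-on-nonce. HS256, the claim names rdn and utc, and the five-minute window are assumptions.

```python
import base64
import hashlib
import hmac
import json

WINDOW_SECONDS = 5 * 60  # assumption: the "last X minutes" a server accepts


def b64url(data):
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_over_nonce(rdn, utc, key):
    """Client side: JWS compact serialization over {rdn, utc}.

    HS256 and the claim names are assumptions made for this example.
    """
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps({"rdn": rdn, "utc": utc}, **compact).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url(sig))


class ReplayGuard:
    """Server side: accepts each rdn once, and only while its utc is in the window.

    Entries are dropped as soon as their utc falls outside the window, because
    from then on the time check alone rejects them; memory is bounded by the
    number of requests seen in one window instead of growing forever.
    """

    def __init__(self, window_seconds=WINDOW_SECONDS):
        self.window = window_seconds
        self._seen = {}  # rdn -> time after which it can be forgotten

    def remembered(self):
        return len(self._seen)

    def _purge(self, now):
        for rdn in [r for r, forget_at in self._seen.items() if forget_at <= now]:
            del self._seen[rdn]

    def verify(self, token, key, now):
        """Returns (accepted, reason); `now` is the server's UTC time in seconds."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(payload_b64))
            sig = b64url_decode(sig_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed"
        # Pin the algorithm: the token must never choose how it is verified.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        rdn, utc = claims.get("rdn"), claims.get("utc")
        if not isinstance(rdn, str) or isinstance(utc, bool) \
                or not isinstance(utc, (int, float)):
            return False, "missing rdn or utc"
        self._purge(now)
        # Time check first: anything outside the window is rejected unstored.
        if abs(now - utc) > self.window:
            return False, "outside window"
        if rdn in self._seen:
            return False, "replay"
        self._seen[rdn] = utc + self.window
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    t0 = 1700000000
    guard = ReplayGuard()
    tok = jws_hs256_over_nonce("r1", t0, key)
    print(guard.verify(tok, key, t0 + 10))   # (True, 'ok')
    print(guard.verify(tok, key, t0 + 20))   # (False, 'replay')
    print(guard.verify(tok, key, t0 + 400))  # (False, 'outside window')
    print(guard.remembered())                # 0: the old rdn has been forgotten
```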
          <div bgcolor=3D"#FFFFFF" text=3D"#000000" class=3D"gmail_msg">
            <p class=3D"gmail_msg"><font class=3D"gmail_msg" size=3D"+1"><s=
pan style=3D"font-size:11.0pt;font-family:Arial" class=3D"gmail_msg" lang=
=3D"EN-US"><br class=3D"gmail_msg">
                </span></font></p>
            <blockquote type=3D"cite" class=3D"gmail_msg">
              <div dir=3D"ltr" class=3D"gmail_msg">
                <div dir=3D"ltr" class=3D"gmail_msg">Hi Chairs,=C2=A0
                  <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                  </div>
                  <div class=3D"gmail_msg">I would also like to ask 5 min.
                    on Monday (as I cannot be on Friday) for=C2=A0</div>
                  The OAuth 2.0 Authorization Framework: JWT Pop Token
                  Usage [1].=C2=A0</div>
                <div dir=3D"ltr" class=3D"gmail_msg"><br class=3D"gmail_msg=
">
                </div>
                <div dir=3D"ltr" class=3D"gmail_msg">[1]=C2=A0<a href=3D"ht=
tps://tools.ietf.org/html/draft-sakimura-oauth-jpop-01" class=3D"gmail_msg"=
 target=3D"_blank">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01=
</a></div>
                <div dir=3D"ltr" class=3D"gmail_msg"><br class=3D"gmail_msg=
">
                </div>
                <div class=3D"gmail_msg">It is capturing strong and rather
                  urgent demands from the financial sector and would be
                  great if it can be considered in the WG.=C2=A0</div>
                <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                </div>
                <div class=3D"gmail_msg">Best,=C2=A0</div>
                <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                </div>
                <div class=3D"gmail_msg">Nat Sakimura</div>
                <br class=3D"gmail_msg">
                <div class=3D"gmail_quote gmail_msg">
                  <div dir=3D"ltr" class=3D"gmail_msg">On Tue, Mar 21, 2017
                    at 10:28 PM Antonio Sanso &lt;<a href=3D"mailto:asanso@=
adobe.com" class=3D"gmail_msg" target=3D"_blank">asanso@adobe.com</a>&gt; w=
rote:<br class=3D"gmail_msg">
                  </div>
                  <blockquote class=3D"gmail_quote gmail_msg" style=3D"marg=
in:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      hi Torsten,
                      <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                      </div>
                      <div class=3D"gmail_msg">good one. I personally am
                        looking forward to seeing this particular document
                        find its way.</div>
                      <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                      </div>
                      <div class=3D"gmail_msg">IMHO this is something much
                        needed.</div>
                      <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                      </div>
                      <div class=3D"gmail_msg">regards</div>
                      <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                      </div>
                      <div class=3D"gmail_msg">antonio</div>
                      <div class=3D"gmail_msg"><br class=3D"gmail_msg">
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <div class=3D"gmail_msg">On Mar 21, 2017, at
                            2:08 PM, Torsten Lodderstedt &lt;<a href=3D"mai=
lto:torsten@lodderstedt.net" class=3D"gmail_msg" target=3D"_blank">torsten@=
lodderstedt.net</a>&gt;
                            wrote:</div>
                          <br class=3D"m_-523616603530752702m_-651544579869=
2939327m_3319639624494689827m_5030357770178240766Apple-interchange-newline =
gmail_msg">
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg"> Hi Chairs,<br class=3D"gmail_msg">
                              <br class=3D"gmail_msg">
                              I would like to request 5 minutes on
                              Monday to briefly present the status of
                              the security document. This is mainly to
                              raise awareness in the group since I
                              didn=E2=80=99t get that much input on it sinc=
e
                              Seoul.<br class=3D"gmail_msg">
                              <br class=3D"gmail_msg">
                              kind regards,<br class=3D"gmail_msg">
                              Torsten.<br class=3D"gmail_msg">
                              <br class=3D"gmail_msg">
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg">
                              <blockquote type=3D"cite" class=3D"gmail_msg"=
>On
                                 18.03.2017 at 01:52, Mike Jones
                                 &lt;<a href=3D"mailto:Michael.Jones@microso=
ft.com" class=3D"gmail_msg" target=3D"_blank">Michael.Jones@microsoft.com</=
a>&gt; wrote:<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Hi Chairs,<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                I&#39;d like to request that the following
                                presentations be added to the agenda:<br cl=
ass=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                <span class=3D"m_-523616603530752702m_-6515=
445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth
                                Token Exchange
                                (draft-ietf-oauth-token-exchange) - Mike
                                Jones - 15 minutes<br class=3D"gmail_msg">
                                <span class=3D"m_-523616603530752702m_-6515=
445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth
                                Authorization Server Metadata
                                (draft-ietf-oauth-discovery) - Mike
                                Jones - 15 minutes<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                I&#39;d also talked with Brian Campbell and
                                I think he wants to lead this
                                discussion, in part based on his
                                implementation experience:<br class=3D"gmai=
l_msg">
                                <br class=3D"gmail_msg">
                                <span class=3D"m_-523616603530752702m_-6515=
445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span>OAuth
                                Token Binding
                                (draft-ietf-oauth-token-binding) - Brian
                                Campbell - 30 minutes<br class=3D"gmail_msg=
">
                                <br class=3D"gmail_msg">
                                (Brian may suggest a different amount of
                                time)<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                I agree that William Dennis should
                                present about the OAuth Device Flow
                                (draft-ietf-oauth-device-flow).<br class=3D=
"gmail_msg">
                                <br class=3D"gmail_msg">
                                For completeness, I don&#39;t think a
                                presentation is needed about OAuth AMR
                                Values (draft-ietf-oauth-amr-values)
                                because it&#39;s now completed its IESG
                                review.<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                I&#39;ll look forward to seeing many of you
                                in just over a week!<br class=3D"gmail_msg"=
>
                                <br class=3D"gmail_msg">
                                <span class=3D"m_-523616603530752702m_-6515=
445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gma=
il_msg" style=3D"white-space:pre-wrap"></span><span class=3D"m_-52361660353=
0752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Appl=
e-tab-span gmail_msg" style=3D"white-space:pre-wrap"></span><span class=3D"=
m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_503035777=
0178240766Apple-tab-span gmail_msg" style=3D"white-space:pre-wrap"></span><=
span class=3D"m_-523616603530752702m_-6515445798692939327m_3319639624494689=
827m_5030357770178240766Apple-tab-span gmail_msg" style=3D"white-space:pre-=
wrap"></span>--
                                Mike<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                -----Original Message-----<br class=3D"gmai=
l_msg">
                                From: OAuth [<a href=3D"mailto:oauth-bounce=
s@ietf.org" class=3D"gmail_msg" target=3D"_blank">mailto:oauth-bounces@ietf=
.org</a>]
                                On Behalf Of &quot;IETF Secretariat&quot;<b=
r class=3D"gmail_msg">
                                Sent: Friday, March 3, 2017 3:55 PM<br clas=
s=3D"gmail_msg">
                                To: <a href=3D"mailto:oauth-chairs@ietf.org=
" class=3D"gmail_msg" target=3D"_blank">oauth-chairs@ietf.org</a>;
                                <a href=3D"mailto:smccammon@amsl.com" class=
=3D"gmail_msg" target=3D"_blank">
                                  smccammon@amsl.com</a><br class=3D"gmail_=
msg">
                                Cc: <a href=3D"mailto:oauth@ietf.org" class=
=3D"gmail_msg" target=3D"_blank">oauth@ietf.org</a><br class=3D"gmail_msg">
                                Subject: [OAUTH-WG] oauth - Requested
                                sessions have been scheduled for IETF 98<br=
 class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Dear Stephanie McCammon,<br class=3D"gmail_=
msg">
                                <br class=3D"gmail_msg">
                                The session(s) that you have requested
                                have been scheduled.<br class=3D"gmail_msg"=
>
                                Below is the scheduled session
                                information followed by the original
                                request.<span class=3D"m_-52361660353075270=
2m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-conv=
erted-space gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                oauth Session 1 (2:30:00)<br class=3D"gmail=
_msg">
                                =C2=A0=C2=A0Friday, Morning Session I 0900-=
1130<br class=3D"gmail_msg">
                                =C2=A0=C2=A0Room Name: Zurich C size: 100<b=
r class=3D"gmail_msg">
=C2=A0=C2=A0---------------------------------------------<br class=3D"gmail=
_msg">
                                =C2=A0=C2=A0oauth Session 2 (1:00:00)<br cl=
ass=3D"gmail_msg">
                                =C2=A0=C2=A0Monday, Afternoon Session III
                                1710-1810<br class=3D"gmail_msg">
                                =C2=A0=C2=A0Room Name: Zurich C size: 100<b=
r class=3D"gmail_msg">
=C2=A0=C2=A0---------------------------------------------<br class=3D"gmail=
_msg">
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Request Information:<br class=3D"gmail_msg"=
>
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
                                Working Group Name: Web Authorization
                                Protocol Area Name: Security Area
                                Session Requester: Stephanie McCammon<br cl=
ass=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Number of Sessions: 2<br class=3D"gmail_msg=
">
                                Length of Session(s): =C2=A02.5 Hours, 1 Ho=
ur
                                Number of Attendees: 50 Conflicts to
                                Avoid:<span class=3D"m_-523616603530752702m=
_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-conver=
ted-space gmail_msg">=C2=A0</span><br class=3D"gmail_msg">
                                First Priority: saag core tls tokbind<br cl=
ass=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                People who must be present:<br class=3D"gma=
il_msg">
                                Hannes Tschofenig<br class=3D"gmail_msg">
                                Kathleen Moriarty<br class=3D"gmail_msg">
                                Derek Atkins<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Resources Requested:<br class=3D"gmail_msg"=
>
                                Projector in room<br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
                                Special Requests:<br class=3D"gmail_msg">
                                Please avoid conflict with sec area
                                BoFs.<br class=3D"gmail_msg">
---------------------------------------------------------<br class=3D"gmail=
_msg">
                                <br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
                                OAuth mailing list<br class=3D"gmail_msg">
                                <a href=3D"mailto:OAuth@ietf.org" class=3D"=
gmail_msg" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
                              </blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg">
                              <blockquote type=3D"cite" class=3D"gmail_msg"=
><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2=
F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D02%7C01%7C%7C254d0=
7b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C63=
6256985463058106&amp;sdata=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX=
6aQ%3D&amp;reserved=3D0" class=3D"gmail_msg" target=3D"_blank">https://na01=
.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailm=
an%2Flistinfo%2Foauth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b7=
3a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sda=
ta=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=3D0<=
/a></blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg">
                              <blockquote type=3D"cite" class=3D"gmail_msg"=
><br class=3D"gmail_msg">
                                <br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
                                OAuth mailing list<br class=3D"gmail_msg">
                                <a href=3D"mailto:OAuth@ietf.org" class=3D"=
gmail_msg" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
                              </blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg">
                              <blockquote type=3D"cite" class=3D"gmail_msg"=
><a href=3D"https://na01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2=
F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D02%7C01%7C%7C254d0=
7b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C63=
6256985463058106&amp;sdata=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX=
6aQ%3D&amp;reserved=3D0" class=3D"gmail_msg" target=3D"_blank">https://na01=
.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailm=
an%2Flistinfo%2Foauth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b7=
3a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sda=
ta=3DFYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=3D0<=
/a><br class=3D"gmail_msg">
                              </blockquote>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg"> <br class=3D"gmail_msg">
_______________________________________________<br class=3D"gmail_msg">
                              OAuth mailing list<br class=3D"gmail_msg">
                              <a href=3D"mailto:OAuth@ietf.org" class=3D"gm=
ail_msg" target=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                    <div style=3D"word-wrap:break-word" class=3D"gmail_msg"=
>
                      <div class=3D"gmail_msg">
                        <div class=3D"gmail_msg">
                          <blockquote type=3D"cite" class=3D"gmail_msg">
                            <div style=3D"font-size:12px;font-style:normal;=
font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:no=
rmal;text-align:start;text-indent:0px;text-transform:none;white-space:norma=
l;word-spacing:0px" class=3D"gmail_msg"><a href=3D"https://na01.safelinks.p=
rotection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinf=
o%2Foauth&amp;data=3D02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b=
5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463068122&amp;sdata=3D5CIJnWs=
2VdLM9FUWt%2FWlOxIilp5N2vfr7b9elwhL%2BA4%3D&amp;reserved=3D0" class=3D"gmai=
l_msg" target=3D"_blank">https://na01.safelinks.protection.outlook.com/?url=
=3Dhttps%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=3D02%7C=
01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1=
%7C0%7C0%7C636256985463068122&amp;sdata=3D5CIJnWs2VdLM9FUWt%2FWlOxIilp5N2vf=
r7b9elwhL%2BA4%3D&amp;reserved=3D0</a></div>
                          </blockquote>
                        </div>
                        <br class=3D"gmail_msg">
                      </div>
                    </div>
                    _______________________________________________<br clas=
s=3D"gmail_msg">
                    OAuth mailing list<br class=3D"gmail_msg">
                    <a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" t=
arget=3D"_blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
                    <a href=3D"https://www.ietf.org/mailman/listinfo/oauth"=
 rel=3D"noreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.ietf.=
org/mailman/listinfo/oauth</a><br class=3D"gmail_msg">
                  </blockquote>
                </div>
              </div>
              <div dir=3D"ltr" class=3D"gmail_msg">-- <br class=3D"gmail_ms=
g">
              </div>
              <div data-smartmail=3D"gmail_signature" class=3D"gmail_msg">
                <p dir=3D"ltr" class=3D"gmail_msg">Nat Sakimura</p>
                <p dir=3D"ltr" class=3D"gmail_msg">Chairman of the Board,
                  OpenID Foundation</p>
              </div>
              <br class=3D"gmail_msg">
              <fieldset class=3D"m_-523616603530752702m_-651544579869293932=
7mimeAttachmentHeader gmail_msg"></fieldset>
              <br class=3D"gmail_msg">
              <pre class=3D"gmail_msg">____________________________________=
___________
OAuth mailing list
<a class=3D"m_-523616603530752702m_-6515445798692939327moz-txt-link-abbrevi=
ated gmail_msg" href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf=
.org</a>
<a class=3D"m_-523616603530752702m_-6515445798692939327moz-txt-link-freetex=
t gmail_msg" href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D=
"_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
            </blockquote>
            <p class=3D"gmail_msg"><br class=3D"gmail_msg">
            </p>
          </div>
          _______________________________________________<br class=3D"gmail=
_msg">
          OAuth mailing list<br class=3D"gmail_msg">
          <a href=3D"mailto:OAuth@ietf.org" class=3D"gmail_msg" target=3D"_=
blank">OAuth@ietf.org</a><br class=3D"gmail_msg">
          <a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"no=
referrer" class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailma=
n/listinfo/oauth</a><br class=3D"gmail_msg">
        </blockquote>
      </div>
      <div dir=3D"ltr" class=3D"gmail_msg">-- <br class=3D"gmail_msg">
      </div>
      <div data-smartmail=3D"gmail_signature" class=3D"gmail_msg">
        <p dir=3D"ltr" class=3D"gmail_msg">Nat Sakimura</p>
        <p dir=3D"ltr" class=3D"gmail_msg">Chairman of the Board, OpenID Fo=
undation</p>
      </div>
    </blockquote>
    <p class=3D"gmail_msg"><br class=3D"gmail_msg">
    </p>
  </div></blockquote></div><div dir=3D"ltr">-- <br></div><div data-smartmai=
l=3D"gmail_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div>

--001a1141a706b518bf054bb575b5--


From nobody Mon Mar 27 06:08:50 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B5AA127333 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.628
X-Spam-Level: 
X-Spam-Status: No, score=-0.628 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEhUgG8nJghQ for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:08:43 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1670312940A for <oauth@ietf.org>; Mon, 27 Mar 2017 06:08:42 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 357C27803C8; Mon, 27 Mar 2017 15:08:38 +0200 (CEST)
To: Nat Sakimura <sakimura@gmail.com>, oauth@ietf.org
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com> <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr> <CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <4339d9a5-f886-bd75-7b2a-c714b0c9321f@free.fr>
Date: Mon, 27 Mar 2017 15:08:39 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------CF6450018FEDCCBAA107D355"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/okjZoKPBrWTEouIZ4VdbwYSOF5g>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 13:08:49 -0000

This is a multi-part message in MIME format.
--------------CF6450018FEDCCBAA107D355
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Nat,
> HI.
>
> As pointed out in saag, the OAuth WG is not dealing with ABC attack. 
> It is out of scope for now at least.

A threat along the lines of the ABC attack is not mentioned in RFC 6819: OAuth 2.0 
Threat Model and Security Considerations (2013).
Hence, nobody attempted to find a solution ... for a threat that had not 
been identified.

draft-ietf-oauth-token-binding-02 is a document from the OAuth WG. Since 
this threat has not been identified in RFC 6813,
it does not contain any proposal to counter that threat. However, this 
threat is now identified. Should this threat be addressed
by sticking our heads in the sand?

A basic property of the current Token Binding mechanisms being developed 
both by the OAuth WG and the Token Binding WG
is that a specific piece of software voluntarily installed by a client 
can export any token and perform all the needed computations
so that any token can successfully be used by another client. It is NOT 
the replay of a token, since the token is not used at any
time by the legitimate owner, but is used by an illegitimate user.

> The certs used are the certs of the client and not the subject/user. It 
> is the client authentication, not the user authentication.

If the user is always using the same client, then the end-result is 
nearly the same.

> In addition, authorization server knowing where the user is going with 
> this token is not an issue here.
> The protected resource and the authorization server belong to the 
> same administrative domain.

OAuth 2.0 was originally limited to this scope but has been expanded to 
be used in other contexts where the protected resource
and the authorization server do not necessarily belong to the same 
administrative domain. Hence, mandating the use of a URI is
against privacy principles. More flexibility is needed.

Denis

>
> Best,
>
> Nat
>
>
> On Mon, Mar 27, 2017 at 3:46 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Nat,
>
>     At present, I do not support the adoption of this document as a WG
>     document since the different techniques
>     that are being proposed have severe problems:
>
>       * When the JWT contains a jwk, jwkt#s256 or jwe, the method is
>         ineffective in case of a collusion between two users (ABC attack).
>       * When the JWT contains an x5t#s256, the JWT is linked to a hash
>         value of a certificate included in the JWT.
>         The server then knows a unique identifier of the user. Such a
>         method allows an easy linkage between all the accounts
>         of a given user on different resource servers, even when the
>         JWT only contains non-directly identifiable attributes.
>         Hence, it does not respect 'privacy by design' principles.
>
>     In addition, if a fixed value is being used for the audience
>     restriction parameter, e.g. a URL of the server, then the
>     authorization server
>     can easily know where the access tokens will be used and thus it
>     will be in a position to act as Big Brother.
>
>     You may however continue to progress this document as an
>     individual contribution.
>
>
>     Denis
>
>     PS. I will not subscribe to bitbucket.org <http://bitbucket.org>
>     because I don't agree with the conditions of this site.
>
>
>>     Hi Denis,
>>
>>     Thanks.
>>
>>     Is it possible to file these separately at
>>     https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&status=open so
>>     that each issue can be closed separately? (You need to login to
>>     bitbucket to do so.) Pull request would be nice, too, but we are
>>     going to do a bit of surgery on the spec as of now, so it might
>>     be wise to wait till after that to avoid conflicts.
>>
>>     Also, it is not yet a WG document so please support it becoming one.
>>
>>     Best,
>>
>>     Nat Sakimura
>>
>>     On Wed, Mar 22, 2017 at 5:15 AM Denis <denis.ietf@free.fr
>>     <mailto:denis.ietf@free.fr>> wrote:
>>
>>         Hi Nat,
>>
>>
>>         I have several comments on draft-sakimura-oauth-jpop-01
>>         related to security or privacy.
>>
>>
>>         1. The abstract states:
>>
>>         Only the party in possession of a corresponding cryptographic
>>         key with the Jpop token can use it to get access
>>         to the associated resources unlike in the case of the bearer
>>         token described in [RFC6750] where any party
>>         in possession of the access token can access the resource.
>>
>>         This is incorrect.
>>
>>         Replace with:
>>
>>         Any party able to use a corresponding private cryptographic
>>         key with the Jpop token can use it to get access
>>         to the associated resources unlike in the case of the bearer
>>         token described in [RFC6750] where any party
>>         in possession of the access token can access the resource.
>>
>>         2. In section 3, the text states:
>>
>>         aud: The identifier of the resource server.
>>
>>         According to the content of RFC 7800:
>>
>>         The "aud" (audience) claim identifies the recipients that the
>>         JWT is intended for. The interpretation of audience values is
>>         application specific.
>>
>>         Replace with:
>>
>>         aud: The recipients that the JWT is intended for (the
>>         interpretation of audience values is application specific).
>>
>>         3. In section 3, the text states:
>>
>>         cnf: The confirmation method.
>>
>>         Their semantics are defined in [RFC7519] and [RFC7800]
>>
>>
>>         This is incorrect: cnf is neither defined in [RFC7519] nor in
>>         [RFC7800].
>>
>>         4. In section 6.2, the text states:
>>
>>         For this, the following steps are taken:
>>
>>         1. The client prepares a nonce.
>>
>>         2. The client creates JWS compact serialization over the nonce
>>
>>
>>             JSON Web Token Claims are listed at:
>>             https://www.iana.org/assignments/jwt/jwt.xhtml
>>
>>         "nonce" has not been defined by the IANA, but is mentioned in
>>         OpenID Connect Core 1.0 incorporating errata set 1. It is
>>         described as:
>>
>>         nonce
>>
>>         String value used to associate a Client session with an ID
>>         Token, and to mitigate replay attacks. The value is passed
>>         through
>>         unmodified from the Authentication Request to the ID Token.
>>         If present in the ID Token, Clients MUST verify that the nonce
>>         Claim Value is equal to the value of the nonce parameter sent
>>         in the Authentication Request. If present in the
>>         Authentication Request,
>>         Authorization Servers MUST include a nonce Claim in the ID
>>         Token with the Claim Value being the nonce value sent in the
>>         Authentication Request.
>>         Authorization Servers SHOULD perform no other processing on
>>         nonce values used. The nonce value is a case sensitive string.
>>
>>         I have several observations:
>>
>>         a) there is some difficulty to mandate the use of a parameter
>>         that is not registered by IANA.
>>
>>         b) the further processing of the nonce is not indicated in the
>>         text
>>
>>         c)  The last sentence from the above description states:
>>         "Authorization Servers SHOULD perform no other processing on
>>         nonce values used"
>>         There is a practical problem with such a sentence since
>>         Authorization Servers would need to remember nonces for ever.
>>         Either that sentence should be deleted or the nonce shall be
>>         only used with a UTC time parameter included in the
>>         Authentication Request.
>>
>>         In any case, the definition of a nonce as specified in OpenID
>>         Connect Core 1.0 incorporating errata set 1 should not be
>>         used and another parameter
>>         (e.g. rdn for random) should be defined and registered by
>>         IANA and used in combination with a UTC time parameter
>>         included in the Authentication Request.
>>         In this way, only the rdn received during the last X minutes
>>         will need to be remembered by the Authorization Servers.
>>
>>
>>         5. The title of section 9.1 is: "Certificate validation"
>>
>>         Change the title of this section into :
>>
>>         "9.1. Common Name Constrained Token"
>>
>>         6. In section 9.1, the text states:
>>
>>         The "cn" JWT confirmation method relies its security property
>>         on the
>>
>>         X.509 client certificate authentication.
>>
>>         Replace with:
>>
>>         The "cn" JWT confirmation method relies its security property
>>         by the inclusion of the Common Name (CN)
>>         that is part of the Distinguished Name (DN) of an X.509
>>         certificate. The JWT is linked to the common name
>>         included in the certificate. Such a method is not privacy
>>         friendly since it allows an easy linkage between
>>         all the accounts of a given user on different resource servers.
>>
>>         7. Add a new section 9.2 to deal with the case of the cid.
>>
>>         Proposed text:
>>
>>         9.2. Client ID Constrained Token
>>
>>         The "cid" JWT confirmation method relies its security
>>         property on the assumption that the cid legitimately
>>         used by one server cannot be used by another user. It also
>>         relies on the assumption that the authentication data
>>         associated with "cid" combined with the "iss" will only be
>>         used by the legitimate user. This method is ineffective
>>         in case of a collusion between two users, since one user can
>>         perform all the computations needed by the other user.
>>
>>         8. In section 9.2, the text states:
>>
>>         The client's secret key must be kept securely. Otherwise, the
>>         notion of PoP breaks down.
>>
>>         The PKIX group from the IETF is using the vocabulary private
>>         key / public key when asymmetric cryptography is being used
>>         and secret key when symmetric algorithms are being used (let
>>         us call a spade a spade).
>>
>>         However, keeping a client's private key securely is not the
>>         right wording either. If the key is kept securely in a secure
>>         element
>>         (e.g. smart card), this is not enough, since the holder of
>>         the secure element may use this key for himself ... or worse
>>         for the benefit of someone else.
>>
>>         Proposed change :
>>
>>         9.3. Key Constrained Token
>>
>>         This method has four variants.
>>
>>         When the JWT contains a jwk, the JWT confirmation method
>>         relies its security property on the assumption that the
>>         private key
>>         associated with the public key contained in the access token
>>         will only be used by the legitimate user. In order to avoid
>>         an easy linkage
>>         between user's accounts, this method presents the advantage
>>         that the key pair can be changed for every JWT. However, this
>>         method
>>         is ineffective in case of a collusion between two users,
>>         since one user can perform all the computations needed by the
>>         other user.
>>
>>         When the JWT contains a jwkt#s256, the server must have a
>>         prior knowledge of the public key and the method relies its
>>         security property
>>         on the assumption that the private key associated with the
>>         public key contained in the access token will only be used by
>>         the legitimate user.
>>         Hence, this method is ineffective in case of a collusion
>>         between two users, since one user can perform all the
>>         computations needed
>>         by the other user.
>>
>>         When the JWT contains a x5t#s256, the server must have a
>>         prior knowledge of the public key certificate. The JWT is
>>         then linked to a hash value
>>         of a certificate included in the JWT. The server knows a
>>         unique identifier of the user. Such a method is not privacy
>>         friendly since it allows
>>         an easy linkage between all the accounts of a given user on
>>         different resource servers.
>>
>>         When the JWT contains a jwe, the JWT confirmation method
>>         relies its security property on the assumption that the
>>         secret key included
>>         in the JWT will only be used by the legitimate user. In order
>>         to avoid an easy linkage between user's accounts, this method
>>         presents
>>         the advantage that the secret key can be changed for every
>>         JWT. However, this method is ineffective in case of a
>>         collusion between two users,
>>         since one user can perform all the computations needed by the
>>         other user.
>>
>>         9. The text states in section 9.3:
>>
>>         9.3.Audi_a_nce Restriction
>>
>>         When using the signature method the client must specify to
>>         the AS the aud it intends to send the token to, so that it
>>         can be included in the AT.
>>
>>         A malicious RS could receive a AT with no aud or a logical
>>         audience and then replay the AT and jws-on-nonce to the
>>         actual server.
>>
>>
>>         Proposed change in order to address privacy concerns :
>>
>>         9.4.Audi_e_nce Restriction
>>
>>         When using the signature method, the client must specify to
>>         the AS the aud it intends to send the token to, so that it
>>         can be included in the AT.
>>
>>         RFC 7800 states that the interpretation of audience values is
>>         application specific. If a fixed value is being used, e.g. a
>>         URL of the server,
>>         then the authorization server can easily know where the
>>         access tokens will be used and thus is in a position to act
>>         as Big Brother.
>>         It is thus recommended to use a different value in the aud
>>         claims for each access token that contains no semantics in it
>>         but that the resource server
>>         can easily recognize.//
>>
>>         If a malicious RS receives an AT with no aud or a logical
>>         audience in it then it can replay the AT and jws-on-nonce to
>>         another server.
>>
>>         Denis
>>
>>
>>>         HI Chairs,
>>>
>>>         I would also like to ask 5 min. on Monday (as I cannot be on
>>>         Friday) for
>>>         The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1].
>>>
>>>         [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01
>>>
>>>         It is capturing strong and rather urgent demands from the
>>>         financial sector and would be great if it can be considered
>>>         in the WG.
>>>
>>>         Best,
>>>
>>>         Nat Sakimura
>>>
>>>         On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso
>>>         <asanso@adobe.com <mailto:asanso@adobe.com>> wrote:
>>>
>>>             hi Torsten,
>>>
>>>             good one. I personally am looking forward to seeing this
>>>             particular document find its way.
>>>
>>>             IMHO this is something much needed.
>>>
>>>             regards
>>>
>>>             antonio
>>>
>>>             On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt
>>>             <torsten@lodderstedt.net
>>>             <mailto:torsten@lodderstedt.net>> wrote:
>>>
>>>>             Hi Chairs,
>>>>
>>>>             I would like to request 5 minutes on Monday to briefly
>>>>             present the status of the security document. This is
>>>>             mainly to raise awareness in the group since I didn't
>>>>             get that much input on it since Seoul.
>>>>
>>>>             kind regards,
>>>>             Torsten.
>>>>
>>>>>             Am 18.03.2017 um 01:52 schrieb Mike Jones
>>>>>             <Michael.Jones@microsoft.com
>>>>>             <mailto:Michael.Jones@microsoft.com>>:
>>>>>
>>>>>             Hi Chairs,
>>>>>
>>>>>             I'd like to request that the following presentations
>>>>>             be added to the agenda:
>>>>>
>>>>>             OAuth Token Exchange (draft-ietf-oauth-token-exchange)
>>>>>             - Mike Jones - 15 minutes
>>>>>             OAuth Authorization Server Metadata
>>>>>             (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes
>>>>>
>>>>>             I'd also talked with Brian Campbell and I think he
>>>>>             wants to lead this discussion, in part based on his
>>>>>             implementation experience:
>>>>>
>>>>>             OAuth Token Binding (draft-ietf-oauth-token-binding) -
>>>>>             Brian Campbell - 30 minutes
>>>>>
>>>>>             (Brian may suggest a different amount of time)
>>>>>
>>>>>             I agree that William Dennis should present about the
>>>>>             OAuth Device Flow (draft-ietf-oauth-device-flow).
>>>>>
>>>>>             For completeness, I don't think a presentation is
>>>>>             needed about OAuth AMR Values
>>>>>             (draft-ietf-oauth-amr-values) because it's now
>>>>>             completed its IESG review.
>>>>>
>>>>>             I'll look forward to seeing many of you in just over a
>>>>>             week!
>>>>>
>>>>>             -- Mike
>>>>>
>>>>>             -----Original Message-----
>>>>>             From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf
>>>>>             Of "IETF Secretariat"
>>>>>             Sent: Friday, March 3, 2017 3:55 PM
>>>>>             To: oauth-chairs@ietf.org
>>>>>             <mailto:oauth-chairs@ietf.org>; smccammon@amsl.com
>>>>>             <mailto:smccammon@amsl.com>
>>>>>             Cc: oauth@ietf.org <mailto:oauth@ietf.org>
>>>>>             Subject: [OAUTH-WG] oauth - Requested sessions have
>>>>>             been scheduled for IETF 98
>>>>>
>>>>>             Dear Stephanie McCammon,
>>>>>
>>>>>             The session(s) that you have requested have been
>>>>>             scheduled.
>>>>>             Below is the scheduled session information followed by
>>>>>             the original request.
>>>>>
>>>>>             oauth Session 1 (2:30:00)
>>>>>               Friday, Morning Session I 0900-1130
>>>>>               Room Name: Zurich C size: 100
>>>>>               ---------------------------------------------
>>>>>               oauth Session 2 (1:00:00)
>>>>>               Monday, Afternoon Session III 1710-1810
>>>>>               Room Name: Zurich C size: 100
>>>>>               ---------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>             Request Information:
>>>>>
>>>>>
>>>>>             ---------------------------------------------------------
>>>>>             Working Group Name: Web Authorization Protocol Area
>>>>>             Name: Security Area Session Requester: Stephanie McCammon
>>>>>
>>>>>             Number of Sessions: 2
>>>>>             Length of Session(s):  2.5 Hours, 1 Hour Number of
>>>>>             Attendees: 50 Conflicts to Avoid:
>>>>>             First Priority: saag core tls tokbind
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>             People who must be present:
>>>>>             Hannes Tschofenig
>>>>>             Kathleen Moriarty
>>>>>             Derek Atkins
>>>>>
>>>>>             Resources Requested:
>>>>>             Projector in room
>>>>>
>>>>>             Special Requests:
>>>>>             Please avoid conflict with sec area BoFs.
>>>>>             ---------------------------------------------------------
>>>>>
>>>>>             _______________________________________________
>>>>>             OAuth mailing list
>>>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>             https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0
>>>>>
>>>>>
>>>>
>>>
>>>
>>>         -- 
>>>
>>>         Nat Sakimura
>>>
>>>         Chairman of the Board, OpenID Foundation
>>>
>>>
>>>
>>
>>
>>
>>     -- 
>>
>>     Nat Sakimura
>>
>>     Chairman of the Board, OpenID Foundation
>>
>
> -- 
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
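As an added illustration (not code from the draft or from anyone in this thread), here is how a resource server could apply two points raised in the review above: it verifies the JWS-over-nonce proof, accepts only the expected opaque aud value, and remembers rdn values only for the last X minutes so the replay cache stays bounded. Assumptions: an HS256 shared key stands in for the draft's proof key, the UTC time parameter is carried as the standard iat claim, and the window, skew and sample values are made up.

```python
import base64
import hashlib
import hmac
import json
import time

WINDOW_SECONDS = 300   # assumed "X minutes": how long a server remembers rdn values
MAX_SKEW_SECONDS = 30  # assumed tolerance for client/server clock drift


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_proof(claims: dict, key: bytes) -> str:
    """Client side: JWS compact serialization (HS256, assumed) over the proof claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_proof(token: str, key: bytes) -> dict:
    """Resource-server side: check the signature and return the claims, or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    alg = json.loads(b64url_decode(header)).get("alg")
    if alg != "HS256":  # pin the algorithm; never let the header choose it
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


class NonceWindow:
    """Remembers rdn values only for the window, keyed by the client's UTC time (iat)."""

    def __init__(self, window=WINDOW_SECONDS, skew=MAX_SKEW_SECONDS, clock=time.time):
        self.window, self.skew, self.clock = window, skew, clock
        self.seen = {}  # rdn -> iat

    def accept(self, rdn: str, iat: int) -> bool:
        now = self.clock()
        # Evict everything older than the window, so the cache never grows without bound.
        for old in [r for r, t in self.seen.items() if t < now - self.window]:
            del self.seen[old]
        if iat < now - self.window or iat > now + self.skew:
            return False  # stale, or dated in the future: outside the window
        if rdn in self.seen:
            return False  # replay within the window
        self.seen[rdn] = iat
        return True


def check_pop(token: str, key: bytes, expected_aud: str, window: NonceWindow) -> str:
    """Returns "ok" or a short reason for rejecting the proof."""
    try:
        claims = verify_proof(token, key)
    except ValueError as exc:
        return f"invalid: {exc}"
    if claims.get("aud") != expected_aud:
        return "wrong_aud"  # a proof with no aud or another server's aud is refused
    if not isinstance(claims.get("rdn"), str) or not isinstance(claims.get("iat"), int):
        return "missing_rdn_or_iat"
    if not window.accept(claims["rdn"], claims["iat"]):
        return "replay_or_stale"
    return "ok"


def demo():
    """Constructed sample: a fresh proof, its replay, a stale proof and one for another server."""
    key = b"constructed-demo-shared-secret"
    fixed_now = 1_490_000_000
    window = NonceWindow(clock=lambda: fixed_now)
    # "rs-7f3a" is an opaque per-token audience value with no semantics, as the review suggests.
    fresh = sign_proof({"aud": "rs-7f3a", "rdn": "Qm9xdW9z", "iat": fixed_now - 10}, key)
    stale = sign_proof({"aud": "rs-7f3a", "rdn": "b2xkb25l", "iat": fixed_now - 3600}, key)
    elsewhere = sign_proof({"aud": "rs-other", "rdn": "YW5vdGhlcg", "iat": fixed_now - 5}, key)
    return [check_pop(t, key, "rs-7f3a", window) for t in (fresh, fresh, stale, elsewhere)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay_or_stale', 'replay_or_stale', 'wrong_aud']
```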


--------------CF6450018FEDCCBAA107D355
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Nat,<br>
    </div>
    <blockquote
cite="mid:CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com"
      type="cite">
      <div dir="ltr">HI.&nbsp;
        <div><br>
        </div>
        <div>As pointed out in saag, the OAuth WG is not dealing with
          ABC attack. It is out of scope for now at least. <br>
        </div>
      </div>
    </blockquote>
    <font face="Arial"><br>
      A threat along the ABC attack is not mentioned in RFC 6819 : OAuth
      2.0 Threat Model and Security Considerations (2013).</font><font
      face="Arial"><br>
      Hence, nobody attempted to find a solution ... for a threat that
      had not been identified. <br>
    </font>
    <p><font face="Arial">draft-ietf-oauth-token-binding-02 is a
        document from the OAuth WG. Since this threat has not been
        identified in RFC 6813, <br>
        it does not contain any proposal to counter that threat.
        However, this threat is now identified. Should this threat be
        addressed <br>
        by sticking our heads in the sand ?</font></p>
    <font face="Arial">A basic property of the current Token Binding
      mechanisms </font><font face="Arial"><font face="Arial">being
        developed both by the OAuth WG and the </font><font
        face="Arial"><font face="Arial">Token Binding WG </font></font><br>
      is that a specific piece of software </font><font face="Arial">voluntarily
      installed by a client can export any token and perform all the
      needed computations <br>
      so that any token can successfully be used</font><font
      face="Arial"> by another client. It is NOT the replay of a token,
      since the token is not used at any <br>
      time by the legitimate owner, but is used by an illegitimate</font><font
      face="Arial"> user.</font><br>
    <br>
    <blockquote
cite="mid:CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>The certs used are the certs of the client and not the
            subject/user. It is the client authentication, not the user
            authentication. <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <font face="Arial">If the user is always using the same client, then
      the end-result is nearly the same.</font><br>
    <br>
    <blockquote
cite="mid:CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>In addition, authorization server knowing where the user
            is going with this token is not an issue here.&nbsp;</div>
          <div>The protected resource and the authorization server
            belong to the same administrative domain. <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <font face="Arial">OAuth 2.0 was originally limited to this scope
      but has been expanded to be used in other contexts where the
      protected resource <br>
      and the authorization server do not necessarily belong to the same
      administrative domain. Hence, mandating the use of a URI is <br>
      against privacy principles. More flexibility is needed.<br>
      <br>
      Denis</font><br>
    <br>
    <blockquote
cite="mid:CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          <div>Best,&nbsp;</div>
          <div><br>
          </div>
          <div>Nat</div>
          <div><br>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Mon, Mar 27, 2017 at 3:46 AM Denis &lt;<a
            moz-do-not-send="true" href="mailto:denis.ietf@free.fr">denis.ietf@free.fr</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <div class="m_-523616603530752702moz-cite-prefix gmail_msg"><font
                class="gmail_msg" face="Arial">Hi Nat,<br
                  class="gmail_msg">
                <br class="gmail_msg">
                At present, I do not support the adoption of this
                document as a WG document since the different techniques
                <br class="gmail_msg">
                that are being proposed have severe problems:<br
                  class="gmail_msg">
                <br class="gmail_msg">
              </font>
              <ul class="gmail_msg">
                <li class="gmail_msg"><font class="gmail_msg"
                    face="Arial"><span class="gmail_msg" lang="EN-US">When
                      the JWT contains a jwk , </span><span
                      class="gmail_msg" lang="EN-US">jwkt#s256 or </span><span
                      class="gmail_msg" lang="EN-US">jwe, the </span><span
                      class="gmail_msg" lang="EN-US">method is
                      ineffective in case of a collusion between two
                      users (ABC attack).</span></font></li>
                <li class="gmail_msg"><font class="gmail_msg"
                    face="Arial">When the <span class="gmail_msg"
                      lang="EN-US">JWT contains a x5t#s256, the JWT is
                      linked to a hash value of a certificate included
                      in the JWT.</span></font><font class="gmail_msg"
                    face="Arial"><span class="gmail_msg" lang="EN-US"><br
                        class="gmail_msg">
                      The server then knows a unique identifier of the
                      user. Such a method allows an easy linkage between
                      all the accounts</span></font><font
                    class="gmail_msg" face="Arial"><span
                      class="gmail_msg" lang="EN-US"><br
                        class="gmail_msg">
                      of a given user on different resource servers,
                      even when the JWT only </span></font><font
                    class="gmail_msg" face="Arial"><span
                      class="gmail_msg" lang="EN-US"><font
                        class="gmail_msg" face="Arial">contains <font
                          class="gmail_msg" color="#3333ff">non-directly
                          identifiable attributes</font></font>.<br
                        class="gmail_msg">
                      Hence, it does not respect '<font
                        class="gmail_msg" color="#3333ff">privacy by
                        design</font>' principles.</span></font><br
                    class="gmail_msg">
                  <font class="gmail_msg" face="Arial"><span
                      class="gmail_msg" lang="EN-US"></span></font></li>
              </ul>
              <font class="gmail_msg" face="Arial">In addition, i</font><font
                class="gmail_msg" face="Arial"><font class="gmail_msg"
                  color="#000099"><span style="font-family:Arial"
                    class="gmail_msg" lang="EN-US"><font
                      class="gmail_msg" color="#000000">f a fixed value
                      is being used for the audience restriction
                      parameter, e.g. a URL of the server, then the
                      authorization server <br class="gmail_msg">
                      can easily know where the access tokens will be
                      used and thus <font class="gmail_msg"
                        color="#3333ff">it will be in a position to act
                        as Big Brother</font>.<br class="gmail_msg">
                      <br class="gmail_msg">
                      You may however continue to progress this document
                      as an individual contribution.</font></span></font></font></div>
          </div>
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <div class="m_-523616603530752702moz-cite-prefix gmail_msg"><font
                class="gmail_msg" face="Arial"><font class="gmail_msg"
                  color="#000099"><span style="font-family:Arial"
                    class="gmail_msg" lang="EN-US"><font
                      class="gmail_msg" color="#000000"><br
                        class="gmail_msg">
                      <br class="gmail_msg">
                      Denis<br class="gmail_msg">
                    </font></span></font></font></div>
          </div>
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <div class="m_-523616603530752702moz-cite-prefix gmail_msg"><font
                class="gmail_msg" face="Arial"><font class="gmail_msg"
                  color="#000099"><span style="font-family:Arial"
                    class="gmail_msg" lang="EN-US"><font
                      class="gmail_msg" color="#000000"><br
                        class="gmail_msg">
                      PS. I will not subscribe to <a
                        moz-do-not-send="true"
                        href="http://bitbucket.org" class="gmail_msg"
                        target="_blank">bitbucket.org</a> because I
                      don't agree with the conditions of this site.<br
                        class="gmail_msg">
                      <br class="gmail_msg">
                    </font></span></font></font><br class="gmail_msg">
            </div>
          </div>
          <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
            <blockquote type="cite" class="gmail_msg">
              <div dir="ltr" class="gmail_msg">Hi Denis,&nbsp;
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Thanks.&nbsp;
                  <div class="gmail_msg"><br class="gmail_msg">
                  </div>
                  <div class="gmail_msg">Is it possible to file these
                    separately at&nbsp;<a moz-do-not-send="true"
href="https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&amp;status=open"
                      class="gmail_msg" target="_blank">https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&amp;status=open</a>&nbsp;so
                    that each issue&nbsp;can be closed separately? (You need
                    to login to bitbucket to do so.) Pull request would
                    be nice, too, but we are going to do a bit of
                    surgery on the spec as of now, so it might be wise
                    to wait till after that to avoid conflicts.&nbsp;</div>
                </div>
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Also, it is not yet a WG document
                  so please support it become one.&nbsp;</div>
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Best,&nbsp;</div>
                <div class="gmail_msg"><br class="gmail_msg">
                </div>
                <div class="gmail_msg">Nat Sakimura</div>
              </div>
              <br class="gmail_msg">
              <div class="gmail_quote gmail_msg">
                <div dir="ltr" class="gmail_msg">On Wed, Mar 22, 2017 at
                  5:15 AM Denis &lt;<a moz-do-not-send="true"
                    href="mailto:denis.ietf@free.fr" class="gmail_msg"
                    target="_blank">denis.ietf@free.fr</a>&gt; wrote:<br
                    class="gmail_msg">
                </div>
                <blockquote class="gmail_quote gmail_msg"
                  style="margin:0 0 0 .8ex;border-left:1px #ccc
                  solid;padding-left:1ex">
                  <div bgcolor="#FFFFFF" text="#000000"
                    class="gmail_msg">
                    <div
                      class="m_-523616603530752702m_-6515445798692939327moz-cite-prefix
                      gmail_msg"> </div>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Hi Nat,</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><br class="gmail_msg">
                      </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">I have several comments on
                        draft-sakimura-oauth-jpop-01 related to security
                        or privacy.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><br class="gmail_msg">
                      <span style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">1.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> The abstract states:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Only the party in possession of a
                        corresponding cryptographic key with the Jpop
                        token can use it to get access <br
                          class="gmail_msg">
                        to the associated resources unlike in the case
                        of the bearer token described in [RFC6750] where
                        any party <br class="gmail_msg">
                        in possession of the access token can access the
                        resource.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">This is incorrect.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Replace with:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Any party able to use a
                        corresponding private cryptographic key with the
                        Jpop token can use it to get access <br
                          class="gmail_msg">
                        to the associated resources unlike in the case
                        of the bearer token described in [RFC6750] where
                        any party <br class="gmail_msg">
                        in possession of the access token can access the
                        resource.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">2.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> In section 3, the text states:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp; </span>aud<span
                          class="gmail_msg">&nbsp; </span>The identifier of
                        the resource server.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">According to the content of RFC
                        7800:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The "aud" (audience) claim
                        identifies the recipients that the JWT is
                        intended for. The interpretation of audience
                        values is application specific.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Replace with:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp; </span>aud<span
                          class="gmail_msg">&nbsp; </span>The recipients
                        that the JWT is intended for (the interpretation
                        of audience values is application specific).</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">3.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> In section 3, the text states: </span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">cnf<span class="gmail_msg">&nbsp; </span>The
                        confirmation method.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp;&nbsp; </span>Their
                        semantics are defined in [RFC7519] and [RFC7800]</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><br class="gmail_msg">
                        This is incorrect: cnf is neither defined in
                        [RFC7519] nor in [RFC7800].</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">4.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> In section 6.2, the text states:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">For this, the following steps are
                        taken:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp;&nbsp; </span>1.<span
                          class="gmail_msg">&nbsp; </span>The client
                        prepares a nonce.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:36.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp;&nbsp; </span>2.<span
                          class="gmail_msg">&nbsp; </span>The client creates
                        JWS compact serialization over the nonce</span></p>
                    <h2 class="gmail_msg"><span
                        style="font-size:12.0pt;font-family:Arial;font-weight:normal"
                        class="gmail_msg" lang="EN-GB">JSON Web Token
                        Claims are listed at: <span style="color:blue"
                          class="gmail_msg"><a moz-do-not-send="true"
                            class="m_-523616603530752702m_-6515445798692939327moz-txt-link-freetext
                            gmail_msg"
                            href="https://www.iana.org/assignments/jwt/jwt.xhtml"
                            target="_blank">https://www.iana.org/assignments/jwt/jwt.xhtml</a></span></span></h2>
                    <p class="MsoNormal gmail_msg"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">"nonce" has not been defined by the
                        IANA, but is mentioned in OpenID Connect Core
                        1.0 incorporating errata set 1. It is described
                        as :</span></p>
                    <p class="MsoNormal gmail_msg"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">nonce</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"></span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-left:36.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">String value used to associate a
                        Client session with an ID Token, and to mitigate
                        replay attacks. The value is passed through <br
                          class="gmail_msg">
                        unmodified from the Authentication Request to
                        the ID Token. If present in the ID Token,
                        Clients MUST verify that the </span><tt
                        class="gmail_msg"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB">nonce</span></tt><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"><br class="gmail_msg">
                        Claim Value is equal to the value of the </span><tt
                        class="gmail_msg"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB">nonce</span></tt><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"> parameter sent in the
                        Authentication Request. If present in the
                        Authentication Request, <br class="gmail_msg">
                        Authorization Servers MUST include a </span><tt
                        class="gmail_msg"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB">nonce</span></tt><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"> Claim in the ID Token with the
                        Claim Value being the nonce value sent in the
                        Authentication Request. <br class="gmail_msg">
                        <font class="gmail_msg" color="#3333ff">Authorization
                          Servers SHOULD perform no other processing on
                        </font></span><font class="gmail_msg"
                        color="#3333ff"><tt class="gmail_msg"><span
                            style="font-family:Arial" class="gmail_msg"
                            lang="EN-GB">nonce</span></tt></font><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"><font class="gmail_msg"
                          color="#000099"><font class="gmail_msg"
                            color="#3333ff"> values used</font>.</font>
                        The </span><tt class="gmail_msg"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB">nonce</span></tt><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"> value is a case sensitive string.
                      </span></p>
                    <p class="MsoNormal gmail_msg"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:2.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:0cm"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">I have several observations:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">a)<span style="font:7.0pt
                          &quot;Times New Roman&quot;" class="gmail_msg">Â Â Â Â 
                        </span></span><span style="font-family:Arial"
                        class="gmail_msg" lang="EN-GB">there is some
                        difficulty in mandating the use of a parameter
                        that is not registered by IANA.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">b)<span style="font:7.0pt
                          &quot;Times New Roman&quot;" class="gmail_msg">Â Â Â Â 
                        </span></span><span style="font-family:Arial"
                        class="gmail_msg" lang="EN-GB">the further
                        processing of the nonce is not indicated in the
                        text</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:2.0pt;margin-left:36.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">c)&nbsp; The last sentence from the
                        above description states: "</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"><font class="gmail_msg"
                          color="#3333ff"><span
                            style="font-family:Arial" class="gmail_msg"
                            lang="EN-GB">Authorization Servers SHOULD
                            perform no other processing on </span><tt
                            class="gmail_msg"><span
                              style="font-family:Arial"
                              class="gmail_msg" lang="EN-GB">nonce</span></tt></font><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB"><font class="gmail_msg"
                            color="#3333ff"> values used</font>"<br
                            class="gmail_msg">
                        </span>There is a practical problem with such a
                        sentence since </span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"><span style="font-family:Arial"
                          class="gmail_msg" lang="EN-GB"><span
                            style="font-family:Arial" class="gmail_msg"
                            lang="EN-GB">Authorization Servers would
                            need to remember nonces forever. <br
                              class="gmail_msg">
                            Either that sentence should be deleted or
                            the nonce shall be only used with a UTC time
                            parameter included in the </span></span></span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">Authentication Request.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"> </span><font class="gmail_msg"
                        face="Arial">In any case, the definition of </font><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB">a nonce as specified in OpenID
                        Connect Core 1.0 incorporating errata set 1
                        should not be used and another parameter <br
                          class="gmail_msg">
                        (e.g. rdn for random) should be defined and
                        registered by IANA and used in combination with
                      </span><span style="font-family:Arial"
                        class="gmail_msg" lang="EN-GB"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB"><span style="font-family:Arial"
                            class="gmail_msg" lang="EN-GB"><span
                              style="font-family:Arial"
                              class="gmail_msg" lang="EN-GB">a UTC time
                              parameter included in the </span></span></span><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB">Authentication Request</span>.<br
                          class="gmail_msg">
                        In this way, only the rdn received during the
                        last X minutes will need to be remembered by </span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"><span style="font-family:Arial"
                          class="gmail_msg" lang="EN-GB"></span><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-GB"><span style="font-family:Arial"
                            class="gmail_msg" lang="EN-GB"><span
                              style="font-family:Arial"
                              class="gmail_msg" lang="EN-GB">the
                              Authorization Servers</span></span></span>.<br
                          class="gmail_msg">
                      </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><br class="gmail_msg">
                      <span style="font-family:Arial" class="gmail_msg"
                        lang="EN-GB"></span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">5.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> The title of section 9.1 is:
                        "Certificate validation"</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Change the title of this section
                        into :</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">"9.1. Common Name Constrained
                        Token"</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">6.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> In section 9.1, the text states:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The "cn" JWT confirmation method
                        relies its security property on the</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><span class="gmail_msg">&nbsp;&nbsp; </span>X.509
                        client certificate authentication. </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Replace with:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The "cn" JWT confirmation method
                        relies for its security property on the inclusion of
                        the Common Name (CN) <br class="gmail_msg">
                        that is part of the Distinguished Name (DN) of
                        an X.509 certificate. The JWT is linked to the
                        common name <br class="gmail_msg">
                        included in the certificate. Such a method is
                        not privacy friendly since it allows an easy
                        linkage between <br class="gmail_msg">
                        all the accounts of a given user on different
                        resource servers.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">7.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> Add a new section 9.2 to deal with
                        the case of the cid. </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Proposed text: </span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">9.2. Client ID Constrained Token</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The "cid" JWT confirmation method
                        relies for its security property on the assumption
                        that the cid legitimately <br class="gmail_msg">
                        used by one server cannot be used by another
                        user. It also relies on the assumption that the
                        authentication data <br class="gmail_msg">
                        associated with "cid" combined with the "iss"
                        will only be used by the legitimate user. This
                        method is ineffective <br class="gmail_msg">
                        in case of a collusion between two users, since
                        one user can perform all the computations needed
                        by the other user.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">8.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> In section 9.2, the text states:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The client's secret key must be
                        kept securely. Otherwise, the notion of PoP
                        breaks down.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">The PKIX group from the IETF is
                        using the vocabulary private key / public key
                        when asymmetric cryptography is being used <br
                          class="gmail_msg">
                        and secret key when symmetric algorithms are
                        being used (let us call a spade a spade).</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">However, keeping a client's private
                        key securely is not the right wording either. If
                        the key is kept securely in a secure element <br
                          class="gmail_msg">
                        (e.g. smart card), this is not enough, since the
                        holder of the secure element may use this key
                        for himself ... or worse for the benefit of
                        someone else.<br class="gmail_msg">
                        <br class="gmail_msg">
                      </span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">Proposed change :</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">9.3. Key Constrained Token</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">This method has four variants. </span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When the JWT contains a jwk, the
                        JWT confirmation method relies for its security
                        property on the assumption that the private key
                        <br class="gmail_msg">
                        associated with the public key contained in the
                        access token will only be used by the legitimate
                        user. In order to avoid an easy linkage<br
                          class="gmail_msg">
                        between user's accounts, this method presents
                        the advantage that the key pair can be changed
                        for every JWT. However, this method <br
                          class="gmail_msg">
                        is ineffective in case of a collusion between
                        two users, since one user can perform all the
                        computations needed by the other user.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When the JWT contains a jwkt#s256,
                        the server must have a prior knowledge of the
                        public key and the method relies for its security
                        property <br class="gmail_msg">
                        on the assumption that the private key
                        associated with the public key contained in the
                        access token will only be used by the legitimate
                        user. <br class="gmail_msg">
                        Hence, this method is ineffective in case of a
                        collusion between two users, since one user can
                        perform all the computations needed <br
                          class="gmail_msg">
                        by the other user.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When the JWT contains a x5t#s256,
                        the server must have a prior knowledge of the
                        public key certificate. The JWT is then linked
                        to a hash value <br class="gmail_msg">
                        of a certificate included in the JWT. The server
                        knows a unique identifier of the user. Such a
                        method is not privacy friendly since it allows <br
                          class="gmail_msg">
                        an easy linkage between all the accounts of a
                        given user on different resource servers.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When the JWT contains a jwe, the
                        JWT confirmation method relies for its security
                        property on the assumption that the secret key
                        included <br class="gmail_msg">
                        in the JWT will only be used by the legitimate
                        user. In order to avoid an easy linkage between
                        user's accounts, this method presents <br
                          class="gmail_msg">
                        the advantage that the secret key can be changed
                        for every JWT. However, this method is
                        ineffective in case of a collusion between two
                        users, <br class="gmail_msg">
                        since one user can perform all the computations
                        needed by the other user.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">&nbsp;</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">9.</span><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"> The text states in section 9.3:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">9.3.<span class="gmail_msg">&nbsp; </span>Audi<u
                          class="gmail_msg">a</u>nce Restriction</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When using the signature method the
                        client must specify to the AS the aud it intends
                        to send the token to, so that it can be included
                        in the AT.</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">A malicious RS could receive a AT
                        with no aud or a logical audience and then
                        replay the AT and jws-on-nonce to the actual
                        server.</span></p>
                    <p class="MsoNormal gmail_msg"
                      style="margin-top:6.0pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US"><br class="gmail_msg">
                        Proposed change in order to address privacy
                        concerns:</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">9.4.<span class="gmail_msg">&nbsp; </span>Audi<u
                          class="gmail_msg">e</u>nce Restriction</span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">When using the signature method,
                        the client must specify to the AS the aud it
                        intends to send the token to, so that it can be
                        included in the AT. </span></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><font
                        class="gmail_msg" color="#000099"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-US">RFC 7800 states that the
                          interpretation of audience values is
                          application specific. If a fixed value is
                          being used, e.g. a URL of the server, <br
                            class="gmail_msg">
                          then the authorization server can easily know
                          where the access tokens will be used and thus
                          is in a position to act as Big Brother. <br
                            class="gmail_msg">
                          It is thus recommended to use a different
                          value in the aud claims for each access token
                          that contains no semantics in it but that the
                          resource server <br class="gmail_msg">
                          can easily recognize.</span></font><i
                        class="gmail_msg"><span
                          style="font-family:Arial" class="gmail_msg"
                          lang="EN-US"></span></i></p>
                    <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><span
                        style="font-family:Arial" class="gmail_msg"
                        lang="EN-US">If a malicious RS receives an AT
                        with no aud or a logical audience in it then it
                        can replay the AT and jws-on-nonce to another
                        server.<br class="gmail_msg">
                      </span><span
                        style="font-size:11.0pt;font-family:Arial"
                        class="gmail_msg" lang="EN-US"></span></p>
                  </div>
                  <div bgcolor="#FFFFFF" text="#000000"
                    class="gmail_msg">
                    <p class="gmail_msg"><span
                        style="font-size:11.0pt;font-family:Arial"
                        class="gmail_msg" lang="EN-US">&nbsp;</span><font
                        class="gmail_msg" size="+1"><span
                          style="font-size:11.0pt;font-family:Arial"
                          class="gmail_msg" lang="EN-US">Denis</span></font></p>
                  </div>
                  <div bgcolor="#FFFFFF" text="#000000"
                    class="gmail_msg">
                    <p class="gmail_msg"><font class="gmail_msg"
                        size="+1"><span
                          style="font-size:11.0pt;font-family:Arial"
                          class="gmail_msg" lang="EN-US"><br
                            class="gmail_msg">
                        </span></font></p>
                    <blockquote type="cite" class="gmail_msg">
                      <div dir="ltr" class="gmail_msg">
                        <div dir="ltr" class="gmail_msg">Hi Chairs,
                          <div class="gmail_msg"><br class="gmail_msg">
                          </div>
                          <div class="gmail_msg">I would also like to
                            ask 5 min. on Monday (as I cannot be on
                            Friday) for</div>
                          The OAuth 2.0 Authorization Framework: JWT Pop
                          Token Usage [1].</div>
                        <div dir="ltr" class="gmail_msg"><br
                            class="gmail_msg">
                        </div>
                        <div dir="ltr" class="gmail_msg">[1] <a
                            moz-do-not-send="true"
                            href="https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01"
                            class="gmail_msg" target="_blank">https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01</a></div>
                        <div dir="ltr" class="gmail_msg"><br
                            class="gmail_msg">
                        </div>
                        <div class="gmail_msg">It is capturing strong
                          and rather urgent demands from the financial
                          sector and would be great if it can be
                          considered in the WG.</div>
                        <div class="gmail_msg"><br class="gmail_msg">
                        </div>
                        <div class="gmail_msg">Best,</div>
                        <div class="gmail_msg"><br class="gmail_msg">
                        </div>
                        <div class="gmail_msg">Nat Sakimura</div>
                        <br class="gmail_msg">
                        <div class="gmail_quote gmail_msg">
                          <div dir="ltr" class="gmail_msg">On Tue, Mar
                            21, 2017 at 10:28 PM Antonio Sanso &lt;<a
                              moz-do-not-send="true"
                              href="mailto:asanso@adobe.com"
                              class="gmail_msg" target="_blank">asanso@adobe.com</a>&gt;
                            wrote:<br class="gmail_msg">
                          </div>
                          <blockquote class="gmail_quote gmail_msg"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div style="word-wrap:break-word"
                              class="gmail_msg"> hi Torsten,
                              <div class="gmail_msg"><br
                                  class="gmail_msg">
                              </div>
                              <div class="gmail_msg">good one. I
                                personally am looking forward to seeing
                                this particular document find its way.</div>
                              <div class="gmail_msg"><br
                                  class="gmail_msg">
                              </div>
                              <div class="gmail_msg">IMHO this is
                                something much needed.</div>
                              <div class="gmail_msg"><br
                                  class="gmail_msg">
                              </div>
                              <div class="gmail_msg">regards</div>
                              <div class="gmail_msg"><br
                                  class="gmail_msg">
                              </div>
                              <div class="gmail_msg">antonio</div>
                              <div class="gmail_msg"><br
                                  class="gmail_msg">
                              </div>
                            </div>
                            <div style="word-wrap:break-word"
                              class="gmail_msg">
                              <div class="gmail_msg">
                                <div class="gmail_msg">
                                  <div class="gmail_msg">On Mar 21,
                                    2017, at 2:08 PM, Torsten
                                    Lodderstedt &lt;<a
                                      moz-do-not-send="true"
                                      href="mailto:torsten@lodderstedt.net"
                                      class="gmail_msg" target="_blank">torsten@lodderstedt.net</a>&gt;
                                    wrote:</div>
                                  <br
class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-interchange-newline
                                    gmail_msg">
                                </div>
                              </div>
                            </div>
                            <div style="word-wrap:break-word"
                              class="gmail_msg">
                              <div class="gmail_msg">
                                <div class="gmail_msg">
                                  <blockquote type="cite"
                                    class="gmail_msg">
                                    <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                                      class="gmail_msg"> Hi Chairs,<br
                                        class="gmail_msg">
                                      <br class="gmail_msg">
                                      I would like to request 5 minutes
                                      on Monday to briefly present the
                                      status of the security document.
                                      This is mainly to raise awareness
                                      in the group since I didn't get
                                      that much input on it since Seoul.<br
                                        class="gmail_msg">
                                      <br class="gmail_msg">
                                      kind regards,<br class="gmail_msg">
                                      Torsten.<br class="gmail_msg">
                                      <br class="gmail_msg">
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </div>
                            <div style="word-wrap:break-word"
                              class="gmail_msg">
                              <div class="gmail_msg">
                                <div class="gmail_msg">
                                  <blockquote type="cite"
                                    class="gmail_msg">
                                    <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                                      class="gmail_msg">
                                      <blockquote type="cite"
                                        class="gmail_msg">Am 18.03.2017
                                        um 01:52 schrieb Mike Jones &lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:Michael.Jones@microsoft.com"
                                          class="gmail_msg"
                                          target="_blank">Michael.Jones@microsoft.com</a>&gt;:<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        Hi Chairs,<br class="gmail_msg">
                                        <br class="gmail_msg">
                                        I'd like to request that the
                                        following presentations be added
                                        to the agenda:<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        <span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                        Token Exchange
                                        (draft-ietf-oauth-token-exchange)
                                        - Mike Jones - 15 minutes<br
                                          class="gmail_msg">
                                        <span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                        Authorization Server Metadata
                                        (draft-ietf-oauth-discovery) -
                                        Mike Jones - 15 minutes<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        I'd also talked with Brian
                                        Campbell and I think he wants to
                                        lead this discussion, in part
                                        based on his implementation
                                        experience:<br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>OAuth
                                        Token Binding
                                        (draft-ietf-oauth-token-binding)
                                        - Brian Campbell - 30 minutes<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        (Brian may suggest a different
                                        amount of time)<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        I agree that William Dennis
                                        should present about the OAuth
                                        Device Flow
                                        (draft-ietf-oauth-device-flow).<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        For completeness, I don't think
                                        a presentation is needed about
                                        OAuth AMR Values
                                        (draft-ietf-oauth-amr-values)
                                        because it's now completed its
                                        IESG review.<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        I'll look forward to seeing many
                                        of you in just over a week!<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        <span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span><span class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-tab-span gmail_msg" style="white-space:pre-wrap"></span>--
                                        Mike<br class="gmail_msg">
                                        <br class="gmail_msg">
                                        -----Original Message-----<br
                                          class="gmail_msg">
                                        From: OAuth [<a
                                          moz-do-not-send="true"
                                          href="mailto:oauth-bounces@ietf.org"
                                          class="gmail_msg"
                                          target="_blank">mailto:oauth-bounces@ietf.org</a>]
                                        On Behalf Of "IETF Secretariat"<br
                                          class="gmail_msg">
                                        Sent: Friday, March 3, 2017 3:55
                                        PM<br class="gmail_msg">
                                        To: <a moz-do-not-send="true"
                                          href="mailto:oauth-chairs@ietf.org"
                                          class="gmail_msg"
                                          target="_blank">oauth-chairs@ietf.org</a>;
                                        <a moz-do-not-send="true"
                                          href="mailto:smccammon@amsl.com"
                                          class="gmail_msg"
                                          target="_blank">
                                          smccammon@amsl.com</a><br
                                          class="gmail_msg">
                                        Cc: <a moz-do-not-send="true"
                                          href="mailto:oauth@ietf.org"
                                          class="gmail_msg"
                                          target="_blank">oauth@ietf.org</a><br
                                          class="gmail_msg">
                                        Subject: [OAUTH-WG] oauth -
                                        Requested sessions have been
                                        scheduled for IETF 98<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        Dear Stephanie McCammon,<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        The session(s) that you have
                                        requested have been scheduled.<br
                                          class="gmail_msg">
                                        Below is the scheduled session
                                        information followed by the
                                        original request.<span
class="m_-523616603530752702m_-6515445798692939327m_3319639624494689827m_5030357770178240766Apple-converted-space
                                          gmail_msg">&nbsp;</span><br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        oauth Session 1 (2:30:00)<br
                                          class="gmail_msg">
                                        &nbsp;&nbsp;Friday, Morning Session I
                                        0900-1130<br class="gmail_msg">
                                        &nbsp;&nbsp;Room Name: Zurich C size: 100<br
                                          class="gmail_msg">
&nbsp;&nbsp;---------------------------------------------<br class="gmail_msg">
                                        &nbsp;&nbsp;oauth Session 2 (1:00:00)<br
                                          class="gmail_msg">
                                        &nbsp;&nbsp;Monday, Afternoon Session III
                                        1710-1810<br class="gmail_msg">
                                        &nbsp;&nbsp;Room Name: Zurich C size: 100<br
                                          class="gmail_msg">
&nbsp;&nbsp;---------------------------------------------<br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
                                        Request Information:<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
---------------------------------------------------------<br
                                          class="gmail_msg">
                                        Working Group Name: Web
                                        Authorization Protocol<br class="gmail_msg">
                                        Area Name: Security Area<br class="gmail_msg">
                                        Session Requester: Stephanie McCammon<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        Number of Sessions: 2<br
                                          class="gmail_msg">
                                        Length of Session(s): 2.5
                                        Hours, 1 Hour<br class="gmail_msg">
                                        Number of Attendees: 50<br class="gmail_msg">
                                        Conflicts to Avoid:&nbsp;<br
                                          class="gmail_msg">
                                        First Priority: saag core tls
                                        tokbind<br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
                                        <br class="gmail_msg">
                                        People who must be present:<br
                                          class="gmail_msg">
                                        Hannes Tschofenig<br
                                          class="gmail_msg">
                                        Kathleen Moriarty<br
                                          class="gmail_msg">
                                        Derek Atkins<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        Resources Requested:<br
                                          class="gmail_msg">
                                        Projector in room<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
                                        Special Requests:<br
                                          class="gmail_msg">
                                        Please avoid conflict with sec
                                        area BoFs.<br class="gmail_msg">
---------------------------------------------------------<br
                                          class="gmail_msg">
                                        <br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
                                        OAuth mailing list<br
                                          class="gmail_msg">
                                        <a moz-do-not-send="true"
                                          href="mailto:OAuth@ietf.org"
                                          class="gmail_msg"
                                          target="_blank">OAuth@ietf.org</a><br
                                          class="gmail_msg">
                                      </blockquote>
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </div>
                            <div style="word-wrap:break-word"
                              class="gmail_msg">
                              <div class="gmail_msg">
                                <div class="gmail_msg">
                                  <blockquote type="cite"
                                    class="gmail_msg">
                                    <div
style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"
                                      class="gmail_msg">
                                      <blockquote type="cite"
                                        class="gmail_msg"><a
                                          moz-do-not-send="true"
href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=0"
                                          class="gmail_msg"
                                          target="_blank">https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&amp;sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&amp;reserved=0</a></blockquote>
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </div>
_______________________________________________<br class="gmail_msg">
                            OAuth mailing list<br class="gmail_msg">
                            <a moz-do-not-send="true"
                              href="mailto:OAuth@ietf.org"
                              class="gmail_msg" target="_blank">OAuth@ietf.org</a><br
                              class="gmail_msg">
                            <a moz-do-not-send="true"
                              href="https://www.ietf.org/mailman/listinfo/oauth"
                              rel="noreferrer" class="gmail_msg"
                              target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br
                              class="gmail_msg">
                          </blockquote>
                        </div>
                      </div>
                      <div dir="ltr" class="gmail_msg">-- <br
                          class="gmail_msg">
                      </div>
                      <div data-smartmail="gmail_signature"
                        class="gmail_msg">
                        <p dir="ltr" class="gmail_msg">Nat Sakimura</p>
                        <p dir="ltr" class="gmail_msg">Chairman of the
                          Board, OpenID Foundation</p>
                      </div>
                      <br class="gmail_msg">
                      <fieldset
                        class="m_-523616603530752702m_-6515445798692939327mimeAttachmentHeader
                        gmail_msg"></fieldset>
                      <br class="gmail_msg">
                      <pre class="gmail_msg">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="m_-523616603530752702m_-6515445798692939327moz-txt-link-abbreviated gmail_msg" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="m_-523616603530752702m_-6515445798692939327moz-txt-link-freetext gmail_msg" href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                    </blockquote>
                    <p class="gmail_msg"><br class="gmail_msg">
                    </p>
                  </div>
                  _______________________________________________<br
                    class="gmail_msg">
                  OAuth mailing list<br class="gmail_msg">
                  <a moz-do-not-send="true" href="mailto:OAuth@ietf.org"
                    class="gmail_msg" target="_blank">OAuth@ietf.org</a><br
                    class="gmail_msg">
                  <a moz-do-not-send="true"
                    href="https://www.ietf.org/mailman/listinfo/oauth"
                    rel="noreferrer" class="gmail_msg" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br
                    class="gmail_msg">
                </blockquote>
              </div>
              <div dir="ltr" class="gmail_msg">-- <br class="gmail_msg">
              </div>
              <div data-smartmail="gmail_signature" class="gmail_msg">
                <p dir="ltr" class="gmail_msg">Nat Sakimura</p>
                <p dir="ltr" class="gmail_msg">Chairman of the Board,
                  OpenID Foundation</p>
              </div>
            </blockquote>
            <p class="gmail_msg"><br class="gmail_msg">
            </p>
          </div>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div data-smartmail="gmail_signature">
        <p dir="ltr">Nat Sakimura</p>
        <p dir="ltr">Chairman of the Board, OpenID Foundation</p>
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------CF6450018FEDCCBAA107D355--


From nobody Mon Mar 27 06:45:15 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F925129422 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:45:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aa-w5U_qvkIP for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:45:06 -0700 (PDT)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 315AE12778E for <oauth@ietf.org>; Mon, 27 Mar 2017 06:45:05 -0700 (PDT)
Received: by mail-pg0-x229.google.com with SMTP id 21so40679080pgg.1 for <oauth@ietf.org>; Mon, 27 Mar 2017 06:45:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WK8pcEazT2S8RI74Y4O+BPrB5/t62sZHkuI4eA6+L/4=; b=LTmncJ9MLjEESlBQuHvi5T+YOJhGbx8Lq2jI/h2qJRN1duzDPJuc0asCG2DDbJ/qUs VWx6PNoII+tzTtWxCqSK2AJUBuID00hey0oOKFWBv7Jf/4JlGQS8q3V+9Z5mGpRkU1FQ PMTmwssw+N4jkbfSjYxFWYGaQkWohnYJ3vmm0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WK8pcEazT2S8RI74Y4O+BPrB5/t62sZHkuI4eA6+L/4=; b=FeupEH6/ZfYhTVw6nGlyocdhPvNmQd9ESMRSsYvmqS9ZDRpjZRLhrkTJ4YyYdPsPYn rBCcohrZ6kwTVVXhGg78w9XpOxWHEjvt7D//PDKjNJukRH0bXxk1FNvUDDg2PSUw9D2g V/6/BDeIm7oTpoGegoKh1hvy/xF8PwW6bbtlOzb3Gxgmz/TcEQt7lRoWc2ZSOQ5wzFK6 AvCbEXgtr3igiKhf2H045dus5jDeO5ydcXH5u92Wy3LOT88Vc/AjxkAIlh8midpDBNYb jC9dVQteqkRpOO1YVJSwqrVmpUWbLISflWeAwy4dwhJfb68ycdZcZQV5sZgD3MtsUZZF YKdQ==
X-Gm-Message-State: AFeK/H29VxIUV82obbwMwadvLca9pMuQ9NUVMfcyN9Kj/ba5UxBhLZv1ndBexuVYOrf1cGg5yIVAbjComXoOPbLK
X-Received: by 10.98.72.66 with SMTP id v63mr25510841pfa.8.1490622304431; Mon, 27 Mar 2017 06:45:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.170.138 with HTTP; Mon, 27 Mar 2017 06:44:33 -0700 (PDT)
In-Reply-To: <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 27 Mar 2017 08:44:33 -0500
Message-ID: <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c0b7a2ef34e04054bb68cbf
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xXFby2tMe984i2wbwOdEr4Xjk2o>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 13:45:14 -0000

--94eb2c0b7a2ef34e04054bb68cbf
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks for the review and question, Torsten.

The desire to support multiple audience/resource values in the request came
up during a review and discussion among the authors of the document when
preparing the -03 draft. As I recall, it was said that both Salesforce and
Microsoft had use-cases for it. I incorporated support for it into the
draft acting in the role of editor.

From an individual perspective, I tend to agree with you that allowing for
multiple audiences/resources adds a lot of complexity that's likely not
needed in many (or most) cases. And I would personally be open to making
audience and resource mutually exclusive and single valued. A question for
the WG I suppose.

The "invalid_target" error code that was added in -07 was intended to give
the AS a standard way to deal with the complexity and reject requests with
multiple audiences/resources that it doesn't understand or is unwilling or
unable to process. It was intended as a compromise, of sorts, to allow for
the multiples but provide an easy out of saying it can't be supported based
on whatever implementation or policy of the AS.




On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Brian,
>
> thanks for the clarification around resource, audience and scope.
>
> Here are my comments on the draft:
>
> In section 2.1 it states: „Multiple "resource" parameters may be used to
> indicate
>       that the issued token is intended to be used at the multiple
>       resources listed.“
>
> Can you please explain the rationale in more detail? I don’t understand why
> there is a need to ask for access tokens, which are good for multiple
> resources at once. This is a request type more or less exclusively used in
> server to server scenarios, right? So the only reason I can think of is
> call reduction.
>
> On the other side, this feature increases the AS's complexity, e.g. its
> policy may prohibit issuing tokens for multiple resources in general or
> the particular set the client is asking for. How shall the AS handle such
> cases?
>
> And it is getting even more complicated given there could also be multiple
> audience values and the client could mix them:
>
> "Multiple "audience" parameters
>       may be used to indicate that the issued token is intended to be
>       used at the multiple audiences listed.  The "audience" and
>       "resource" parameters may be used together to indicate multiple
>       target services with a mix of logical names and physical
>       locations.“
>
> And in the end the client may add some scope values to the „meal“, which
> brings us to
>
> „Effectively, the requested access rights of the
>    token are the cartesian product of all the scopes at all the target
>    services."
>
> I personally would suggest to drop support for multiple audience and
> resource parameters and make audience and resource mutually exclusive. I
> think this is sufficient and much easier to implement.
>
> kind regards,
> Torsten.
>
>
> On 11.01.2017 at 20:04, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary
> change in -07 is the addition of a description of the relationship between
> audience/resource/scope, which was a request or comment that came up during
> the f2f meeting in Seoul.
>
> Excerpted from the Document History:
>
>    -07
>
>    o  Fixed typo (desecration -> discretion).
>    o  Added an explanation of the relationship between scope, audience
>       and resource in the request and added an "invalid_target" error
>       code enabling the AS to tell the client that the requested
>       audiences/resources were too broad.
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Wed, Jan 11, 2017 at 12:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 Token Exchange
>         Authors         : Michael B. Jones
>                           Anthony Nadalin
>                           Brian Campbell
>                           John Bradley
>                           Chuck Mortimore
>         Filename        : draft-ietf-oauth-token-exchange-07.txt
>         Pages           : 31
>         Date            : 2017-01-11
>
> Abstract:
>    This specification defines a protocol for an HTTP- and JSON- based
>    Security Token Service (STS) by defining how to request and obtain
>    security tokens from OAuth 2.0 authorization servers, including
>    security tokens employing impersonation and delegation.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

--94eb2c0b7a2ef34e04054bb68cbf--
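Added example, not code from the token-exchange draft or from anyone in the thread above: the authorization-server side of the policy Brian describes. The AS accepts the draft's repeated "resource"/"audience" parameter syntax but answers with the draft's "invalid_target" error when it is unwilling to mint one token for several targets, and it narrows "scope" to what every named target permits instead of granting the cartesian product Torsten objects to. The parameter names (grant_type, resource, audience, scope, subject_token, subject_token_type) and the invalid_target error are from the draft; the allow-lists, the per-target scope table, the absolute-URI check and the single-target rule are my assumptions about one possible AS policy, not requirements of the draft.

```python
"""Added example (not from the draft or the thread): token-exchange request
validation on the AS side, with the "invalid_target" rejection path.

Assumptions: KNOWN_RESOURCES, KNOWN_AUDIENCES and SCOPES_BY_TARGET are
constructed sample policy; refusing multi-target requests is one possible
AS policy, which the draft's invalid_target error is meant to express.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed policy data; a real AS would load this from configuration.
KNOWN_RESOURCES = {"https://api.example.com/", "https://backend.example.com/"}
KNOWN_AUDIENCES = {"example-backend"}
# Scopes each target is willing to see in a token issued for it.
SCOPES_BY_TARGET = {
    "https://api.example.com/": {"read", "write"},
    "https://backend.example.com/": {"read"},
    "example-backend": {"read", "admin"},
}


def is_absolute_uri(value: str) -> bool:
    """"resource" values are absolute URIs without a fragment; reject others early."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


def validate_token_exchange(body: str, allow_multiple_targets: bool = False) -> dict:
    """Validate a form-encoded token-exchange request body.

    Returns {"ok": True, "targets": [...], "scope": "..."} when the AS would
    go on to mint a token, otherwise an RFC 6749-style {"error": ...} object.
    """
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != [TOKEN_EXCHANGE]:
        return {"error": "unsupported_grant_type"}
    if "subject_token" not in form or "subject_token_type" not in form:
        return {"error": "invalid_request",
                "error_description": "subject_token and subject_token_type are required"}

    resources = form.get("resource", [])
    audiences = form.get("audience", [])
    targets = resources + audiences
    if not targets:
        return {"error": "invalid_request",
                "error_description": "at least one resource or audience is required"}

    # The policy decision under discussion: this AS will not mint one token
    # that is good at several targets, and says so with invalid_target rather
    # than silently picking one target or issuing an over-broad token.
    if len(targets) > 1 and not allow_multiple_targets:
        return {"error": "invalid_target",
                "error_description": "only a single resource or audience per request"}

    for r in resources:
        if not is_absolute_uri(r):
            return {"error": "invalid_request",
                    "error_description": f"resource is not an absolute URI: {r}"}
        if r not in KNOWN_RESOURCES:
            return {"error": "invalid_target", "error_description": f"unknown resource: {r}"}
    for a in audiences:
        if a not in KNOWN_AUDIENCES:
            return {"error": "invalid_target", "error_description": f"unknown audience: {a}"}

    # Scope: intersect across targets so the token never carries a scope that
    # one of its audiences does not understand (no cartesian product).
    permitted = set.intersection(*(SCOPES_BY_TARGET[t] for t in targets))
    requested = set(form.get("scope", [""])[0].split())
    if requested - permitted:
        return {"error": "invalid_scope",
                "error_description": "scope not valid for every target: "
                + " ".join(sorted(requested - permitted))}
    granted = requested or permitted
    return {"ok": True, "targets": targets, "scope": " ".join(sorted(granted))}


def build_request(resources=(), audiences=(), scope="", subject_token="subj.jwt") -> str:
    """Constructed sample client request body: form-encoded, with the
    parameter repeated once per target as the draft's syntax allows."""
    pairs = [("grant_type", TOKEN_EXCHANGE),
             ("subject_token", subject_token),
             ("subject_token_type", ACCESS_TOKEN_TYPE)]
    pairs += [("resource", r) for r in resources]
    pairs += [("audience", a) for a in audiences]
    if scope:
        pairs.append(("scope", scope))
    return urlencode(pairs)


if __name__ == "__main__":
    two = build_request(resources=["https://api.example.com/",
                                   "https://backend.example.com/"], scope="read write")
    print(validate_token_exchange(two))                               # invalid_target
    print(validate_token_exchange(two, allow_multiple_targets=True))  # invalid_scope
    print(validate_token_exchange(build_request(resources=["https://api.example.com/"],
                                                scope="read write")))
```

With the default policy the two-resource request is refused with invalid_target before any target is even looked up; the same request under allow_multiple_targets=True gets past that gate but fails on scope, because "write" is not something backend.example.com would accept. Either outcome is the kind of deterministic, client-visible answer Brian's invalid_target addition is meant to make possible.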


From nobody Mon Mar 27 06:48:37 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFF712778E for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:48:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level: 
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv8XA4yR2Q_Q for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:48:32 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0121.outbound.protection.outlook.com [104.47.40.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9AF512940A for <oauth@ietf.org>; Mon, 27 Mar 2017 06:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fLPR3vp2otM55udD5q7ic+CNK3GM6ezLoWiyHEegALg=; b=H5ih+Cu+nQDSsJ6SJzBdBGNEuXBWgu/hCQ+JMNnJ/zaaD5cun/xTZnzgYvkmvXbD+kJ6we2B89SFrmiayeZ468pz+84qyKNHB75KrNcqVv/khF1g1hOQ3FPdFB8mU3Xb3x9kRMLrxINBfU4llaFqzUkwHlb+X58ie/k3mCVRpVw=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.0; Mon, 27 Mar 2017 13:48:30 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1019.002; Mon, 27 Mar 2017 13:48:30 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
Thread-Index: AQHSpmpvztgQVPNWLkiOErdrdaCr6qGos7OAgAAAu5A=
Date: Mon, 27 Mar 2017 13:48:30 +0000
Message-ID: <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com>
In-Reply-To: <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: pingidentity.com; dkim=none (message not signed) header.d=none;pingidentity.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:67c:370:128:6105:54cc:dfb6:784e]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:1r1x7hyecr9jZpuc+6STlMyXPkBwCXDqb4wk8aaD7fVsBbQds1PJC8CfrP+z9zAn7Uj2PsR7R511vlHDgjUGm8dpf0p/aFdaR6rTB50fwPSAO3zm33v/8kx38n8bxicEAyQBGuB7D6AJXEnu5xZ7cIBrQiT7jfQJn7fwrbwmJd9j4qFbZjqEkvfJ+x4mKpAabUAqcvC6ieN28ROjNs2IrMepTp8Yl5mfe8PkaWoA01dO98UlidZqObh4SR9UR6lRCL63sPpYv/rtu0lYPT7p/AYsoJbU6mQdtgyIejkH15O+NPTZOIDSMWEaeSOspfu0WZLwBJfUitv9RPOW/ySu2J4Th7Q9UJvJ0T6p8qFcRdE=
x-ms-office365-filtering-correlation-id: 60aaed87-7311-4290-c5f6-08d47517f407
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423045)(201703031133051);  SRVR:CY4PR21MB0502; 
x-microsoft-antispam-prvs: <CY4PR21MB0502B92E7686714F273D6346F5330@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(192374486261705)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040420)(601004)(2401047)(8121501046)(5005006)(10201501046)(93006021)(93001021)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123564025)(20161123555025)(201703131423045)(201702281528045)(201703011903045)(201703061421045)(20161123558025)(20161123562025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502; 
x-forefront-prvs: 02596AB7DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39450400003)(39860400002)(39410400002)(39840400002)(39400400002)(24454002)(22974007)(377424004)(51914003)(377454003)(77096006)(606005)(6506006)(6436002)(19609705001)(55016002)(10090500001)(99286003)(38730400002)(236005)(9686003)(54896002)(53936002)(14971765001)(7906003)(102836003)(122556002)(74316002)(8936002)(6116002)(790700001)(86362001)(3280700002)(10290500002)(6306002)(2950100002)(25786009)(189998001)(53546009)(81166006)(8676002)(230783001)(93886004)(33656002)(229853002)(2900100001)(3660700001)(5005710100001)(6246003)(7696004)(76176999)(50986999)(4326008)(2906002)(54356999)(5660300001)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050479DBD8A7AB6342682209F5330CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2017 13:48:30.2198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P2BWkYK91ocuatmMVHN4NMfJLG0>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 13:48:35 -0000

--_000_CY4PR21MB050479DBD8A7AB6342682209F5330CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_CY4PR21MB050479DBD8A7AB6342682209F5330CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050479DBD8A7AB6342682209F5330CY4PR21MB0504namp_--


From nobody Mon Mar 27 09:31:26 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E5FEB1267BB; Mon, 27 Mar 2017 09:31:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.48.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149063228392.30557.3815696692412964113@ietfa.amsl.com>
Date: Mon, 27 Mar 2017 09:31:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bBvmc1mi-mtdv3HHNS2w_UhUdUY>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 16:31:24 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Binding
        Authors         : Michael B. Jones
                          John Bradley
                          Brian Campbell
                          William Denniss
        Filename        : draft-ietf-oauth-token-binding-03.txt
        Pages           : 26
        Date            : 2017-03-27

Abstract:
   This specification enables OAuth 2.0 implementations to apply Token
   Binding to Access Tokens, Authorization Codes, and Refresh Tokens.
   This cryptographically binds these tokens to a client's Token Binding
   key pair, possession of which is proven on the TLS connections over
   which the tokens are intended to be used.  This use of Token Binding
   protects these tokens from man-in-the-middle and token export and
   replay attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-03
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
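
As an added illustration of the mechanism the abstract describes (example code, not from the draft or its authors): the AS writes base64url(SHA-256(Token Binding ID)) into the token's cnf.tbh member, and the resource server compares that value against the Token Binding ID its TLS layer has just proven possession of on the connection carrying the request, so a token exported from the client carries a valid signature but is refused on any connection bound to a different key. The example assumes the TLS or front-end layer has already validated the Sec-Token-Binding message and hands the application the Token Binding ID bytes; how that ID reaches the AS (the referred Token Binding ID in the draft's terms) is out of scope. HS256 with a shared key, the issuer and audience URLs, and the TokenBindingID byte strings are constructed for the example.

```python
"""Added example (not from the draft or its authors): binding an OAuth 2.0
access token to a Token Binding ID at the AS and checking the binding at the
resource server. Standard library only; HS256 with a shared key is used so
the example is self-contained."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as in JWS and for the tbh value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_binding_hash(token_binding_id: bytes) -> str:
    """tbh = base64url(SHA-256(Token Binding ID)): what the AS writes into cnf."""
    return b64url(hashlib.sha256(token_binding_id).digest())


def issue_access_token(key: bytes, subject: str, audience: str,
                       token_binding_id: bytes, now: int, lifetime: int = 600) -> str:
    """AS side: mint a compact JWS whose cnf.tbh commits to the Token Binding
    ID the client uses toward the resource server. How that ID reaches the AS
    (the referred Token Binding ID in the draft) is out of scope here."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://as.example",  # constructed issuer
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + lifetime,
        "cnf": {"tbh": token_binding_hash(token_binding_id)},
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_bound_token(key: bytes, token: str, audience: str,
                       presented_tb_id: bytes, now: int) -> dict:
    """RS side. presented_tb_id is the Provided Token Binding ID that the TLS
    layer has already validated for this connection (proof of possession of
    the Token Binding private key). A token exported from the legitimate
    client and replayed over a connection bound to some other key has a valid
    signature but fails the tbh comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    cnf = claims.get("cnf")
    tbh = cnf.get("tbh") if isinstance(cnf, dict) else None
    if not isinstance(tbh, str):
        raise ValueError("token is not token-bound")  # RS policy: refuse bearer use
    presented = token_binding_hash(presented_tb_id).encode("ascii")
    if not hmac.compare_digest(tbh.encode("ascii"), presented):
        raise ValueError("token bound to a different Token Binding ID")
    return claims


# Constructed sample data; TokenBindingID structures are treated as opaque bytes.
AS_KEY = b"constructed-key-shared-by-as-and-rs"
CLIENT_TB_ID = bytes([2, 0, 65]) + bytes(range(65))         # legitimate client's key
ATTACKER_TB_ID = bytes([2, 0, 65]) + bytes(range(65, 130))  # attacker's own TB key
RS_AUDIENCE = "https://rs.example"


def replay_rejected(now: int = 1490000000) -> bool:
    """An access token stolen from the client is useless on the attacker's
    TLS connection: valid signature, wrong Token Binding ID."""
    token = issue_access_token(AS_KEY, "alice", RS_AUDIENCE, CLIENT_TB_ID, now)
    verify_bound_token(AS_KEY, token, RS_AUDIENCE, CLIENT_TB_ID, now)  # legitimate use
    try:
        verify_bound_token(AS_KEY, token, RS_AUDIENCE, ATTACKER_TB_ID, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("replay rejected:", replay_rejected())
```

The comparison of tbh uses hmac.compare_digest so the check is constant-time, and a token without a cnf.tbh member is refused outright; a resource server that accepted such a token as a plain bearer token would lose the protection the draft is after.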


From nobody Mon Mar 27 09:33:08 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6D0A127B57 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 09:33:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iV5kv-pDvaJi for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 09:33:04 -0700 (PDT)
Received: from mail-pg0-x236.google.com (mail-pg0-x236.google.com [IPv6:2607:f8b0:400e:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB618124D6C for <oauth@ietf.org>; Mon, 27 Mar 2017 09:33:04 -0700 (PDT)
Received: by mail-pg0-x236.google.com with SMTP id 81so30548474pgh.2 for <oauth@ietf.org>; Mon, 27 Mar 2017 09:33:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=LtjUFO8vBHF85SbqmABlIN0rwbyUfTI2FjkfU7G6TQE=; b=KhG4U4at4nE4BaAuNMM+uqdSMgUxs4LdcX1CmENWMeIlud/fXy1b9sCIVM23zku9C2 /yRZJGlISGxmooGc7x320Qu/b6SyKvAqbcwbN0GAOI+RUSKPCQ2jZI9Sd1ipTaIhQuXt o47SX/Xt4anZMqT6/XG/WJtvanDoCGH75Wgz4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=LtjUFO8vBHF85SbqmABlIN0rwbyUfTI2FjkfU7G6TQE=; b=QAz7z0zzqeiKvTqwbJg7OK+A5Dxm4ihpgFUA5vWbgAF67JizDJ847VjT6KqB/ccnLY iYREz2aYIEShcziFcDndaDHnLevba5XilPP0uwgvIQMdH+X1CUvDk6M3MwpgSRd6pvdC 32J5RUA2Ow8YGC7PQN8/XlpVGeEmgggnii7zofRpJv6V3LfkxSUI+odaUr0XJPG/E//N XUQXGWx1rw2Kh8Vd62EJ9KRNljb5TmroiL8UEVTb/yeEPTcyimX1/+qjbfO+FIacyDjz uwkBRFl3PMkyCtumgoWdBR9n9WOJF2UUVBD8NQGcG8mDkfYKBkkvI4jkZoJE1h+gSZeL uFsw==
X-Gm-Message-State: AFeK/H0b+0WBWGK3Y8pNd/5Wcac9mTmTt11etowyWV1PqZDQTOjKvq3xxRAKfC+omUzwL0xVT1v/YZ1NBXxxoq0V
X-Received: by 10.98.159.82 with SMTP id g79mr26526701pfe.189.1490632384059; Mon, 27 Mar 2017 09:33:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.170.138 with HTTP; Mon, 27 Mar 2017 09:32:33 -0700 (PDT)
In-Reply-To: <149063228392.30557.3815696692412964113@ietfa.amsl.com>
References: <149063228392.30557.3815696692412964113@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 27 Mar 2017 11:32:33 -0500
Message-ID: <CA+k3eCTG7RB6SD8756FpHm30DOJgRgWUko7Dtv1y6L_GhnxiKA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c0a542ebe378d054bb8e5c9
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eUDxIdhJOkj5TjE9Tvf21QVh72E>
Subject: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-token-binding-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 16:33:07 -0000

--94eb2c0a542ebe378d054bb8e5c9
Content-Type: text/plain; charset=UTF-8

-03 only fixes a few mistakes in and around the examples that I noticed
preparing the slides for the IETF 98 Chicago meeting.

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Mon, Mar 27, 2017 at 11:31 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-03.txt
To: i-d-announce@ietf.org
Cc: oauth@ietf.org



A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Binding
        Authors         : Michael B. Jones
                          John Bradley
                          Brian Campbell
                          William Denniss
        Filename        : draft-ietf-oauth-token-binding-03.txt
        Pages           : 26
        Date            : 2017-03-27

Abstract:
   This specification enables OAuth 2.0 implementations to apply Token
   Binding to Access Tokens, Authorization Codes, and Refresh Tokens.
   This cryptographically binds these tokens to a client's Token Binding
   key pair, possession of which is proven on the TLS connections over
   which the tokens are intended to be used.  This use of Token Binding
   protects these tokens from man-in-the-middle and token export and
   replay attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-binding-03
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--94eb2c0a542ebe378d054bb8e5c9--


From nobody Mon Mar 27 09:35:50 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8E212947C for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 09:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level: 
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rl_EjxYxdOfR for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 09:35:36 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82B17128708 for <oauth@ietf.org>; Mon, 27 Mar 2017 09:35:32 -0700 (PDT)
Received: from [212.202.243.194] (helo=[10.1.90.22]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1csXc9-0002TI-8H; Mon, 27 Mar 2017 18:35:30 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <30B37ED3-6E3B-4739-9917-BDEC198CA027@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_02533810-B69E-4BFB-B3DE-B4EA1E12ABAB"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 27 Mar 2017 11:35:26 -0500
In-Reply-To: <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
To: Mike Jones <Michael.Jones@microsoft.com>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com> <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/E03FO_pgibxzlV6uVluJqDci0sY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 16:35:48 -0000

--Apple-Mail=_02533810-B69E-4BFB-B3DE-B4EA1E12ABAB
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_32FC0180-E6C0-4D23-97E2-A89A6BC27347"


--Apple-Mail=_32FC0180-E6C0-4D23-97E2-A89A6BC27347
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

May I ask you to explain this reason?

> On 27.03.2017 at 08:48, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> For the same reason that the “aud” claim is multi-valued in JWTs, the audience needs to stay multi-valued in Token Exchange.  Ditto for resources.
>
>                                                        Thanks,
>                                                        -- Mike
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Monday, March 27, 2017 8:45 AM
> To: Torsten Lodderstedt <torsten@lodderstedt.net>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
>
> Thanks for the review and question, Torsten.
>
> The desire to support multiple audience/resource values in the request came up during a review and discussion among the authors of the document when preparing the -03 draft. As I recall, it was said that both Salesforce and Microsoft had use-cases for it. I incorporated support for it into the draft acting in the role of editor.
>
> From an individual perspective, I tend to agree with you that allowing for multiple audiences/resources adds a lot of complexity that's likely not needed in many (or most) cases. And I would personally be open to making audience and resource mutually exclusive and single-valued. A question for the WG I suppose.
>
> The "invalid_target" error code that was added in -07 was intended to give the AS a standard way to deal with the complexity and reject requests with multiple audiences/resources that it doesn't understand or is unwilling or unable to process. It was intended as a compromise, of sorts, to allow for the multiples but provide an easy out of saying it can't be supported based on whatever implementation or policy of the AS.
>
> On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi Brian,
>
> thanks for the clarification around resource, audience and scope.
>
> Here are my comments on the draft:
>
> In section 2.1 it states: „Multiple "resource" parameters may be used to indicate
>       that the issued token is intended to be used at the multiple
>       resources listed.“
>
> Can you please explain the rationale in more detail? I don’t understand why there is a need to ask for access tokens, which are good for multiple resources at once. This is a request type more or less exclusively used in server-to-server scenarios, right? So the only reason I can think of is call reduction.
>
> On the other side, this feature increases the AS's complexity, e.g. its policy may prohibit issuing tokens for multiple resources in general or for the particular set the client is asking for. How shall the AS handle such cases?
>
> And it is getting even more complicated given there could also be multiple audience values and the client could mix them:
>
> "Multiple "audience" parameters
>       may be used to indicate that the issued token is intended to be
>       used at the multiple audiences listed.  The "audience" and
>       "resource" parameters may be used together to indicate multiple
>       target services with a mix of logical names and physical
>       locations.“
>
> And in the end the client may add some scope values to the „meal“, which brings us to
>
> „Effectively, the requested access rights of the
>    token are the cartesian product of all the scopes at all the target
>    services."
>
> I personally would suggest dropping support for multiple audience and resource parameters and making audience and resource mutually exclusive. I think this is sufficient and much easier to implement.
>
> kind regards,
> Torsten.
>
>
> On 11.01.2017 at 20:04, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary change in -07 is the addition of a description of the relationship between audience/resource/scope, which was a request or comment that came up during the f2f meeting in Seoul.
>
> Excerpted from the Document History:
>
>    -07
>
>    o  Fixed typo (desecration -> discretion).
>    o  Added an explanation of the relationship between scope, audience
>       and resource in the request and added an "invalid_target" error
>       code enabling the AS to tell the client that the requested
>       audiences/resources were too broad.
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Wed, Jan 11, 2017 at 12:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 Token Exchange
>         Authors         : Michael B. Jones
>                           Anthony Nadalin
>                           Brian Campbell
>                           John Bradley
>                           Chuck Mortimore
>         Filename        : draft-ietf-oauth-token-exchange-07.txt
>         Pages           : 31
>         Date            : 2017-01-11
>
> Abstract:
>    This specification defines a protocol for an HTTP- and JSON- based
>    Security Token Service (STS) by defining how to request and obtain
>    security tokens from OAuth 2.0 authorization servers, including
>    security tokens employing impersonation and delegation.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>
> There's also an htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


--Apple-Mail=_32FC0180-E6C0-4D23-97E2-A89A6BC27347
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">May I ask you to explain this reason?<div class=3D""><br =
class=3D""><div><blockquote type=3D"cite" class=3D""><div class=3D"">Am =
27.03.2017 um 08:48 schrieb Mike Jones &lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com" =
class=3D"">Michael.Jones@microsoft.com</a>&gt;:</div><br =
class=3D"Apple-interchange-newline"><div class=3D"">


<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple" class=3D"">
<div class=3D"WordSection1"><p class=3D"MsoNormal"><span =
style=3D"color:#002060" class=3D"">For the same reason that the =
=E2=80=9Caud=E2=80=9D claim is multi-valued in JWTs, the audience needs =
to stay multi-valued in Token Exchange.&nbsp; Ditto for resources.<o:p =
class=3D""></o:p></span></p><p class=3D"MsoNormal"><span =
style=3D"color:#002060" class=3D""><o:p =
class=3D"">&nbsp;</o:p></span></p><p class=3D"MsoNormal"><span =
style=3D"color:#002060" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks,<o:p =
class=3D""></o:p></span></p><p class=3D"MsoNormal"><span =
style=3D"color:#002060" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<o:p =
class=3D""></o:p></span></p><p class=3D"MsoNormal"><a =
name=3D"_MailEndCompose" class=3D""><span style=3D"color:#002060" =
class=3D""><o:p class=3D"">&nbsp;</o:p></span></a></p>
<span style=3D"mso-bookmark:_MailEndCompose" class=3D""></span><p =
class=3D"MsoNormal"><b class=3D"">From:</b> OAuth [<a =
href=3D"mailto:oauth-bounces@ietf.org" =
class=3D"">mailto:oauth-bounces@ietf.org</a>] <b class=3D"">On Behalf Of
</b>Brian Campbell<br class=3D"">
<b class=3D"">Sent:</b> Monday, March 27, 2017 8:45 AM<br class=3D"">
<b class=3D"">To:</b> Torsten Lodderstedt &lt;<a =
href=3D"mailto:torsten@lodderstedt.net" =
class=3D"">torsten@lodderstedt.net</a>&gt;<br class=3D"">
<b class=3D"">Cc:</b> oauth &lt;<a href=3D"mailto:oauth@ietf.org" =
class=3D"">oauth@ietf.org</a>&gt;<br class=3D"">
<b class=3D"">Subject:</b> Re: [OAUTH-WG] I-D Action: =
draft-ietf-oauth-token-exchange-07.txt<o:p class=3D""></o:p></p><p =
class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
<div class=3D"">
<div class=3D"">
<div class=3D""><p class=3D"MsoNormal" =
style=3D"margin-bottom:12.0pt">Thanks for the review and question, =
Torsten.
<o:p class=3D""></o:p></p>
</div><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">The desire =
to support multiple audience/resource values in the request came up =
during a review and discussion among the authors of the document when =
preparing the -03 draft. As I recall, it was said that both
 Salesforce and Microsoft had use-cases for it. I incorporated support =
for it into the draft acting in the role of editor.<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">=46r=
om an individual perspective, I tend to agree with you that allowing for =
multiple audiences/resources adds a lot of complexity that's like not =
needed in many (or most) cases. And I would personally be open
 to making audience and resource mutual exclusive and single valued. A =
question for the WG I suppose.<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">The "invalid_target" error code =
that was added in -07 was intended to give the AS a standard way to deal =
with the complexity and reject request with multiple audiences/resources =
that it doesn't understand or is unwilling or unable to process.
 It was intended as a compromise, of sorts, to allow for the multiples =
but provide an easy out of saying it can't be supported based on =
whatever implementation or policy of the AS.
<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; <o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p=
 class=3D"">&nbsp;</o:p></p>
</div>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
<div class=3D""><p class=3D"MsoNormal">On Sun, Mar 26, 2017 at 9:00 AM, =
Torsten Lodderstedt &lt;<a href=3D"mailto:torsten@lodderstedt.net" =
target=3D"_blank" class=3D"">torsten@lodderstedt.net</a>&gt; wrote:<o:p =
class=3D""></o:p></p>
<blockquote style=3D"border:none;border-left:solid #CCCCCC =
1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" =
class=3D"">
<div class=3D""><p class=3D"MsoNormal">Hi Brian,<o:p class=3D""></o:p></p>=

<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">thanks for the clarification =
around resource, audience and scope.&nbsp;<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D"">
<div class=3D""><p class=3D"MsoNormal">Here are my comments on the =
draft:<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">In section 2.1 it states: =
=E2=80=9EMultiple "resource" parameters may be used to indicate<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; that the =
issued token is intended to be used at the multiple<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; resources =
listed.=E2=80=9C<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">Can you please explain the =
rational in more detail? I don=E2=80=99t understand why there is a need =
to ask for access tokens, which are good for multiple resources at once. =
This is a request type more or less exclusively used in server to server
 scenarios, right? So the only reason I can think of is call =
reduction.&nbsp;<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">On the other side, this feature =
increases the AS's complexity, e.g. its policy may prohibit to issue =
tokens for multiple resources in general or the particular set the =
client is asking for. How shall the AS handles such cases?<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">And it is getting even more =
complicated given there could also be multiple audience values and the =
client could mix them:&nbsp;<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">"Multiple "audience" =
parameters<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; may be used =
to indicate that the issued token is intended to be<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; used at the =
multiple audiences listed.&nbsp; The "audience" and<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; "resource" =
parameters may be used together to indicate multiple<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; target =
services with a mix of logical names and physical<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp; &nbsp; =
locations.=E2=80=9C<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">And in the end the client may add =
some scope values to the =E2=80=9Emeal=E2=80=9C, which brings us =
to&nbsp;<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">=E2=80=9EEffectively, the =
requested access rights of the<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp;token are the =
cartesian product of all the scopes at all the target<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">&nbsp; &nbsp;services."<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">I personally would suggest =
dropping support for multiple audience and resource parameters and =
making audience and resource mutually exclusive. I think this is =
sufficient and much easier to implement.<o:p class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">kind regards,<o:p =
class=3D""></o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal">Torsten.<o:p class=3D""></o:p></p>
</div>
<div class=3D"">
<div class=3D"">
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
<div class=3D""><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
<div class=3D"">
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt" class=3D"">
<div class=3D""><p class=3D"MsoNormal">On 11.01.2017 at 20:04, Brian =
Campbell &lt;<a href=3D"mailto:bcampbell@pingidentity.com" =
target=3D"_blank" class=3D"">bcampbell@pingidentity.com</a>&gt; =
wrote:<o:p class=3D""></o:p></p>
</div><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
<div class=3D"">
<div class=3D""><p class=3D"MsoNormal" =
style=3D"margin-bottom:12.0pt">Draft -07 of "OAuth 2.0 <span =
class=3D"m-945284380411239355m6317541698219329431gmail-il">
Token</span> <span =
class=3D"m-945284380411239355m6317541698219329431gmail-il">Exchange</span>=
" has been published. The primary change in -07 is the addition of a =
description of the relationship between audience/resource/scope, which =
was a request or comment that
 came up during the f2f meeting in Seoul. <br class=3D"">
<br class=3D"">
Excerpted from the Document History:<br class=3D"">
<br class=3D"">
&nbsp;&nbsp; -07<br class=3D"">
<br class=3D"">
&nbsp;&nbsp; o&nbsp; Fixed typo (desecration -&gt; discretion).<br =
class=3D"">
&nbsp;&nbsp; o&nbsp; Added an explanation of the relationship between =
scope, audience<br class=3D"">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and resource in the request and added an =
"invalid_target" error<br class=3D"">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; code enabling the AS to tell the client =
that the requested<br class=3D"">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; audiences/resources were too broad.<br =
class=3D"">
<br class=3D"">
<o:p class=3D""></o:p></p>
<div class=3D""><p class=3D"MsoNormal">---------- Forwarded message =
----------<br class=3D"">
From: &lt;<a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank" =
class=3D"">internet-drafts@ietf.org</a>&gt;<br class=3D"">
Date: Wed, Jan 11, 2017 at 12:00 PM<br class=3D"">
Subject: [OAUTH-WG] I-D Action: =
draft-ietf-oauth-token-exchange-07.txt<br class=3D"">
To: <a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank" =
class=3D"">i-d-announce@ietf.org</a><br class=3D"">
Cc: <a href=3D"mailto:oauth@ietf.org" target=3D"_blank" =
class=3D"">oauth@ietf.org</a><br class=3D"">
<br class=3D"">
<br class=3D"">
<br class=3D"">
A New Internet-Draft is available from the on-line Internet-Drafts =
directories.<br class=3D"">
This draft is a work item of the Web Authorization Protocol of the =
IETF.<br class=3D"">
<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; Title&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;: OAuth 2.0 Token Exchange<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; Authors&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;: =
Michael B. Jones<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; Anthony Nadalin<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; Brian Campbell<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; John Bradley<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; Chuck Mortimore<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; Filename&nbsp; &nbsp; &nbsp; &nbsp; : =
draft-ietf-oauth-token-exchange-07.txt<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; Pages&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;: 31<br class=3D"">
&nbsp; &nbsp; &nbsp; &nbsp; Date&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; : 2017-01-11<br class=3D"">
<br class=3D"">
Abstract:<br class=3D"">
&nbsp; &nbsp;This specification defines a protocol for an HTTP- and =
JSON- based<br class=3D"">
&nbsp; &nbsp;Security Token Service (STS) by defining how to request and =
obtain<br class=3D"">
&nbsp; &nbsp;security tokens from OAuth 2.0 authorization servers, =
including<br class=3D"">
&nbsp; &nbsp;security tokens employing impersonation and delegation.<br =
class=3D"">
<br class=3D"">
<br class=3D"">
The IETF datatracker status page for this draft is:<br class=3D"">
<a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/"=
 target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchang=
e/</a><br class=3D"">
<br class=3D"">
There's also a htmlized version available at:<br class=3D"">
<a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07"=
 target=3D"_blank" =
class=3D"">https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07<=
/a><br class=3D"">
<br class=3D"">
A diff from the previous version is available at:<br class=3D"">
<a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-token-exchang=
e-07" target=3D"_blank" =
class=3D"">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-token-exch=
ange-07</a><br class=3D"">
<br class=3D"">
<br class=3D"">
Please note that it may take a couple of minutes from the time of =
submission<br class=3D"">
until the htmlized version and diff are available at <a =
href=3D"http://tools.ietf.org/" target=3D"_blank" class=3D"">
tools.ietf.org</a>.<br class=3D"">
<br class=3D"">
Internet-Drafts are also available by anonymous FTP at:<br class=3D"">
<a href=3D"ftp://ftp.ietf.org/internet-drafts/" target=3D"_blank" =
class=3D"">ftp://ftp.ietf.org/internet-drafts/</a><br class=3D"">
<br class=3D"">
_______________________________________________<br class=3D"">
OAuth mailing list<br class=3D"">
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a><br class=3D"">
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a><o:p =
class=3D""></o:p></p>
</div><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
</div>
</blockquote>
</div><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p>
</div>
</div>
</div>

</div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_32FC0180-E6C0-4D23-97E2-A89A6BC27347--

--Apple-Mail=_02533810-B69E-4BFB-B3DE-B4EA1E12ABAB--
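Torsten's question of how an AS should handle several resource/audience parameters, and the -07 "invalid_target" error Brian mentions, as an added Python example that is not from the draft, the thread or any implementation: the AS collects the repeated parameters, forms the cartesian product of scopes and targets the draft describes, and refuses with invalid_target when its policy does not cover every pair. The policy table, client ids and target names are constructed assumptions.

```python
"""Added example, not code from the draft or from any author on this thread:
an authorization server (AS) side check for a token exchange request that
carries several "resource" and/or "audience" parameters together with
"scope", answering with the draft's "invalid_target" error when the
requested targets are broader than policy allows.  The policy table,
client ids and target names are constructed for illustration."""
from itertools import product
from urllib.parse import parse_qsl, urlsplit

# Constructed policy: for each client, the (target, scope) pairs the AS is
# willing to put into one token, and whether one token may span targets.
POLICY = {
    "client-a": {
        "allow_multiple_targets": True,
        "grants": {
            ("https://api.example.com/photos", "read"),
            ("https://api.example.com/photos", "write"),
            ("backend-service", "read"),
        },
    },
    "client-b": {
        "allow_multiple_targets": False,
        "grants": {("https://api.example.com/photos", "read")},
    },
}


def valid_resource(uri):
    """'resource' values are absolute URIs without a fragment; a logical
    name belongs in 'audience' instead."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


def permitted(target, scope, grants):
    """A requested (target, scope) pair is covered by an identical grant;
    a request without scope ('') only needs the target to be known."""
    if scope == "":
        return any(t == target for t, _ in grants)
    return (target, scope) in grants


def evaluate_targets(client_id, body):
    """Decide what an AS may issue for a token exchange request body
    (application/x-www-form-urlencoded).  Returns an OAuth error object or
    the effective audience list, scope string and (target, scope) rights."""
    params = parse_qsl(body, keep_blank_values=True)
    resources = [v for k, v in params if k == "resource"]
    audiences = [v for k, v in params if k == "audience"]
    scope_str = " ".join(v for k, v in params if k == "scope")
    scopes = scope_str.split() or [""]  # '' marks an unscoped request

    for r in resources:
        if not valid_resource(r):
            return {"error": "invalid_request",
                    "error_description": f"resource is not an absolute URI without fragment: {r}"}

    # Physical locations (resource) and logical names (audience) are both
    # targets of the token; duplicates collapse so the product below is
    # not inflated.
    targets = list(dict.fromkeys(resources + audiences))
    if not targets:
        return {"error": "invalid_request",
                "error_description": "no resource or audience given"}

    policy = POLICY.get(client_id)
    if policy is None:
        return {"error": "invalid_client", "error_description": "unknown client"}
    if len(targets) > 1 and not policy["allow_multiple_targets"]:
        return {"error": "invalid_target",
                "error_description": "this client may not request several targets in one token"}

    # The draft's reading of the request: rights = scopes x targets.
    requested = set(product(targets, scopes))
    too_broad = sorted(f"{t}:{s or '*'}" for t, s in requested
                       if not permitted(t, s, policy["grants"]))
    if too_broad:
        return {"error": "invalid_target",
                "error_description": "not permitted: " + ", ".join(too_broad)}

    return {"aud": targets, "scope": scope_str, "rights": sorted(requested)}


if __name__ == "__main__":
    body = ("grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
            "&resource=https://api.example.com/photos"
            "&audience=backend-service&scope=read%20write")
    print(evaluate_targets("client-a", body))
```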


From nobody Mon Mar 27 09:59:07 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 97EAE1293E8; Mon, 27 Mar 2017 09:59:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.48.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149063394057.30587.10922557272422571533@ietfa.amsl.com>
Date: Mon, 27 Mar 2017 09:59:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uy2skIlWX9o38zMxUkt0QEH8GZg>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 16:59:01 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth Security Topics
        Authors         : Torsten Lodderstedt
                          John Bradley
                          Andrey Labunets
	Filename        : draft-ietf-oauth-security-topics-00.txt
	Pages           : 15
	Date            : 2017-03-12

Abstract:
   This draft gives a comprehensive overview on open OAuth security
   topics.  It is intended to serve as a working document for the OAuth
   working group to systematically capture and discuss these security
   topics and respective mitigations and eventually recommend best
   current practice and also OAuth extensions needed to cope with the
   respective security threats.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-00
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Mar 27 13:18:24 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CC66129627; Mon, 27 Mar 2017 13:18:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.48.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149064590354.30646.10744204381966843303@ietfa.amsl.com>
Date: Mon, 27 Mar 2017 13:18:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/elx7wCI-_7bxKRrvjyS6EULpv7g>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 20:18:24 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth Security Topics
        Authors         : Torsten Lodderstedt
                          John Bradley
                          Andrey Labunets
	Filename        : draft-ietf-oauth-security-topics-01.txt
	Pages           : 15
	Date            : 2017-03-27

Abstract:
   This draft gives a comprehensive overview on open OAuth security
   topics.  It is intended to serve as a working document for the OAuth
   working group to systematically capture and discuss these security
   topics and respective mitigations and eventually recommend best
   current practice and also OAuth extensions needed to cope with the
   respective security threats.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-01
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Mar 27 14:52:51 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C04F127A91 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 14:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level: 
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tpvcccEaqq3a for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 14:52:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BF19126D05 for <oauth@ietf.org>; Mon, 27 Mar 2017 14:52:48 -0700 (PDT)
X-AuditID: 1209190e-8f3ff7000000626d-e0-58d989aef564
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id D7.58.25197.EA989D85; Mon, 27 Mar 2017 17:52:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v2RLqjW8024742; Mon, 27 Mar 2017 17:52:45 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2RLqfK0004558 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 27 Mar 2017 17:52:44 -0400
Date: Mon, 27 Mar 2017 16:52:41 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Denis <denis.ietf@free.fr>
Cc: Nat Sakimura <sakimura@gmail.com>, oauth@ietf.org
Message-ID: <20170327215240.GI30306@kduck.kaduk.org>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com> <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr> <CABzCy2BFC5KaFpoEfDfMaU2cr6CJT+53Gkghmzjk75qzW+KKyA@mail.gmail.com> <4339d9a5-f886-bd75-7b2a-c714b0c9321f@free.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4339d9a5-f886-bd75-7b2a-c714b0c9321f@free.fr>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dSC2RoTxfbVBlneb3J8M3EEEXRo>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 21:52:50 -0000

On Mon, Mar 27, 2017 at 03:08:39PM +0200, Denis wrote:
> Hi Nat,
> > HI.
> >
> > As pointed out in saag, the OAuth WG is not dealing with ABC attack. 
> > It is out of scope for now at least.
> 
> A threat along the lines of the ABC attack is not mentioned in RFC 6819: OAuth 2.0
> Threat Model and Security Considerations (2013).
> Hence, nobody attempted to find a solution ... for a threat that had not
> been identified.
> 
> draft-ietf-oauth-token-binding-02 is a document from the OAuth WG. Since
> this threat has not been identified in RFC 6813,
> it does not contain any proposal to counter that threat. However, this
> threat is now identified. Should this threat be addressed
> by sticking our heads in the sand?

I am not sure that everyone in this conversation agrees on the same
definition of "threat model" that is in use.  The definition that I
am using involves choosing a specific set of attacker capabilities
to attempt to counter, and explicitly does not include considering
an all-powerful attacker or considering all conceivable potential
"threats".  That is to say, the discovery of a new potential threat
need not necessitate a modification to the threat model, as the new
threat may require an attacker capability against which we are not
trying to defend.

-Ben

> A basic property of the current Token Binding mechanisms being developed 
> both by the OAuth WG and the Token Binding WG
> is that a specific piece of software voluntarily installed by a client 
> can export any token and perform all the needed computations
> so that any token can successfully be used by another client. It is NOT 
> the replay of a token, since the token is not used at any
> time by the legitimate owner, but is used by an illegitimate user.
> 


From nobody Mon Mar 27 15:08:11 2017
Return-Path: <n-sakimura@nri.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0339A124D68 for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 15:08:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiA-cP-H5RZz for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 15:08:06 -0700 (PDT)
Received: from nrifs03.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBC2126BFD for <oauth@ietf.org>; Mon, 27 Mar 2017 15:08:06 -0700 (PDT)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs03.index.or.jp (Postfix) with ESMTP id 4001217EA44 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:05 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id DE7784E0046 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:04 +0900 (JST)
Received: from nriea02.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id v2RM84ZR016301 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:04 +0900
Received: from nrims00a.nri.co.jp ([192.50.135.11]) by nriea02.index.or.jp with ESMTP id v2RM846J016298 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:04 +0900
Received: from nrims00a.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v2RM84WG044915; Tue, 28 Mar 2017 07:08:04 +0900
Received: (from mailnull@localhost) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id v2RM84QT044914; Tue, 28 Mar 2017 07:08:04 +0900
X-Authentication-Warning: nrims00a.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf14.index.or.jp ([172.100.25.23]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v2RM848M044911 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:04 +0900
Received: from NatRZ4 (unknown [172.21.163.92]) by nrivpnfs02.index.or.jp (Postfix) with ESMTP id 359B358162 for <oauth@ietf.org>; Tue, 28 Mar 2017 07:08:03 +0900 (JST)
From: "Nat Sakimura" <n-sakimura@nri.co.jp>
To: <oauth@ietf.org>
References: <149064360264.30545.2285043198479818697.idtracker@ietfa.amsl.com>
In-Reply-To: <149064360264.30545.2285043198479818697.idtracker@ietfa.amsl.com>
Date: Mon, 27 Mar 2017 17:08:07 -0500
Message-ID: <00dc01d2a746$9dd818a0$d98849e0$@nri.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQEyrWEIUKplehIiOiYfXrJATYsqZ6LpMjCA
Content-Language: ja
X-MailAdviser: 20141126
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9fdQcSp89V54LJQyQEtGOEMSAW4>
Subject: [OAUTH-WG] FW: New Version Notification for draft-sakimura-oauth-jpop-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 22:08:09 -0000

FYI

-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: Monday, March 27, 2017 2:40 PM
To: Nat Sakimura <n-sakimura@nri.co.jp>; Kepeng Li <kepeng.lkp@alibaba-inc.com>; John Bradley <ve7jtb@ve7jtb.com>
Subject: New Version Notification for draft-sakimura-oauth-jpop-04.txt


A new version of I-D, draft-sakimura-oauth-jpop-04.txt has been successfully submitted by Nat Sakimura and posted to the IETF repository.

Name:		draft-sakimura-oauth-jpop
Revision:	04
Title:		The OAuth 2.0 Authorization Framework: JWT Pop Token Usage
Document date:	2017-03-27
Group:		Individual Submission
Pages:		14
URL:            https://www.ietf.org/internet-drafts/draft-sakimura-oauth-jpop-04.txt
Status:         https://datatracker.ietf.org/doc/draft-sakimura-oauth-jpop/
Htmlized:       https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04
Htmlized:       https://datatracker.ietf.org/doc/html/draft-sakimura-oauth-jpop-04
Diff:           https://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-jpop-04

Abstract:
   This specification describes how to use JWT POP (Jpop) tokens that
   were obtained through [POPKD] in HTTP requests to access OAuth 2.0
   protected resources.  Only the party in possession of the
   corresponding cryptographic key for the Jpop token can use it to get
   access to the associated resources unlike in the case of the bearer
   token described in [RFC6750] where any party in possession of the
   access token can access the resource.



Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



From nobody Mon Mar 27 15:26:32 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6E89126BFD for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 15:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level: 
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tswty0IQIktF for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 15:26:29 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 544C7129685 for <oauth@ietf.org>; Mon, 27 Mar 2017 15:26:29 -0700 (PDT)
X-AuditID: 12074425-343ff70000005c09-58-58d99193153a
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 35.3A.23561.39199D85; Mon, 27 Mar 2017 18:26:28 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v2RMQQ0Y030397; Mon, 27 Mar 2017 18:26:27 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2RMQNv3014280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 27 Mar 2017 18:26:26 -0400
Date: Mon, 27 Mar 2017 17:26:23 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Denis <denis.ietf@free.fr>
Cc: oauth@ietf.org
Message-ID: <20170327222622.GJ30306@kduck.kaduk.org>
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com> <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TaxRSiV0AXortm3X13dDT-5Qmr8>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 22:26:31 -0000

On Mon, Mar 27, 2017 at 10:46:41AM +0200, Denis wrote:
> You may however continue to progress this document as an individual 
> contribution.

[obligatory note that Denis is not in a position to grant or deny
permission to adopt the document as a WG document]

-Ben


From nobody Mon Mar 27 23:32:53 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD53A128B4E for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 23:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0ulsJpOn48t for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 23:32:48 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B3A6126BF6 for <oauth@ietf.org>; Mon, 27 Mar 2017 23:32:48 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id x35so56224143qtc.2 for <oauth@ietf.org>; Mon, 27 Mar 2017 23:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Sylfaai/WsOEk+lK7+QRtWba8M2o8vNRJhH6YL0u55A=; b=T9F9cwne3qxrbMGE9F9mGSBVaIaU+2X/g3CT8/90sGkAj7Jo4770bfDuOIBPWPSfzN yvOKbpsqQn2MxJtgHYtRhyCS4DkH7NuSRc3XKEEwVXoLSKC11CVAW5tUYVRwwppmjqcZ 6SYkvwQtpbLeuJLymb4DkIHiqEw9RvDUW9SXVUzlj/5Ycf9i1V4FGUgkQpw3wg3nO0kE 5zXojdn2D2/xyF3yREhH3kuJ+NcuHfCdc+W5Koo2x0lCf+2u65mqHOoW6U1ljYnTi7wF 7l0N7+7tPApRy93kzjyGtFfbh6k0zc5uG+VTALBTJyE9+qM7cMg1wzxEkEweFjQFQ+da 0uDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Sylfaai/WsOEk+lK7+QRtWba8M2o8vNRJhH6YL0u55A=; b=h5EpCETsYQ2yhZSYMX0UMeTpFlsgZ9wS6XHaA1V9R37vheo03qY6HkG4CXXxcnDxgP Z6BUMr25kf7RAq1GxPQgkYfUqUcyocve67i92TVINnMGWKvDdNcO3mcocgM4QpqT2IgR cdkBE6CirUV1Z1Y6IzBd7SWZ5qdnZS20gkKnWCREXvv5NrSbv442RJXyZsXu3jAdCl/K ljR+NnKgeT8DLnEdFAJtXFeP0IBY++uMXjRzWiSswj1IUG9HUsElkzmMIZ+P8w31NRqC XBy3ZxM/nptYKDyILpRtGLYDnv7LOxT5dKqliQU1yEbPPfZGmRKNXEpFF16W46kR5HNV dUlQ==
X-Gm-Message-State: AFeK/H1nSsmLxleqAALjsNGhgeClO+6X8C0lMBL4GYlmtRBFmYhgi2vyIJSaiuZ3ge7UA2abUVubQLOkY0Ur4w==
X-Received: by 10.200.43.85 with SMTP id 21mr23795643qtv.81.1490682766972; Mon, 27 Mar 2017 23:32:46 -0700 (PDT)
MIME-Version: 1.0
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com> <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com> <30B37ED3-6E3B-4739-9917-BDEC198CA027@lodderstedt.net>
In-Reply-To: <30B37ED3-6E3B-4739-9917-BDEC198CA027@lodderstedt.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 28 Mar 2017 06:32:36 +0000
Message-ID: <CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a114087f0cc7705054bc4a0fc
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dm54GeIK7LxWWnItOCvV8VW8WRE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 06:32:51 -0000

--001a114087f0cc7705054bc4a0fc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are cases where tokens are supposed to be consumed at multiple places
and the `aud` needs to capture them. That's why `aud` is a multi-valued
field.

On Mon, Mar 27, 2017 at 11:35 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> May I ask you to explain this reason?
>
> On 27.03.2017 at 08:48 Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> For the same reason that the “aud” claim is multi-valued in JWTs, the
> audience needs to stay multi-valued in Token Exchange.  Ditto for resources.
>
> Thanks,
> -- Mike
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of* Brian Campbell
> *Sent:* Monday, March 27, 2017 8:45 AM
> *To:* Torsten Lodderstedt <torsten@lodderstedt.net>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
>
> Thanks for the review and question, Torsten.
>
> The desire to support multiple audience/resource values in the request
> came up during a review and discussion among the authors of the document
> when preparing the -03 draft. As I recall, it was said that both Salesforce
> and Microsoft had use-cases for it. I incorporated support for it into the
> draft acting in the role of editor.
>
> From an individual perspective, I tend to agree with you that allowing for
> multiple audiences/resources adds a lot of complexity that's likely not
> needed in many (or most) cases. And I would personally be open to making
> audience and resource mutually exclusive and single valued. A question for
> the WG I suppose.
>
> The "invalid_target" error code that was added in -07 was intended to give
> the AS a standard way to deal with the complexity and reject requests with
> multiple audiences/resources that it doesn't understand or is unwilling or
> unable to process. It was intended as a compromise, of sorts, to allow for
> the multiples but provide an easy out of saying it can't be supported based
> on whatever implementation or policy of the AS.
>
> On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
> Hi Brian,
>
> thanks for the clarification around resource, audience and scope.
>
> Here are my comments on the draft:
>
> In section 2.1 it states: „Multiple "resource" parameters may be used to indicate
>       that the issued token is intended to be used at the multiple
>       resources listed.“
>
> Can you please explain the rationale in more detail? I don’t understand why
> there is a need to ask for access tokens, which are good for multiple
> resources at once. This is a request type more or less exclusively used in
> server to server scenarios, right? So the only reason I can think of is
> call reduction.
>
> On the other side, this feature increases the AS's complexity, e.g. its
> policy may prohibit issuing tokens for multiple resources in general or
> the particular set the client is asking for. How shall the AS handle such
> cases?
>
> And it is getting even more complicated given there could also be multiple
> audience values and the client could mix them:
>
> "Multiple "audience" parameters
>       may be used to indicate that the issued token is intended to be
>       used at the multiple audiences listed.  The "audience" and
>       "resource" parameters may be used together to indicate multiple
>       target services with a mix of logical names and physical
>       locations.“
>
> And in the end the client may add some scope values to the „meal“, which
> brings us to
>
> „Effectively, the requested access rights of the
>    token are the cartesian product of all the scopes at all the target
>    services."
>
> I personally would suggest dropping support for multiple audience and
> resource parameters and making audience and resource mutually exclusive. I
> think this is sufficient and much easier to implement.
>
> kind regards,
>
> Torsten.
>
> On 11.01.2017 at 20:04 Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary
> change in -07 is the addition of a description of the relationship between
> audience/resource/scope, which was a request or comment that came up during
> the f2f meeting in Seoul.
>
> Excerpted from the Document History:
>
>    -07
>
>    o  Fixed typo (desecration -> discretion).
>    o  Added an explanation of the relationship between scope, audience
>       and resource in the request and added an "invalid_target" error
>       code enabling the AS to tell the client that the requested
>       audiences/resources were too broad.
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Wed, Jan 11, 2017 at 12:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : OAuth 2.0 Token Exchange
>         Authors         : Michael B. Jones
>                           Anthony Nadalin
>                           Brian Campbell
>                           John Bradley
>                           Chuck Mortimore
>         Filename        : draft-ietf-oauth-token-exchange-07.txt
>         Pages           : 31
>         Date            : 2017-01-11
>
> Abstract:
>    This specification defines a protocol for an HTTP- and JSON- based
>    Security Token Service (STS) by defining how to request and obtain
>    security tokens from OAuth 2.0 authorization servers, including
>    security tokens employing impersonation and delegation.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
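An added example, not code from this thread or from the draft's authors, of the AS-side handling the messages above argue about: multiple `resource`/`audience` values are parsed from the request, an AS policy decides whether it will issue a token for that set of targets, a refusal is answered with the `invalid_target` error code added in -07, and an accepted request yields the multi-valued `aud` claim Mike and Nat refer to together with the "cartesian product" of scopes and targets that Torsten quotes. The policy keys, the sample targets and the absolute-URI check on `resource` are assumptions made for this example (the URI rule is taken from the draft's definition of the parameter, not from the thread).

```python
import json
from itertools import product
from urllib.parse import parse_qs, urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed policy for a hypothetical AS; the keys and the sample targets are
# assumptions made for this example, not anything the draft defines.
STRICT_POLICY = {
    "allow_multiple_targets": False,
    "known_resources": {"https://api.example.com/photos", "https://api.example.com/docs"},
    "known_audiences": {"photos-api", "docs-api"},
}
PERMISSIVE_POLICY = {**STRICT_POLICY, "allow_multiple_targets": True}


class InvalidTarget(Exception):
    """The AS will not issue a token for the requested audiences/resources."""


def parse_token_exchange_request(body: str) -> dict:
    """Parse a form-encoded token exchange request body.

    `resource` and `audience` may be repeated (draft-07 section 2.1), so both
    are kept as lists; `scope` is a single space-delimited parameter.
    """
    params = parse_qs(body)
    if params.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        raise ValueError("not a token exchange request")
    return {
        "resource": params.get("resource", []),
        "audience": params.get("audience", []),
        "scope": params.get("scope", [""])[0].split(),
    }


def _check_resource_uri(uri: str) -> None:
    # Assumed from the draft's definition of `resource` (not quoted in the
    # thread): an absolute URI that must not carry a fragment component.
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        raise InvalidTarget(f"resource is not an absolute URI without fragment: {uri}")


def resolve_targets(req: dict, policy: dict) -> list:
    """Return the target services the AS agrees to issue a token for.

    Raises InvalidTarget for a malformed resource URI, for unknown targets, or
    for several targets when policy allows only one: the "easy out" Brian
    describes for the invalid_target error code.
    """
    for uri in req["resource"]:
        _check_resource_uri(uri)
    # Logical names and physical locations may be mixed; dedupe, keep order.
    targets = list(dict.fromkeys(req["resource"] + req["audience"]))
    if not targets:
        raise InvalidTarget("no resource or audience requested")
    known = policy["known_resources"] | policy["known_audiences"]
    unknown = [t for t in targets if t not in known]
    if unknown:
        raise InvalidTarget("unknown target(s): " + ", ".join(unknown))
    if len(targets) > 1 and not policy["allow_multiple_targets"]:
        raise InvalidTarget("this AS issues tokens for a single target only")
    return targets


def aud_claim(targets: list):
    """JWT `aud`: a single string for one audience, an array for several
    (RFC 7519 section 4.1.3), the multi-valued field Mike and Nat refer to."""
    return targets[0] if len(targets) == 1 else list(targets)


def effective_rights(targets: list, scopes: list) -> set:
    """The draft's "cartesian product of all the scopes at all the target
    services": every requested scope applies at every target."""
    return set(product(targets, scopes))


def handle_request(body: str, policy: dict = STRICT_POLICY) -> dict:
    """Return the AS's JSON response body as a dict: either the claims that go
    into the issued token or the invalid_target error response."""
    req = parse_token_exchange_request(body)
    try:
        targets = resolve_targets(req, policy)
    except InvalidTarget as exc:
        return {"error": "invalid_target", "error_description": str(exc)}
    return {"aud": aud_claim(targets), "scope": " ".join(req["scope"])}


if __name__ == "__main__":
    # Constructed sample requests: one target, and a mix of a physical
    # location (resource) with a logical name (audience).
    single = (f"grant_type={TOKEN_EXCHANGE_GRANT}"
              "&resource=https://api.example.com/photos&scope=read+write")
    mixed = (f"grant_type={TOKEN_EXCHANGE_GRANT}"
             "&resource=https://api.example.com/photos&audience=docs-api&scope=read")
    for body, policy in ((single, STRICT_POLICY), (mixed, STRICT_POLICY),
                         (mixed, PERMISSIVE_POLICY)):
        print(json.dumps(handle_request(body, policy)))
```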


--001a114087f0cc7705054bc4a0fc--


From nobody Tue Mar 28 00:57:48 2017
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE871129439 for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 00:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level: 
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IRtJya3ZeHVa for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 00:57:42 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CED41129418 for <oauth@ietf.org>; Tue, 28 Mar 2017 00:57:41 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 989147803D9 for <oauth@ietf.org>; Tue, 28 Mar 2017 09:57:39 +0200 (CEST)
To: oauth@ietf.org
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com> <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com> <30B37ED3-6E3B-4739-9917-BDEC198CA027@lodderstedt.net> <CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <4dfac2ea-57e5-638f-537d-1bbda0172baf@free.fr>
Date: Tue, 28 Mar 2017 09:57:40 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------FDFEDD0C8A607067FC4DF855"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hZntE--EYlJiBG1q0ZRogxRn7VM>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 07:57:46 -0000

This is a multi-part message in MIME format.
--------------FDFEDD0C8A607067FC4DF855
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit


The 'aud' parameter can be multi-valued ... as long as it is advertised 
that there are advantages and drawbacks to doing so.

The advantage is that a single token can be consumed by more than one 
server.

The drawback is that one of these servers, depending on how the access 
token is protected, might be able to re-use
the token towards one of these other servers. This may be desirable in 
some cases, but not necessarily.

These advantages and drawbacks should be advertised in the main body of 
the document and/or in the security
considerations section.

According to the content of RFC 7800:

The "aud" (audience) claim identifies the recipients that the JWT is 
intended for.
The interpretation of audience values is application specific.


So the 'aud' parameter is not necessarily a "mix of logical names and 
physical locations".

If a fixed value is being used, e.g. a URL of the server, then the 
authorization server can easily know where the access tokens
will be used and thus is in a position to act as Big Brother. It is thus 
recommended to use a different value in the aud claims
for each access token that contains no semantics in it but that the 
resource server can easily recognize.

This should be advertised in a privacy considerations section.

Denis

> There are cases where tokens are supposed to be consumed at multiple 
> places and the `aud` needs to capture them. That's why `aud` is a 
> multi-valued field.
>
> On Mon, Mar 27, 2017 at 11:35 AM Torsten Lodderstedt 
> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>     May I ask you to explain this reason?
>
>>     On 27.03.2017 at 08:48, Mike Jones
>>     <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>>
>>     For the same reason that the “aud” claim is multi-valued in JWTs,
>>     the audience needs to stay multi-valued in Token Exchange.  Ditto
>>     for resources.
>>
>>     Thanks,
>>
>>     -- Mike
>>
>>     *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of
>>     *Brian Campbell
>>     *Sent:* Monday, March 27, 2017 8:45 AM
>>     *To:* Torsten Lodderstedt <torsten@lodderstedt.net
>>     <mailto:torsten@lodderstedt.net>>
>>     *Cc:* oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
>>     *Subject:* Re: [OAUTH-WG] I-D Action:
>>     draft-ietf-oauth-token-exchange-07.txt
>>
>>     Thanks for the review and question, Torsten.
>>
>>     The desire to support multiple audience/resource values in the
>>     request came up during a review and discussion among the authors
>>     of the document when preparing the -03 draft. As I recall, it was
>>     said that both Salesforce and Microsoft had use-cases for it. I
>>     incorporated support for it into the draft acting in the role of
>>     editor.
>>
>>     From an individual perspective, I tend to agree with you that
>>     allowing for multiple audiences/resources adds a lot of
>>     complexity that's likely not needed in many (or most) cases. And I
>>     would personally be open to making audience and resource mutually
>>     exclusive and single valued. A question for the WG I suppose.
>>
>>     The "invalid_target" error code that was added in -07 was
>>     intended to give the AS a standard way to deal with the
>>     complexity and reject requests with multiple audiences/resources
>>     that it doesn't understand or is unwilling or unable to process.
>>     It was intended as a compromise, of sorts, to allow for the
>>     multiples but provide an easy out of saying it can't be supported
>>     based on whatever implementation or policy of the AS.
>>
>>     On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt
>>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>         Hi Brian,
>>
>>         thanks for the clarification around resource, audience and
>>         scope.
>>
>>         Here are my comments on the draft:
>>
>>         In section 2.1 it states: „Multiple "resource" parameters may
>>         be used to indicate
>>
>>         that the issued token is intended to be used at the multiple
>>
>>         resources listed.“
>>
>>         Can you please explain the rationale in more detail? I don’t
>>         understand why there is a need to ask for access tokens,
>>         which are good for multiple resources at once. This is a
>>         request type more or less exclusively used in server to
>>         server scenarios, right? So the only reason I can think of is
>>         call reduction.
>>
>>         On the other side, this feature increases the AS's
>>         complexity, e.g. its policy may prohibit issuing tokens for
>>         multiple resources in general or the particular set the
>>         client is asking for. How shall the AS handle such cases?
>>
>>         And it is getting even more complicated given there could
>>         also be multiple audience values and the client could mix them:
>>
>>         "Multiple "audience" parameters
>>
>>         may be used to indicate that the issued token is intended to be
>>
>>         used at the multiple audiences listed.  The "audience" and
>>
>>         "resource" parameters may be used together to indicate multiple
>>
>>         target services with a mix of logical names and physical
>>
>>         locations.“
>>
>>         And in the end the client may add some scope values to the
>>         „meal“, which brings us to
>>
>>         „Effectively, the requested access rights of the
>>
>>          token are the cartesian product of all the scopes at all the
>>         target
>>
>>          services."
>>
>>         I personally would suggest to drop support for multiple
>>         audience and resource parameters and make audience and
>>         resource mutually exclusive. I think this is sufficient and
>>         much easier to implement.
>>
>>         kind regards,
>>
>>         Torsten.
>>
>>             On 11.01.2017 at 20:04, Brian Campbell
>>             <bcampbell@pingidentity.com
>>             <mailto:bcampbell@pingidentity.com>> wrote:
>>
>>             Draft -07 of "OAuth 2.0 Token Exchange" has been
>>             published. The primary change in -07 is the addition of a
>>             description of the relationship between
>>             audience/resource/scope, which was a request or comment
>>             that came up during the f2f meeting in Seoul.
>>
>>             Excerpted from the Document History:
>>
>>                -07
>>
>>                o  Fixed typo (desecration -> discretion).
>>                o  Added an explanation of the relationship between
>>             scope, audience
>>                   and resource in the request and added an
>>             "invalid_target" error
>>                   code enabling the AS to tell the client that the
>>             requested
>>             audiences/resources were too broad.
>>
>>             ---------- Forwarded message ----------
>>             From: <internet-drafts@ietf.org
>>             <mailto:internet-drafts@ietf.org>>
>>             Date: Wed, Jan 11, 2017 at 12:00 PM
>>             Subject: [OAUTH-WG] I-D Action:
>>             draft-ietf-oauth-token-exchange-07.txt
>>             To: i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>
>>             Cc: oauth@ietf.org <mailto:oauth@ietf.org>
>>
>>
>>
>>             A New Internet-Draft is available from the on-line
>>             Internet-Drafts directories.
>>             This draft is a work item of the Web Authorization
>>             Protocol of the IETF.
>>
>>                     Title    : OAuth 2.0 Token Exchange
>>                     Authors    : Michael B. Jones
>>                   Anthony Nadalin
>>                   Brian Campbell
>>                   John Bradley
>>                   Chuck Mortimore
>>                     Filename     : draft-ietf-oauth-token-exchange-07.txt
>>                     Pages    : 31
>>                     Date     : 2017-01-11
>>
>>             Abstract:
>>                This specification defines a protocol for an HTTP- and
>>             JSON- based
>>                Security Token Service (STS) by defining how to
>>             request and obtain
>>                security tokens from OAuth 2.0 authorization servers,
>>             including
>>                security tokens employing impersonation and delegation.
>>
>>
>>             The IETF datatracker status page for this draft is:
>>             https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>>
>>             There's also a htmlized version available at:
>>             https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>>
>>             A diff from the previous version is available at:
>>             https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>>
>>
>>             Please note that it may take a couple of minutes from the
>>             time of submission
>>             until the htmlized version and diff are available at
>>             tools.ietf.org <http://tools.ietf.org/>.
>>
>>             Internet-Drafts are also available by anonymous FTP at:
>>             ftp://ftp.ietf.org/internet-drafts/
>>
>>             _______________________________________________
>>             OAuth mailing list
>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/oauth
>>
>>             _______________________________________________
>>             OAuth mailing list
>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/oauth
>>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

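The points argued above (repeated audience/resource parameters, the "invalid_target" error, the cartesian product of scopes and targets, and the risk that one audience of a multi-valued `aud` replays a bearer token at another) as an added example. This is not code from the draft or from anyone in the thread; the policy class, function names, targets and key are all constructed for illustration, and a plain dict stands in for a signed JWT.

```python
"""Added example, not code from the token-exchange draft or from anyone in
this thread.  It models an authorization server (AS) deciding what to do with
repeated 'audience'/'resource' parameters in a token exchange request, and a
resource server (RS) checking the resulting multi-valued 'aud' claim.  Every
name below (TokenExchangePolicy, handle_token_exchange, verify_at_rs, ...) is
hypothetical, and a plain dict stands in for a signed JWT."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union
from urllib.parse import parse_qs
import hashlib
import hmac
import secrets


@dataclass
class TokenExchangePolicy:
    # Scopes the AS grants at each target (logical audience name or resource URI).
    allowed_scopes: Dict[str, frozenset]
    # Cap on distinct targets per token.  A token good for several targets can
    # be replayed by one of them at the others (the drawback raised in the
    # thread), so a conservative AS keeps this at 1.
    max_targets: int = 1


def parse_token_request(body: str) -> Dict[str, List[str]]:
    """Parse the x-www-form-urlencoded body, keeping repeated keys as lists."""
    return parse_qs(body, keep_blank_values=False)


def handle_token_exchange(form: Dict[str, List[str]],
                          policy: TokenExchangePolicy) -> dict:
    """Return an OAuth error response or the claims of the token to issue."""
    # 'audience' and 'resource' may each be repeated and may be mixed.
    targets = list(dict.fromkeys(form.get("audience", []) + form.get("resource", [])))
    if not targets:
        return {"error": "invalid_request"}
    # invalid_target (added in -07): the AS does not know these targets, or its
    # policy will not issue one token for this many of them.
    if (len(targets) > policy.max_targets
            or any(t not in policy.allowed_scopes for t in targets)):
        return {"error": "invalid_target"}
    scopes = form.get("scope", [""])[0].split()
    # The granted rights are the cartesian product of all scopes at all targets,
    # so every requested scope must be permitted at every target.
    if any(s not in policy.allowed_scopes[t] for s in scopes for t in targets):
        return {"error": "invalid_scope"}
    # RFC 7519 'aud': one string, or an array when there are several audiences.
    aud: Union[str, List[str]] = targets[0] if len(targets) == 1 else targets
    return {"aud": aud, "scope": " ".join(scopes), "jti": secrets.token_urlsafe(8)}


def audience_matches(claims: dict, rs_id: str) -> bool:
    """RFC 7519 audience check: 'aud' is a string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == rs_id
    return isinstance(aud, list) and rs_id in aud


def pop_proof(key: bytes, nonce: bytes) -> str:
    """Presenter side of a simplified RFC 7800 proof of possession: an HMAC over
    the RS's challenge nonce with the key that 'cnf' names (stand-in for a
    real signature)."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def verify_at_rs(claims: dict, rs_id: str, nonce: bytes, proof: Optional[str],
                 known_keys: Dict[str, bytes]) -> str:
    """Resource-server check.  A bearer token listing several audiences is
    accepted by each of them, which is what lets one audience replay it at
    another; a 'cnf' claim closes that gap because the replaying server does
    not hold the confirmed key."""
    if not audience_matches(claims, rs_id):
        return "wrong_audience"
    cnf = claims.get("cnf")
    if cnf is None:
        return "ok_bearer"          # accepted purely on possession of the token
    key = known_keys.get(cnf.get("kid", ""))
    if key is None or proof is None:
        return "pop_missing"
    if not hmac.compare_digest(pop_proof(key, nonce), proof):
        return "pop_failed"
    return "ok_pop"


if __name__ == "__main__":
    # Constructed request mixing one 'audience' and one 'resource' target.
    form = parse_token_request("audience=urn%3Aexample%3Abilling"
                               "&resource=https%3A%2F%2Fapi.example%2Fv1&scope=read")
    rules = {"urn:example:billing": frozenset({"read"}),
             "https://api.example/v1": frozenset({"read", "write"})}
    print(handle_token_exchange(form, TokenExchangePolicy(rules)))    # invalid_target
    token = handle_token_exchange(form, TokenExchangePolicy(rules, max_targets=2))
    print(verify_at_rs(token, "urn:example:billing", b"n1", None, {}))  # ok_bearer
    bound = dict(token, cnf={"kid": "k1"})  # sender-constrained copy of the token
    keys = {"k1": b"constructed-demo-key"}
    print(verify_at_rs(bound, "https://api.example/v1", b"n2",
                       pop_proof(keys["k1"], b"n2"), keys))            # ok_pop
```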


--------------FDFEDD0C8A607067FC4DF855
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix"><font face="Arial"><br>
        The 'aud' parameter can be multi-valued ... as long as it is
        advertised that there are advantages and drawbacks to doing so.<br>
        <br>
        The advantage is that a single token can be consumed by more
        than one server.<br>
        <br>
        The drawback is that one of these servers, depending on how the
        access token is protected, might be able to re-use <br>
        the token towards one of these other servers. This may be
        desirable in some cases, but not necessarily.<br>
        <br>
        These advantages and drawbacks should be advertised in the main
        body of the document and/or in the security <br>
        considerations section.<br>
        <br>
      </font>
      <p class="MsoNormal gmail_msg" style="margin-top:6.0pt"><font
          face="Arial"><span class="gmail_msg" lang="EN-US">According to
            the content of RFC 7800:</span></font></p>
      <font face="Arial"> </font>
      <p class="MsoNormal gmail_msg"
style="margin-top:6.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:27.0pt;margin-bottom:.0001pt"><font
          face="Arial"><span class="gmail_msg" lang="EN-US">The "aud"
            (audience) claim identifies the recipients that the JWT is
            intended for. <br>
            The interpretation of audience values is application
            specific.</span></font></p>
      <font face="Arial"><br>
        So the 'aud' parameter is not necessarily a "mix of logical
        names and physical locations".<br>
        <br>
        <font class="gmail_msg"><span class="gmail_msg" lang="EN-US">If
            a fixed value is being used, e.g. a URL of the server, then
            the authorization server can easily know where the access
            tokens <br>
            will be used and thus is in a position to act as Big
            Brother. It is thus recommended to use a different value in
            the aud claims <br>
            for each access token that contains no semantics in it but
            that the resource server can easily recognize.<br>
            <br>
            This should be advertised in a privacy considerations
            section.<br>
          </span></font><br>
        Denis</font><br>
      <br>
    </div>
    <blockquote
cite="mid:CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com"
      type="cite">
      <div dir="ltr">There are cases where tokens are supposed to be
        consumed at multiple places and the `aud` needs to capture
        them. That's why `aud` is a multi-valued field. </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Mon, Mar 27, 2017 at 11:35 AM Torsten
          Lodderstedt &lt;<a moz-do-not-send="true"
            href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div style="word-wrap:break-word" class="gmail_msg">May I ask
            you to explain this reason?</div>
          <div style="word-wrap:break-word" class="gmail_msg">
            <div class="gmail_msg"><br class="gmail_msg">
              <div class="gmail_msg">
                <blockquote type="cite" class="gmail_msg">
                  <div class="gmail_msg">On 27.03.2017 at 08:48,
                    Mike Jones &lt;<a moz-do-not-send="true"
                      href="mailto:Michael.Jones@microsoft.com"
                      class="gmail_msg" target="_blank">Michael.Jones@microsoft.com</a>&gt; wrote:</div>
                  <br
                    class="m_-7650545162212992110Apple-interchange-newline
                    gmail_msg">
                  <div class="gmail_msg">
                    <div link="blue" vlink="purple" class="gmail_msg"
                      lang="EN-US">
                      <div class="m_-7650545162212992110WordSection1
                        gmail_msg">
                        <p class="MsoNormal gmail_msg"><span
                            style="color:#002060" class="gmail_msg">For
                            the same reason that the “aud” claim is
                            multi-valued in JWTs, the audience needs to
                            stay multi-valued in Token Exchange.  Ditto
                            for resources.</span></p>
                        <p class="MsoNormal gmail_msg"><span
                            style="color:#002060" class="gmail_msg"> </span></p>
                        <p class="MsoNormal gmail_msg"><span
                            style="color:#002060" class="gmail_msg">                                                      
                            Thanks,</span></p>
                        <p class="MsoNormal gmail_msg"><span
                            style="color:#002060" class="gmail_msg">                                                      
                            -- Mike</span></p>
                        <p class="MsoNormal gmail_msg"><a
                            moz-do-not-send="true"
                            name="m_-7650545162212992110__MailEndCompose"
                            class="gmail_msg"><span
                              style="color:#002060" class="gmail_msg"> </span></a></p>
                        <span class="gmail_msg"></span>
                        <p class="MsoNormal gmail_msg"><b
                            class="gmail_msg">From:</b> OAuth [<a
                            moz-do-not-send="true"
                            href="mailto:oauth-bounces@ietf.org"
                            class="gmail_msg" target="_blank">mailto:oauth-bounces@ietf.org</a>]
                          <b class="gmail_msg">On Behalf Of
                          </b>Brian Campbell<br class="gmail_msg">
                          <b class="gmail_msg">Sent:</b> Monday, March
                          27, 2017 8:45 AM<br class="gmail_msg">
                          <b class="gmail_msg">To:</b> Torsten
                          Lodderstedt &lt;<a moz-do-not-send="true"
                            href="mailto:torsten@lodderstedt.net"
                            class="gmail_msg" target="_blank">torsten@lodderstedt.net</a>&gt;<br
                            class="gmail_msg">
                          <b class="gmail_msg">Cc:</b> oauth &lt;<a
                            moz-do-not-send="true"
                            href="mailto:oauth@ietf.org"
                            class="gmail_msg" target="_blank">oauth@ietf.org</a>&gt;<br
                            class="gmail_msg">
                          <b class="gmail_msg">Subject:</b> Re:
                          [OAUTH-WG] I-D Action:
                          draft-ietf-oauth-token-exchange-07.txt</p>
                        <p class="MsoNormal gmail_msg"> </p>
                        <div class="gmail_msg">
                          <div class="gmail_msg">
                            <div class="gmail_msg">
                              <p class="MsoNormal gmail_msg"
                                style="margin-bottom:12.0pt">Thanks for
                                the review and question, Torsten.
                              </p>
                            </div>
                            <p class="MsoNormal gmail_msg"
                              style="margin-bottom:12.0pt">The desire to
                              support multiple audience/resource values
                              in the request came up during a review and
                              discussion among the authors of the
                              document when preparing the -03 draft. As
                              I recall, it was said that both Salesforce
                              and Microsoft had use-cases for it. I
                              incorporated support for it into the draft
                              acting in the role of editor.</p>
                          </div>
                          <div class="gmail_msg">
                            <p class="MsoNormal gmail_msg"
                              style="margin-bottom:12.0pt">From an
                              individual perspective, I tend to agree
                              with you that allowing for multiple
                              audiences/resources adds a lot of
                               complexity that's likely not needed in many
                              (or most) cases. And I would personally be
                              open to making audience and resource
                               mutually exclusive and single valued. A
                              question for the WG I suppose.</p>
                          </div>
                          <div class="gmail_msg">
                            <p class="MsoNormal gmail_msg">The
                              "invalid_target" error code that was added
                              in -07 was intended to give the AS a
                              standard way to deal with the complexity
                               and reject requests with multiple
                              audiences/resources that it doesn't
                              understand or is unwilling or unable to
                              process. It was intended as a compromise,
                              of sorts, to allow for the multiples but
                              provide an easy out of saying it can't be
                              supported based on whatever implementation
                              or policy of the AS.
                            </p>
                          </div>
                          <div class="gmail_msg">
                            <p class="MsoNormal gmail_msg">  </p>
                          </div>
                          <div class="gmail_msg">
                            <p class="MsoNormal gmail_msg"
                              style="margin-bottom:12.0pt"> </p>
                          </div>
                        </div>
                        <div class="gmail_msg">
                          <p class="MsoNormal gmail_msg"> </p>
                          <div class="gmail_msg">
                            <p class="MsoNormal gmail_msg">On Sun, Mar
                              26, 2017 at 9:00 AM, Torsten Lodderstedt
                              &lt;<a moz-do-not-send="true"
                                href="mailto:torsten@lodderstedt.net"
                                class="gmail_msg" target="_blank">torsten@lodderstedt.net</a>&gt;
                              wrote:</p>
                            <blockquote
                              style="border:none;border-left:solid
                              #cccccc 1.0pt;padding:0in 0in 0in
                              6.0pt;margin-left:4.8pt;margin-right:0in"
                              class="gmail_msg">
                              <div class="gmail_msg">
                                <p class="MsoNormal gmail_msg">Hi Brian,</p>
                                <div class="gmail_msg">
                                  <p class="MsoNormal gmail_msg"> </p>
                                </div>
                                <div class="gmail_msg">
                                  <p class="MsoNormal gmail_msg">thanks
                                    for the clarification around
                                    resource, audience and scope. </p>
                                </div>
                                <div class="gmail_msg">
                                  <p class="MsoNormal gmail_msg"> </p>
                                </div>
                                <div class="gmail_msg">
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">Here
                                      are my comments on the draft:</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">In
                                      section 2.1 it states: „Multiple
                                      "resource" parameters may be used
                                      to indicate</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      that the issued token is intended
                                      to be used at the multiple</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      resources listed.“</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">Can
                                       you please explain the rationale in
                                      more detail? I don’t understand
                                      why there is a need to ask for
                                      access tokens, which are good for
                                      multiple resources at once. This
                                      is a request type more or less
                                      exclusively used in server to
                                      server scenarios, right? So the
                                      only reason I can think of is call
                                      reduction. </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">On
                                      the other side, this feature
                                      increases the AS's complexity,
                                       e.g. its policy may prohibit issuing
                                       tokens for multiple
                                      resources in general or the
                                      particular set the client is
                                       asking for. How shall the AS
                                       handle such cases?</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">And
                                      it is getting even more
                                      complicated given there could also
                                      be multiple audience values and
                                      the client could mix them: </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">"Multiple
                                      "audience" parameters</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      may be used to indicate that the
                                      issued token is intended to be</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      used at the multiple audiences
                                      listed.  The "audience" and</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      "resource" parameters may be used
                                      together to indicate multiple</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      target services with a mix of
                                      logical names and physical</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">     
                                      locations.“</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">And
                                      in the end the client may add some
                                      scope values to the „meal“, which
                                      brings us to </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">„Effectively,
                                      the requested access rights of the</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> 
                                       token are the cartesian product
                                      of all the scopes at all the
                                      target</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> 
                                       services.“</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">I
                                      personally would suggest dropping
                                      support for multiple audience and
                                      resource parameters and making
                                      audience and resource mutually
                                      exclusive. I think this is
                                      sufficient and much easier to
                                      implement.</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg"> </p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">kind
                                      regards,</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <p class="MsoNormal gmail_msg">Torsten.</p>
                                  </div>
                                  <div class="gmail_msg">
                                    <div class="gmail_msg">
                                      <div class="gmail_msg">
                                        <p class="MsoNormal gmail_msg"> </p>
                                      </div>
                                      <div class="gmail_msg">
                                        <p class="MsoNormal gmail_msg"> </p>
                                        <div class="gmail_msg">
                                          <blockquote
                                            style="margin-top:5.0pt;margin-bottom:5.0pt"
                                            class="gmail_msg">
                                            <div class="gmail_msg">
                                              <p class="MsoNormal
                                                gmail_msg">Am 11.01.2017
                                                um 20:04 schrieb Brian
                                                Campbell &lt;<a
                                                  moz-do-not-send="true"
href="mailto:bcampbell@pingidentity.com" class="gmail_msg"
                                                  target="_blank">bcampbell@pingidentity.com</a>&gt;:</p>
                                            </div>
                                            <p class="MsoNormal
                                              gmail_msg"> </p>
                                            <div class="gmail_msg">
                                              <div class="gmail_msg">
                                                <p class="MsoNormal
                                                  gmail_msg"
                                                  style="margin-bottom:12.0pt">Draft
                                                  -07 of "OAuth 2.0 <span
class="m_-7650545162212992110m-945284380411239355m6317541698219329431gmail-il
                                                    gmail_msg">
                                                    Token</span> <span
class="m_-7650545162212992110m-945284380411239355m6317541698219329431gmail-il
                                                    gmail_msg">Exchange</span>"
                                                  has been published.
                                                  The primary change in
                                                  -07 is the addition of
                                                  a description of the
                                                  relationship between
                                                  audience/resource/scope,
                                                  which was a request or
                                                  comment that came up
                                                  during the f2f meeting
                                                  in Seoul. <br
                                                    class="gmail_msg">
                                                  <br class="gmail_msg">
                                                  Excerpted from the
                                                  Document History:<br
                                                    class="gmail_msg">
                                                  <br class="gmail_msg">
                                                     -07<br
                                                    class="gmail_msg">
                                                  <br class="gmail_msg">
                                                     o  Fixed typo
                                                  (desecration -&gt;
                                                  discretion).<br
                                                    class="gmail_msg">
                                                     o  Added an
                                                  explanation of the
                                                  relationship between
                                                  scope, audience<br
                                                    class="gmail_msg">
                                                        and resource in
                                                  the request and added
                                                  an "invalid_target"
                                                  error<br
                                                    class="gmail_msg">
                                                        code enabling
                                                  the AS to tell the
                                                  client that the
                                                  requested<br
                                                    class="gmail_msg">
                                                       
                                                  audiences/resources
                                                  were too broad.<br
                                                    class="gmail_msg">
                                                  <br class="gmail_msg">
                                                </p>
                                                <div class="gmail_msg">
                                                  <p class="MsoNormal
                                                    gmail_msg">----------
                                                    Forwarded message
                                                    ----------<br
                                                      class="gmail_msg">
                                                    From: &lt;<a
                                                      moz-do-not-send="true"
href="mailto:internet-drafts@ietf.org" class="gmail_msg" target="_blank">internet-drafts@ietf.org</a>&gt;<br
                                                      class="gmail_msg">
                                                    Date: Wed, Jan 11,
                                                    2017 at 12:00 PM<br
                                                      class="gmail_msg">
                                                    Subject: [OAUTH-WG]
                                                    I-D Action:
                                                    draft-ietf-oauth-token-exchange-07.txt<br
                                                      class="gmail_msg">
                                                    To: <a
                                                      moz-do-not-send="true"
href="mailto:i-d-announce@ietf.org" class="gmail_msg" target="_blank">i-d-announce@ietf.org</a><br
                                                      class="gmail_msg">
                                                    Cc: <a
                                                      moz-do-not-send="true"
href="mailto:oauth@ietf.org" class="gmail_msg" target="_blank">oauth@ietf.org</a><br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    A New Internet-Draft
                                                    is available from
                                                    the on-line
                                                    Internet-Drafts
                                                    directories.<br
                                                      class="gmail_msg">
                                                    This draft is a work
                                                    item of the Web
                                                    Authorization
                                                    Protocol of the
                                                    IETF.<br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                            Title       
                                                       : OAuth 2.0 Token
                                                    Exchange<br
                                                      class="gmail_msg">
                                                            Authors     
                                                       : Michael B.
                                                    Jones<br
                                                      class="gmail_msg">
                                                                       
                                                          Anthony
                                                    Nadalin<br
                                                      class="gmail_msg">
                                                                       
                                                          Brian Campbell<br
                                                      class="gmail_msg">
                                                                       
                                                          John Bradley<br
                                                      class="gmail_msg">
                                                                       
                                                          Chuck
                                                    Mortimore<br
                                                      class="gmail_msg">
                                                            Filename   
                                                        :
                                                    draft-ietf-oauth-token-exchange-07.txt<br
                                                      class="gmail_msg">
                                                            Pages       
                                                       : 31<br
                                                      class="gmail_msg">
                                                            Date       
                                                        : 2017-01-11<br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    Abstract:<br
                                                      class="gmail_msg">
                                                       This
                                                    specification
                                                    defines a protocol
                                                    for an HTTP- and
                                                    JSON- based<br
                                                      class="gmail_msg">
                                                       Security Token
                                                    Service (STS) by
                                                    defining how to
                                                    request and obtain<br
                                                      class="gmail_msg">
                                                       security tokens
                                                    from OAuth 2.0
                                                    authorization
                                                    servers, including<br
                                                      class="gmail_msg">
                                                       security tokens
                                                    employing
                                                    impersonation and
                                                    delegation.<br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    The IETF datatracker
                                                    status page for this
                                                    draft is:<br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/"
                                                      class="gmail_msg"
                                                      target="_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/</a><br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    There's also a
                                                    htmlized version
                                                    available at:<br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07"
                                                      class="gmail_msg"
                                                      target="_blank">https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07</a><br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    A diff from the
                                                    previous version is
                                                    available at:<br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07"
                                                      class="gmail_msg"
                                                      target="_blank">https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07</a><br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    Please note that it
                                                    may take a couple of
                                                    minutes from the
                                                    time of submission<br
                                                      class="gmail_msg">
                                                    until the htmlized
                                                    version and diff are
                                                    available at <a
                                                      moz-do-not-send="true"
href="http://tools.ietf.org/" class="gmail_msg" target="_blank">
                                                      tools.ietf.org</a>.<br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
                                                    Internet-Drafts are
                                                    also available by
                                                    anonymous FTP at:<br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="ftp://ftp.ietf.org/internet-drafts/" class="gmail_msg"
                                                      target="_blank">ftp://ftp.ietf.org/internet-drafts/</a><br
                                                      class="gmail_msg">
                                                    <br
                                                      class="gmail_msg">
_______________________________________________<br class="gmail_msg">
                                                    OAuth mailing list<br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="mailto:OAuth@ietf.org" class="gmail_msg" target="_blank">OAuth@ietf.org</a><br
                                                      class="gmail_msg">
                                                    <a
                                                      moz-do-not-send="true"
href="https://www.ietf.org/mailman/listinfo/oauth" class="gmail_msg"
                                                      target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a></p>
                                                </div>
                                                <p class="MsoNormal
                                                  gmail_msg"> </p>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <p class="MsoNormal gmail_msg"> </p>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <p class="MsoNormal gmail_msg"> </p>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br class="gmail_msg">
            </div>
          </div>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div data-smartmail="gmail_signature">
        <p dir="ltr">Nat Sakimura</p>
        <p dir="ltr">Chairman of the Board, OpenID Foundation</p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------FDFEDD0C8A607067FC4DF855--
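The quoted -07 text above says that a token exchange request may carry several "resource" and "audience" values plus a "scope" value, that the requested access is effectively the cartesian product of the scopes and the targets, and that the AS can answer with "invalid_target" when the targets are too broad. The following is an added example (not code from the draft authors or from anyone on this thread) that encodes such a request with repeated parameters, expands it into the (target, scope) pairs it actually asks for, and applies a toy AS-side target check. The client policy table, the client id and the resource/audience identifiers are assumptions made for the example.

```python
"""Token exchange request shape and an AS-side "invalid_target" check.

Added example, not from draft-ietf-oauth-token-exchange-07 or its authors.
Parameter names follow the draft; the policy table and identifiers below
are constructed for illustration only.
"""
from itertools import product
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed policy (assumption): the targets, given as physical resource
# URIs or logical audience names, that each client may request tokens for.
CLIENT_TARGET_POLICY = {
    "client-a": {"https://api.example.com/orders", "inventory-service"},
}


def build_token_exchange_body(subject_token, resources=(), audiences=(), scope=None):
    """Encode the token request form body; 'resource' and 'audience' repeat."""
    params = [
        ("grant_type", TOKEN_EXCHANGE_GRANT),
        ("subject_token", subject_token),
        ("subject_token_type", ACCESS_TOKEN_TYPE),
    ]
    params += [("resource", r) for r in resources]
    params += [("audience", a) for a in audiences]
    if scope:
        params.append(("scope", scope))
    return urlencode(params)


def requested_access(body):
    """Expand a request into the (target, scope) pairs it asks for.

    This is the cartesian product the draft text describes: every scope
    value is requested at every listed resource and audience.
    """
    q = parse_qs(body, keep_blank_values=True)
    targets = q.get("resource", []) + q.get("audience", [])
    scopes = q.get("scope", [""])[0].split()
    return set(product(targets, scopes))


def check_targets(client_id, body):
    """AS-side check: every requested target must be permitted for the client.

    Returns None when the request is acceptable, otherwise an OAuth error
    response body using the "invalid_target" code introduced in -07.
    """
    q = parse_qs(body, keep_blank_values=True)
    requested = set(q.get("resource", []) + q.get("audience", []))
    allowed = CLIENT_TARGET_POLICY.get(client_id, set())
    too_broad = requested - allowed
    if too_broad:
        return {
            "error": "invalid_target",
            "error_description": "targets not permitted: " + " ".join(sorted(too_broad)),
        }
    return None
```

The check only decides whether the set of targets is too broad; whether each scope is meaningful at each target is a separate decision the AS makes per (target, scope) pair from the expansion, which is the work Torsten's proposal of a single, mutually exclusive audience or resource parameter would avoid.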


From nobody Tue Mar 28 12:33:03 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6C62129564 for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 12:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.397
X-Spam-Level: 
X-Spam-Status: No, score=-5.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.796, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4T0UlZKzZfD6 for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 12:33:01 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A3F112955B for <oauth@ietf.org>; Tue, 28 Mar 2017 12:33:00 -0700 (PDT)
Received: from [192.168.91.186] ([31.133.136.32]) by mail.gmx.com (mrgmx101 [212.227.17.168]) with ESMTPSA (Nemesis) id 0M8ZtH-1bxOGY3RQp-00wGEI for <oauth@ietf.org>; Tue, 28 Mar 2017 21:32:58 +0200
To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
Date: Tue, 28 Mar 2017 21:32:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="fFJ5UXSF4qXmFqdNpSE5QXcFm5Dhaab4l"
X-Provags-ID: V03:K0:M3hybXeJYutx4OK5UZKnp1+Nlh23kLI33paaGxKvMw9ipdBiGQ2 Cm3Qv+kANmWg7UfoZkXm/VhQoTtITJp6C6G0UeHBSszn/FJrflhd+WGp7XOkzIqxQJAc/xl tunuA91M3pwMkreqpCn/9nc1uCq/QDemu+/8Fmzpx1eFNzT1Mt7O2Jy2iS5Y7/mE3DSpR9r dKyEv9ujiAv5f09MHqzMQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:N8vI57SyHiY=:RGq4bABJk7zkGrxbe5TkGk JnwwtKJBlfK+NAcXvDpn3aDvPJJSPJYd9OdwJ2vCE9Dd9z7iMHcl/Jam2SETTho4E6kIizLy+ JNIe9s3QFECICZ8YHzUA/t9QHF2kvBRJuCF61QSpRSNZXbuEsTy6u/PcTwWA9nydX12TBqbzG Yy9ooH/ftTsSM1ydywuH1yVUSywTf9eUHqlwbkGumXLk15fmtaQvcQCsCSeYeYrFtgDmyV7a2 uDP72A7G0f9+XIbx8Hd43Wsv4tbJh1qmjU5i53ovXwUunx/0mTWX8s7CuPkj356ZcCHIu/Sd+ bCzDFWuGN+QdSSLZ0LotgfFeV6M4T0vty4eUSb+YTzo7pjSnYxr8u9ynJl3mAxSTGtsp7gOBx p8InJt77lgWW8UVNrDu6vAwP0ifEyeWBHDVJg5BKjHCVXnuBDap2erqPjYaHth/V5KolpV7SX 6SRpNWo86+USFwkGsDxLiQf8Kday7zGPYqYlxs2ulJWNJ6TPbma/Aff8otvliwp/TbL7M7HBz dX4mG0rNiSxMeapDrdW8bxKsOvLtB4iDGj5vl64C6mTVPAI7Nb75csf9zJjSsfiOg05qMaEuu fAffDZlKwWo0ycIgA/RxjaXHTV4Uib943yDPSMo+QhYsvhXFpMvzvJdiv4f9HbDUz//RqP9af KeIx+KmCO6oD0I2WwN6sFlXGml1PvUUeXStWzI2gwcnYZyXjT1CN1y2IOAJL3prg+5eg4T1Ky X8qN2SZZx8VJxXlriICLxavUh1s7gODIxa+gO6f3DniPM1wHhx2jfDiMOJs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1lkPidBJ0aj1aRY7l1jp-s_fvKo>
Subject: [OAUTH-WG] HTTP Signing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 19:33:03 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--fFJ5UXSF4qXmFqdNpSE5QXcFm5Dhaab4l
Content-Type: multipart/mixed; boundary="uDPUlbHQXQeLBjB5GNu7opmqkMoO68OVO";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
Subject: HTTP Signing

--uDPUlbHQXQeLBjB5GNu7opmqkMoO68OVO
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

I met Manu after the OAuth meeting on Monday and he pointed me to his
work on HTTP signing, as described in this document:
https://tools.ietf.org/html/draft-cavage-http-signatures-06

I believe there is some synergy of work going on elsewhere in the IETF.
Since we have had challenges with some HTTP signing I wonder whether
there is something to learn from the authors of that doc.

Ciao
Hannes


--uDPUlbHQXQeLBjB5GNu7opmqkMoO68OVO--

--fFJ5UXSF4qXmFqdNpSE5QXcFm5Dhaab4l
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJY2rpoAAoJEGhJURNOOiAtR1AH/Rd7SonBChaQzDosq0hetn78
6ldgj4e5INN1p/kIxtKu9c/kmpKIuMVtHmpalsSs8YzT1h/xdJDmZCPkzqChSXHs
C3FM3A8WierLSd067r5wuQnecd5Pp6pK9Ox14y0x+yRI3TytJotHM4/hG7+0g6zm
3PETV5w5DTBs2bS1ntvy+E00xezZU+wYLQWLidkFTyZuNo+WW9JYLIgA5kbzbemm
7IPHzZEPisC+/7dxNwgD5eXCoPJ2YyCM8lpAQaP4dco2Kn7Jqhrn8jceMSy5r7fx
ppNLdivmcVw1Nvx7a+8E+Z7hVZrbi21XFxzthPhhpGKVB6MQcxmf2aryKEjBnjc=
=3GXv
-----END PGP SIGNATURE-----

--fFJ5UXSF4qXmFqdNpSE5QXcFm5Dhaab4l--
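For readers who have not looked at the draft Hannes points to, the following is an added example (not code from draft-cavage-http-signatures-06 or its authors) of the mechanism it defines: a signing string built from the covered headers, with lower-cased header names and the "(request-target)" pseudo-header formed from the lower-cased method and the request target, each entry joined by a newline. It signs the string with hmac-sha256, one of the draft's registered algorithms, emits the Signature header, and verifies it. The key id, the shared key and the request itself are constructed for this example.

```python
"""HTTP Signatures signing string, Signature header and verification.

Added example in the style of draft-cavage-http-signatures-06; it is not
the draft authors' code. Key material and the request are constructed.
"""
import base64
import hashlib
import hmac
import re

# Hypothetical shared secret for keyId "test-key" (assumption).
KEYS = {"test-key": b"example-shared-secret"}

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def signing_string(method, target, headers, covered):
    """Build the string to sign from the covered header names.

    headers: header-name -> value from the request; names are matched
    case-insensitively and values have surrounding whitespace removed, as
    the draft prescribes. Entries are joined with a single newline.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise ValueError(f"covered header missing from request: {name}")
    return "\n".join(lines)


def sign(method, target, headers, covered, key_id):
    """Return the value for the Signature header (hmac-sha256)."""
    data = signing_string(method, target, headers, covered).encode()
    digest = hmac.new(KEYS[key_id], data, hashlib.sha256).digest()
    return (f'keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(covered)}",'
            f'signature="{base64.b64encode(digest).decode()}"')


def verify(method, target, headers, signature_header):
    """Recompute the signature from the received request and compare."""
    params = dict(_PARAM.findall(signature_header))
    key = KEYS.get(params.get("keyId", ""))
    if key is None or params.get("algorithm") != "hmac-sha256":
        return False
    # The draft's default when "headers" is absent is the Date header alone.
    covered = params.get("headers", "date").split()
    try:
        data = signing_string(method, target, headers, covered).encode()
        got = base64.b64decode(params.get("signature", ""), validate=True)
    except (ValueError, Exception):
        return False
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, got)
```

Only the headers named in the "headers" parameter are protected: changing the request target or a covered header breaks verification, while a header left out of the list can be altered in transit without the verifier noticing, so the set of covered headers is a security decision, not a formatting one.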


From nobody Tue Mar 28 16:17:09 2017
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C50E4129479 for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 16:17:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJU-hEaSd4y2 for <oauth@ietfa.amsl.com>; Tue, 28 Mar 2017 16:17:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94209126BFD for <oauth@ietf.org>; Tue, 28 Mar 2017 16:17:04 -0700 (PDT)
X-AuditID: 12074424-25bff700000063a9-58-58daeeefecda
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 5B.1D.25513.FEEEAD85; Tue, 28 Mar 2017 19:17:03 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v2SNH2Au007741; Tue, 28 Mar 2017 19:17:02 -0400
Received: from [192.168.1.71] (104-182-133-163.lightspeed.cicril.sbcglobal.net [104.182.133.163]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2SNGxOX009798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 28 Mar 2017 19:17:01 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <401D280A-4872-46AC-849B-5A3CF043DAD6@mit.edu>
Content-Type: multipart/signed; boundary="Apple-Mail=_78422D3C-DD89-48A6-BE73-374890D3B218"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 28 Mar 2017 18:16:58 -0500
In-Reply-To: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrLKsWRmVeSWpSXmKPExsUixCmqrfv+3a0IgxPr1CyW7rzHanHy7Ss2 ByaPxZv2s3ksWfKTKYApissmJTUnsyy1SN8ugSvj9+MLbAX/jCsmTDvJ3sB4SqeLkZNDQsBE YsbzlYxdjFwcQgJtTBKX951mA0kICWxklPi4wRUicY9JYvuvvcwgCTYBVYnpa1qYQGxeASuJ nY8+MIEUMQvMYJRY82YtO0RCX2L2mUssILawgIrE5Q6IBhag5ge7boAN4hSwlng05SHQNg6g ZnWJ9pMuIGERAUOJ6zOns0IcYSXxdecdNohLZSXe/lrCPIGRfxaydbOQrAOxmQWSJGbeu8kG YWtLLFv4mhnC1pTY372cBVNcQ6Lz20RWCFteYvvbOVBxS4nFM29A1dtK3OpbwARhG0jMaZ7M tICRexWjbEpulW5uYmZOcWqybnFyYl5eapGuuV5uZoleakrpJkZQTLG7qOxg7O7xPsQowMGo xMO7I+9WhBBrYllxZe4hRkkOJiVR3poDQCG+pPyUyozE4oz4otKc1OJDjCpAux5tWH2BUYol Lz8vVUmEd/4yoDrelMTKqtSifJgyaQ4WJXFecY3GCCGB9MSS1OzU1ILUIpisDAeHkgSv41ug RsGi1PTUirTMnBKENBMH5yFGCQ4eoOG8IDW8xQWJucWZ6RD5U4yKUuK8dW+AEgIgiYzSPLhe UCrM2Na6+BWjONBbwryrQdp5gGkUrvsV0GAmoMHiNmCDSxIRUlINjIeDe6U3FmneMVZh735w yF6oZ8EC87npkZwp+zfGpDPKyzGcqs4TX9fwr2mN+Wuhr3FFN6rLTvM1leXPrTS+kO00r/3Q 7KbYr+/28D3le9+QsOjvwQ/Zk3PvFTcWndPmVVgskMSomC6RM+9Izz4hjYLejZq+fFGhryZP PTthcgPDCpNdhnX1SizFGYmGWsxFxYkA0ElG1WADAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3QY37fySX4WqUTwTCUHgFuEeqEg>
Subject: Re: [OAUTH-WG] HTTP Signing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 23:17:07 -0000

--Apple-Mail=_78422D3C-DD89-48A6-BE73-374890D3B218
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_1AD87664-1ABF-4112-BD40-EC0BEC28215C"


--Apple-Mail=_1AD87664-1ABF-4112-BD40-EC0BEC28215C
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

That document has been brought up and discussed several times in the past in relation to our own signing mechanism, and it’s been rejected each time. It has its benefits and drawbacks, as does the signature method that was proposed in draft-ietf-oauth-http-signing. The biggest drawback of the cavage document is that it is not as robust against HTTP message transformation as the oauth document. The oauth draft uses the JOSE signing mechanism (which is familiar to a lot of OAuth developers already) whereas the cavage draft has its own signing system. The cavage draft ties more directly to HTTP2, whereas the oauth draft ties more directly to, well, OAuth. To wit, you’d still need to define a way to present the access token itself alongside the signature, presumably using another header which would be signed.

The thing is, the challenge has never been with the specifics of how the signatures are made in the oauth draft — the challenge has been whether to do message level signatures at all. The token binding camp remains convinced that referred token binding will be both universally available and universally applicable, and that work has very directly pulled interest and attention away from having a true PoP solution in a standard, even five years after we had a reasonably workable draft (in the form of the MAC token) that we could have built and run with.

 — Justin

> On Mar 28, 2017, at 2:32 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Hi all,
> 
> I met Manu after the OAuth meeting on Monday and he pointed me to his
> work on HTTP signing, as described in this document:
> https://tools.ietf.org/html/draft-cavage-http-signatures-06
> 
> I believe there is some synergy of work going on elsewhere in the IETF.
> Since we have had challenges with some HTTP signing I wonder whether
> there is something to learn from the authors of that doc.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_1AD87664-1ABF-4112-BD40-EC0BEC28215C--

--Apple-Mail=_78422D3C-DD89-48A6-BE73-374890D3B218
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJY2u7rAAoJEDPAngkbd+w94tUH/2vd6NNvoTBLHChu48+jXfSo
ZK8bQ/Lb7MD85WR7v/4U+ySNWnb4F2QBFVh9CAZcwWG0AkSUhagOY/RPU1JAMrAn
WsRWlITOcluVHiZ4L/gGH8XSs2qmT1VM8ituXBc4JUszx7Si9iXOL43zl2A4L1ME
bZnWGWc0pOe8/UUZb5Nx6U7+78PqifMQvksjNXOd/DP+39Yqoc+oP4RM7Y6PTy/n
zeDoFdm57ejOSRonpE6MVOl+tfQrOnK+IRrwgtLPL4nutMF5gmi8nTRtaAbJ/DKV
KZPPhIU1du0aGkQ3DyXn6sUWkahQzK1HAki04K+rwkGda2yOgWpavm2Im9V6zZs=
=n+PJ
-----END PGP SIGNATURE-----

--Apple-Mail=_78422D3C-DD89-48A6-BE73-374890D3B218--
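
An added example for this archive, written to illustrate two points in the reply above and not taken from either draft or from its authors: the signing-string construction of draft-cavage-http-signatures, implemented in Python with the draft's `hmac-sha256` algorithm. The bearer token is carried in the `Authorization` header and that header is listed among the covered headers, which is one way to present the access token alongside the signature and have it signed. The key, key identifier, token and request are all constructed for the example. The final function shows the fragility Justin refers to: an intermediary that re-serializes a covered header (here `Date`) changes the signing string and the signature no longer verifies, while the draft's own normalization (lower-cased names, trimmed values) absorbs only whitespace changes.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed example values; none of these come from the drafts or the thread.
KEY_ID = "client-key-1"
SHARED_KEY = b"constructed-example-hmac-key"
ACCESS_TOKEN = "2YotnFZFEjr1zCsicMWpAA"  # constructed bearer token value

# A request is (method, path-and-query, [(header-name, header-value), ...]).
Request = Tuple[str, str, List[Tuple[str, str]]]

REQUEST: Request = (
    "GET",
    "/resource/1?fields=all",
    [
        ("Host", "api.example.com"),
        ("Date", "Tue, 28 Mar 2017 23:16:58 GMT"),
        ("Authorization", "Bearer " + ACCESS_TOKEN),
    ],
)

# Covering Authorization binds the bearer token to this particular signature.
COVERED = ["(request-target)", "host", "date", "authorization"]


def signing_string(req: Request, covered: List[str]) -> str:
    """Build the draft-cavage signing string: one 'name: value' line per covered
    header, names lower-cased, values trimmed, repeated headers joined with ', ',
    plus the special '(request-target)' line for method and path."""
    method, target, headers = req
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
            continue
        values = [v.strip() for n, v in headers if n.lower() == name]
        if not values:
            raise ValueError(f"covered header missing from request: {name}")
        lines.append(f"{name}: {', '.join(values)}")
    return "\n".join(lines)


def sign(req: Request, covered: List[str], key: bytes = SHARED_KEY,
         key_id: str = KEY_ID) -> str:
    """Client side: return the value of the Signature header."""
    mac = hmac.new(key, signing_string(req, covered).encode("utf-8"), hashlib.sha256)
    sig = base64.b64encode(mac.digest()).decode("ascii")
    hdrs = " ".join(covered)
    return f'keyId="{key_id}",algorithm="hmac-sha256",headers="{hdrs}",signature="{sig}"'


def parse_signature_header(value: str) -> Dict[str, str]:
    """Split the comma-separated key="value" parameters of a Signature header.
    None of the parameter values produced by sign() can contain a comma."""
    params: Dict[str, str] = {}
    for part in value.split(","):
        k, _, v = part.partition("=")
        params[k.strip()] = v.strip().strip('"')
    return params


def verify(req: Request, signature_header: str, keys: Dict[str, bytes]) -> bool:
    """Server side: recompute the signing string from the request as received and
    compare MACs in constant time. Unknown keys, other algorithms and signatures
    that do not cover the request target and the token header are rejected."""
    p = parse_signature_header(signature_header)
    if p.get("algorithm") != "hmac-sha256" or p.get("keyId") not in keys:
        return False
    covered = p.get("headers", "date").split()  # the draft's default is just 'date'
    if "(request-target)" not in covered or "authorization" not in covered:
        return False  # example policy: the signature must bind method, path and token
    try:
        base = signing_string(req, covered).encode("utf-8")
        got = base64.b64decode(p.get("signature", ""), validate=True)
    except ValueError:  # a covered header is missing, or the base64 is invalid
        return False
    expected = hmac.new(keys[p["keyId"]], base, hashlib.sha256).digest()
    return hmac.compare_digest(expected, got)


def rewrite_header(req: Request, name: str, new_value: str) -> Request:
    """Simulate an intermediary that re-serializes one header in transit."""
    method, target, headers = req
    return (method, target,
            [(n, new_value if n.lower() == name else v) for n, v in headers])


def demo() -> Dict[str, bool]:
    keys = {KEY_ID: SHARED_KEY}
    sig = sign(REQUEST, COVERED)
    return {
        "original_verifies": verify(REQUEST, sig, keys),
        # A proxy that rewrites Date changes a covered value: verification fails.
        "rewritten_date_verifies": verify(
            rewrite_header(REQUEST, "date", "Tue, 28 Mar 2017 23:17:01 GMT"), sig, keys),
        # Replaying the signature with a different token fails for the same reason.
        "swapped_token_verifies": verify(
            rewrite_header(REQUEST, "authorization", "Bearer some-other-token"), sig, keys),
        # Whitespace padding around a value is the one change the normalization absorbs.
        "padded_host_verifies": verify(
            rewrite_header(REQUEST, "host", "  api.example.com "), sig, keys),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the module prints the four verification results. The requirement in `verify` that `(request-target)` and `authorization` be covered is an example policy: the draft leaves the covered-header list to the signer, which is exactly why a verifier has to decide for itself what it will accept.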


From nobody Wed Mar 29 13:08:49 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8ADE12995B for <oauth@ietfa.amsl.com>; Wed, 29 Mar 2017 13:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.797
X-Spam-Level: 
X-Spam-Status: No, score=-4.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rrk-1LR-rBAv for <oauth@ietfa.amsl.com>; Wed, 29 Mar 2017 13:08:40 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0109.outbound.protection.outlook.com [104.47.36.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B13BD1298D2 for <oauth@ietf.org>; Wed, 29 Mar 2017 13:08:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=NoM61mKMOv7YIb9ynw5Xvr/CSe9w/VUsKVteM9sj5tg=; b=gIoF4YBqNKQsw4ftkHNXHiajIhu7CeqgvEdk2LVzLLAlidir0qaCK39475dsffxMXIv8UVyx0kRd4BHF2ySryoBwm5dr4yZuodqtarCdaCpAmBY0aTnEgnWkPt3IgT0j4ASZE8NxWeLT/FZAirPNg7bUAwW/OjJZx8HnXx7nFGQ=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.0; Wed, 29 Mar 2017 20:08:38 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1019.008; Wed, 29 Mar 2017 20:08:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: oauth <oauth@ietf.org>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: JOSE/JWT Security Update Presentation
Thread-Index: AdKox9hGUhSH7/ucSU+mXltjus2wcQ==
Date: Wed, 29 Mar 2017 20:08:38 +0000
Message-ID: <CY4PR21MB0504F95D0B36D852BEF0AE9BF5350@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [67.98.107.27]
Content-Type: multipart/mixed; boundary="_004_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2017 20:08:38.2046 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tdd28m-MNgSDmiIZ3HQd3zMm9jw>
Subject: [OAUTH-WG] JOSE/JWT Security Update Presentation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 20:08:43 -0000

--_004_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_
Content-Type: multipart/alternative;
	boundary="_000_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_"

--_000_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yaron Sheffer had asked me to give an update on JOSE/JWT security to the SecEvent working group.  As promised during our working group meeting Monday, that presentation is attached.  At the microphone, Kathleen suggested that we may want to collect information about best practices for implementers and deployers and write a BCP containing them.  She said that JWT is being used in many places in the IETF at this point.

                                                       -- Mike

--_000_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_--

--_004_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_
Content-Type: application/pdf; name="JOSE_JWT_Security_Update_IETF_98.pdf"
Content-Description: JOSE_JWT_Security_Update_IETF_98.pdf
Content-Disposition: attachment;
	filename="JOSE_JWT_Security_Update_IETF_98.pdf"; size=149645;
	creation-date="Wed, 29 Mar 2017 20:07:18 GMT";
	modification-date="Wed, 29 Mar 2017 20:07:18 GMT"
Content-Transfer-Encoding: base64
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--_004_CY4PR21MB0504F95D0B36D852BEF0AE9BF5350CY4PR21MB0504namp_--


From nobody Thu Mar 30 08:03:46 2017
Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397091296C1 for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 08:03:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level: 
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNmMua5w5-8p for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 08:03:33 -0700 (PDT)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:470:e448:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78C88129681 for <oauth@ietf.org>; Thu, 30 Mar 2017 08:03:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 472AAE2039; Thu, 30 Mar 2017 11:03:32 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 01202-09; Thu, 30 Mar 2017 11:03:30 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id DF607E203F; Thu, 30 Mar 2017 11:03:29 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1490886209; bh=DsDigRL8qP1NYNCZgLobcOr8QQeUJobRPHYU9D+V+pg=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=gpZyJ79vY5hP/HQ2VWLPYGLssKQnDPVrbMa+e14nvxE+y5y3777Tpc2bq8PXIQJDB vlXwwSla700NTlM1DC0UdMm4soTOaEzO9l6P4cToLc0Q1uCq+j+8ht7ZEuMMFQZBTi BsKjGmEmEHYBm6HVNCMIXBwtzZEfhsXSYr2gtQq8=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id v2UF3S2M023013; Thu, 30 Mar 2017 11:03:28 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Derek Atkins <derek@ihtfp.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "oauth\@ietf.org" <oauth@ietf.org>
References: <CAHbuEH6UUu2QUWip5caOjQt9ZzqeORT7Fn2hzYFfeJNaz-3Vgw@mail.gmail.com> <0b495b42-50a8-62da-499a-351fdd2eada3@gmx.net>
Date: Thu, 30 Mar 2017 11:03:28 -0400
In-Reply-To: <0b495b42-50a8-62da-499a-351fdd2eada3@gmx.net> (Hannes Tschofenig's message of "Wed, 22 Mar 2017 23:38:18 +0100")
Message-ID: <sjmefxeajsv.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lGExU2KgL9c4_0FrkuSaHjPJzHM>
Subject: Re: [OAUTH-WG] Chair volunteers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 15:03:35 -0000

Hi everyone,

Hannes Tschofenig <hannes.tschofenig@gmx.net> writes:

> On 03/21/2017 06:39 PM, Kathleen Moriarty wrote:
>> A big thank you to Derek for his work in OAuth and we hope to have his
>> continued participation in the working group!
>
> Big thanks to Derek for doing the job for such a long time. It has been
> a pleasure to work with you!

I must apologize for having effectively disappeared from the OAuth
group; my current position has limited my ability to do IETF work, and
lately I've had even less time to put in, and alas OAuth was a major
casualty.  I do plan to continue my involvement to the best of my ability.

I encourage people to step up and volunteer to co-chair the group.

> Ciao
> Hannes

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Thu Mar 30 11:38:32 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EAD4F129A23; Thu, 30 Mar 2017 11:38:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.49.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149089911092.15436.12952695214868679547@ietfa.amsl.com>
Date: Thu, 30 Mar 2017 11:38:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HW9uAO6beraKt-vr9yytCU4nSLs>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 18:38:31 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-13.txt
	Pages           : 27
	Date            : 2017-03-30

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents is not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks on the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and/or encrypted with JSON Web
   Encryption (JWE) so that the integrity, source authentication and
   confidentiality properties of the Authorization Request are attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
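
An added example for this archive, not code from the draft's authors or from any implementation, showing in Python the by-value form the abstract describes: the client places the authorization request parameters in a JWT, signs it, and sends it as the `request` query parameter; the authorization server verifies the signature and acts only on the parameters inside the signed object, so a `redirect_uri` rewritten in the URL on its way through the browser has no effect. To stay within the standard library the request object is signed with JWS HS256 under a client secret assumed to be registered at the AS, where a deployment would normally use the client's asymmetric key. The issuer URL, client identifier, secret, registered redirect URI and parameter values are constructed, and the `iss`, `aud`, `exp` and `client_id` checks are the example's own verifier policy rather than a transcription of the draft text.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values; none of these identifiers come from the draft.
AS_ISSUER = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret-for-hs256"  # assumed registered at the AS
REGISTERED_REDIRECT_URIS = {"https://client.example.org/cb"}
NOW = 1490900000  # fixed clock so the example is deterministic


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(params: Dict[str, Any], secret: bytes, now: int = NOW) -> str:
    """Client side: put the authorization request parameters in a JWS (HS256).
    iss is the client_id and aud the authorization server, so the object cannot
    be presented to a different AS or on behalf of a different client."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(params, iss=params["client_id"], aud=AS_ISSUER, iat=now, exp=now + 300)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_authorization_url(request_object: str, client_id: str) -> str:
    """By-value form: the JWT travels in the 'request' query parameter; client_id
    and response_type are repeated in the query for plain OAuth 2.0 processing."""
    query = {"client_id": client_id, "response_type": "code", "request": request_object}
    return AS_ISSUER + "/authorize?" + urlencode(query)


def parse_authorization_request(url: str, secrets: Dict[str, bytes],
                                now: int = NOW) -> Dict[str, Any]:
    """AS side: verify the request object and return the parameters to act on.
    Raises ValueError on any failure; a real AS turns that into an error response."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "request" not in query:
        raise ValueError("request object required")
    try:
        h_b64, c_b64, s_b64 = query["request"].split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed request object")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed request object")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg the key is not for
    client_id = claims.get("client_id")
    if client_id not in secrets or query.get("client_id") != client_id \
            or claims.get("iss") != client_id:
        raise ValueError("client_id mismatch")
    expected = hmac.new(secrets[client_id], f"{h_b64}.{c_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("aud") != AS_ISSUER or not isinstance(claims.get("exp"), int) \
            or claims["exp"] <= now:
        raise ValueError("wrong audience or expired")
    if claims.get("redirect_uri") not in REGISTERED_REDIRECT_URIS:
        raise ValueError("unregistered redirect_uri")
    # Only the signed object supplies parameters; any other query values (a
    # tampered redirect_uri or scope, for instance) are never consulted.
    return {k: claims.get(k) for k in ("client_id", "response_type", "redirect_uri", "scope", "state")}


def demo() -> Dict[str, Any]:
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://client.example.org/cb",
              "scope": "openid profile", "state": "af0ifjsldkj"}
    secrets = {CLIENT_ID: CLIENT_SECRET}
    url = build_authorization_url(sign_request_object(params, CLIENT_SECRET), CLIENT_ID)
    honest = parse_authorization_request(url, secrets)

    # Attacker edits the URL in the browser: with query serialization the code
    # would go to them; with JAR the signed value is the one the AS uses.
    tampered = url + "&" + urlencode({"redirect_uri": "https://attacker.example/cb"})
    via_tampered = parse_authorization_request(tampered, secrets)

    # Attacker builds a whole new request object: without the client's key the
    # signature check fails before redirect_uri is even looked at.
    forged = dict(params, redirect_uri="https://attacker.example/cb")
    forged_url = build_authorization_url(sign_request_object(forged, b"not-the-secret"), CLIENT_ID)
    try:
        parse_authorization_request(forged_url, secrets)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"honest": honest, "via_tampered": via_tampered, "forged_rejected": forged_rejected}
```

`demo()` runs the honest request, the same URL with a tampered `redirect_uri` appended, and a request object re-signed under the wrong key; the first two yield identical parameters and the third is rejected. The by-reference form (`request_uri`) adds fetching the object from a pre-registered location before the same verification runs.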


From nobody Thu Mar 30 13:00:16 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12CA912944B for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 13:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ptg_OIFIsWJ for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 819AD126B72 for <oauth@ietf.org>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id y18so883506itc.0 for <oauth@ietf.org>; Thu, 30 Mar 2017 13:00:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=message-id:mime-version:to:from:subject:date:importance:in-reply-to :references; bh=euUrcQqbm32pQtXySKQk58Z2RxeyU6o4hL8jJqdKKPI=; b=Bx7c1EN3IFfoGE/gxr3SxYcBeEY8vtpdQzZ5Fq4UzPtQ2S16WAOdZ2SR/Ga7zWVw2I aOVy/jn26LAQ4TGdtW94jhqgkpBE8VcYWnGvK8/vWyDfzoEkahRaN/rlGdm2WixjTi0a koaL8srN2HYQKMdAGjvtz2l0xj8d1LHWxNLJSXKtJW/G5Sn5080ODio20M4z7PRSjNpd UEjiyw7E8409L+Br1SxnJcea4TSSVOYi+XOJRiwSdO8gSQ5BUUUWXsY3pZzAHkQa29AK t00Thh1QDMvMKPiiozmf9HULQ0Xjq6+VDIq4x8I3ldU+Pbq1GZwwduLVxBmRe9kxTgBY vO9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:mime-version:to:from:subject:date :importance:in-reply-to:references; bh=euUrcQqbm32pQtXySKQk58Z2RxeyU6o4hL8jJqdKKPI=; b=UseFQV4LK35Kowb4SkAxDmQPHyUx6w/qMYpsXv/olcMEx5inykcgvPXu7RWAbZkINv i/VA0LaV+xxqNvVg+zw2B4tAJTK80MlEaYb+EvZ0kOOTZxhboV6zm7cjNrumLjSMV0Cc Kj8Wx5FnBk9S9kkSWa9dji0H4rCB//RyHHJv9JVzEjYJq6oSrGmaqhugabrtYtbj4fZ4 N14Qkyw8tdaFpAQF7ipUjHBRIkupHw8aKa2sqPU+PP+SjH2Ohl+MNivMA1BvlBE8/H3Y 3wGpI1T/iWE88nOo0z+U0ddDJbIiHzaR0uP+CbwNc2nKelUdfsleEE3d9Utf/0PMzjOm z19g==
X-Gm-Message-State: AFeK/H3mXB92JQZ7Fphinc+vVjwRscndnI6Rb97qcfDD74v5sdGvgLv2rIjVp5laYRm6yG8y
X-Received: by 10.36.204.137 with SMTP id x131mr2733188itf.35.1490904011361; Thu, 30 Mar 2017 13:00:11 -0700 (PDT)
Received: from ?IPv6:::ffff:31.133.184.100? (dhcp-b864.meeting.ietf.org. [31.133.184.100]) by smtp.gmail.com with ESMTPSA id 100sm1943159iot.39.2017.03.30.13.00.09 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Mar 2017 13:00:10 -0700 (PDT)
Message-ID: <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com>
MIME-Version: 1.0
To: IETF OAUTH <oauth@ietf.org>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 15:00:11 -0500
Importance: normal
X-Priority: 3
In-Reply-To: <149089911092.15436.12952695214868679547@ietfa.amsl.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c05bf74024147054bf82423"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-tUrNY1X9eI_tQGI8T-IGx4xHy8>
Subject: [OAUTH-WG] FW:  I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 20:00:15 -0000

--94eb2c05bf74024147054bf82423
Content-Type: multipart/alternative;
	boundary="_61F61E41-8A9A-4F78-8B62-6C9E3A2E194E_"

--_61F61E41-8A9A-4F78-8B62-6C9E3A2E194E_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Based on feeback from the IESG we have removed some of the optionality in t=
he draft.=20

It is a shorter read than draft 12.  =20

John B.

Sent from Mail for Windows 10

From: internet-drafts@ietf.org
Sent: March 30, 2017 1:38 PM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt


A New Internet-Draft is available from the on-line Internet-Drafts director=
ies.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secure=
d Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
	Filename        : draft-ietf-oauth-jwsreq-13.txt
	Pages           : 27
	Date            : 2017-03-30

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and/or encrypted with JSON Web
   Encryption (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--_61F61E41-8A9A-4F78-8B62-6C9E3A2E194E_--


--94eb2c05bf74024147054bf82423
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--94eb2c05bf74024147054bf82423--
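
The mechanism the JAR abstract above describes, as an added worked example that is not part of the announcement, the thread, or the draft's own text: the client packs its authorization parameters into a signed request object, and the authorization server verifies the signature and reads the parameters only from the verified JWT, so the integrity and source-authentication properties the abstract claims are checked in one place. Assumptions not in the original: HS256 with a per-client shared secret (the draft also allows asymmetric JWS algorithms and JWE, which standard-library code cannot do without a dependency), a constructed client registry, constructed sample claims, and a fixed list of parameters the server insists on finding inside the object. Encryption and request-by-reference (request_uri) are not shown.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed client registry (not from the draft): client_id -> shared secret
# used to sign request objects with HS256. A production AS would hold each
# client's registered JWK set and normally use an asymmetric signing key.
CLIENT_SECRETS = {
    "s6BhdRkqt3": b"constructed-client-secret-for-demo-only",
}

# Parameters the AS insists on finding inside the signed request object
# (this example's choice, not a list taken from the draft).
REQUIRED_PARAMS = ("response_type", "client_id", "redirect_uri", "state")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: serialize the authorization parameters as a compact JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_request_object(token: str, secret: bytes) -> dict:
    """AS side: verify the JWS with the client's key and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm to what is registered for the client; never let the
    # token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in request object")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(p_b64))


def build_query(params: dict) -> str:
    """Client side: encode the outer authorization request query string."""
    return urlencode(params)


def parse_authorization_request(query_string: str) -> dict:
    """AS side: return the authorization parameters of a JAR request.

    Only client_id (to find the key) and request (the JWT) are read from the
    query string. Every other parameter comes from the verified request
    object, so a query-string copy, stale or altered in transit, is ignored.
    """
    query = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    if "client_id" not in query or "request" not in query:
        raise ValueError("client_id and request are required")
    secret = CLIENT_SECRETS.get(query["client_id"])
    if secret is None:
        raise ValueError("unknown client")
    claims = verify_request_object(query["request"], secret)
    if claims.get("client_id") != query["client_id"]:
        raise ValueError("client_id inside the request object does not match")
    missing = [p for p in REQUIRED_PARAMS if p not in claims]
    if missing:
        raise ValueError("request object lacks: " + ", ".join(missing))
    return claims


def sample_claims() -> dict:
    """Constructed authorization parameters for the demo client."""
    return {
        "iss": "s6BhdRkqt3",
        "aud": "https://as.example.com",
        "response_type": "code",
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid",
        "state": "af0ifjsldkj",
        "nonce": "n-0S6_WzA2Mj",
    }


if __name__ == "__main__":
    jws = sign_request_object(sample_claims(), CLIENT_SECRETS["s6BhdRkqt3"])
    # A query-string redirect_uri that disagrees with the signed one is ignored.
    qs = build_query({"client_id": "s6BhdRkqt3",
                      "redirect_uri": "https://other.example/cb", "request": jws})
    print(parse_authorization_request(qs)["redirect_uri"])
```

Taking every parameter from the signed object rather than merging it with the query string is also the direction John Bradley describes later in the thread for draft 13: a server that merged the two sources would have two places to check and would have to decide which copy wins whenever they disagree.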


From nobody Thu Mar 30 14:16:55 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF53D124B0A for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:16:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvMS-Trwv1_c for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:16:51 -0700 (PDT)
Received: from mail-pg0-x232.google.com (mail-pg0-x232.google.com [IPv6:2607:f8b0:400e:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2690112963F for <oauth@ietf.org>; Thu, 30 Mar 2017 14:16:05 -0700 (PDT)
Received: by mail-pg0-x232.google.com with SMTP id 81so50545202pgh.2 for <oauth@ietf.org>; Thu, 30 Mar 2017 14:16:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=xUvzku3Rugi+TCkQrruUBNrOpxARAY1MT9hQw4NyQww=; b=QCz/MuuVidLzJVJ7VrBGHjXZyrRW4dV36RcpiZBTr9ZqYv7eyHY5+gEVrsoDAjCfaP I3dMm0zVuz+/Ag8UKIFEg4BPbsdAEBuG7zSpr1K59hBZOPZgprypjwhX2yXzuWcusirI fSx0IC2uzzk/fmtwax1PF3WK0a6+5gWmf5cM8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=xUvzku3Rugi+TCkQrruUBNrOpxARAY1MT9hQw4NyQww=; b=SkIWJvJgxtYSnWLE16nWjfoEvVv85u8RlWjtKvD1FxLhdHnFrif7thfjcI6v8zaLnY kQeUELLjMQmBlcr5A7KUeoyk56cOuPBQ3IW69NGMaOK2ZKoKB5GgUkJLWJYOxpiy/QqV mgQsy4A+nC6jaH/gcC2ck41CTI0q+HG25AZLXMrTlxNQ5ZWwBFNbdc3H98wJ/rIFWK6y hBA9+OawhlOR6B1Jn9ot6NV3kdf1y2WOqb9J8wtcpYqfHGq+LUYt1sor67uqR6pEPa+r kt4dutWNdX0ELlEERWRJQo7zvfhtLFF/YoBBVmvaHOvM6JhLyU7CLCX+OiBmeFEJ6wXO LzcA==
X-Gm-Message-State: AFeK/H0rGLp61is2dcyjkuDDWJWFE2nLsrYiPTPLeedwwQ0YX4/da5Ag2kBHEb/vllwOgT3GdebdmahpbymbaT8D
X-Received: by 10.99.147.68 with SMTP id w4mr1262489pgm.32.1490908564481; Thu, 30 Mar 2017 14:16:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.165.172 with HTTP; Thu, 30 Mar 2017 14:15:34 -0700 (PDT)
In-Reply-To: <CAAX2Qa1OAoY0TOPX-19XgVrxq_63GN5obbh9VB_7851YXERfXA@mail.gmail.com>
References: <149090694651.9027.6337833834024757190.idtracker@ietfa.amsl.com> <CAAX2Qa1OAoY0TOPX-19XgVrxq_63GN5obbh9VB_7851YXERfXA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 30 Mar 2017 16:15:34 -0500
Message-ID: <CA+k3eCTZ=6vG=vpL2ZR3oDMG+LJBT8xMSoTsam8fR_0bbXf6OQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=f403045d44066133e7054bf9337c
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/boHLNyIcm6OBLr7C0bTn-V2ZHDU>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-mtls-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 21:16:54 -0000

--f403045d44066133e7054bf9337c
Content-Type: text/plain; charset=UTF-8

This document, which I hope to present and discuss briefly at tomorrow's
meeting, replaces (but keeps the feature) the Mutual TLS Authentication for
OAuth Clients
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00> that
was published leading up to the Seoul meeting
<https://www.ietf.org/mail-archive/web/oauth/current/msg16704.html> and
adds mutual TLS sender constrained access to OAuth protected resources. The
concept for the latter was largely derived from one of the options in the
JPOP draft <https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04>. I
apologize for the 11th hour publication but hope some folks will have a
chance to read it.

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Thu, Mar 30, 2017 at 3:49 PM
Subject: New Version Notification for draft-campbell-oauth-mtls-00.txt
To: Brian Campbell <brian.d.campbell@gmail.com>, Nat Sakimura <n-sakimura@nri.co.jp>, Torsten Lodderstedt <torsten@lodderstedt.net>, John Bradley <ve7jtb@ve7jtb.com>



A new version of I-D, draft-campbell-oauth-mtls-00.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name:           draft-campbell-oauth-mtls
Revision:       00
Title:          Mutual TLS Profiles for OAuth Clients
Document date:  2017-03-30
Group:          Individual Submission
Pages:          10
URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-mtls-00.txt
Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-mtls/
Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-mtls-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-campbell-oauth-mtls-00


Abstract:
   This document describes Transport Layer Security (TLS) mutual
   authentication using X.509 certificates as a mechanism for both OAuth
   client authentication to the token endpoint as well as for sender
   constrained access to OAuth protected resources.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--f403045d44066133e7054bf9337c--
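
The two uses of mutual TLS named in the abstract above, as an added worked example that is not taken from the draft or from Brian Campbell's message: at the token endpoint the client is authenticated by the certificate it presented in the TLS handshake, and the access token issued there is bound to that certificate so a protected resource can refuse it over any other TLS client identity. It assumes the binding is carried as a cnf claim holding x5t#S256, the base64url SHA-256 thumbprint of the certificate's DER encoding, the form later standardized in RFC 8705; the announcement text itself does not name the claim. The certificate bytes and the client registry are constructed stand-ins, and matching clients by a registered thumbprint is this example's simplification rather than the draft's own matching rule.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (not real X.509
# data). The thumbprint is a hash over the raw DER bytes, so any distinct byte
# strings serve to demonstrate the checks.
CERT_A_DER = b"\x30\x82\x01\x00constructed-certificate-A"
CERT_B_DER = b"\x30\x82\x01\x00constructed-certificate-B"

# Constructed registry for the token endpoint: client_id -> thumbprint of the
# certificate registered for that client.
REGISTERED_CLIENTS: Dict[str, str] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER)), the value carried in cnf.x5t#S256."""
    return _b64url(hashlib.sha256(cert_der).digest())


def register_client(client_id: str, cert_der: bytes) -> None:
    REGISTERED_CLIENTS[client_id] = cert_thumbprint_s256(cert_der)


def authenticate_client(client_id: str, presented_cert_der: Optional[bytes]) -> bool:
    """Token endpoint: the client is identified by the TLS client certificate
    from the handshake, not by a secret in the request body."""
    if presented_cert_der is None or client_id not in REGISTERED_CLIENTS:
        return False
    return hmac.compare_digest(REGISTERED_CLIENTS[client_id],
                               cert_thumbprint_s256(presented_cert_der))


def issue_bound_token_claims(client_id: str, presented_cert_der: bytes, scope: str) -> dict:
    """Token endpoint: mint claims for an access token bound to the presenting
    certificate. Signing or opaque-token storage is outside this example."""
    return {
        "iss": "https://as.example.com",
        "sub": client_id,
        "scope": scope,
        "cnf": {"x5t#S256": cert_thumbprint_s256(presented_cert_der)},
    }


def check_sender_constraint(claims: dict, presented_cert_der: Optional[bytes],
                            require_binding: bool = True) -> Tuple[bool, str]:
    """Resource server: accept the token only over the certificate it is bound to.

    The claims are assumed to be already validated (signature and expiry, or
    introspection); this function checks only the proof of possession.
    """
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        # An unbound (plain bearer) token: policy decides whether that is allowed.
        return (not require_binding, "token carries no certificate binding")
    if presented_cert_der is None:
        return False, "bound token presented without a TLS client certificate"
    if not hmac.compare_digest(expected, cert_thumbprint_s256(presented_cert_der)):
        return False, "TLS client certificate does not match cnf.x5t#S256"
    return True, "ok"


if __name__ == "__main__":
    register_client("client-a", CERT_A_DER)
    token = issue_bound_token_claims("client-a", CERT_A_DER, "read")
    print(check_sender_constraint(token, CERT_A_DER))   # same certificate: accepted
    print(check_sender_constraint(token, CERT_B_DER))   # replayed elsewhere: refused
```

The resource server's check is deliberately independent of how the token was obtained: whether the token is a JWT or an opaque handle resolved through introspection, the only extra input it needs is the DER certificate of the current TLS session, and a token that was copied out of one client and presented over another connection fails the thumbprint comparison.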


From nobody Thu Mar 30 14:36:23 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55202129481 for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.797
X-Spam-Level: 
X-Spam-Status: No, score=-4.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JFe978ZdS6O for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:36:17 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0127.outbound.protection.outlook.com [104.47.33.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F15C51294FF for <oauth@ietf.org>; Thu, 30 Mar 2017 14:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=7SJN66Hg/ZdGPMHXimXFBDXHDc3JOORGD1T/YSnj9hE=; b=mIiSz8Blf5h8pBOfZHJB3bD4NsT5kP0+1DHSxVJmXpcsUZhGvyDZ/6SkNR4lzoO8LXss0sSqFnLEgQy80yR7EDkBzr3n165hIE0Jvl2HJa72sAM/SnsxEtOBHNYKX3oCGA+D37PPWuP8iA16bjTam9kcXckg+ctUWYJfG29VhHM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0501.namprd21.prod.outlook.com (10.172.122.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.0; Thu, 30 Mar 2017 21:36:15 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1019.010; Thu, 30 Mar 2017 21:36:15 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, IETF OAUTH <oauth@ietf.org>
CC: Nat Sakimura <nat@sakimura.org>
Thread-Topic: [OAUTH-WG] FW:  I-D Action: draft-ietf-oauth-jwsreq-13.txt
Thread-Index: AQHSqZBEGqiPWFQcnUep+7sdCGbmVaGt55CA
Date: Thu, 30 Mar 2017 21:36:14 +0000
Message-ID: <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com> <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com>
In-Reply-To: <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:67c:370:128:4802:3840:b14a:33b2]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0501; 7:vy++to++/Z9KDz2lY/kcyjMm9jfl5gWEKZrMuAwV/DPFGI/Qo4JeN1uvE9Nv+0ZAHPArxWzol8SkEzVl50kvuT3ZhVYALR7pVvAkbp0spEA1QpmvgtL3+ZKNXuwDrbhdT7AvqZFh+XKBiH9efeTru725NdMjzq0+h1bIn21TWvDiuJ2HrNqSRNBjwGgvbUnrO9GW5BI0mcZPQl9agT06kxmRE+llRBtlxuMAZJZnyNNu4aT4bjmna073wOXRsPDgEoqZ/ZMaOoGXUxFU6xLNxYgaGg29nEGLqR4ARACfeZHzbulzcqlFAkRBVaKitdTV9E8n5TJSqk2yQwvnMon5/4SdzzEcUVRvGOPlJNvd4YM=
x-ms-office365-filtering-correlation-id: d4c9116c-b28d-44fa-df14-08d477b4cb15
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081);  SRVR:CY4PR21MB0501; 
x-microsoft-antispam-prvs: <CY4PR21MB05012093DB87F0F8CDF4149CF5340@CY4PR21MB0501.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(156600954879566)(120809045254105)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(601004)(2401047)(8121501046)(5005006)(93006074)(93001074)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(201703131423075)(201703011903075)(201702281528075)(201703061421075)(20161123562025)(20161123564025)(20161123555025)(20161123560025)(6072148); SRVR:CY4PR21MB0501; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0501; 
x-forefront-prvs: 02622CEF0A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39850400002)(39860400002)(39840400002)(39450400003)(377424004)(377454003)(3905003)(2900100001)(236005)(606005)(53936002)(33656002)(122556002)(6436002)(7696004)(76176999)(2950100002)(54356999)(9686003)(8936002)(8676002)(6306002)(81166006)(54896002)(55016002)(99286003)(7736002)(50986999)(230783001)(2906002)(7906003)(10090500001)(5660300001)(790700001)(38730400002)(102836003)(6116002)(8990500004)(74316002)(4326008)(6506006)(5005710100001)(10290500002)(3280700002)(25786009)(53546009)(3660700001)(189998001)(229853002)(6246003)(77096006)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0501; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05049EB2094DF00A482CA03EF5340CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2017 21:36:14.8537 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0501
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xkYWeHNylaNoJp4WM7QIe3FvAFE>
Subject: Re: [OAUTH-WG] FW:  I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 21:36:21 -0000

--_000_CY4PR21MB05049EB2094DF00A482CA03EF5340CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_CY4PR21MB05049EB2094DF00A482CA03EF5340CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_CY4PR21MB05049EB2094DF00A482CA03EF5340CY4PR21MB0504namp_--


From nobody Thu Mar 30 14:44:42 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A333E129576 for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:44:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlAIqUT5fNxG for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 14:44:27 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72CE41252BA for <oauth@ietf.org>; Thu, 30 Mar 2017 14:44:13 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id f84so28509249ioj.0 for <oauth@ietf.org>; Thu, 30 Mar 2017 14:44:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0wcCnsUPLWKL1WqP+eXqnw5Oj9ymUYNC5bBpy6asYDw=; b=tCr4iBFPt/HAMeVVEstHLgIE4MLvpmYSzuP6EEd2lIESc3Imr0X12dkYQ9bRCksZ7M i1LLY7MM9RaroBoqMA3+RK3FaHHy6nhuBphDPc8OJTphuSHFSSoMN6S4C1SWeJxD6gBF 6wXOphgnSTWwyRbyk5eEGqi4qxvP5hKXXSgRUSuZyrwRyx4weQlW0b0XvJzK52dMcPRD k1DZyBuqUtp4erKPI96JWw43Sk4Y1hcfX9/PeKMALKpyltzz0G6+XgStg99u2MlwdSKQ aYU+WYctnBVJgSPn4jVIxrOHP/I4rK0XRsqwfsY/5raE3Hcro2jCnjBMVZPwGQpsDJNa 7mpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0wcCnsUPLWKL1WqP+eXqnw5Oj9ymUYNC5bBpy6asYDw=; b=dvIlx0OKTY26tAhVfMldOrmht7v4WzEzjPR/sAMF3xX2H3TO4KALWcFnGPysMThcSG VN4O73Imh1p88Zhut4Q3I8jSk1TcefavBw7oi2gnfkfMNC3koAru8Lt/pm73sSaRa5g3 2/Hs8AB+knVGEeMh6rzlFrVQME7R2SbxIDJ6+mFqFfi/SfMaoXag8g3XEeyupfqeWw6L bT3DjRj26y0pzcAtAeCQoiTHvUCDAz5NgzMDY/bh6t5VZ1ppHIeAVE7EB7iOvX36wrMp fTXWpowL3zQErcxd24xlF0WHERKf6aLLPv6TmcFmR03nqXL7rnSz01TGKkyNNEzYVuAI Co1A==
X-Gm-Message-State: AFeK/H2O2NUs5mFdNEfWlweugT1YJ1ke9GnXg17ONFhn9HUDlM3Tg3XDZutYSk0K+4P3mmdvi47kn+S0xby1gLaD
X-Received: by 10.107.135.136 with SMTP id r8mr3289500ioi.36.1490910252626; Thu, 30 Mar 2017 14:44:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.167.139 with HTTP; Thu, 30 Mar 2017 14:44:12 -0700 (PDT)
Received: by 10.107.167.139 with HTTP; Thu, 30 Mar 2017 14:44:12 -0700 (PDT)
In-Reply-To: <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com> <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com> <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 16:44:12 -0500
Message-ID: <CAANoGhLvwSrNTcA6+gXvkVPVoDwu3QHFoTsOfwV2BynVGQsk1A@mail.gmail.com>
To: Michael Jones <Michael.Jones@microsoft.com>
Cc: Nat Sakimura <nat@sakimura.org>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a113ec77c049ef4054bf998f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Uke1nxRlgx62EJLevZgpWCz_UwY>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 21:44:35 -0000

--001a113ec77c049ef4054bf998f4
Content-Type: multipart/alternative; boundary=001a113ec77c0046ea054bf99868

--001a113ec77c0046ea054bf99868
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

The intent of the change is to only allow the parameters to be in the
signed object if a signed object is used.

This requires state, nonce, etc. to be in the JWT.  Only one place to check
will hopefully reduce implementation errors.

This also allows us to remove the caching text as we now have one JWT per
request, so caching won't happen.

John B.



On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

> I **believe** the intent is that **all** parameters must be in the
> request object, but the spec doesn’t actually say that, as far as I can
> tell.  Or maybe the intent is that parameters must not be duplicated
> between the query parameters and the request object.
>
>
>
> One or the other of these statements should be explicitly included in the
> specification.  Of course, I could have missed the statement I’m asking for
> in my review, in which case please let me know what I missed.
>
>
>
>                                                        Thanks,
>
>                                                       -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Thursday, March 30, 2017 3:00 PM
> *To:* IETF OAUTH <oauth@ietf.org>
> *Subject:* [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> Based on feeback from the IESG we have removed some of the optionality in
> the draft.
>
>
>
> It is a shorter read than draft 12.
>
>
>
> John B.
>
>
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
> *From: *internet-drafts@ietf.org
> *Sent: *March 30, 2017 1:38 PM
> *To: *i-d-announce@ietf.org
> *Cc: *oauth@ietf.org
> *Subject: *[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>
>
>         Title           : The OAuth 2.0 Authorization Framework: JWT
> Secured Authorization Request (JAR)
>
>         Authors         : Nat Sakimura
>
>                           John Bradley
>
>            Filename        : draft-ietf-oauth-jwsreq-13.txt
>
>            Pages           : 27
>
>            Date            : 2017-03-30
>
>
>
> Abstract:
>
>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>
>    query parameter serialization, which means that Authorization Request
>
>    parameters are encoded in the URI of the request and sent through
>
>   user agents such as web browsers.  While it is easy to implement, it
>
>    means that (a) the communication through the user agents are not
>
>    integrity protected and thus the parameters can be tainted, and (b)
>
>    the source of the communication is not authenticated.  Because of
>
>    these weaknesses, several attacks to the protocol have now been put
>
>    forward.
>
>
>
>    This document introduces the ability to send request parameters in a
>
>    JSON Web Token (JWT) instead, which allows the request to be signed
>
>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>
>    Encryption (JWE) so that the integrity, source authentication and
>
>    confidentiality property of the Authorization Request is attained.
>
>    The request can be sent by value or by reference.
>
>
>
>
>
> The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
>
>
> There are also htmlized versions available at:
>
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>
>
>
> A diff from the previous version is available at:
>
> https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
>
> until the htmlized version and diff are available at tools.ietf.org.
>
>
>
> Internet-Drafts are also available by anonymous FTP at:
>
> ftp://ftp.ietf.org/internet-drafts/
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

--001a113ec77c0046ea054bf99868--

--001a113ec77c049ef4054bf998f4
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--001a113ec77c049ef4054bf998f4--
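The rule John describes for draft-13 (when a signed request object is used, parameters other than request/request_uri live only in the JWT, state and nonce included) and Nat's later note (JAR-honoring servers ignore duplicate query parameters, pre-JAR servers ignore request/request_uri) can be written down as an authorization server's parameter-resolution step. The following is an added illustration for this archive, not code from the draft or from any poster; the required-claim list, parameter names and sample request are constructed, and signature/decryption checks on the JWT are assumed to have happened upstream.

```python
from dataclasses import dataclass, field

# Query parameters that merely carry the request object; they are the only
# ones that legitimately remain in the query string when a JWT is used.
CARRIER_PARAMS = frozenset({"request", "request_uri"})

# Constructed minimal list of parameters this hypothetical server insists on
# finding inside the JWT. Per John's note, state and nonce belong here.
REQUIRED_IN_JWT = frozenset(
    {"client_id", "response_type", "redirect_uri", "state", "nonce"}
)


@dataclass
class Resolution:
    """Effective parameters plus what was dropped or looked suspicious."""
    params: dict
    ignored: dict = field(default_factory=dict)     # query duplicates shadowed by the JWT
    mismatched: dict = field(default_factory=dict)  # name -> (query value, JWT value)
    errors: list = field(default_factory=list)


def resolve_authz_params(query, request_object_claims, jar_supported=True):
    """Pick the authorization parameters the AS should act on.

    query: query-string parameters as received through the user agent.
    request_object_claims: claims of the request object after signature and,
        if encrypted, decryption checks done upstream; None when the client
        sent no request object.
    jar_supported: False models a pre-JAR server, which (per Nat's note) just
        ignores request/request_uri and uses the query as in RFC 6749.
    """
    if not jar_supported:
        return Resolution(
            params={k: v for k, v in query.items() if k not in CARRIER_PARAMS}
        )
    if request_object_claims is None:
        # Plain RFC 6749 request: nothing signed, the query is all we have.
        return Resolution(params=dict(query))

    res = Resolution(params=dict(request_object_claims))
    for name, value in query.items():
        if name in CARRIER_PARAMS:
            continue
        # Draft-13 rule: with a signed object in play, parameters outside it
        # are not used. Record them; a value that disagrees with the signed
        # copy is the "tainted through the user agent" case the abstract
        # warns about and is worth logging at the AS.
        res.ignored[name] = value
        if name in request_object_claims and request_object_claims[name] != value:
            res.mismatched[name] = (value, request_object_claims[name])

    missing = REQUIRED_IN_JWT - set(request_object_claims)
    if missing:
        res.errors.append(
            "missing from request object: " + ", ".join(sorted(missing))
        )
    return res


if __name__ == "__main__":
    # Constructed sample: the client duplicated client_id and response_type in
    # the query (OpenID Connect style) and state arrived altered in transit.
    QUERY = {"client_id": "client-42", "response_type": "code",
             "state": "altered", "request": "<signed JWT, verified upstream>"}
    CLAIMS = {"iss": "client-42", "aud": "https://as.example",
              "client_id": "client-42", "response_type": "code",
              "redirect_uri": "https://client.example/cb",
              "state": "xyz123", "nonce": "n-0S6", "scope": "openid"}
    r = resolve_authz_params(QUERY, CLAIMS)
    print("effective:", r.params)
    print("ignored query duplicates:", r.ignored)
    print("mismatches worth logging:", r.mismatched)
    print("errors:", r.errors)
```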


From nobody Thu Mar 30 14:47:47 2017
Return-Path: <Michael.Jones@microsoft.com>
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>
CC: Nat Sakimura <nat@sakimura.org>, IETF oauth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
Date: Thu, 30 Mar 2017 21:47:36 +0000
Message-ID: <CY4PR21MB050463909C8401C981362218F5340@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com> <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com> <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com> <CAANoGhLvwSrNTcA6+gXvkVPVoDwu3QHFoTsOfwV2BynVGQsk1A@mail.gmail.com>
In-Reply-To: <CAANoGhLvwSrNTcA6+gXvkVPVoDwu3QHFoTsOfwV2BynVGQsk1A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050463909C8401C981362218F5340CY4PR21MB0504namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_849hCndFr3lidkKAGUj1WOWXXk>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt

--_000_CY4PR21MB050463909C8401C981362218F5340CY4PR21MB0504namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050463909C8401C981362218F5340CY4PR21MB0504namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_CY4PR21MB050463909C8401C981362218F5340CY4PR21MB0504namp_--


From nobody Thu Mar 30 15:33:41 2017
Return-Path: <nat@sakimura.org>
In-Reply-To: <CY4PR21MB050463909C8401C981362218F5340@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com> <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com> <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com> <CAANoGhLvwSrNTcA6+gXvkVPVoDwu3QHFoTsOfwV2BynVGQsk1A@mail.gmail.com> <CY4PR21MB050463909C8401C981362218F5340@CY4PR21MB0504.namprd21.prod.outlook.com>
Thread-Topic: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
User-Agent: Type for Android
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----04IWH1RJCN36T4FLPNXQFPDYNFHQN8"
Content-Transfer-Encoding: 7bit
From: Nat Sakimura <nat@sakimura.org>
Date: Thu, 30 Mar 2017 17:33:07 -0500
To: Mike Jones <Michael.Jones@microsoft.com>
CC: John Bradley <ve7jtb@ve7jtb.com>, IETF oauth WG <oauth@ietf.org>
Message-ID: <0b598482-d9d1-4a8f-8616-b19d1a3b3084@typeapp.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mt5-KBVTf51W4a_DX5BUDdJl1Cw>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt

------04IWH1RJCN36T4FLPNXQFPDYNFHQN8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
 charset=UTF-8

Not right now.

As of this writing, a client can still send duplicate parameters in the query but they get ignored by the servers honoring OAuth JAR. So, it is backwards compatible with OpenID Connect in that sense (OpenID Connect sends duplicate mandatory RFC6749 parameters as the query parameters as well just to be compliant with RFC6749). Conversely, servers that do not support OAuth JAR will ignore request_uri etc.

On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>Is there a clear statement somewhere along the lines of “parameters
>(other than “request” or “request_uri”) are only allowed to be in the
>signed object if a signed object is used”?  That’s the kind of thing I
>was looking for and didn’t find.
>
>                                                       -- Mike
>
>From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>Sent: Thursday, March 30, 2017 4:44 PM
>To: Mike Jones <Michael.Jones@microsoft.com>
>Cc: Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
>Subject: RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>The intent of the change is to only allow the parameters to be in the
>signed object if a signed object is used.
>
>This requires State, nonce etc to be in the JWT.  Only one place to
>check will hopefully reduce implementation errors.
>
>This also allows us to remove the caching text as we now have one JWT
>per request, so caching won't happen.
>
>John B.
>
>On Mar 30, 2017 4:36 PM, "Mike Jones"
><Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
>wrote:
>I *believe* the intent is that *all* parameters must be in the request
>object, but the spec doesn’t actually say that, as far as I can tell.
>Or maybe the intent is that parameters must not be duplicated between
>the query parameters and the request object.
>
>One or the other of these statements should be explicitly included in
>the specification.  Of course, I could have missed the statement I’m
>asking for in my review, in which case please let me know what I
>missed.
>
>                                                       Thanks,
>                                                      -- Mike
>
>From: OAuth
>[mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On
>Behalf Of John Bradley
>Sent: Thursday, March 30, 2017 3:00 PM
>To: IETF OAUTH <oauth@ietf.org<mailto:oauth@ietf.org>>
>Subject: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>Based on feedback from the IESG we have removed some of the optionality
>in the draft.
>
>It is a shorter read than draft 12.
>
>John B.
>
>Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for
>Windows 10
>
>From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
>Sent: March 30, 2017 1:38 PM
>To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
>Cc: oauth@ietf.org<mailto:oauth@ietf.org>
>Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
>This draft is a work item of the Web Authorization Protocol of the
>IETF.
>
>        Title           : The OAuth 2.0 Authorization Framework: JWT
>                          Secured Authorization Request (JAR)
>        Authors         : Nat Sakimura
>                          John Bradley
>        Filename        : draft-ietf-oauth-jwsreq-13.txt
>        Pages           : 27
>        Date            : 2017-03-30
>
>Abstract:
>   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>   query parameter serialization, which means that Authorization Request
>   parameters are encoded in the URI of the request and sent through
>   user agents such as web browsers.  While it is easy to implement, it
>   means that (a) the communication through the user agents are not
>   integrity protected and thus the parameters can be tainted, and (b)
>   the source of the communication is not authenticated.  Because of
>   these weaknesses, several attacks to the protocol have now been put
>   forward.
>
>   This document introduces the ability to send request parameters in a
>   JSON Web Token (JWT) instead, which allows the request to be signed
>   with JSON Web Signature (JWS) and/or encrypted with JSON Web
>   Encryption (JWE) so that the integrity, source authentication and
>   confidentiality property of the Authorization Request is attained.
>   The request can be sent by value or by reference.
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
>There are also htmlized versions available at:
>https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>
>A diff from the previous version is available at:
>https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>
>
>Please note that it may take a couple of minutes from the time of
>submission until the htmlized version and diff are available at
>tools.ietf.org<http://tools.ietf.org>.
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org<mailto:OAuth@ietf.org>
>https://www.ietf.org/mailman/listinfo/oauth

------04IWH1RJCN36T4FLPNXQFPDYNFHQN8--
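The handling Nat and John describe above (a server honoring JAR takes every parameter from the signed request object and ignores duplicates the client also put in the query) as an added Python example; this is not code from the draft or its authors, and the HS256 shared key, the `_b64url` helpers and the sample parameter values are constructed for the demo.

```python
"""Resolve an OAuth 2.0 authorization request that carries a JAR request object.

When a signed request object is present, the authorization server reads *every*
parameter from the JWT ("only one place to check") and ignores whatever a client,
e.g. an OpenID Connect client, duplicated in the query string.  Without a request
object the plain RFC 6749 query parameters are used.  HS256 with a shared key is a
constructed stand-in for the client's real signing key; the draft fixes no algorithm.
"""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed for this example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Client side: wrap the authorization parameters in a compact JWS (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_request_object(token: str, key: bytes = DEMO_KEY) -> dict:
    """Server side: verify the JWS and return its claims.

    The expected algorithm is pinned by the server, never taken from the token,
    and the MAC is compared in constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("request object is not a compact JWS") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in request object")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def resolve_authorization_request(query: dict, key: bytes = DEMO_KEY) -> tuple:
    """Return (effective_params, ignored_query_params) for one authorization request.

    With a request object present, only the JWT claims become the effective
    parameters; every other query parameter is a duplicate and is ignored (but
    reported, so the server can log what the client sent outside the signed object).
    """
    if "request_uri" in query:
        raise NotImplementedError("by-reference request objects are not fetched in this demo")
    if "request" not in query:
        # Plain RFC 6749 request: the query string is the only source of parameters.
        return dict(query), []
    params = verify_request_object(query["request"], key)
    ignored = sorted(k for k in query if k != "request")
    return params, ignored


if __name__ == "__main__":
    # Constructed OpenID Connect style request: mandatory RFC 6749 parameters are
    # duplicated in the query, and the query copy of "state" even disagrees.
    token = sign_request_object({"response_type": "code", "client_id": "s6BhdRkqt3",
                                 "redirect_uri": "https://client.example.org/cb",
                                 "state": "jwt-state", "nonce": "n-0S6_WzA2Mj"})
    query = {"response_type": "code", "client_id": "s6BhdRkqt3",
             "state": "query-state", "request": token}
    effective, ignored = resolve_authorization_request(query)
    print("effective:", effective)   # state comes from the JWT: "jwt-state"
    print("ignored query params:", ignored)
```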


From nobody Thu Mar 30 17:05:34 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F4812869B for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 17:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ZKb-W1rNXmQ for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 17:05:15 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61A83129648 for <oauth@ietf.org>; Thu, 30 Mar 2017 17:05:13 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id b140so30284231iof.1 for <oauth@ietf.org>; Thu, 30 Mar 2017 17:05:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=egy18EATFe4BYdcGNs0xNfKcRzCYjtRE4qOpUBF/vmA=; b=pI70F4Tp/iReHH0BkAuzqycGRbi9XCQodQqoPErXGhDj9xArNk/3hu9Y9fCv5lymaz Yl2mg5C52g/O0HyEt0cPt5SshGYl9Vt0/rbsTUd2x/Wp4V50raaK9H20RkN1wD2NoUdY cQQhC1xD6S9uokwtjEZw4jxLov1HC9rRiOcZ0ZDs05UJoTsRHIod7CmKZG6ieEeydxjm DGqQJKpRV9XS7m3BibMfKUbz9ZIGxNqKqxj64+/Z4CGZ8l4/FKj0jNDIYSczlSu0NyZd 9OgjYCtYU0F6xUSkeaYvKTG66mggVvBZml0IyW+rG9PID+5ktRhEuHrHzJm7LMOBgWav I0qQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=egy18EATFe4BYdcGNs0xNfKcRzCYjtRE4qOpUBF/vmA=; b=SvS/udbpU2LthqMzgfjtfktOmJZic9IunR8naCMfVzo9lvzLJ7FX7wG8MCU+ht8pM6 OCBA0M5Tsdk6loMF+HXw7b8jfQCb4y+bHD2soUI+C7Be3wTV/O99heVYPxOEPaAvOFUX m0qrdlR9R/2lJWwx1EF+fFR2CGUVW/mU89fRfRqUhsitakRrnH8Xrd2XV/kk1WhTIrmy eMiM9IDu16IjJU9JkiRx6qAg0hypm6M/IuUheZ4yBvbWqR8vZqb9JyDribhmX7sqHciF igv3wY0oRzScJCrPmy+tcX+sBtvOqgrJQ8quzQDnWm+bBDpxZ/oa8W5kwvSHjIEXlv6p gVpw==
X-Gm-Message-State: AFeK/H1FZ/dOPAzlgT0V4Xz3smlXTGnJ0/eZbpot2j1F/UVnsF7ZumvTB0N/bfJ6aOe67c5XD55/1PCV4rfKSbKJ
X-Received: by 10.107.135.136 with SMTP id r8mr241168ioi.36.1490918712473; Thu, 30 Mar 2017 17:05:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.167.139 with HTTP; Thu, 30 Mar 2017 17:05:12 -0700 (PDT)
Received: by 10.107.167.139 with HTTP; Thu, 30 Mar 2017 17:05:12 -0700 (PDT)
In-Reply-To: <0b598482-d9d1-4a8f-8616-b19d1a3b3084@typeapp.com>
References: <149089911092.15436.12952695214868679547@ietfa.amsl.com> <58dd63ca.e7136b0a.5e8ec.8d9e@mx.google.com> <CY4PR21MB05049EB2094DF00A482CA03EF5340@CY4PR21MB0504.namprd21.prod.outlook.com> <CAANoGhLvwSrNTcA6+gXvkVPVoDwu3QHFoTsOfwV2BynVGQsk1A@mail.gmail.com> <CY4PR21MB050463909C8401C981362218F5340@CY4PR21MB0504.namprd21.prod.outlook.com> <0b598482-d9d1-4a8f-8616-b19d1a3b3084@typeapp.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 19:05:12 -0500
Message-ID: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com>
To: Nat Sakimura <nat@sakimura.org>
Cc: Mike Jones <Michael.Jones@microsoft.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a113ec77c441905054bfb90b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_1eDbE-QW0xm8trYX0YNBg8utRM>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 00:05:19 -0000

--001a113ec77c441905054bfb90b6
Content-Type: multipart/alternative; boundary=001a113ec77c3f278f054bfb905b

--001a113ec77c3f278f054bfb905b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

So I think we need to make the must-ignore rule clearer for the additional
parameters on the authorization endpoint.

On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:

> Not right now.
>
> As of this writing, a client can still send duplicate parameters in the
> query but they get ignored by the servers honoring OAuth JAR. So, it is
> backwards compatible with OpenID Connect in that sense (OpenID Connect
> sends duplicate mandatory RFC6749 parameters as the query parameters as well
> just to be compliant to RFC6749). Conversely, servers that do not support
> OAuth JAR will ignore request_uri etc.
> On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>>
>> Is there a clear statement somewhere along the lines of “parameters
>> (other than “request” or “request_uri”) are only allowed to be in the
>> signed object if a signed object is used”?  That’s the kind of thing I
>> was looking for and didn’t find.
>>
>>
>>
>>                                                        -- Mike
>>
>> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
>> *Sent:* Thursday, March 30, 2017 4:44 PM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
>> *Subject:* RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>>
>>
>> The intent of the change is to only allow the parameters to be in the
>> signed object if a signed object is used.
>>
>> This requires State, nonce etc to be in the JWT.  Only one place to check
>> will hopefully reduce implementation errors.
>>
>> This also allows us to remove the caching text as we now have one JWT per
>> request, so caching won't happen.
>>
>>
>>
>> John B.
>>
>> On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com>
>> wrote:
>>
>> I **believe** the intent is that **all** parameters must be in the
>> request object, but the spec doesn’t actually say that, as far as I can
>> tell.  Or maybe the intent is that parameters must not be duplicated
>> between the query parameters and the request object.
>>
>> One or the other of these statements should be explicitly included in the
>> specification.  Of course, I could have missed the statement I’m asking for
>> in my review, in which case please let me know what I missed.
>>
>>
>>
>>                                                        Thanks,
>>
>>                                                       -- Mike
>>
>>
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
>> *Sent:* Thursday, March 30, 2017 3:00 PM
>> *To:* IETF OAUTH <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> Based on feedback from the IESG we have removed some of the optionality in
>> the draft.
>>
>> It is a shorter read than draft 12.
>>
>>
>>
>> John B.
>>
>>
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>>
>>
>> *From: *internet-drafts@ietf.org
>> *Sent: *March 30, 2017 1:38 PM
>> *To: *i-d-announce@ietf.org
>> *Cc: *oauth@ietf.org
>> *Subject: *[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>>
>>
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>
>>
>>         Title           : The OAuth 2.0 Authorization Framework: JWT
>> Secured Authorization Request (JAR)
>>
>>         Authors         : Nat Sakimura
>>
>>                           John Bradley
>>
>>            Filename        : draft-ietf-oauth-jwsreq-13.txt
>>
>>            Pages           : 27
>>
>>            Date            : 2017-03-30
>>
>>
>>
>> Abstract:
>>
>>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>>    query parameter serialization, which means that Authorization Request
>>    parameters are encoded in the URI of the request and sent through
>>    user agents such as web browsers.  While it is easy to implement, it
>>    means that (a) the communication through the user agents is not
>>    integrity protected and thus the parameters can be tainted, and (b)
>>    the source of the communication is not authenticated.  Because of
>>    these weaknesses, several attacks on the protocol have now been put
>>    forward.
>>
>>    This document introduces the ability to send request parameters in a
>>    JSON Web Token (JWT) instead, which allows the request to be signed
>>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>>    Encryption (JWE) so that the integrity, source authentication and
>>    confidentiality property of the Authorization Request is attained.
>>    The request can be sent by value or by reference.
>>
>> The IETF datatracker status page for this draft is:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>
>>
>>
>> There are also htmlized versions available at:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>>
>>
>>
>> A diff from the previous version is available at:
>>
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>>
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>>
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>>
>>
>> Internet-Drafts are also available by anonymous FTP at:
>>
>> ftp://ftp.ietf.org/internet-drafts/
>>
>>
>>
>> _______________________________________________
>>
>> OAuth mailing list
>>
>> OAuth@ietf.org
>>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>

--001a113ec77c3f278f054bfb905b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">So I think we need to make the must ignore clearer for th=
e additional paramaters on the authorization endpoint. =C2=A0</div><div cla=
ss=3D"gmail_extra"><br><div class=3D"gmail_quote">On Mar 30, 2017 17:33, &q=
uot;Nat Sakimura&quot; &lt;<a href=3D"mailto:nat@sakimura.org">nat@sakimura=
.org</a>&gt; wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
<div><div dir=3D"auto">Not right now. <br><br></div>
<div dir=3D"auto">As of this writing, a client can still send duplicate par=
ameters in the query but they get ignored by the servers honoring OAuth JAR=
. So, it is backwards compatible with OpenID Connect in that sense (OpenID =
Connect sends duplicate manatory RFC6749 parameters as the query parameters=
 as well just to be compliant to RFC6749). Conversely, servers that do not =
support OAuth JAR will ignore request_uri etc. </div>
<div class=3D"gmail_quote">On Mar 30, 2017, at 4:47 PM, Mike Jones &lt;<a h=
ref=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@=
microsoft.com</a>&gt; wrote:<blockquote class=3D"gmail_quote" style=3D"marg=
in:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1e=
x">
<div class=3D"m_5373696844051186387WordSection1">=20
 <p class=3D"MsoNormal"><span style=3D"color:#002060">Is there a clear stat=
ement somewhere along the lines of =E2=80=9C</span>parameters (other than =
=E2=80=9Crequest=E2=80=9D or =E2=80=9Crequest_uri=E2=80=9D) are only allowe=
d to be in the signed object if a signed object is used<span style=3D"color=
:#002060">=E2=80=9D?=C2=A0 That=E2=80=99s the kind of thing I was looking f=
or and didn=E2=80=99t find.
   </span></p><p></p><p></p>=20
 <p class=3D"MsoNormal"><span style=3D"color:#002060">
   </span></p><p>
    =C2=A0
   </p><p></p>=20
 <p class=3D"MsoNormal"><span style=3D"color:#002060">=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 -- Mike
   </span></p><p></p><p></p>=20
 <p class=3D"MsoNormal"><a name=3D"m_5373696844051186387__MailEndCompose"><=
span style=3D"color:#002060">
    </span></a></p><p></p><p></p>=20
 <span></span>=20
 <p class=3D"MsoNormal"><b>From:</b> John Bradley [mailto:<a href=3D"mailto=
:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>] <br> <b>Sent:<=
/b> Thursday, March 30, 2017 4:44 PM<br> <b>To:</b> Mike Jones &lt;<a href=
=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@mic=
rosoft.com</a>&gt;<br> <b>Cc:</b> Nat Sakimura &lt;<a href=3D"mailto:nat@sa=
kimura.org" target=3D"_blank">nat@sakimura.org</a>&gt;; IETF oauth WG &lt;<=
a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<b=
r> <b>Subject:</b> RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-1=
3.txt
  </p><p></p>=20
 <p class=3D"MsoNormal">
  </p><p>
   =C2=A0
  </p>=20
 <div>=20
  <p class=3D"MsoNormal">The intent of the change is to only allow the para=
meters to be in the signed object if a signed object is used. =C2=A0
   </p><p></p>=20
  <div>=20
   <p class=3D"MsoNormal">
    </p><p>
     =C2=A0
    </p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">This requires state, nonce etc. to be in the JWT.=
=C2=A0 Only one place to check will hopefully reduce implementation errors.=
 =C2=A0
    </p><p></p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">
    </p><p>
     =C2=A0
    </p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">This also allows us to remove the caching text as=
 we now have one JWT per request, so caching won&#39;t happen. =C2=A0=C2=A0
    </p><p></p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">
    </p><p>
     =C2=A0
    </p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">John B. =C2=A0
    </p><p></p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">
    </p><p>
     =C2=A0
    </p>=20
  </div>=20
  <div>=20
   <p class=3D"MsoNormal">
    </p><p>
     =C2=A0
    </p>=20
  </div>=20
 </div>=20
 <div>=20
  <p class=3D"MsoNormal">
   </p><p>
    =C2=A0
   </p>=20
  <div>=20
   <p class=3D"MsoNormal">On Mar 30, 2017 4:36 PM, &quot;Mike Jones&quot; &=
lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael=
.Jones@microsoft.com</a>&gt; wrote:
    </p><p></p>=20
   <blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding=
:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">=20
    <div>=20
     <div>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">I *<b>believe</b=
>* the intent is that *<b>all</b>* parameters must be in the request object=
, but the spec doesn=E2=80=99t actually say that, as far as I can tell.=C2=
=A0 Or maybe the intent is that parameters must not be duplicated between t=
he query parameters and the request object.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">One or the other=
 of these statements should be explicitly included in the specification.=C2=
=A0 Of course, I could have missed the statement I=E2=80=99m asking for in =
my review, in which case please let me know what I missed.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">Thanks,</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span style=3D"color:#002060">-- Mike</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><a name=3D"m_5373696844051186387_m_32642583695=
73027541__MailEndCompose"><span style=3D"color:#002060">=C2=A0</span></a>
       </p><p></p>=20
      <div>=20
       <div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0=
pt 0in 0in 0in">=20
        <p class=3D"MsoNormal"><b>From:</b> OAuth [mailto:<a href=3D"mailto=
:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.org</a><wbr>]=
 <b>On Behalf Of </b>John Bradley<br> <b>Sent:</b> Thursday, March 30, 2017=
 3:00 PM<br> <b>To:</b> IETF OAUTH &lt;<a href=3D"mailto:oauth@ietf.org" ta=
rget=3D"_blank">oauth@ietf.org</a>&gt;<br> <b>Subject:</b> [OAUTH-WG] FW: I=
-D Action: draft-ietf-oauth-jwsreq-13.txt
         </p><p></p>=20
       </div>=20
      </div>=20
      <p class=3D"MsoNormal">=C2=A0
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">Based on feedback from=
 the IESG we have removed some of the optionality in the draft. </span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">It is a shorter read than=
 draft 12.=C2=A0=C2=A0 </span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">John B.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">Sent from <a href=3D"http=
s://go.microsoft.com/fwlink/?LinkId=3D550986" target=3D"_blank">Mail</a> fo=
r Windows 10</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0p=
t 0in 0in 0in">=20
       <p class=3D"MsoNormal"><b><span lang=3D"EN-CA">From: </span></b><spa=
n lang=3D"EN-CA"><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_bla=
nk">internet-drafts@ietf.org</a><br> <b>Sent: </b>March 30, 2017 1:38 PM<br=
> <b>To: </b><a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d=
-announce@ietf.org</a><br> <b>Cc: </b><a href=3D"mailto:oauth@ietf.org" tar=
get=3D"_blank">oauth@ietf.org</a><br> <b>Subject: </b>[OAUTH-WG] I-D Action=
: draft-ietf-oauth-jwsreq-13.txt</span>
        </p><p></p>=20
      </div>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">A New Internet-Draft is a=
vailable from the on-line Internet-Drafts directories.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">This draft is a work item=
 of the Web Authorization Protocol of the IETF.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 Title=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 : The OAuth 2.0 Authorization Framework: JWT Secured Authorizatio=
n Request (JAR)</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 Authors=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =
: Nat Sakimura</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 John Bradley</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Filename=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 : draft-ietf-oauth-jwsreq-13.txt</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Pages=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 : 27</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Date=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 : 2017-03-30</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">Abstract:</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 The authoriz=
ation request in OAuth 2.0 described in RFC 6749 utilizes</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 query parame=
ter serialization, which means that Authorization Request</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 parameters a=
re encoded in the URI of the request and sent through</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0user agents s=
uch as web browsers.=C2=A0 While it is easy to implement, it</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 means that (=
a) the communication through the user agents are not</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 integrity pr=
otected and thus the parameters can be tainted, and (b)</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 the source o=
f the communication is not authenticated.=C2=A0 Because of</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 these weakne=
sses, several attacks to the protocol have now been put</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 forward.</sp=
an>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 This documen=
t introduces the ability to send request parameters in a</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 JSON Web Tok=
en (JWT) instead, which allows the request to be signed</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 with JSON We=
b Signature (JWS) and/or encrypted with JSON Web</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 Encryption (=
JWE) so that the integrity, source authentication and</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 confidential=
ity property of the Authorization Request is attained.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0=C2=A0 The request =
can be sent by value or by reference.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">The IETF datatracker stat=
us page for this draft is:</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"https://datatr=
acker.ietf.org/doc/draft-ietf-oauth-jwsreq/" target=3D"_blank">https://data=
tracker.ietf.org/<wbr>doc/draft-ietf-oauth-jwsreq/</a></span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">There are also htmlized v=
ersions available at:</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"https://tools.=
ietf.org/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://tools.i=
etf.org/html/<wbr>draft-ietf-oauth-jwsreq-13</a></span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"https://datatr=
acker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https=
://datatracker.ietf.org/<wbr>doc/html/draft-ietf-oauth-<wbr>jwsreq-13</a></=
span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">A diff from the previous =
version is available at:</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"https://www.ie=
tf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13" target=3D"_blank">https:/=
/www.ietf.org/rfcdiff?<wbr>url2=3Ddraft-ietf-oauth-jwsreq-<wbr>13</a></span=
>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">Please note that it may t=
ake a couple of minutes from the time of submission</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">until the htmlized versio=
n and diff are available at <a href=3D"http://tools.ietf.org" target=3D"_bl=
ank">tools.ietf.org</a>.</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">Internet-Drafts are also =
available by anonymous FTP at:</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"ftp://ftp.ietf=
.org/internet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/internet-<wbr>d=
rafts/</a></span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">_________________________=
_____<wbr>_________________</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">OAuth mailing list</span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"mailto:OAuth@i=
etf.org" target=3D"_blank">OAuth@ietf.org</a></span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA"><a href=3D"https://www.ie=
tf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.ietf.org/mailm=
an/<wbr>listinfo/oauth</a></span>
       </p><p></p>=20
      <p class=3D"MsoNormal"><span lang=3D"EN-CA">=C2=A0</span>
       </p><p></p>=20
     </div>=20
    </div>=20
   </blockquote>=20
  </div>=20
 </div>=20
</div></blockquote></div></div></blockquote></div></div>

--001a113ec77c3f278f054bfb905b--

--001a113ec77c441905054bfb90b6
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--001a113ec77c441905054bfb90b6--
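The parameter-handling rule discussed in the thread above (parameters belong in the signed request object; the duplicates a Connect client still sends as query parameters are ignored by a server honoring JAR), as an added example that is not code from the draft or from any of the thread's authors: a minimal server-side resolution step that verifies the request object and reports, or in strict mode refuses, any parameter sent only outside the object. It assumes an HS256 request object over a shared client secret and treats client_id and response_type as the permitted RFC 6749 duplicates; the secret and all claim values are constructed.

```python
"""Added example (not the draft's or the thread authors' code): how an
authorization server honoring JAR might resolve an incoming request.

Rule followed: every parameter is taken from the signed request object;
query parameters are ignored (a Connect client still duplicates the
mandatory RFC 6749 ones for compliance).  A parameter sent *only* in the
query is reported as dropped, or refused in strict mode, so it is never
lost silently.  Assumptions: the object is an HS256 JWS over a shared
client secret, client_id / response_type are the permitted duplicates,
and request_uri (request by reference) is not fetched here.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qsl

# Assumed exemption set: JAR transport parameters plus the RFC 6749
# parameters a Connect client repeats as query parameters.
OUTSIDE_ALLOWED = {"request", "request_uri", "client_id", "response_type"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: wrap the authorization request claims in a compact JWS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"


def verify_request_object(token: str, secret: bytes) -> dict:
    """Server side: return the claims only if the HS256 signature checks out.

    Any other alg (including "none") and any tampering raise ValueError.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg in request object")
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def merge_authorization_request(query_string: str, secret: bytes,
                                strict: bool = False):
    """Resolve the effective authorization request.

    Returns (effective_params, dropped_query_params).  The effective
    parameters are exactly the claims of the verified request object.
    Query parameters outside OUTSIDE_ALLOWED that do not also appear in the
    object (e.g. a state or nonce the client forgot to put inside) are
    listed as dropped, or cause a ValueError when strict=True.
    """
    query = dict(parse_qsl(query_string))
    if "request" not in query:
        raise ValueError("no request object: this server requires JAR")
    claims = verify_request_object(query["request"], secret)
    dropped = sorted(
        name for name in query
        if name not in OUTSIDE_ALLOWED and name not in claims
    )
    if strict and dropped:
        raise ValueError("parameters sent only outside the request object: "
                         + ", ".join(dropped))
    # A permitted duplicate must agree with the object; a mismatch means
    # the query string was altered or the client is misconfigured.
    for name in ("client_id", "response_type"):
        if name in query and name in claims and query[name] != claims[name]:
            raise ValueError(f"{name} in query differs from request object")
    return dict(claims), dropped
```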


From nobody Thu Mar 30 19:57:47 2017
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E10D129781 for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 19:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.897
X-Spam-Level: 
X-Spam-Status: No, score=-0.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, HTML_NONELEMENT_30_40=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xzj07y_iL8eG for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 19:57:40 -0700 (PDT)
Received: from mail-wr0-x236.google.com (mail-wr0-x236.google.com [IPv6:2a00:1450:400c:c0c::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25EDA129704 for <oauth@ietf.org>; Thu, 30 Mar 2017 19:57:40 -0700 (PDT)
Received: by mail-wr0-x236.google.com with SMTP id k6so80568589wre.2 for <oauth@ietf.org>; Thu, 30 Mar 2017 19:57:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=date:subject:message-id:references:from:to:cc:mime-version :content-transfer-encoding; bh=gwrsLsDnuJaOvTGQuho5/I+v0jDXMJkzHB9JI02OZmE=; b=o476jlW4ijcYIKQRNj4k3W36AfuINXMxd3b+12+uiPW2Ps3Gk/5SsDvFZI8ILg0t7A 2JFVfimg2ZDS9pQJ8Wuq5NMB+L0fSYzxrMF7bPRipd9I3rP0BK8VHOXsotg3x3NVk09Y LryGt2H2EuYkpsxKR3oW4/Y7Q7xNkJsX6onNFNVgrOD1QA5i4VQ/d9yZEIRCUEGaeKKk sigCByfMiC8WrpnY8S/3FaFjVl3DLUfl44qidIR7HFUSrrPGobRnol2X6AICbQ3MpnYW 41BgGaFDU7dTJDSsN0hAUT63Ph261PZccmDkNFXFAGanLJs3LUz8o8A3xedWxfXTCwQe bkkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:subject:message-id:references:from:to:cc :mime-version:content-transfer-encoding; bh=gwrsLsDnuJaOvTGQuho5/I+v0jDXMJkzHB9JI02OZmE=; b=YbmshIVwFeapMWS3PX2hjpYdd8uAAEKqvXGACPid4+E3t9x4EpaFUbTx6KQ7FnmR5g wdb0o0KcjAGaxCQLdc8PIOWhKAzbKlCtk4Ma0BYS0XR54lTWlj5ft/tK7boUqkUFMrc4 9K+CkNx/pKnyrbiD+xXNwrFL1PBwSyQWbmXWVha3pAr6RfN5dfWaX3Q+gOUlD+xNU82l LojtkacZpVyEsOwNQ8leztAy4i1d4Ua32yvu3oUgCAfUuUyyYjqvKun5kUx8qRzDNJCN 3Ui8gxgJRHyLeTN9jdoeLumE/WEv8OMlE6tN4FDKSy/JpdYefdxhhlgYzxQv6QPbG1lf zBTg==
X-Gm-Message-State: AFeK/H1wjAd3xDzvU4cusmLZ+RQ3uXkAZ8eIg/adJcoCkKvnuRvRjKzqbE7PA7rxk90VRQ==
X-Received: by 10.28.73.84 with SMTP id w81mr537049wma.113.1490929058574; Thu, 30 Mar 2017 19:57:38 -0700 (PDT)
Received: from [172.19.249.252] ([88.128.80.1]) by smtp.gmail.com with ESMTPSA id r17sm4877075wrc.47.2017.03.30.19.57.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Mar 2017 19:57:37 -0700 (PDT)
Date: Thu, 30 Mar 2017 21:57:10 -0500
X-Priority: 3
Message-ID: <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com>
From: "sakimura@gmail.com" <sakimura@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <nat@sakimura.org>
Cc: IETF oauth WG <oauth@ietf.org>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wo7zyNaceGphwKaQu1FLFomERXI>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 02:57:43 -0000

From nobody Thu Mar 30 20:40:58 2017
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5266512762F for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 20:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJpzOoRuyWI7 for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 20:40:52 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97AF812970F for <oauth@ietf.org>; Thu, 30 Mar 2017 20:40:52 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id y18so5589782itc.1 for <oauth@ietf.org>; Thu, 30 Mar 2017 20:40:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=message-id:mime-version:to:cc:from:subject:date:importance :in-reply-to:references; bh=5PBmwwd8WuEboAMt21iGCD769HpcLAEVOZRIyipzSdY=; b=QH/nIi28FIz4GbOUxewRSWVUJ8duG57HgBia+tUYtw5FPk99lXt79ZA8W3ThZiAucU HghMPq8myCd5NM0tifmA/OHnSXwH0O0SOLST6xx33u2SseriVBdS/TNY8na/RR8b+UHp eUjjx0TxWbNFc4O95J7VOELj/i/2Y4B/aQ4fpq9KjDcqOtS3KIBdX7cdSAiSR5rPlZ3e nkEt4NKMIXV/ozeGKt/g6GkbTNojKpRWTrywDdbHr6AV+ai1Xi8JltUgq1RNoxaAEHhp 8OQRlkvwXwq0ImC5mu6EMstYNtinUEIJ5NgnxnEB9nCyqYP+G67qCPqzUVrBTYQanz7W WGhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:mime-version:to:cc:from:subject:date :importance:in-reply-to:references; bh=5PBmwwd8WuEboAMt21iGCD769HpcLAEVOZRIyipzSdY=; b=DH8mT5NuQwX0WDQoRGanXSCQ6g8zvH0CG/J4KFjikdW6jIqn3qJmI/OVtVjQ/YkLg6 1q/58tEibZzcicIvevCnUxJAZncRokD0Uw36FUt3yXcGB73sQlj6Hhn5Nv/LTE0FR6wG DTQdHocWZ6JY0eVkkUUUYP76uId7nxW3PKutGQKNWje/JNO6fbpCC/A3tsrEx9tLMLz9 egnjd73QRefiXe0WKhXtsd9+QIm4mOAgVT80ztQ/Uqh96rUnwl9xvH/v3mg3zbTKtFxm i9JGp20J5p73/NFfn1hgPiS20bA6F0Stk0GDubChddZ88SXOk+xrz16U9ZwzR7ZSuxwG 0f6Q==
X-Gm-Message-State: AFeK/H1F2fz0AHNj612/Vc+ih7uNgOZaRYwyeHTTMfKtbau5qKSZd5FjPO8+eTb1WkuqgZdw
X-Received: by 10.36.129.133 with SMTP id q127mr1778389itd.89.1490931651774; Thu, 30 Mar 2017 20:40:51 -0700 (PDT)
Received: from ?IPv6:2001:67c:1233:0:41f9:d4bc:922a:fa31? ([2001:67c:1233:0:41f9:d4bc:922a:fa31]) by smtp.gmail.com with ESMTPSA id i89sm2539703ioo.52.2017.03.30.20.40.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 Mar 2017 20:40:51 -0700 (PDT)
Message-ID: <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com>
MIME-Version: 1.0
To: "sakimura@gmail.com" <sakimura@gmail.com>, Nat Sakimura <nat@sakimura.org>
Cc: IETF oauth WG <oauth@ietf.org>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 22:40:52 -0500
Importance: normal
X-Priority: 3
In-Reply-To: <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c08a506817464054bfe934c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fX_HYtMh8vs9FeY6n1omzoDi-08>
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 03:40:56 -0000

--94eb2c08a506817464054bfe934c
Content-Type: multipart/alternative;
	boundary="_3B31ABC0-E056-4046-8D7A-B6EBAA69B768_"

--_3B31ABC0-E056-4046-8D7A-B6EBAA69B768_
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"

--_3B31ABC0-E056-4046-8D7A-B6EBAA69B768_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
fice/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta ht=
tp-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta name=
=3DGenerator content=3D"Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style></head><body lang=3DEN-CA link=3Dblue vlink=3D"#954F72"><div cla=
ss=3DWordSection1><p class=3DMsoNormal>It is a trade off between compatibil=
ity with Connect and possible configuration errors.</p><p class=3DMsoNormal=
><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>In reality it may not be compati=
ble with Connect if the client is sending some parameters outside the objec=
t without including them in the object as a Connect client might.=C2=A0=C2=
=A0=C2=A0 You would potentially wind up dropping state or nonce without an =
error.=C2=A0 </p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNo=
rmal>I asked Mike and he was leaning to making it an error to send them as=
 q=
uery parameters as that would be a clean change.</p><p class=3DMsoNormal><o=
:p>&nbsp;</o:p></p><p class=3DMsoNormal>I think the choice is a bit of a gr=
ey area.</p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>=
Sent from <a href=3D"https://go.microsoft.com/fwlink/?LinkId=3D550986">Mail=
</a> for Windows 10</p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><div style=
=3D'mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;=
padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal style=3D'border:none;paddin=
g:0cm'><b>From: </b><a href=3D"mailto:sakimura@gmail.com">sakimura@gmail.co=
m</a><br><b>Sent: </b>March 30, 2017 9:57 PM<br><b>To: </b><a href=3D"mailt=
o:ve7jtb@ve7jtb.com">John Bradley</a>; <a href=3D"mailto:nat@sakimura.org">=
Nat Sakimura</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org">IETF oauth=
 WG</a><br><b>Subject: </b>Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-=
jwsreq-13.txt</p></div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=
=3DMsoNormal>+1<br><br>Sent from my Huawei Mobile</p><div><p class=3DMsoNor=
mal><br><br>-------- Original Message --------<br>Subject: Re: [OAUTH-WG] F=
W: I-D Action: draft-ietf-oauth-jwsreq-13.txt<br>From: John Bradley <br>To:=
 Nat Sakimura <br>CC: IETF oauth WG <br><br><br></p><blockquote style=3D'bo=
rder:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-=
left:4.8pt;margin-right:0cm'><div><p class=3DMsoNormal>So I think we need t=
o make the must ignore clearer for the additional parameters on the authori=
zation endpoint. &nbsp;</p></div><div><p class=3DMsoNormal><o:p>&nbsp;</o:p=
></p><div><p class=3DMsoNormal>On Mar 30, 2017 17:33, &quot;Nat Sakimura&qu=
ot; &lt;<a href=3D"mailto:nat@sakimura.org">nat@sakimura.org</a>&gt; wrote:=
</p><blockquote style=3D'border:none;border-left:solid #CCCCCC 1.0pt;paddin=
g:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=
=3DMsoNormal style=3D'margin-bottom:12.0pt'>Not right now. </p></div><div><=
p class=3DMsoNormal>As of this writing, a client can still send duplicate p=
arameters in the query but they get ignored by the servers honoring OAuth J=
AR. So, it is backwards compatible with OpenID Connect in that sense (OpenI=
D Connect sends duplicate mandatory RFC6749 parameters as the query=
 paramete=
rs as well just to be compliant to RFC6749). Conversely, servers that do no=
t support OAuth JAR will ignore request_uri etc. </p></div><div><p class=3D=
MsoNormal>On Mar 30, 2017, at 4:47 PM, Mike Jones &lt;<a href=3D"mailto:Mic=
hael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.com</a>=
&gt; wrote:</p><blockquote style=3D'border:none;border-left:solid #CCCCCC 1=
.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p =
class=3DMsoNormal><span style=3D'color:#002060'>Is there a clear statement =
somewhere along the lines of =E2=80=9C</span>parameters (other than =E2=80=
=9Crequest=E2=80=9D or =E2=80=9Crequest_uri=E2=80=9D) are only allowed to b=
e in the signed object if a signed object is used<span style=3D'color:#0020=
60'>=E2=80=9D?&nbsp; That=E2=80=99s the kind of thing I was looking for and=
 didn=E2=80=99t find. </span></p><p>&nbsp; </p><p class=3DMsoNormal><span s=
tyle=3D'color:#002060'>-- Mike </span></p><p class=
=3DMsoNormal><a name=3D"m_5373696844051186387__MailEndCompose"></a><b>From:=
</b> John Bradley [mailto:<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_b=
lank">ve7jtb@ve7jtb.com</a>] <br><b>Sent:</b> Thursday, March 30, 2017 4:44=
 PM<br><b>To:</b> Mike Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.=
com" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;<br><b>Cc:</b> Na=
t Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" target=3D"_blank">nat@sa=
kimura.org</a>&gt;; IETF oauth WG &lt;<a href=3D"mailto:oauth@ietf.org" tar=
get=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b> RE: [OAUTH-WG] FW:=
 I-D Action: draft-ietf-oauth-jwsreq-13.txt </p><p>&nbsp; </p><div><p class=
=3DMsoNormal>The intent of the change is to only allow the parameters to be=
 in the signed object if a signed object is used. &nbsp; </p><div><p>&nbsp;=
 </p></div><div><p class=3DMsoNormal>This requires state, nonce etc. to be=
 in the JWT.&nbsp; Only one place to check will hopefully reduce=
 implementation errors. &nbsp; </p></div><div><p>&nbsp; </p></div><div>=
<p class=3DMsoNor=
mal>This also allows us to remove the caching text as we now have one JWT p=
er request, so caching won't happen. &nbsp;&nbsp; </p></div><div><p>&nbsp; =
</p></div><div><p class=3DMsoNormal>John B. &nbsp; </p></div><div><p>&nbsp;=
 </p></div><div><p>&nbsp; </p></div></div><div><p>&nbsp; </p><div><p class=
=3DMsoNormal>On Mar 30, 2017 4:36 PM, &quot;Mike Jones&quot; &lt;<a href=3D=
"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@micros=
oft.com</a>&gt; wrote: </p><blockquote style=3D'border:none;border-left:sol=
id #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0=
pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=3DMsoNormal><sp=
an style=3D'color:#002060'>I *<b>believe</b>* the intent is that *<b>all</b=
>* parameters must be in the request object, but the spec doesn=E2=80=99t a=
ctually say that, as far as I can tell.&nbsp; Or maybe the intent is that p=
arameters must not be duplicated between the query parameters and the reque=
st object.</span> </p><p class=3DMsoNormal><span style=3D'color:#002060'>&n=
bsp;</span> </p><p class=3DMsoNormal><span style=3D'color:#002060'>One or t=
he other of these statements should be explicitly included in the specifica=
tion.&nbsp; Of course, I could have missed the statement I=E2=80=99m asking=
 for in my review, in which case please let me know what I missed.</span> <=
/p><p class=3DMsoNormal><span style=3D'color:#002060'>&nbsp;</span> </p><p =
class=3DMsoNormal><span style=3D'color:#002060'>&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Th=
anks,</span> </p><p class=3DMsoNormal><span style=3D'color:#002060'>&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; -- Mike</span> </p><p class=3DMsoNormal><a name=3D"m_537369684405118=
6387_m_3264258369573027"><span style=3D'color:#002060'>&nbsp;</span></a> </=
p><div><div style=3D'border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0=
pt 0cm 0cm 0cm'><p class=3DMsoNormal><b>From:</b> OAuth [mailto:<a href=3D"=
mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.org</a>=
] <b>On Behalf Of </b>John Bradley<br><b>Sent:</b> Thursday, March 30, 2017=
 3:00 PM<br><b>To:</b> IETF OAUTH &lt;<a href=3D"mailto:oauth@ietf.org" tar=
get=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b> [OAUTH-WG] FW: I-D=
 Action: draft-ietf-oauth-jwsreq-13.txt </p></div></div><p class=3DMsoNorma=
l>&nbsp; </p><p class=3DMsoNormal>Based on feeback from the IESG we have re=
moved some of the optionality in the draft. </p><p class=3DMsoNormal>&nbsp;=
 </p><p class=3DMsoNormal>It is a shorter read than draft 12.&nbsp;&nbsp; <=
/p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>John B. </p><p clas=
s=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>Sent from <a href=3D"https://=
go.microsoft.com/fwlink/?LinkId=3D550986" target=3D"_blank">Mail</a> for Wi=
ndows 10 </p><p class=3DMsoNormal>&nbsp; </p><div style=3D'border:none;bord=
er-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal>=
<b>From: </b><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">=
internet-drafts@ietf.org</a><br><b>Sent: </b>March 30, 2017 1:38 PM<br><b>T=
o: </b><a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d-annou=
nce@ietf.org</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org" target=3D"=
_blank">oauth@ietf.org</a><br><b>Subject: </b>[OAUTH-WG] I-D Action: draft-=
ietf-oauth-jwsreq-13.txt </p></div><p class=3DMsoNormal>&nbsp; </p><p class=
=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>A New Internet-Draft is availa=
ble from the on-line Internet-Drafts directories. </p><p class=3DMsoNormal>=
This draft is a work item of the Web Authorization Protocol of the IETF. </=
p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp; Title&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; : The OAuth 2.0 Authorization Framework: JWT Secured Authoriz=
ation Request (JAR) </p><p class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; Authors&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Nat =
Sakimura </p><p class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; John Bradley </p><p class=3DMsoNormal>&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filename&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : draft-ietf-oauth-jwsreq-13.txt </p><p =
class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Pages&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 27 =
</p><p class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp; Date&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; : 2017-03-30 </p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNorma=
l>Abstract: </p><p class=3DMsoNormal>&nbsp;&nbsp; The authorization request=
 in OAuth 2.0 described in RFC 6749 utilizes </p><p class=3DMsoNormal>&nbsp=
;&nbsp; query parameter serialization, which means that Authorization Reque=
st </p><p class=3DMsoNormal>&nbsp;&nbsp; parameters are encoded in the URI =
of the request and sent through </p><p class=3DMsoNormal>&nbsp;&nbsp;user a=
gents such as web browsers.&nbsp; While it is easy to implement, it </p><p =
class=3DMsoNormal>&nbsp;&nbsp; means that (a) the communication through the=
 user agents are not </p><p class=3DMsoNormal>&nbsp;&nbsp; integrity protec=
ted and thus the parameters can be tainted, and (b) </p><p class=3DMsoNorma=
l>&nbsp;&nbsp; the source of the communication is not authenticated.&nbsp; =
Because of </p><p class=3DMsoNormal>&nbsp;&nbsp; these weaknesses, several =
attacks to the protocol have now been put </p><p class=3DMsoNormal>&nbsp;&n=
bsp; forward. </p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>&nbs=
p;&nbsp; This document introduces the ability to send request parameters in=
 a </p><p class=3DMsoNormal>&nbsp;&nbsp; JSON Web Token (JWT) instead, whic=
h allows the request to be signed </p><p class=3DMsoNormal>&nbsp;&nbsp; wit=
h JSON Web Signature (JWS) and/or encrypted with JSON Web </p><p class=3DMs=
oNormal>&nbsp;&nbsp; Encryption (JWE) so that the integrity, source authent=
ication and </p><p class=3DMsoNormal>&nbsp;&nbsp; confidentiality property =
of the Authorization Request is attained. </p><p class=3DMsoNormal>&nbsp;&n=
bsp; The request can be sent by value or by reference. </p><p class=3DMsoNo=
rmal>&nbsp; </p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>The IE=
TF datatracker status page for this draft is: </p><p class=3DMsoNormal><a h=
ref=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/" target=3D=
"_blank">https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/</a> </p>=
<p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>There are also htmlize=
d versions available at: </p><p class=3DMsoNormal><a href=3D"https://tools.=
ietf.org/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://tools.i=
etf.org/html/draft-ietf-oauth-jwsreq-13</a> </p><p class=3DMsoNormal><a hre=
f=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13" targ=
et=3D"_blank">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq=
-13</a> </p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>A diff fro=
m the previous version is available at: </p><p class=3DMsoNormal><a href=3D=
"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13" target=3D"=
_blank">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13</a> =
</p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>&nbsp; </p><p clas=
s=3DMsoNormal>Please note that it may take a couple of minutes from the tim=
e of submission </p><p class=3DMsoNormal>until the htmlized version and dif=
f are available at <a href=3D"http://tools.ietf.org" target=3D"_blank">tool=
s.ietf.org</a>. </p><p class=3DMsoNormal>&nbsp; </p><p class=3DMsoNormal>In=
ternet-Drafts are also available by anonymous FTP at: </p><p class=3DMsoNor=
mal><a href=3D"ftp://ftp.ietf.org/internet-drafts/" target=3D"_blank">ftp:/=
/ftp.ietf.org/internet-drafts/</a> </p><p class=3DMsoNormal>&nbsp; </p><p c=
lass=3DMsoNormal>_______________________________________________ </p><p cla=
ss=3DMsoNormal>OAuth mailing list </p><p class=3DMsoNormal><a href=3D"mailt=
o:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a> </p><p class=3DMsoNo=
rmal><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_bla=
nk">https://www.ietf.org/mailman/listinfo/oauth</a> </p></div></div></block=
quote></div></div></div></blockquote></div></div></blockquote></div></div><=
/blockquote></div><p class=3DMsoNormal style=3D'mso-margin-top-alt:0cm;marg=
in-right:0cm;margin-bottom:5.0pt;margin-left:19.2pt'>&nbsp; </p><p class=3D=
MsoNormal><o:p>&nbsp;</o:p></p></div></body></html>=

--_3B31ABC0-E056-4046-8D7A-B6EBAA69B768_--




From nobody Thu Mar 30 20:52:51 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EA11C128D2E; Thu, 30 Mar 2017 20:52:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.49.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149093236492.9027.7784679235688422409@ietfa.amsl.com>
Date: Thu, 30 Mar 2017 20:52:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IlzjM1aRK8t90RY5ruAeYirK0Lk>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth Security Topics
        Authors         : Torsten Lodderstedt
                          John Bradley
                          Andrey Labunets
        Filename        : draft-ietf-oauth-security-topics-02.txt
        Pages           : 18
        Date            : 2017-03-30

Abstract:
   This draft gives a comprehensive overview on open OAuth security
   topics.  It is intended to serve as a working document for the OAuth
   working group to systematically capture and discuss these security
   topics and respective mitigations and eventually recommend best
   current practice and also OAuth extensions needed to cope with the
   respective security threats.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-02
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Mar 30 21:01:23 2017
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 635D112947F for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 21:01:21 -0700 (PDT)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22EMmZiL11tg for <oauth@ietfa.amsl.com>; Thu, 30 Mar 2017 21:01:17 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E97EB1294E9 for <oauth@ietf.org>; Thu, 30 Mar 2017 21:01:15 -0700 (PDT)
Received: from [31.133.147.181] (helo=dhcp-93b5.meeting.ietf.org) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1ctnkO-0006RM-Fe; Fri, 31 Mar 2017 06:01:13 +0200
Content-Type: multipart/signed; boundary="Apple-Mail=_820A6157-75FE-41BA-BB47-051D2E8E28BD"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Priority: 3
In-Reply-To: <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com>
Date: Thu, 30 Mar 2017 23:01:08 -0500
Cc: Nat Sakimura <sakimura@gmail.com>, Nat Sakimura <nat@sakimura.org>, IETF oauth WG <oauth@ietf.org>
Message-Id: <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com> <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R3sGxR-2IXdSnnRQvLBQyRr2Vn4>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt

--Apple-Mail=_820A6157-75FE-41BA-BB47-051D2E8E28BD
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_7EA7A3DA-B781-421D-8F14-9F73508393A5"


--Apple-Mail=_7EA7A3DA-B781-421D-8F14-9F73508393A5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I had assumed using the request object is mutually exclusive with the use of URI query parameters. Did I misinterpret the draft?

> On 30.03.2017 at 22:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> It is a trade off between compatibility with Connect and possible configuration errors.
>
> In reality it may not be compatible with Connect if the client is sending some parameters outside the object without including them in the object as a Connect client might.    You would potentially wind up dropping state or nonce without an error.
>
> I asked Mike and he was leaning to making it an error to send them as query parameters as that would be a clean change.
>
> I think the choice is a bit of a grey area.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> From: sakimura@gmail.com
> Sent: March 30, 2017 9:57 PM
> To: John Bradley <ve7jtb@ve7jtb.com>; Nat Sakimura <nat@sakimura.org>
> Cc: IETF oauth WG <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
> +1
>
> Sent from my Huawei Mobile
>
>
> -------- Original Message --------
> Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
> From: John Bradley
> To: Nat Sakimura
> CC: IETF oauth WG
>
>
> So I think we need to make the must ignore clearer for the additional parameters on the authorization endpoint.
>
> On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:
> Not right now.
>
> As of this writing, a client can still send duplicate parameters in the query but they get ignored by the servers honoring OAuth JAR. So, it is backwards compatible with OpenID Connect in that sense (OpenID Connect sends duplicate mandatory RFC6749 parameters as the query parameters as well just to be compliant to RFC6749). Conversely, servers that do not support OAuth JAR will ignore request_uri etc.
> On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Is there a clear statement somewhere along the lines of “parameters (other than “request” or “request_uri”) are only allowed to be in the signed object if a signed object is used”?  That’s the kind of thing I was looking for and didn’t find.
>
>                                                        -- Mike
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Thursday, March 30, 2017 4:44 PM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
> Subject: RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
> The intent of the change is to only allow the parameters to be in the signed object if a signed object is used.
>
> This requires state, nonce etc. to be in the JWT.  Only one place to check will hopefully reduce implementation errors.
>
> This also allows us to remove the caching text as we now have one JWT per request, so caching won't happen.
>
> John B.
>
>
>
> On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
> I *believe* the intent is that *all* parameters must be in the request object, but the spec doesn’t actually say that, as far as I can tell.  Or maybe the intent is that parameters must not be duplicated between the query parameters and the request object.
>
> One or the other of these statements should be explicitly included in the specification.  Of course, I could have missed the statement I’m asking for in my review, in which case please let me know what I missed.
>
>                                                        Thanks,
>                                                       -- Mike
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Thursday, March 30, 2017 3:00 PM
> To: IETF OAUTH <oauth@ietf.org>
> Subject: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
> Based on feedback from the IESG we have removed some of the optionality in the draft.
>
> It is a shorter read than draft 12.
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> From: internet-drafts@ietf.org
> Sent: March 30, 2017 1:38 PM
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
>         Authors         : Nat Sakimura
>                           John Bradley
>         Filename        : draft-ietf-oauth-jwsreq-13.txt
>         Pages           : 27
>         Date            : 2017-03-30
>
> Abstract:
>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>    query parameter serialization, which means that Authorization Request
>    parameters are encoded in the URI of the request and sent through
>    user agents such as web browsers.  While it is easy to implement, it
>    means that (a) the communication through the user agents are not
>    integrity protected and thus the parameters can be tainted, and (b)
>    the source of the communication is not authenticated.  Because of
>    these weaknesses, several attacks to the protocol have now been put
>    forward.
>
>    This document introduces the ability to send request parameters in a
>    JSON Web Token (JWT) instead, which allows the request to be signed
>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>    Encryption (JWE) so that the integrity, source authentication and
>    confidentiality property of the Authorization Request is attained.
>    The request can be sent by value or by reference.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

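Added example (my own code, not from the thread or from the JAR draft): an authorization-server parameter-resolution routine that applies each of the three server behaviours discussed in the message above (a non-JAR server, a JAR server that ignores query parameters, and the stricter variant that rejects them) to a Connect-style and a draft-13-style request, and reports where state and nonce would be silently dropped. Function names, policy labels and the sample requests are my assumptions; signature verification of the request object is out of scope and assumed already done.

```python
"""Added example, not code from the thread or from the JAR draft.

Models the three authorization-server behaviours discussed in the thread
and shows which client style each one silently breaks.  Names are my own;
the sample requests are constructed, not captured traffic; the request
object is assumed to have been signature-verified already.
"""
from __future__ import annotations

# Parameters that carry the request object itself; they always sit in the
# query string, whichever policy the server applies.
CONTAINER_PARAMS = frozenset({"request", "request_uri"})

# Parameters whose silent loss is the failure mode John Bradley describes
# ("dropping state or nonce without an error").
REPLAY_PARAMS = frozenset({"state", "nonce"})


class AuthorizationRequestError(ValueError):
    """Raised when a policy turns an inconsistency into an OAuth error."""


def resolve_request(query: dict[str, str],
                    request_object: dict[str, str] | None,
                    policy: str) -> tuple[dict[str, str], list[str]]:
    """Return (effective parameters, warnings) for one authorization request.

    query          -- query-string parameters as received at the endpoint
    request_object -- claims of the already verified request object JWT, or
                      None when the client sent no request/request_uri
    policy         -- "legacy":       server does not implement JAR; the
                                      request object is ignored
                      "ignore_query": draft-13 reading per Nat and John;
                                      parameters outside the signed object
                                      are ignored
                      "reject_query": the stricter variant Mike leaned to;
                                      anything but request/request_uri in
                                      the query is an error
    """
    warnings: list[str] = []
    outside = {k: v for k, v in query.items() if k not in CONTAINER_PARAMS}

    if policy == "legacy" or request_object is None:
        if policy == "legacy" and request_object is not None:
            warnings.append("request object ignored by non-JAR server")
        return outside, warnings

    if policy == "reject_query":
        if outside:
            raise AuthorizationRequestError(
                "invalid_request: parameters outside the request object: "
                + ", ".join(sorted(outside)))
        return dict(request_object), warnings

    if policy == "ignore_query":
        # Report, rather than silently lose, anything the client put only
        # in the query; this is the grey area the thread is about.
        for name in sorted(outside):
            if name not in request_object:
                tag = "DROPPED" if name in REPLAY_PARAMS else "dropped"
                warnings.append(f"{tag}: {name} sent only as query parameter")
            elif outside[name] != request_object[name]:
                warnings.append(f"conflict: {name} differs; request object wins")
        return dict(request_object), warnings

    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample requests.  A Connect-style client duplicates the
# mandatory RFC 6749 parameters in the query and keeps state and nonce
# only there; a draft-13-style client puts everything in the object.
CONNECT_STYLE_QUERY = {
    "client_id": "s6BhdRkqt3", "response_type": "code", "scope": "openid",
    "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
    "request": "<signed JWT placeholder, verification omitted>",
}
CONNECT_STYLE_OBJECT = {
    "iss": "s6BhdRkqt3", "aud": "https://as.example.com",
    "client_id": "s6BhdRkqt3", "response_type": "code", "scope": "openid",
}
JAR_STYLE_QUERY = {"request": "<signed JWT placeholder, verification omitted>"}
JAR_STYLE_OBJECT = {**CONNECT_STYLE_OBJECT,
                    "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}

if __name__ == "__main__":
    for policy in ("legacy", "ignore_query", "reject_query"):
        for label, q, ro in (("connect-style", CONNECT_STYLE_QUERY, CONNECT_STYLE_OBJECT),
                             ("jar-style", JAR_STYLE_QUERY, JAR_STYLE_OBJECT)):
            try:
                params, warns = resolve_request(q, ro, policy)
                print(f"{policy:13} {label:14} state={params.get('state')!r} {warns}")
            except AuthorizationRequestError as err:
                print(f"{policy:13} {label:14} ERROR {err}")
```

Running it shows the tension John describes: the Connect-style client loses state and nonce under "ignore_query" and is rejected under "reject_query", while the draft-13-style client loses everything on a "legacy" server.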

--Apple-Mail=_7EA7A3DA-B781-421D-8F14-9F73508393A5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">I had assumed using the request object is mutual exclusive to =
use of URI query parameters. Did I misinterpret the draft?<div =
class=3D""><br class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">Am 30.03.2017 um 22:40 schrieb John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com" =
class=3D"">ve7jtb@ve7jtb.com</a>&gt;:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8" =
class=3D""><meta name=3D"Generator" content=3D"Microsoft Word 15 =
(filtered medium)" class=3D""><style class=3D""><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><div lang=3D"EN-CA" link=3D"blue" vlink=3D"#954F72" =
class=3D""><div class=3D"WordSection1"><p class=3D"MsoNormal">It is a =
trade off between compatibility with Connect and possible configuration =
errors.</p><p class=3D"MsoNormal"><o:p class=3D"">&nbsp;</o:p></p><p =
class=3D"MsoNormal">In reality it may not be compatible with Connect if =
the client is sending some parameters outside the object without =
including them in the object as a Connect client =
might.&nbsp;&nbsp;&nbsp; You would potentially wind up dropping state or =
nonce without an error.&nbsp; </p><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><p class=3D"MsoNormal">I asked Mike and he =
was leaning to making it a error to send them as query parameters as =
that would be a clean change.</p><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><p class=3D"MsoNormal">I think the choice is =
a bit of a grey area.</p><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><p class=3D"MsoNormal">Sent from <a =
href=3D"https://go.microsoft.com/fwlink/?LinkId=3D550986" =
class=3D"">Mail</a> for Windows 10</p><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><div =
style=3D"mso-element:para-border-div;border:none;border-top:solid =
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm" class=3D""><p class=3D"MsoNormal"=
 style=3D"border:none;padding:0cm"><b class=3D"">From: </b><a =
href=3D"mailto:sakimura@gmail.com" class=3D"">sakimura@gmail.com</a><br =
class=3D""><b class=3D"">Sent: </b>March 30, 2017 9:57 PM<br class=3D""><b=
 class=3D"">To: </b><a href=3D"mailto:ve7jtb@ve7jtb.com" class=3D"">John =
Bradley</a>; <a href=3D"mailto:nat@sakimura.org" class=3D"">Nat =
Sakimura</a><br class=3D""><b class=3D"">Cc: </b><a =
href=3D"mailto:oauth@ietf.org" class=3D"">IETF oauth WG</a><br =
class=3D""><b class=3D"">Subject: </b>Re: [OAUTH-WG] FW: I-D Action: =
draft-ietf-oauth-jwsreq-13.txt</p></div><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><p class=3D"MsoNormal">+1<br class=3D""><br =
class=3D"">Sent from my Huawei Mobile</p><div class=3D""><p =
class=3D"MsoNormal"><br class=3D""><br class=3D"">-------- Original =
Message --------<br class=3D"">Subject: Re: [OAUTH-WG] FW: I-D Action: =
draft-ietf-oauth-jwsreq-13.txt<br class=3D"">From: John Bradley <br =
class=3D"">To: Nat Sakimura <br class=3D"">CC: IETF oauth WG <br =
class=3D""><br class=3D""><br class=3D""></p><blockquote =
style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm =
6.0pt;margin-left:4.8pt;margin-right:0cm" class=3D""><div class=3D""><p =
class=3D"MsoNormal">So I think we need to make the must ignore clearer =
for the additional paramaters on the authorization endpoint. =
&nbsp;</p></div><div class=3D""><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p><div class=3D""><p class=3D"MsoNormal">On Mar =
30, 2017 17:33, "Nat Sakimura" &lt;<a href=3D"mailto:nat@sakimura.org" =
class=3D"">nat@sakimura.org</a>&gt; wrote:</p><blockquote =
style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm =
6.0pt;margin-left:4.8pt;margin-right:0cm" class=3D""><div class=3D""><div =
class=3D""><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">Not =
right now. </p></div><div class=3D""><p class=3D"MsoNormal">As of this =
writing, a client can still send duplicate parameters in the query but =
they get ignored by the servers honoring OAuth JAR. So, it is backwards =
compatible with OpenID Connect in that sense (OpenID Connect sends =
duplicate manatory RFC6749 parameters as the query parameters as well =
just to be compliant to RFC6749). Conversely, servers that do not =
support OAuth JAR will ignore request_uri etc. </p></div><div =
class=3D""><p class=3D"MsoNormal">On Mar 30, 2017, at 4:47 PM, Mike =
Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank"=
 class=3D"">Michael.Jones@microsoft.com</a>&gt; wrote:</p><blockquote =
style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm =
6.0pt;margin-left:4.8pt;margin-right:0cm" class=3D""><div class=3D""><p =
class=3D"MsoNormal"><span style=3D"color:#002060" class=3D"">Is there a =
clear statement somewhere along the lines of =E2=80=9C</span>parameters =
(other than =E2=80=9Crequest=E2=80=9D or =E2=80=9Crequest_uri=E2=80=9D) =
are only allowed to be in the signed object if a signed object is =
used<span style=3D"color:#002060" class=3D"">=E2=80=9D?&nbsp; That=E2=80=99=
s the kind of thing I was looking for and didn=E2=80=99t find. =
</span></p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal"><span =
style=3D"color:#002060" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike </span></p><p =
class=3D"MsoNormal"><a name=3D"m_5373696844051186387__MailEndCompose" =
class=3D""></a><b class=3D"">From:</b> John Bradley [mailto:<a =
href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank" =
class=3D"">ve7jtb@ve7jtb.com</a>] <br class=3D""><b class=3D"">Sent:</b> =
Thursday, March 30, 2017 4:44 PM<br class=3D""><b class=3D"">To:</b> =
Mike Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" =
target=3D"_blank" class=3D"">Michael.Jones@microsoft.com</a>&gt;<br =
class=3D""><b class=3D"">Cc:</b> Nat Sakimura &lt;<a =
href=3D"mailto:nat@sakimura.org" target=3D"_blank" =
class=3D"">nat@sakimura.org</a>&gt;; IETF oauth WG &lt;<a =
href=3D"mailto:oauth@ietf.org" target=3D"_blank" =
class=3D"">oauth@ietf.org</a>&gt;<br class=3D""><b class=3D"">Subject:</b>=
 RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt </p><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><div =
class=3D""><p class=3D"MsoNormal">The intent of the change is to only =
allow the paramaters to be in the signed object if a signed object is =
used. &nbsp; </p><div class=3D""><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div></div><div class=3D""><p =
class=3D"MsoNormal">This requires State, nonce etc to be in the =
JWT.&nbsp; Only one place to check will hopefully reduce implimentation =
errors. &nbsp; </p></div><div class=3D""><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div></div><div class=3D""><p =
class=3D"MsoNormal">This also allows us to remove the caching text as we =
now have one JWT per request, so caching won't happen. &nbsp;&nbsp; =
</p></div><div class=3D""><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div></div><div class=3D""><p =
class=3D"MsoNormal">John B. &nbsp; </p></div><div class=3D""><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div></div><div =
class=3D""><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div></div></div><div class=3D""><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><div =
class=3D""><p class=3D"MsoNormal">On Mar 30, 2017 4:36 PM, "Mike Jones" =
&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank" =
class=3D"">Michael.Jones@microsoft.com</a>&gt; wrote: </p><blockquote =
style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.=
0pt" class=3D""><div class=3D""><div class=3D""><p =
class=3D"MsoNormal"><span style=3D"color:#002060" class=3D"">I *<b =
class=3D"">believe</b>* the intent is that *<b class=3D"">all</b>* =
parameters must be in the request object, but the spec doesn=E2=80=99t =
actually say that, as far as I can tell.&nbsp; Or maybe the intent is =
that parameters must not be duplicated between the query parameters and =
the request object.</span> </p><div class=3D""><span =
style=3D"color:#002060" class=3D"">&nbsp;</span> <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal"><span =
style=3D"color:#002060" class=3D"">One or the other of these statements =
should be explicitly included in the specification.&nbsp; Of course, I =
could have missed the statement I=E2=80=99m asking for in my review, in =
which case please let me know what I missed.</span> </p><div =
class=3D""><span style=3D"color:#002060" class=3D"">&nbsp;</span> <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal"><span =
style=3D"color:#002060" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks,</span> </p><p =
class=3D"MsoNormal"><span style=3D"color:#002060" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; -- Mike</span> </p><p class=3D"MsoNormal"><a =
name=3D"m_5373696844051186387_m_3264258369573027" class=3D""><span =
style=3D"color:#002060" class=3D"">&nbsp;</span></a> </p><div =
class=3D""><div style=3D"border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0cm 0cm 0cm" class=3D""><p class=3D"MsoNormal"><b =
class=3D"">From:</b> OAuth [mailto:<a =
href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank" =
class=3D"">oauth-bounces@ietf.org</a>] <b class=3D"">On Behalf Of =
</b>John Bradley<br class=3D""><b class=3D"">Sent:</b> Thursday, March =
30, 2017 3:00 PM<br class=3D""><b class=3D"">To:</b> IETF OAUTH &lt;<a =
href=3D"mailto:oauth@ietf.org" target=3D"_blank" =
class=3D"">oauth@ietf.org</a>&gt;<br class=3D""><b class=3D"">Subject:</b>=
 [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt =
</p></div></div><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">Based on =
feeback from the IESG we have removed some of the optionality in the =
draft. </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">It is a =
shorter read than draft 12.&nbsp;&nbsp; </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">John B. =
</p><div class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p=
 class=3D"MsoNormal">Sent from <a =
href=3D"https://go.microsoft.com/fwlink/?LinkId=3D550986" =
target=3D"_blank" class=3D"">Mail</a> for Windows 10 </p><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><div =
style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm =
0cm 0cm" class=3D""><p class=3D"MsoNormal"><b class=3D"">From: </b><a =
href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank" =
class=3D"">internet-drafts@ietf.org</a><br class=3D""><b class=3D"">Sent: =
</b>March 30, 2017 1:38 PM<br class=3D""><b class=3D"">To: </b><a =
href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank" =
class=3D"">i-d-announce@ietf.org</a><br class=3D""><b class=3D"">Cc: =
</b><a href=3D"mailto:oauth@ietf.org" target=3D"_blank" =
class=3D"">oauth@ietf.org</a><br class=3D""><b class=3D"">Subject: =
</b>[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt </p></div><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">A New Internet-Draft is available from the on-line =
Internet-Drafts directories. </p><p class=3D"MsoNormal">This draft is a =
work item of the Web Authorization Protocol of the IETF. </p><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Title&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : The =
OAuth 2.0 Authorization Framework: JWT Secured Authorization Request =
(JAR) </p><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Authors&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Nat Sakimura =
</p><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp; John Bradley </p><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; Filename&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : =
draft-ietf-oauth-jwsreq-13.txt </p><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; Pages&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
: 27 </p><p =
class=3D"MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; =
Date&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : =
2017-03-30 </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">Abstract: =
</p><p class=3D"MsoNormal">&nbsp;&nbsp; The authorization request in =
OAuth 2.0 described in RFC 6749 utilizes </p><p =
class=3D"MsoNormal">&nbsp;&nbsp; query parameter serialization, which =
means that Authorization Request </p><p class=3D"MsoNormal">&nbsp;&nbsp; =
parameters are encoded in the URI of the request and sent through </p><p =
class=3D"MsoNormal">&nbsp;&nbsp;user agents such as web browsers.&nbsp; =
While it is easy to implement, it </p><p class=3D"MsoNormal">&nbsp;&nbsp; =
means that (a) the communication through the user agents are not </p><p =
class=3D"MsoNormal">&nbsp;&nbsp; integrity protected and thus the =
parameters can be tainted, and (b) </p><p class=3D"MsoNormal">&nbsp;&nbsp;=
 the source of the communication is not authenticated.&nbsp; Because of =
</p><p class=3D"MsoNormal">&nbsp;&nbsp; these weaknesses, several =
attacks to the protocol have now been put </p><p =
class=3D"MsoNormal">&nbsp;&nbsp; forward. </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">&nbsp;&nbsp; This document introduces the ability to =
send request parameters in a </p><p class=3D"MsoNormal">&nbsp;&nbsp; =
JSON Web Token (JWT) instead, which allows the request to be signed =
</p><p class=3D"MsoNormal">&nbsp;&nbsp; with JSON Web Signature (JWS) =
and/or encrypted with JSON Web </p><p class=3D"MsoNormal">&nbsp;&nbsp; =
Encryption (JWE) so that the integrity, source authentication and </p><p =
class=3D"MsoNormal">&nbsp;&nbsp; confidentiality property of the =
Authorization Request is attained. </p><p class=3D"MsoNormal">&nbsp;&nbsp;=
 The request can be sent by value or by reference. </p><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">The IETF datatracker status page for this draft is: =
</p><p class=3D"MsoNormal"><a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/" =
target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/</a> =
</p><div class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p=
 class=3D"MsoNormal">There are also htmlized versions available at: =
</p><p class=3D"MsoNormal"><a =
href=3D"https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13" =
target=3D"_blank" =
class=3D"">https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13</a> =
</p><p class=3D"MsoNormal"><a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13" =
target=3D"_blank" =
class=3D"">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-1=
3</a> </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">A diff =
from the previous version is available at: </p><p class=3D"MsoNormal"><a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13" =
target=3D"_blank" =
class=3D"">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13<=
/a> </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal">Please =
note that it may take a couple of minutes from the time of submission =
</p><p class=3D"MsoNormal">until the htmlized version and diff are =
available at <a href=3D"http://tools.ietf.org/" target=3D"_blank" =
class=3D"">tools.ietf.org</a>. </p><div class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">Internet-Drafts are also available by anonymous FTP =
at: </p><p class=3D"MsoNormal"><a =
href=3D"ftp://ftp.ietf.org/internet-drafts/" target=3D"_blank" =
class=3D"">ftp://ftp.ietf.org/internet-drafts/</a> </p><div =
class=3D"">&nbsp; <br class=3D"webkit-block-placeholder"></div><p =
class=3D"MsoNormal">_______________________________________________ =
</p><p class=3D"MsoNormal">OAuth mailing list </p><p =
class=3D"MsoNormal"><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" =
class=3D"">OAuth@ietf.org</a> </p><p class=3D"MsoNormal"><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth</a> =
</p></div></div></blockquote></div></div></div></blockquote></div></div></=
blockquote></div></div></blockquote></div><div style=3D"margin-right: =
0cm; margin-bottom: 5pt; margin-left: 19.2pt;" class=3D"">&nbsp; <br =
class=3D"webkit-block-placeholder"></div><p class=3D"MsoNormal"><o:p =
class=3D"">&nbsp;</o:p></p></div></div>___________________________________=
____________<br class=3D"">OAuth mailing list<br class=3D""><a =
href=3D"mailto:OAuth@ietf.org" class=3D"">OAuth@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/oauth<br =
class=3D""></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_7EA7A3DA-B781-421D-8F14-9F73508393A5--

--Apple-Mail=_820A6157-75FE-41BA-BB47-051D2E8E28BD--


From nobody Thu Mar 30 21:14:37 2017
Message-ID: <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com>
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Nat Sakimura <sakimura@gmail.com>, Nat Sakimura <nat@sakimura.org>,  IETF oauth WG <oauth@ietf.org>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 30 Mar 2017 23:14:31 -0500
Importance: normal
X-Priority: 3
In-Reply-To: <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com> <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com> <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a1140ee9ed7a8e5054bff0b06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M_amaS3kxep_G8LiZquHcJoHS3U>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 04:14:36 -0000

--001a1140ee9ed7a8e5054bff0b06
Content-Type: multipart/alternative;
	boundary="_B3C289E4-0156-40C6-8D58-BF3B5CAE3BE2_"

--_B3C289E4-0156-40C6-8D58-BF3B5CAE3BE2_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

They are mutually exclusive.

However there are two options as to how the authorization endpoint would treat extra query parameters like state if they are sent.

The current text causes the AS to ignore them and not return an error.  This would be more backwards compatible with the request object in OpenID Connect; however, in reality it may cause Connect clients to send parameters as query parameters that would be processed by a Connect server but would be ignored by an OAuth server without any obvious error.  There may however be subtle errors downstream from missing parameters.

The other option is to have a cleaner breaking change from Connect and have the authorization endpoint return an error if anything other than the two new parameters are sent to the authorization endpoint.

I am leaning towards the latter as it is easier to debug, and won't allow incompatible Connect requests to be accepted without an error.  We would have done this in Connect but couldn't drop required parameters from OAuth in a Connect spec.

The downside for the latter is that the client would need to know if the AS is supporting the Connect version or the OAuth version.

One of the typical conundrums around how to deal with doing the best going forward thing vs not blowing up older implementations.

In the current proposal a client could put the required parameters both places and the same request would work on servers supporting both the Connect and OAuth versions.

John B.

Sent from Mail for Windows 10

From: Torsten Lodderstedt
Sent: March 30, 2017 11:01 PM
To: John Bradley
Cc: Nat Sakimura; Nat Sakimura; IETF oauth WG
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt

I had assumed using the request object is mutually exclusive to use of URI query parameters. Did I misinterpret the draft?

Am 30.03.2017 um 22:40 schrieb John Bradley <ve7jtb@ve7jtb.com>:

It is a trade off between compatibility with Connect and possible configuration errors.

In reality it may not be compatible with Connect if the client is sending some parameters outside the object without including them in the object as a Connect client might.  You would potentially wind up dropping state or nonce without an error.

I asked Mike and he was leaning to making it an error to send them as query parameters as that would be a clean change.

I think the choice is a bit of a grey area.

Sent from Mail for Windows 10

From: sakimura@gmail.com
Sent: March 30, 2017 9:57 PM
To: John Bradley; Nat Sakimura
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
+1

Sent from my Huawei Mobile


-------- Original Message --------
Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
From: John Bradley
To: Nat Sakimura
CC: IETF oauth WG

So I think we need to make the must ignore clearer for the additional parameters on the authorization endpoint.

On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:
Not right now.
As of this writing, a client can still send duplicate parameters in the query but they get ignored by the servers honoring OAuth JAR. So, it is backwards compatible with OpenID Connect in that sense (OpenID Connect sends duplicate mandatory RFC6749 parameters as the query parameters as well just to be compliant to RFC6749). Conversely, servers that do not support OAuth JAR will ignore request_uri etc.
On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
Is there a clear statement somewhere along the lines of “parameters (other than “request” or “request_uri”) are only allowed to be in the signed object if a signed object is used”?  That’s the kind of thing I was looking for and didn’t find.

                                                    -- Mike
From: John Bradley [mailto:ve7jtb@ve7jtb.com]=20
Sent: Thursday, March 30, 2017 4:44 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
Subject: RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt

The intent of the change is to only allow the parameters to be in the signed object if a signed object is used.

This requires state, nonce etc to be in the JWT.  Only one place to check will hopefully reduce implementation errors.

This also allows us to remove the caching text as we now have one JWT per request, so caching won't happen.

John B.



On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
I *believe* the intent is that *all* parameters must be in the request object, but the spec doesn’t actually say that, as far as I can tell.  Or maybe the intent is that parameters must not be duplicated between the query parameters and the request object.

One or the other of these statements should be explicitly included in the specification.  Of course, I could have missed the statement I’m asking for in my review, in which case please let me know what I missed.

                                                    Thanks,
                                                    -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, March 30, 2017 3:00 PM
To: IETF OAUTH <oauth@ietf.org>
Subject: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt

Based on feedback from the IESG we have removed some of the optionality in the draft.

It is a shorter read than draft 12.

John B.

Sent from Mail for Windows 10

From: internet-drafts@ietf.org
Sent: March 30, 2017 1:38 PM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
        Authors         : Nat Sakimura
                          John Bradley
        Filename        : draft-ietf-oauth-jwsreq-13.txt
        Pages           : 27
        Date            : 2017-03-30

Abstract:
   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and/or encrypted with JSON Web
   Encryption (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
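
The thread above weighs two authorization-endpoint policies for query parameters that arrive next to a JAR request object: ignore them (the draft-13 text as John describes it) or reject the request unless only request / request_uri are present (the "clean breaking change"). The following is an added example of mine, not code from the thread or from the JAR draft, that models both policies on an already-verified request object and makes the failure mode John and Nat discuss visible: a Connect-style client that sends state and nonce only on the query string loses them silently under the lenient policy and is rejected under the strict one, while the "put the required parameters in both places" client works only under the lenient policy. Assumptions that are mine rather than the draft's: the request object arrives as a decoded dict (signature already checked), client_id is tolerated on the query string under the strict policy so the AS can look up the client's key, and the repeated-parameter check comes from RFC 6749 section 3.1, which the thread does not quote. The function, constant and sample names are all invented for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Query-string keys tolerated next to a request object under the strict policy.
# client_id is my assumption (key lookup before verification), not draft text.
STRICT_QUERY_ALLOWLIST = frozenset({"request", "request_uri", "client_id"})


class InvalidRequest(Exception):
    """The AS would answer with error=invalid_request."""


@dataclass
class MergeResult:
    params: dict                                  # the request the AS acts on
    dropped: list = field(default_factory=list)   # query keys ignored (lenient only)
    warnings: list = field(default_factory=list)  # silent-loss / mismatch findings to log


def query_params(url: str) -> dict:
    """Parse the query string; RFC 6749 section 3.1 forbids repeating a parameter."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    repeated = sorted(k for k, v in raw.items() if len(v) > 1)
    if repeated:
        raise InvalidRequest(f"parameter included more than once: {repeated}")
    return {k: v[0] for k, v in raw.items()}


def merge_request(url: str, request_object: dict, policy: str) -> MergeResult:
    """Combine query string and (already verified) request object under a policy."""
    if policy not in ("lenient", "strict"):
        raise ValueError(f"unknown policy {policy!r}")
    query = query_params(url)

    # Both policies: request and request_uri are mutually exclusive, and one is required.
    if ("request" in query) == ("request_uri" in query):
        raise InvalidRequest("exactly one of request or request_uri must be present")

    extra = {k: v for k, v in query.items() if k not in ("request", "request_uri")}

    if policy == "strict":
        offending = sorted(k for k in extra if k not in STRICT_QUERY_ALLOWLIST)
        if offending:
            raise InvalidRequest(f"must be inside the request object: {offending}")
        return MergeResult(params=dict(request_object))

    # Lenient: the signed object wins. Record what was ignored so the silent loss of
    # state/nonce that the thread worries about at least shows up in the AS logs.
    result = MergeResult(params=dict(request_object))
    for key, value in extra.items():
        result.dropped.append(key)
        if key not in request_object:
            result.warnings.append(f"{key} sent only as a query parameter; dropped")
        elif request_object[key] != value:
            result.warnings.append(f"{key} differs between query and object; object value used")
    return result


def is_rejected(url: str, request_object: dict, policy: str) -> bool:
    """True when the AS would answer error=invalid_request under this policy."""
    try:
        merge_request(url, request_object, policy)
    except InvalidRequest:
        return True
    return False


# Constructed sample inputs (not taken from the thread). REQUEST_OBJECT_JWT stands in
# for the compact JWS; the dicts are the claims it would carry once verified.
AS = "https://as.example/authorize"
OBJECT_WITHOUT_STATE = {"iss": "s6BhdRkqt3", "aud": AS, "response_type": "code",
                        "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example/cb",
                        "scope": "openid"}
OBJECT_WITH_STATE = dict(OBJECT_WITHOUT_STATE, state="af0ifjsldkj")

# Connect-style client: RFC 6749 parameters duplicated on the query, but state and
# nonce sent only on the query string and missing from the object.
CONNECT_STYLE_URL = (f"{AS}?response_type=code&client_id=s6BhdRkqt3"
                     "&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&request=REQUEST_OBJECT_JWT")
# The "put it in both places" client John mentions: query duplicates agree with the object.
BELT_AND_BRACES_URL = (f"{AS}?response_type=code&client_id=s6BhdRkqt3"
                       "&state=af0ifjsldkj&request=REQUEST_OBJECT_JWT")
# Pure JAR client: nothing but the request object on the query string.
JAR_ONLY_URL = f"{AS}?request=REQUEST_OBJECT_JWT"
# Malformed: both request and request_uri present.
BOTH_FORMS_URL = f"{AS}?request=REQUEST_OBJECT_JWT&request_uri=https://client.example/ro"

if __name__ == "__main__":
    cases = (("connect-style", CONNECT_STYLE_URL, OBJECT_WITHOUT_STATE),
             ("belt-and-braces", BELT_AND_BRACES_URL, OBJECT_WITH_STATE),
             ("jar-only", JAR_ONLY_URL, OBJECT_WITH_STATE),
             ("both-forms", BOTH_FORMS_URL, OBJECT_WITH_STATE))
    for policy in ("lenient", "strict"):
        for name, url, obj in cases:
            try:
                r = merge_request(url, obj, policy)
                print(f"{policy:8} {name:16} accepted; dropped={r.dropped} warnings={r.warnings}")
            except InvalidRequest as e:
                print(f"{policy:8} {name:16} rejected: {e}")
```

Run as a script it prints one line per policy and client; the lenient rows for the Connect-style client carry the two "dropped" warnings, which is the downstream-debugging cost John describes, and the strict rows reject both the Connect-style and the belt-and-braces client, which is the compatibility cost.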



--_B3C289E4-0156-40C6-8D58-BF3B5CAE3BE2_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
fice/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta ht=
tp-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta name=
=3DGenerator content=3D"Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style></head><body lang=3DEN-CA link=3Dblue vlink=3D"#954F72"><div cla=
ss=3DWordSection1><p class=3DMsoNormal>They are mutually exclusive.</p><p c=
lass=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>However there ar=
e two options as to how the authorization endpoint would treat extra query =
parameters like state if they are sent.</p><p class=3DMsoNormal><o:p>&nbsp;=
</o:p></p><p class=3DMsoNormal>The current text causes the AS to ignore the=
m and not return a error. =C2=A0This would be more backwards compatible wit=
h the request object in OpenID Connect, however in reality it may cause con=
nect clients to send parameters as query parameters =C2=A0that would be pro=
cessed by a connect server that would be ignored by a OAuth server without =
any obvious error.=C2=A0 There may however be subtle errors downstream from=
 missing parameters.</p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=
=3DMsoNormal>The other option is to have a cleaner breaking change from Con=
nect and have the Authorization endpoint return a error if anything other t=
han the two new parameters are sent to the authorization endpoint.</p><p cl=
ass=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>I am leaning towa=
rds the latter as it is easier to debug,=C2=A0 and wont allow incompatible =
Connect requests to be accepted without a error.=C2=A0=C2=A0 We would have =
done this in Connect but couldn=E2=80=99t drop required parameters from OAu=
th in a Connect spec.</p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=
=3DMsoNormal>The downside for the latter is that the client would need to k=
now if the AS is supporting The Connect version or the OAuth version.</p><p=
 class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>One of the typ=
ical conundrums around how to deal with doing the best going forward thing =
vs not blowing up older implementations.</p><p class=3DMsoNormal><o:p>&nbsp=
;</o:p></p><p class=3DMsoNormal>In the current proposal a client could put =
the required parameters both places and the same request would work on serv=
ers supporting both the Connect and OAuth versions.</p><p class=3DMsoNormal=
><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>John B.</p><p class=3DMsoNormal>=
 </p><p class=3DMsoNormal>Sent from <a href=3D"https://go.microsoft.com/fwl=
ink/?LinkId=3D550986">Mail</a> for Windows 10</p><p class=3DMsoNormal><o:p>=
&nbsp;</o:p></p><div style=3D'mso-element:para-border-div;border:none;borde=
r-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal s=
tyle=3D'border:none;padding:0cm'><b>From: </b><a href=3D"mailto:torsten@lod=
derstedt.net">Torsten Lodderstedt</a><br><b>Sent: </b>March 30, 2017 11:01 =
PM<br><b>To: </b><a href=3D"mailto:ve7jtb@ve7jtb.com">John Bradley</a><br><=
b>Cc: </b><a href=3D"mailto:sakimura@gmail.com">Nat Sakimura</a>; <a href=
=3D"mailto:nat@sakimura.org">Nat Sakimura</a>; <a href=3D"mailto:oauth@ietf=
.org">IETF oauth WG</a><br><b>Subject: </b>Re: [OAUTH-WG] I-D Action: draft=
-ietf-oauth-jwsreq-13.txt</p></div><p class=3DMsoNormal><o:p>&nbsp;</o:p></=
p><p class=3DMsoNormal>I had assumed using the request object is mutual exc=
lusive to use of URI query parameters. Did I misinterpret the draft?<o:p></=
o:p></p><div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><blockquote sty=
le=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=3DMsoNormal>Am 30=
.03.2017 um 22:40 schrieb John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.=
com">ve7jtb@ve7jtb.com</a>&gt;:<o:p></o:p></p></div><p class=3DMsoNormal><o=
:p>&nbsp;</o:p></p><div><div><p class=3DMsoNormal>It is a trade off between=
 compatibility with Connect and possible configuration errors.<o:p></o:p></=
p><p class=3DMsoNormal>&nbsp;<o:p></o:p></p><p class=3DMsoNormal>In reality=
 it may not be compatible with Connect if the client is sending some parame=
ters outside the object without including them in the object as a Connect c=
lient might.&nbsp;&nbsp;&nbsp; You would potentially wind up dropping state=
 or nonce without an error.&nbsp; <o:p></o:p></p><p class=3DMsoNormal>&nbsp=
;<o:p></o:p></p><p class=3DMsoNormal>I asked Mike and he was leaning to mak=
ing it a error to send them as query parameters as that would be a clean ch=
ange.<o:p></o:p></p><p class=3DMsoNormal>&nbsp;<o:p></o:p></p><p class=3DMs=
oNormal>I think the choice is a bit of a grey area.<o:p></o:p></p><p class=
=3DMsoNormal>&nbsp;<o:p></o:p></p><p class=3DMsoNormal>Sent from <a href=3D=
"https://go.microsoft.com/fwlink/?LinkId=3D550986">Mail</a> for Windows 10<=
o:p></o:p></p><p class=3DMsoNormal>&nbsp;<o:p></o:p></p><div style=3D'borde=
r:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=
=3DMsoNormal><b>From: </b><a href=3D"mailto:sakimura@gmail.com">sakimura@gm=
ail.com</a><br><b>Sent: </b>March 30, 2017 9:57 PM<br><b>To: </b><a href=3D=
"mailto:ve7jtb@ve7jtb.com">John Bradley</a>; <a href=3D"mailto:nat@sakimura=
.org">Nat Sakimura</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org">IETF=
 oauth WG</a><br><b>Subject: </b>Re: [OAUTH-WG] FW: I-D Action: draft-ietf-=
oauth-jwsreq-13.txt<o:p></o:p></p></div><p class=3DMsoNormal>&nbsp;<o:p></o=
:p></p><p class=3DMsoNormal>+1<br><br>Sent from my Huawei Mobile<o:p></o:p>=
</p><div><p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><br><br>------=
-- Original Message --------<br>Subject: Re: [OAUTH-WG] FW: I-D Action: dra=
ft-ietf-oauth-jwsreq-13.txt<br>From: John Bradley <br>To: Nat Sakimura <br>=
CC: IETF oauth WG <br><br><o:p></o:p></p><blockquote style=3D'border:none;b=
order-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;=
margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=3DMsoN=
ormal style=3D'margin-left:40.8pt'>So I think we need to make the must igno=
re clearer for the additional paramaters on the authorization endpoint. &nb=
sp;<o:p></o:p></p></div><div><p class=3DMsoNormal style=3D'margin-left:40.8=
pt'>&nbsp;<o:p></o:p></p><div><p class=3DMsoNormal style=3D'margin-left:40.=
8pt'>On Mar 30, 2017 17:33, &quot;Nat Sakimura&quot; &lt;<a href=3D"mailto:=
nat@sakimura.org">nat@sakimura.org</a>&gt; wrote:<o:p></o:p></p><blockquote=
 style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6=
.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0p=
t'><div><div><p class=3DMsoNormal style=3D'mso-margin-top-alt:0cm;margin-ri=
ght:0cm;margin-bottom:12.0pt;margin-left:45.6pt'>Not right now. <o:p></o:p>=
</p></div><div><p class=3DMsoNormal style=3D'margin-left:45.6pt'>As of this=
 writing, a client can still send duplicate parameters in the query but the=
y get ignored by the servers honoring OAuth JAR. So, it is backwards compat=
ible with OpenID Connect in that sense (OpenID Connect sends duplicate mana=
tory RFC6749 parameters as the query parameters as well just to be complian=
t to RFC6749). Conversely, servers that do not support OAuth JAR will ignor=
e request_uri etc. <o:p></o:p></p></div><div><p class=3DMsoNormal style=3D'=
margin-left:45.6pt'>On Mar 30, 2017, at 4:47 PM, Mike Jones &lt;<a href=3D"=
mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@microso=
ft.com</a>&gt; wrote:<o:p></o:p></p><blockquote style=3D'border:none;border=
-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margi=
n-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=3DMsoNormal=
 style=3D'margin-left:50.4pt'><span style=3D'color:#002060'>Is there a clea=
r statement somewhere along the lines of =E2=80=9C</span>parameters (other =
than =E2=80=9Crequest=E2=80=9D or =E2=80=9Crequest_uri=E2=80=9D) are only a=
llowed to be in the signed object if a signed object is used<span style=3D'=
color:#002060'>=E2=80=9D?&nbsp; That=E2=80=99s the kind of thing I was look=
ing for and didn=E2=80=99t find. </span><o:p></o:p></p><div><p class=3DMsoN=
ormal style=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></p></div><p class=3DM=
soNormal style=3D'margin-left:50.4pt'><span style=3D'color:#002060'>&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp; -- Mike </span><o:p></o:p></p><p class=3DMsoNormal style=
=3D'margin-left:50.4pt'><a name=3D"m_5373696844051186387__MailEndCompose"><=
/a><b>From:</b> John Bradley [mailto:<a href=3D"mailto:ve7jtb@ve7jtb.com" t=
arget=3D"_blank">ve7jtb@ve7jtb.com</a>] <br><b>Sent:</b> Thursday, March 30=
, 2017 4:44 PM<br><b>To:</b> Mike Jones &lt;<a href=3D"mailto:Michael.Jones=
@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;<br><b=
>Cc:</b> Nat Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" target=3D"_bl=
ank">nat@sakimura.org</a>&gt;; IETF oauth WG &lt;<a href=3D"mailto:oauth@ie=
tf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b> RE: [OA=
UTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt <o:p></o:p></p><div>=
<p class=3DMsoNormal style=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></p></d=
iv><div><p class=3DMsoNormal style=3D'margin-left:50.4pt'>The intent of the=
 change is to only allow the paramaters to be in the signed object if a sig=
ned object is used. &nbsp; <o:p></o:p></p><div><div><p class=3DMsoNormal st=
yle=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></p></div></div><div><p class=
=3DMsoNormal style=3D'margin-left:50.4pt'>This requires State, nonce etc to=
 be in the JWT.&nbsp; Only one place to check will hopefully reduce implime=
ntation errors. &nbsp; <o:p></o:p></p></div><div><div><p class=3DMsoNormal =
style=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></p></div></div><div><p clas=
s=3DMsoNormal style=3D'margin-left:50.4pt'>This also allows us to remove th=
e caching text as we now have one JWT per request, so caching won't happen.=
 &nbsp;&nbsp; <o:p></o:p></p></div><div><div><p class=3DMsoNormal style=3D'=
margin-left:50.4pt'>&nbsp; <o:p></o:p></p></div></div><div><p class=3DMsoNo=
rmal style=3D'margin-left:50.4pt'>John B. &nbsp; <o:p></o:p></p></div><div>=
<div><p class=3DMsoNormal style=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></=
p></div></div><div><div><p class=3DMsoNormal style=3D'margin-left:50.4pt'>&=
nbsp; <o:p></o:p></p></div></div></div><div><div><p class=3DMsoNormal style=
=3D'margin-left:50.4pt'>&nbsp; <o:p></o:p></p></div><div><p class=3DMsoNorm=
al style=3D'margin-left:50.4pt'>On Mar 30, 2017 4:36 PM, &quot;Mike Jones&q=
uot; &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">M=
ichael.Jones@microsoft.com</a>&gt; wrote: <o:p></o:p></p><blockquote style=
=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;m=
argin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><di=
v><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'><span style=3D'col=
or:#002060'>I *<b>believe</b>* the intent is that *<b>all</b>* parameters m=
ust be in the request object, but the spec doesn=E2=80=99t actually say tha=
t, as far as I can tell.&nbsp; Or maybe the intent is that parameters must =
not be duplicated between the query parameters and the request object.</spa=
n> <o:p></o:p></p><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'><s=
pan style=3D'color:#002060'>&nbsp;</span> <o:p></o:p></p></div><p class=3DM=
soNormal style=3D'margin-left:55.2pt'><span style=3D'color:#002060'>One or =
the other of these statements should be explicitly included in the specific=
ation.&nbsp; Of course, I could have missed the statement I=E2=80=99m askin=
g for in my review, in which case please let me know what I missed.</span> =
<o:p></o:p></p><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'><span=
 style=3D'color:#002060'>&nbsp;</span> <o:p></o:p></p></div><p class=3DMsoN=
ormal style=3D'margin-left:55.2pt'><span style=3D'color:#002060'>&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; Thanks,</span> <o:p></o:p></p><p class=3DMsoNormal style=3D'=
margin-left:55.2pt'><span style=3D'color:#002060'>&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike</sp=
an> <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><a nam=
e=3D"m_5373696844051186387_m_3264258369573027"><span style=3D'color:#002060=
'>&nbsp;</span></a><span style=3D'mso-bookmark:m_5373696844051186387_m_3264=
258369573027'></span> <o:p></o:p></p><div><div style=3D'border:none;border-=
top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal sty=
le=3D'margin-left:55.2pt'><b>From:</b> OAuth [mailto:<a href=3D"mailto:oaut=
h-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.org</a>] <b>On Beh=
alf Of </b>John Bradley<br><b>Sent:</b> Thursday, March 30, 2017 3:00 PM<br=
><b>To:</b> IETF OAUTH &lt;<a href=3D"mailto:oauth@ietf.org" target=3D"_bla=
nk">oauth@ietf.org</a>&gt;<br><b>Subject:</b> [OAUTH-WG] FW: I-D Action: dr=
aft-ietf-oauth-jwsreq-13.txt <o:p></o:p></p></div></div><div><p class=3DMso=
Normal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3D=
MsoNormal style=3D'margin-left:55.2pt'>Based on feeback from the IESG we ha=
ve removed some of the optionality in the draft. <o:p></o:p></p><div><p cla=
ss=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p =
class=3DMsoNormal style=3D'margin-left:55.2pt'>It is a shorter read than dr=
aft 12.&nbsp;&nbsp; <o:p></o:p></p><div><p class=3DMsoNormal style=3D'margi=
n-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal style=3D'ma=
rgin-left:55.2pt'>John B. <o:p></o:p></p><div><p class=3DMsoNormal style=3D=
'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal style=
=3D'margin-left:55.2pt'>Sent from <a href=3D"https://go.microsoft.com/fwlin=
k/?LinkId=3D550986" target=3D"_blank">Mail</a> for Windows 10 <o:p></o:p></=
p><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p>=
</p></div><div style=3D'border:none;border-top:solid #E1E1E1 1.0pt;padding:=
3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal style=3D'margin-left:55.2pt'><b>Fro=
m: </b><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">intern=
et-drafts@ietf.org</a><br><b>Sent: </b>March 30, 2017 1:38 PM<br><b>To: </b=
><a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d-announce@ie=
tf.org</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org" target=3D"_blank=
">oauth@ietf.org</a><br><b>Subject: </b>[OAUTH-WG] I-D Action: draft-ietf-o=
auth-jwsreq-13.txt <o:p></o:p></p></div><div><p class=3DMsoNormal style=3D'=
margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><div><p class=3DMsoNormal s=
tyle=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNorma=
l style=3D'margin-left:55.2pt'>A New Internet-Draft is available from the o=
n-line Internet-Drafts directories. <o:p></o:p></p><p class=3DMsoNormal sty=
le=3D'margin-left:55.2pt'>This draft is a work item of the Web Authorizatio=
n Protocol of the IETF. <o:p></o:p></p><div><p class=3DMsoNormal style=3D'm=
argin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal style=
=3D'margin-left:55.2pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Title&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : The OAuth 2.0 A=
uthorization Framework: JWT Secured Authorization Request (JAR) <o:p></o:p>=
</p><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; Authors&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p; : Nat Sakimura <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:=
55.2pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; John Bradley <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-l=
eft:55.2pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Fi=
lename&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : draft-ietf-oauth-jwsreq-=
13.txt <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Pages&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 27 <o:p></o:p></p><p cla=
ss=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Date&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp; : 2017-03-30 <o:p></o:p></p><div><p class=3DMsoNo=
rmal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMs=
oNormal style=3D'margin-left:55.2pt'>Abstract: <o:p></o:p></p><p class=3DMs=
oNormal style=3D'margin-left:55.2pt'>&nbsp;&nbsp; The authorization request=
 in OAuth 2.0 described in RFC 6749 utilizes <o:p></o:p></p><p class=3DMsoN=
ormal style=3D'margin-left:55.2pt'>&nbsp;&nbsp; query parameter serializati=
on, which means that Authorization Request <o:p></o:p></p><p class=3DMsoNor=
mal style=3D'margin-left:55.2pt'>&nbsp;&nbsp; parameters are encoded in the=
 URI of the request and sent through <o:p></o:p></p><p class=3DMsoNormal st=
yle=3D'margin-left:55.2pt'>&nbsp;&nbsp;user agents such as web browsers.&nb=
sp; While it is easy to implement, it <o:p></o:p></p><p class=3DMsoNormal s=
tyle=3D'margin-left:55.2pt'>&nbsp;&nbsp; means that (a) the communication t=
hrough the user agents are not <o:p></o:p></p><p class=3DMsoNormal style=3D=
'margin-left:55.2pt'>&nbsp;&nbsp; integrity protected and thus the paramete=
rs can be tainted, and (b) <o:p></o:p></p><p class=3DMsoNormal style=3D'mar=
gin-left:55.2pt'>&nbsp;&nbsp; the source of the communication is not authen=
ticated.&nbsp; Because of <o:p></o:p></p><p class=3DMsoNormal style=3D'marg=
in-left:55.2pt'>&nbsp;&nbsp; these weaknesses, several attacks to the proto=
col have now been put <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-l=
eft:55.2pt'>&nbsp;&nbsp; forward. <o:p></o:p></p><div><p class=3DMsoNormal =
style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNorm=
al style=3D'margin-left:55.2pt'>&nbsp;&nbsp; This document introduces the a=
bility to send request parameters in a <o:p></o:p></p><p class=3DMsoNormal =
style=3D'margin-left:55.2pt'>&nbsp;&nbsp; JSON Web Token (JWT) instead, whi=
ch allows the request to be signed <o:p></o:p></p><p class=3DMsoNormal styl=
e=3D'margin-left:55.2pt'>&nbsp;&nbsp; with JSON Web Signature (JWS) and/or =
encrypted with JSON Web <o:p></o:p></p><p class=3DMsoNormal style=3D'margin=
-left:55.2pt'>&nbsp;&nbsp; Encryption (JWE) so that the integrity, source a=
uthentication and <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:=
55.2pt'>&nbsp;&nbsp; confidentiality property of the Authorization Request =
is attained. <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2p=
t'>&nbsp;&nbsp; The request can be sent by value or by reference. <o:p></o:=
p></p><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <o:p></=
o:p></p></div><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp;=
 <o:p></o:p></p></div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>The=
 IETF datatracker status page for this draft is: <o:p></o:p></p><p class=3D=
MsoNormal style=3D'margin-left:55.2pt'><a href=3D"https://datatracker.ietf.=
org/doc/draft-ietf-oauth-jwsreq/" target=3D"_blank">https://datatracker.iet=
f.org/doc/draft-ietf-oauth-jwsreq/</a> <o:p></o:p></p><div><p class=3DMsoNo=
rmal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMs=
oNormal style=3D'margin-left:55.2pt'>There are also htmlized versions avail=
able at: <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><=
a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13" target=3D=
"_blank">https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13</a> <o:p></=
o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><a href=3D"https:=
//datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13" target=3D"_blan=
k">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13</a> <o:=
p></o:p></p><div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <=
o:p></o:p></p></div><p class=3DMsoNormal style=3D'margin-left:55.2pt'>A dif=
f from the previous version is available at: <o:p></o:p></p><p class=3DMsoN=
ormal style=3D'margin-left:55.2pt'><a href=3D"https://www.ietf.org/rfcdiff?=
url2=3Ddraft-ietf-oauth-jwsreq-13" target=3D"_blank">https://www.ietf.org/r=
fcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13</a> <o:p></o:p></p><div><p class=
=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></div><div>=
<p class=3DMsoNormal style=3D'margin-left:55.2pt'>&nbsp; <o:p></o:p></p></d=
iv><p class=3DMsoNormal style=3D'margin-left:55.2pt'>Please note that it ma=
y take a couple of minutes from the time of submission <o:p></o:p></p><p cl=
ass=3DMsoNormal style=3D'margin-left:55.2pt'>until the htmlized version and=
 diff are available at <a href=3D"http://tools.ietf.org/" target=3D"_blank"=
>tools.ietf.org</a>. <o:p></o:p></p><div><p class=3DMsoNormal style=3D'marg=
in-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal style=3D'm=
argin-left:55.2pt'>Internet-Drafts are also available by anonymous FTP at: =
<o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><a href=3D=
"ftp://ftp.ietf.org/internet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/=
internet-drafts/</a> <o:p></o:p></p><div><p class=3DMsoNormal style=3D'marg=
in-left:55.2pt'>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal style=3D'm=
argin-left:55.2pt'>_______________________________________________ <o:p></o=
:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'>OAuth mailing list=
 <o:p></o:p></p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><a href=
=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a> <o:p></o:p>=
</p><p class=3DMsoNormal style=3D'margin-left:55.2pt'><a href=3D"https://ww=
w.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.ietf.org/m=
ailman/listinfo/oauth</a> <o:p></o:p></p></div></div></blockquote></div></d=
iv></div></blockquote></div></div></blockquote></div></div></blockquote></d=
iv><div style=3D'margin-left:19.2pt;margin-bottom:5.0pt'><p class=3DMsoNorm=
al>&nbsp; <o:p></o:p></p></div><p class=3DMsoNormal>&nbsp;<o:p></o:p></p></=
div><p class=3DMsoNormal>_______________________________________________<br=
>OAuth mailing list<br><a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>=
<br>https://www.ietf.org/mailman/listinfo/oauth<o:p></o:p></p></div></block=
quote></div></div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoN=
ormal><o:p>&nbsp;</o:p></p></div></body></html>=

--_B3C289E4-0156-40C6-8D58-BF3B5CAE3BE2_--


--001a1140ee9ed7a8e5054bff0b06
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--001a1140ee9ed7a8e5054bff0b06--
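The trade-off John Bradley describes in this thread (ignore stray query parameters next to a request object for Connect compatibility, or reject them outright) and the check Sergey Beryozkin mentions (a response_type that also appears in the query must match the request object claim) are easiest to compare in code. The following is an added example, not code from draft-ietf-oauth-jwsreq-13, OpenID Connect, or any implementation named on the list. It implements both policies for an authorization endpoint receiving a by-value request object, and generalises Sergey's check to every parameter duplicated in the query. Assumptions: the request object is an HS256 JWS over a shared client secret purely so the example runs offline (a real AS verifies the client's registered key); the function names, policy labels and sample claims are invented here.

```python
# Added example (not code from draft-ietf-oauth-jwsreq-13 or any listed
# implementation): how an authorization endpoint can treat query parameters
# that arrive next to a JAR request object. HS256 with a shared secret is an
# assumption made to keep the example self-contained; a real AS verifies the
# client's registered key. Function and policy names are invented here.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

CLIENT_SECRET = b"example-client-secret-do-not-reuse"  # constructed for the example
JAR_PARAMS = {"request", "request_uri"}  # the two parameters JAR adds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Compact HS256 JWS carrying the authorization request parameters as claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(jws: str, secret: bytes = CLIENT_SECRET) -> dict:
    """Check the signature and return the claims; ValueError on any failure."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, payload, sig = parts
    # Pin the algorithm: never let the token choose it (alg=none / key confusion).
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def _error(code: str, description: str) -> dict:
    return {"error": code, "error_description": description}


def process_authorization_request(url: str, policy: str = "ignore") -> dict:
    """Return {"params", "dropped"} for an accepted request, or an OAuth error dict.

    policy="reject": any query parameter other than request/request_uri is an error.
    policy="ignore": the request object is authoritative; a parameter duplicated in
    the query must agree with it, and a parameter present only in the query is
    listed under "dropped" instead of disappearing silently (e.g. state, nonce).
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if "request" in query and "request_uri" in query:
        return _error("invalid_request", "request and request_uri are mutually exclusive")
    if "request" not in query:
        return _error("invalid_request", "this example only handles request objects passed by value")
    try:
        claims = verify_request_object(query["request"])
    except ValueError as exc:
        return _error("invalid_request_object", str(exc))

    outside = sorted(set(query) - JAR_PARAMS)
    if policy == "reject":
        if outside:
            return _error("invalid_request", f"parameters must be inside the request object: {outside}")
        return {"params": claims, "dropped": []}

    dropped = []
    for name in outside:
        if name not in claims:
            dropped.append(name)
        elif str(claims[name]) != query[name]:
            return _error("invalid_request", f"{name} differs between query and request object")
    return {"params": claims, "dropped": dropped}


if __name__ == "__main__":
    # Constructed sample: a Connect-style client that also puts state in the query only.
    claims = {"iss": "s6BhdRkqt3", "aud": "https://as.example.com", "response_type": "code",
              "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb",
              "scope": "openid", "nonce": "n-0S6_WzA2Mj"}
    url = ("https://as.example.com/authorize?response_type=code&client_id=s6BhdRkqt3"
           f"&state=af0ifjsldkj&request={sign_request_object(claims)}")
    print("ignore:", process_authorization_request(url, "ignore"))  # state reported as dropped
    print("reject:", process_authorization_request(url, "reject"))  # invalid_request
```

The "dropped" list is what makes the lenient policy debuggable: a Connect-style client that puts state or nonce only in the query gets a visible signal (log it, or turn it into invalid_request) instead of the silent loss John describes. The strict policy needs no such bookkeeping, but it shifts the burden to the client, which must then know whether the AS implements the Connect or the OAuth version of request objects.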


From nobody Fri Mar 31 02:40:57 2017
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 881711270A7 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 02:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVzU7RiR3Z6r for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 02:40:51 -0700 (PDT)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE7CD127058 for <oauth@ietf.org>; Fri, 31 Mar 2017 02:40:50 -0700 (PDT)
Received: by mail-wr0-x22c.google.com with SMTP id k6so92162081wre.2 for <oauth@ietf.org>; Fri, 31 Mar 2017 02:40:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=AMS+nLlHYtgWAOAbR4uPcwEMO/gWnHuxMLAXbcSlADU=; b=d0LSu+ZklexqdppIGIIJjKJsFeFP+vr4b0+ix9sz8HiteWGlz4YxaWQwjts5OZ3+IT 5KlBOKkyD7dXKFqaTv02i7yC4pTig11LlsQuEwP9Id+3XnzosvD3ru5wl2CrTqAAohZJ im1ySydZyRVqLBJVZDsVvj6TTS2xUckjrvgmN/NKtJNwiP5dFKjmf3NzNakycmxyu+J8 2EO9QpO5WF9nluUV4bAPlEaovSSHjrJcHw9NA1VGHsNpxZyxBXxquKPVNSzGfSObO/LI sc5nAJoMF0VRF4V1ZvCZcMT7wTI00eqBgTNmQALyfLaRofvuiE6krgi6/rUAhWlZofQK sngQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=AMS+nLlHYtgWAOAbR4uPcwEMO/gWnHuxMLAXbcSlADU=; b=f7OWrwgoefpuoWW1BSEocMWyFJMJ1NadZB+T+sh4w8pl5YzRzRZwUc6QMKMyHT/w+J KE6QqjzBIjByYxkGH2uv6mDqKCeBRer2Nmm/wLFxfqiu9XYeE/Vm5DSPaRxK/mEtr5yk gL4eAdDO4Yg3loZ7jT9FTOCV/iL8hCFOBIksL58fzGhnB4axx3Z4w4tPxqMGhTP2M76q mkxEdB6IWM3pMMHq8DYyeODfXrCD9U1UkVG8cLdOqGIUVEoZR7oh0x7ESnC/ZxYI0zDq Yil+VXzlcbwPhESNz/L711h2ascty/JqDaLzfgm1jsyrjrUX8HDfEfoimwZjiYbKxJqo nCWQ==
X-Gm-Message-State: AFeK/H0atu6LWTaR1hmCJ2H0vAZF83uKdW06O3npHklB8uAmm0+OT09/8XcN2eYgTw46WA==
X-Received: by 10.223.134.50 with SMTP id 47mr1950805wrv.50.1490953249002; Fri, 31 Mar 2017 02:40:49 -0700 (PDT)
Received: from [10.36.226.98] ([80.169.137.53]) by smtp.googlemail.com with ESMTPSA id y65sm6000980wrb.50.2017.03.31.02.40.48 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 31 Mar 2017 02:40:48 -0700 (PDT)
To: oauth@ietf.org
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com> <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com> <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net> <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <4bea3552-eac8-8fb4-8dd6-887ff40e59dd@gmail.com>
Date: Fri, 31 Mar 2017 10:40:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tV39kxO0QqK-33bX8BGjLw6LwTE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 09:40:55 -0000

Hi John

I see a line in our implementation checking that if a response_type is 
also available as a query parameter then it must match the request claim 
value.
Would it make sense to require checking all the well-known query 
parameters and, if they exist, enforcing that they must also be available in 
the request object?

Sergey
On 31/03/17 05:14, John Bradley wrote:
> They are mutually exclusive.
>
>
>
> However there are two options as to how the authorization endpoint would
> treat extra query parameters like state if they are sent.
>
>
>
> The current text causes the AS to ignore them and not return an error.
>  This would be more backwards compatible with the request object in
> OpenID Connect, however in reality it may cause Connect clients to send
> parameters as query parameters that would be processed by a Connect
> server that would be ignored by an OAuth server without any obvious
> error.  There may however be subtle errors downstream from missing
> parameters.
>
>
>
> The other option is to have a cleaner breaking change from Connect and
> have the Authorization endpoint return an error if anything other than
> the two new parameters is sent to the authorization endpoint.
>
>
>
> I am leaning towards the latter as it is easier to debug, and won't
> allow incompatible Connect requests to be accepted without an error.   We
> would have done this in Connect but couldn’t drop required parameters
> from OAuth in a Connect spec.
>
>
>
> The downside for the latter is that the client would need to know if the
> AS is supporting the Connect version or the OAuth version.
>
>
>
> One of the typical conundrums around how to deal with doing the best
> going forward thing vs not blowing up older implementations.
>
>
>
> In the current proposal a client could put the required parameters both
> places and the same request would work on servers supporting both the
> Connect and OAuth versions.
>
>
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
> *From: *Torsten Lodderstedt <mailto:torsten@lodderstedt.net>
> *Sent: *March 30, 2017 11:01 PM
> *To: *John Bradley <mailto:ve7jtb@ve7jtb.com>
> *Cc: *Nat Sakimura <mailto:sakimura@gmail.com>; Nat Sakimura
> <mailto:nat@sakimura.org>; IETF oauth WG <mailto:oauth@ietf.org>
> *Subject: *Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> I had assumed using the request object is mutual exclusive to use of URI
> query parameters. Did I misinterpret the draft?
>
>
>
>     Am 30.03.2017 um 22:40 schrieb John Bradley <ve7jtb@ve7jtb.com
>     <mailto:ve7jtb@ve7jtb.com>>:
>
>
>
>     It is a trade off between compatibility with Connect and possible
>     configuration errors.
>
>
>
>     In reality it may not be compatible with Connect if the client is
>     sending some parameters outside the object without including them in
>     the object as a Connect client might.    You would potentially wind
>     up dropping state or nonce without an error.
>
>
>
>     I asked Mike and he was leaning to making it a error to send them as
>     query parameters as that would be a clean change.
>
>
>
>     I think the choice is a bit of a grey area.
>
>
>
>     Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>     Windows 10
>
>
>
>     *From: *sakimura@gmail.com <mailto:sakimura@gmail.com>
>     *Sent: *March 30, 2017 9:57 PM
>     *To: *John Bradley <mailto:ve7jtb@ve7jtb.com>; Nat Sakimura
>     <mailto:nat@sakimura.org>
>     *Cc: *IETF oauth WG <mailto:oauth@ietf.org>
>     *Subject: *Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
>     +1
>
>     Sent from my Huawei Mobile
>
>
>
>     -------- Original Message --------
>     Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>     From: John Bradley
>     To: Nat Sakimura
>     CC: IETF oauth WG
>
>         So I think we need to make the must ignore clearer for the
>         additional parameters on the authorization endpoint.
>
>
>
>         On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org
>         <mailto:nat@sakimura.org>> wrote:
>
>             Not right now.
>
>             As of this writing, a client can still send duplicate
>             parameters in the query but they get ignored by the servers
>             honoring OAuth JAR. So, it is backwards compatible with
>             OpenID Connect in that sense (OpenID Connect sends duplicate
>             mandatory RFC6749 parameters as the query parameters as well
>             just to be compliant with RFC6749). Conversely, servers that
>             do not support OAuth JAR will ignore request_uri etc.
>
>             On Mar 30, 2017, at 4:47 PM, Mike Jones
>             <Michael.Jones@microsoft.com
>             <mailto:Michael.Jones@microsoft.com>> wrote:
>
>                 Is there a clear statement somewhere along the lines of
>                 “parameters (other than “request” or “request_uri”) are
>                 only allowed to be in the signed object if a signed
>                 object is used”?  That’s the kind of thing I was looking
>                 for and didn’t find.
>
>
>
>
>                 -- Mike
>
>                 *From:* John Bradley [mailto:ve7jtb@ve7jtb.com
>                 <mailto:ve7jtb@ve7jtb.com>]
>                 *Sent:* Thursday, March 30, 2017 4:44 PM
>                 *To:* Mike Jones <Michael.Jones@microsoft.com
>                 <mailto:Michael.Jones@microsoft.com>>
>                 *Cc:* Nat Sakimura <nat@sakimura.org
>                 <mailto:nat@sakimura.org>>; IETF oauth WG
>                 <oauth@ietf.org <mailto:oauth@ietf.org>>
>                 *Subject:* RE: [OAUTH-WG] FW: I-D Action:
>                 draft-ietf-oauth-jwsreq-13.txt
>
>
>
>                 The intent of the change is to only allow the parameters
>                 to be in the signed object if a signed object is used.
>
>
>
>                 This requires state, nonce etc. to be in the JWT.  Only
>                 one place to check will hopefully reduce implementation
>                 errors.
>
>
>
>                 This also allows us to remove the caching text as we now
>                 have one JWT per request, so caching won't happen.
>
>
>
>                 John B.
>
>
>
>
>
>
>
>                 On Mar 30, 2017 4:36 PM, "Mike Jones"
>                 <Michael.Jones@microsoft.com
>                 <mailto:Michael.Jones@microsoft.com>> wrote:
>
>                     I **believe** the intent is that **all** parameters
>                     must be in the request object, but the spec doesn’t
>                     actually say that, as far as I can tell.  Or maybe
>                     the intent is that parameters must not be duplicated
>                     between the query parameters and the request object.
>
>
>
>                     One or the other of these statements should be
>                     explicitly included in the specification.  Of
>                     course, I could have missed the statement I’m asking
>                     for in my review, in which case please let me know
>                     what I missed.
>
>
>
>
>                     Thanks,
>
>
>                                                -- Mike
>
>
>
>                     *From:* OAuth [mailto:oauth-bounces@ietf.org
>                     <mailto:oauth-bounces@ietf.org>] *On Behalf Of *John
>                     Bradley
>                     *Sent:* Thursday, March 30, 2017 3:00 PM
>                     *To:* IETF OAUTH <oauth@ietf.org
>                     <mailto:oauth@ietf.org>>
>                     *Subject:* [OAUTH-WG] FW: I-D Action:
>                     draft-ietf-oauth-jwsreq-13.txt
>
>
>
>                     Based on feedback from the IESG we have removed some
>                     of the optionality in the draft.
>
>
>
>                     It is a shorter read than draft 12.
>
>
>
>                     John B.
>
>
>
>                     Sent from Mail
>                     <https://go.microsoft.com/fwlink/?LinkId=550986> for
>                     Windows 10
>
>
>
>                     *From: *internet-drafts@ietf.org
>                     <mailto:internet-drafts@ietf.org>
>                     *Sent: *March 30, 2017 1:38 PM
>                     *To: *i-d-announce@ietf.org
>                     <mailto:i-d-announce@ietf.org>
>                     *Cc: *oauth@ietf.org <mailto:oauth@ietf.org>
>                     *Subject: *[OAUTH-WG] I-D Action:
>                     draft-ietf-oauth-jwsreq-13.txt
>
>
>
>
>
>                     A New Internet-Draft is available from the on-line
>                     Internet-Drafts directories.
>
>                     This draft is a work item of the Web Authorization
>                     Protocol of the IETF.
>
>
>
>                             Title           : The OAuth 2.0
>                     Authorization Framework: JWT Secured Authorization
>                     Request (JAR)
>
>                             Authors         : Nat Sakimura
>
>                                               John Bradley
>
>                                Filename        :
>                     draft-ietf-oauth-jwsreq-13.txt
>
>                                Pages           : 27
>
>                                Date            : 2017-03-30
>
>
>
>                     Abstract:
>
>                        The authorization request in OAuth 2.0 described
>                     in RFC 6749 utilizes
>
>                        query parameter serialization, which means that
>                     Authorization Request
>
>                        parameters are encoded in the URI of the request
>                     and sent through
>
>                       user agents such as web browsers.  While it is
>                     easy to implement, it
>
>                        means that (a) the communication through the user
>                     agents are not
>
>                        integrity protected and thus the parameters can
>                     be tainted, and (b)
>
>                        the source of the communication is not
>                     authenticated.  Because of
>
>                        these weaknesses, several attacks to the protocol
>                     have now been put
>
>                        forward.
>
>
>
>                        This document introduces the ability to send
>                     request parameters in a
>
>                        JSON Web Token (JWT) instead, which allows the
>                     request to be signed
>
>                        with JSON Web Signature (JWS) and/or encrypted
>                     with JSON Web
>
>                        Encryption (JWE) so that the integrity, source
>                     authentication and
>
>                        confidentiality property of the Authorization
>                     Request is attained.
>
>                        The request can be sent by value or by reference.
>
>
>
>
>
>                     The IETF datatracker status page for this draft is:
>
>                     https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
>
>
>
>                     There are also htmlized versions available at:
>
>                     https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>
>                     https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>
>
>
>
>                     A diff from the previous version is available at:
>
>                     https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>
>
>
>
>
>
>                     Please note that it may take a couple of minutes
>                     from the time of submission
>
>                     until the htmlized version and diff are available at
>                     tools.ietf.org <http://tools.ietf.org/>.
>
>
>
>                     Internet-Drafts are also available by anonymous FTP at:
>
>                     ftp://ftp.ietf.org/internet-drafts/
>
>
>
>                     _______________________________________________
>
>                     OAuth mailing list
>
>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>
>                     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


From nobody Fri Mar 31 06:36:47 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55970120326 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 06:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHu1h5eLQUi4 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 06:36:40 -0700 (PDT)
Received: from mail-pg0-x235.google.com (mail-pg0-x235.google.com [IPv6:2607:f8b0:400e:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB2E1294BD for <oauth@ietf.org>; Fri, 31 Mar 2017 06:36:40 -0700 (PDT)
Received: by mail-pg0-x235.google.com with SMTP id x125so71537148pgb.0 for <oauth@ietf.org>; Fri, 31 Mar 2017 06:36:40 -0700 (PDT)
X-Received: by 10.99.121.77 with SMTP id u74mr3407681pgc.200.1490967399951; Fri, 31 Mar 2017 06:36:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.165.172 with HTTP; Fri, 31 Mar 2017 06:36:09 -0700 (PDT)
In-Reply-To: <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com> <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com> <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net> <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Mar 2017 08:36:09 -0500
Message-ID: <CA+k3eCTKHRB_dKeUEurZX5vDzCw+HhEgUZiHUnyd61oNjmogRw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, IETF oauth WG <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Content-Type: multipart/alternative; boundary=94eb2c19beb03f08bf054c06e6e2
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k7m1ojB50j_plJWSipA-jPjPWu8>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 13:36:44 -0000

--94eb2c19beb03f08bf054c06e6e2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

"The current text causes the AS to ignore them and not return an error." -
except that I don't believe the current text actually specifies that
anywhere. And I think that the intent of Mike's original comment was that
-13 doesn't specify the behavior but that it needs to be revised to do so.

I'd suggest that the doc say that the client must include in the request
object (request or request_uri) all the oauth parameters that it sends. And
when request or request_uri is sent, that the AS must/should only rely on
parameter values from the request object.

I think being semi or somewhat compatible or tolerant of the Connect
variation or request/request_uri is good because it uses the same parameter
names, the same endpoint, and the same metadata names.






On Thu, Mar 30, 2017 at 11:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> They are mutually exclusive.
>
>
>
> However there are two options as to how the authorization endpoint would
> treat extra query parameters like state if they are sent.
>
>
>
> The current text causes the AS to ignore them and not return an error.
> This would be more backwards compatible with the request object in OpenID
> Connect, however in reality it may cause Connect clients to send parameters
> as query parameters that would be processed by a Connect server that would
> be ignored by an OAuth server without any obvious error.  There may however
> be subtle errors downstream from missing parameters.
>
>
>
> The other option is to have a cleaner breaking change from Connect and
> have the Authorization endpoint return a error if anything other than the
> two new parameters are sent to the authorization endpoint.
>
>
>
> I am leaning towards the latter as it is easier to debug, and won't allow
> incompatible Connect requests to be accepted without an error.  We would
> have done this in Connect but couldn't drop required parameters from OAuth
> in a Connect spec.
>
>
>
> The downside for the latter is that the client would need to know if the
> AS is supporting The Connect version or the OAuth version.
>
>
>
> One of the typical conundrums around how to deal with doing the best going
> forward thing vs not blowing up older implementations.
>
>
>
> In the current proposal a client could put the required parameters both
> places and the same request would work on servers supporting both the
> Connect and OAuth versions.
>
>
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
> *From: *Torsten Lodderstedt <torsten@lodderstedt.net>
> *Sent: *March 30, 2017 11:01 PM
> *To: *John Bradley <ve7jtb@ve7jtb.com>
> *Cc: *Nat Sakimura <sakimura@gmail.com>; Nat Sakimura <nat@sakimura.org>; IETF
> oauth WG <oauth@ietf.org>
> *Subject: *Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> I had assumed using the request object is mutually exclusive to the use of URI
> query parameters. Did I misinterpret the draft?
>
>
>
> Am 30.03.2017 um 22:40 schrieb John Bradley <ve7jtb@ve7jtb.com>:
>
>
>
> It is a trade off between compatibility with Connect and possible
> configuration errors.
>
>
>
> In reality it may not be compatible with Connect if the client is sending
> some parameters outside the object without including them in the object as
> a Connect client might.  You would potentially wind up dropping state or
> nonce without an error.
>
>
>
> I asked Mike and he was leaning to making it an error to send them as query
> parameters as that would be a clean change.
>
>
>
> I think the choice is a bit of a grey area.
>
>
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
> *From: *sakimura@gmail.com
> *Sent: *March 30, 2017 9:57 PM
> *To: *John Bradley <ve7jtb@ve7jtb.com>; Nat Sakimura <nat@sakimura.org>
> *Cc: *IETF oauth WG <oauth@ietf.org>
> *Subject: *Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> +1
>
> Sent from my Huawei Mobile
>
>
>
> -------- Original Message --------
> Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
> From: John Bradley
> To: Nat Sakimura
> CC: IETF oauth WG
>
> So I think we need to make the must ignore clearer for the additional
> parameters on the authorization endpoint.
>
>
>
> On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:
>
> Not right now.
>
> As of this writing, a client can still send duplicate parameters in the
> query but they get ignored by the servers honoring OAuth JAR. So, it is
> backwards compatible with OpenID Connect in that sense (OpenID Connect
> sends duplicate mandatory RFC6749 parameters as the query parameters as well
> just to be compliant to RFC6749). Conversely, servers that do not support
> OAuth JAR will ignore request_uri etc.
>
> On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Is there a clear statement somewhere along the lines of “parameters
> (other than “request” or “request_uri”) are only allowed to be in the
> signed object if a signed object is used”?  That’s the kind of thing I
> was looking for and didn’t find.
>
>
>
>                                                        -- Mike
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Thursday, March 30, 2017 4:44 PM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
> *Subject:* RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> The intent of the change is to only allow the parameters to be in the
> signed object if a signed object is used.
>
>
>
> This requires state, nonce etc to be in the JWT.  Only one place to check
> will hopefully reduce implementation errors.
>
>
>
> This also allows us to remove the caching text as we now have one JWT per
> request, so caching won't happen.
>
>
>
> John B.
>
>
>
>
>
>
>
> On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com>
> wrote:
>
> I **believe** the intent is that **all** parameters must be in the
> request object, but the spec doesn’t actually say that, as far as I can
> tell.  Or maybe the intent is that parameters must not be duplicated
> between the query parameters and the request object.
>
>
>
> One or the other of these statements should be explicitly included in the
> specification.  Of course, I could have missed the statement I’m asking for
> in my review, in which case please let me know what I missed.
>
>
>
>                                                        Thanks,
>
>                                                       -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Thursday, March 30, 2017 3:00 PM
> *To:* IETF OAUTH <oauth@ietf.org>
> *Subject:* [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
> Based on feedback from the IESG we have removed some of the optionality in
> the draft.
>
>
>
> It is a shorter read than draft 12.
>
>
>
> John B.
>
>
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
> *From: *internet-drafts@ietf.org
> *Sent: *March 30, 2017 1:38 PM
> *To: *i-d-announce@ietf.org
> *Cc: *oauth@ietf.org
> *Subject: *[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>
>
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>
>
>         Title           : The OAuth 2.0 Authorization Framework: JWT
> Secured Authorization Request (JAR)
>
>         Authors         : Nat Sakimura
>
>                           John Bradley
>
>            Filename        : draft-ietf-oauth-jwsreq-13.txt
>
>            Pages           : 27
>
>            Date            : 2017-03-30
>
>
>
> Abstract:
>
>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>
>    query parameter serialization, which means that Authorization Request
>
>    parameters are encoded in the URI of the request and sent through
>
>   user agents such as web browsers.  While it is easy to implement, it
>
>    means that (a) the communication through the user agents are not
>
>    integrity protected and thus the parameters can be tainted, and (b)
>
>    the source of the communication is not authenticated.  Because of
>
>    these weaknesses, several attacks to the protocol have now been put
>
>    forward.
>
>
>
>    This document introduces the ability to send request parameters in a
>
>    JSON Web Token (JWT) instead, which allows the request to be signed
>
>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>
>    Encryption (JWE) so that the integrity, source authentication and
>
>    confidentiality property of the Authorization Request is attained.
>
>    The request can be sent by value or by reference.
>
>
>
>
>
> The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
>
>
> There are also htmlized versions available at:
>
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>
>
>
> A diff from the previous version is available at:
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
>
> until the htmlized version and diff are available at tools.ietf.org.
>
>
>
> Internet-Drafts are also available by anonymous FTP at:
>
> ftp://ftp.ietf.org/internet-drafts/
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
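As an added example (not code from this thread, the JAR draft, or any of the participants), the following models the two authorization-endpoint policies John describes for query parameters that arrive alongside a `request` object: ignore them and rely only on the signed object, or reject the request outright. The HS256 request-object signature with a key shared between client and AS, the parameter names in the sample query, and the helper names are assumptions made to keep it self-contained; by-reference `request_uri` handling is not covered.

```python
# Added example: authorization-endpoint handling of a JAR `request` object
# when extra query parameters are present. Not code from the thread or draft.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

JAR_PARAMS = {"request", "request_uri"}  # the two parameters JAR itself defines


class AuthzRequestError(Exception):
    """Error the authorization endpoint would report back to the client."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: wrap the authorization request parameters in a compact JWS.
    HS256 with a client/AS shared key is an assumption for this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_request_object(jws: str, key: bytes) -> dict:
    """AS side: check the JWS before any claim in it is trusted."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise AuthzRequestError("invalid_request_object: not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm rather than trusting the token's own header.
    if header.get("alg") != "HS256":
        raise AuthzRequestError("invalid_request_object: unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthzRequestError("invalid_request_object: bad signature")
    return json.loads(_b64url_decode(payload_b64))


def resolve_authorization_request(query: str, key: bytes, strict: bool) -> dict:
    """Produce the effective parameter set for an authorization request.

    strict=False is the "ignore them" option: extra query parameters are
    discarded and only the signed object's values are used, so a parameter a
    Connect-style client sent *only* in the query is silently lost.
    strict=True is the "return an error" option: anything other than
    request/request_uri in the query is rejected up front.
    """
    params = parse_qs(query, keep_blank_values=True)
    if "request" in params and "request_uri" in params:
        raise AuthzRequestError("invalid_request: request and request_uri "
                                "are mutually exclusive")
    if "request" not in params:
        # By-reference (request_uri) handling is out of scope for this example.
        raise AuthzRequestError("invalid_request: request object required")
    extras = sorted(set(params) - JAR_PARAMS)
    if strict and extras:
        raise AuthzRequestError(f"invalid_request: unexpected query parameters {extras}")
    claims = verify_request_object(params["request"][0], key)
    # Query values are not integrity protected, so they never override claims;
    # `dropped` records parameters that existed only in the query.
    return {
        "params": claims,
        "ignored_query_parameters": extras,
        "dropped": [name for name in extras if name not in claims],
    }


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed value for the demo only
    claims = {"response_type": "code", "client_id": "s6BhdRkqt3",
              "redirect_uri": "https://client.example.org/cb", "state": "af0ifjsldkj"}
    # A Connect-style client repeats the mandatory RFC 6749 parameters in the query.
    query = ("response_type=code&client_id=s6BhdRkqt3&state=af0ifjsldkj&request="
             + sign_request_object(claims, KEY))
    print(resolve_authorization_request(query, KEY, strict=False))
    try:
        resolve_authorization_request(query, KEY, strict=True)
    except AuthzRequestError as e:
        print("strict mode:", e)
```

The `dropped` list makes John's "subtle errors downstream" case visible: in lenient mode a `nonce` or `state` sent only in the query disappears without any error being returned.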

--94eb2c19beb03f08bf054c06e6e2
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>&quot;The current text causes the AS to ignore t=
hem and not return a error. &quot; - except that I don&#39;t believe the cu=
rrent text actually specifies that anywhere. And I think that the intent of=
 Mike&#39;s original comment was that -13 doesn&#39;t specify the behavior =
but that it needs to be revised to do so.<br><br></div>I&#39;d suggest that=
 the doc say that the client must include in the request object (request or=
 request_uri) all the oauth parameters that it sends. And when request or r=
equest_uri is sent, that the AS must/should only rely on parameter values f=
rom the request object.<br><br></div>I think being semi or somewhat compati=
ble or tolerant of the Connect variation or request/request_uri is good bec=
ause it uses the same parameter names, the same endpoint, and the same meta=
data names.<br><div><br><br><div><div><div><div><br><br>=C2=A0<br></div></d=
iv></div></div></div></div><div class=3D"gmail_extra"><br><div class=3D"gma=
il_quote">On Thu, Mar 30, 2017 at 11:14 PM, John Bradley <span dir=3D"ltr">=
&lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.co=
m</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margi=
n:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link=3D"blue=
" vlink=3D"#954F72" lang=3D"EN-CA"><div class=3D"m_1252146122988350906WordS=
ection1"><p class=3D"MsoNormal">They are mutually exclusive.</p><p class=3D=
"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNormal">However there ar=
e two options as to how the authorization endpoint would treat extra query =
parameters like state if they are sent.</p><p class=3D"MsoNormal"><u></u>=
=C2=A0<u></u></p><p class=3D"MsoNormal">The current text causes the AS to i=
gnore them and not return a error.=C2=A0 This would be more backwards compa=
tible with the request object in OpenID Connect, however in reality it may =
cause connect clients to send parameters as query parameters =C2=A0that wou=
ld be processed by a connect server that would be ignored by a OAuth server=
 without any obvious error.=C2=A0 There may however be subtle errors downst=
ream from missing parameters.</p><p class=3D"MsoNormal"><u></u>=C2=A0<u></u=
></p><p class=3D"MsoNormal">The other option is to have a cleaner breaking =
change from Connect and have the Authorization endpoint return a error if a=
nything other than the two new parameters are sent to the authorization end=
point.</p><p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNor=
mal">I am leaning towards the latter as it is easier to debug,=C2=A0 and wo=
nt allow incompatible Connect requests to be accepted without a error.=C2=
=A0=C2=A0 We would have done this in Connect but couldn=E2=80=99t drop requ=
ired parameters from OAuth in a Connect spec.</p><p class=3D"MsoNormal"><u>=
</u>=C2=A0<u></u></p><p class=3D"MsoNormal">The downside for the latter is =
that the client would need to know if the AS is supporting The Connect vers=
ion or the OAuth version.</p><p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p=
><p class=3D"MsoNormal">One of the typical conundrums around how to deal wi=
th doing the best going forward thing vs not blowing up older implementatio=
ns.</p><p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNormal=
">In the current proposal a client could put the required parameters both p=
laces and the same request would work on servers supporting both the Connec=
t and OAuth versions.</p><span class=3D""><p class=3D"MsoNormal"><u></u>=C2=
=A0<u></u></p><p class=3D"MsoNormal">John B.</p><p class=3D"MsoNormal"> </p=
><p class=3D"MsoNormal">Sent from <a href=3D"https://go.microsoft.com/fwlin=
k/?LinkId=3D550986" target=3D"_blank">Mail</a> for Windows 10</p><p class=
=3D"MsoNormal"><u></u>=C2=A0<u></u></p></span><div style=3D"border:none;bor=
der-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class=3D"MsoNorma=
l" style=3D"border:none;padding:0cm"><b>From: </b><a href=3D"mailto:torsten=
@lodderstedt.net" target=3D"_blank">Torsten Lodderstedt</a><br><b>Sent: </b=
>March 30, 2017 11:01 PM<br><b>To: </b><a href=3D"mailto:ve7jtb@ve7jtb.com"=
 target=3D"_blank">John Bradley</a><br><b>Cc: </b><a href=3D"mailto:sakimur=
a@gmail.com" target=3D"_blank">Nat Sakimura</a>; <a href=3D"mailto:nat@saki=
mura.org" target=3D"_blank">Nat Sakimura</a>; <a href=3D"mailto:oauth@ietf.=
org" target=3D"_blank">IETF oauth WG</a><br><b>Subject: </b>Re: [OAUTH-WG] =
I-D Action: draft-ietf-oauth-jwsreq-13.txt</p></div><div><div class=3D"h5">=
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNormal">I had=
 assumed using the request object is mutual exclusive to use of URI query p=
arameters. Did I misinterpret the draft?<u></u><u></u></p><div><p class=3D"=
MsoNormal"><u></u>=C2=A0<u></u></p><div><blockquote style=3D"margin-top:5.0=
pt;margin-bottom:5.0pt"><div><p class=3D"MsoNormal">Am 30.03.2017 um 22:40 =
schrieb John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_bl=
ank">ve7jtb@ve7jtb.com</a>&gt;:<u></u><u></u></p></div><p class=3D"MsoNorma=
l"><u></u>=C2=A0<u></u></p><div><div><p class=3D"MsoNormal">It is a trade o=
ff between compatibility with Connect and possible configuration errors.<u>=
</u><u></u></p><p class=3D"MsoNormal">=C2=A0<u></u><u></u></p><p class=3D"M=
soNormal">In reality it may not be compatible with Connect if the client is=
 sending some parameters outside the object without including them in the o=
bject as a Connect client might.=C2=A0=C2=A0=C2=A0 You would potentially wi=
nd up dropping state or nonce without an error.=C2=A0 <u></u><u></u></p><p =
class=3D"MsoNormal">=C2=A0<u></u><u></u></p><p class=3D"MsoNormal">I asked =
Mike and he was leaning to making it a error to send them as query paramete=
rs as that would be a clean change.<u></u><u></u></p><p class=3D"MsoNormal"=
>=C2=A0<u></u><u></u></p><p class=3D"MsoNormal">I think the choice is a bit=
 of a grey area.<u></u><u></u></p><p class=3D"MsoNormal">=C2=A0<u></u><u></=
u></p><p class=3D"MsoNormal">Sent from <a href=3D"https://go.microsoft.com/=
fwlink/?LinkId=3D550986" target=3D"_blank">Mail</a> for Windows 10<u></u><u=
></u></p><p class=3D"MsoNormal">=C2=A0<u></u><u></u></p><div style=3D"borde=
r:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class=
=3D"MsoNormal"><b>From: </b><a href=3D"mailto:sakimura@gmail.com" target=3D=
"_blank">sakimura@gmail.com</a><br><b>Sent: </b>March 30, 2017 9:57 PM<br><=
b>To: </b><a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">John Bradl=
ey</a>; <a href=3D"mailto:nat@sakimura.org" target=3D"_blank">Nat Sakimura<=
/a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org" target=3D"_blank">IETF =
oauth WG</a><br><b>Subject: </b>Re: [OAUTH-WG] FW: I-D Action: draft-ietf-o=
auth-jwsreq-13.txt<u></u><u></u></p></div><p class=3D"MsoNormal">=C2=A0<u><=
/u><u></u></p><p class=3D"MsoNormal">+1<br><br>Sent from my Huawei Mobile<u=
></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">=
<br><br>-------- Original Message --------<br>Subject: Re: [OAUTH-WG] FW: I=
-D Action: draft-ietf-oauth-jwsreq-13.txt<br>From: John Bradley <br>To: Nat=
 Sakimura <br>CC: IETF oauth WG <br><br><u></u><u></u></p><blockquote style=
=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;m=
argin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><di=
v><p class=3D"MsoNormal" style=3D"margin-left:40.8pt">So I think we need to=
 make the must ignore clearer for the additional paramaters on the authoriz=
ation endpoint. =C2=A0<u></u><u></u></p></div><div><p class=3D"MsoNormal" s=
tyle=3D"margin-left:40.8pt">=C2=A0<u></u><u></u></p><div><p class=3D"MsoNor=
mal" style=3D"margin-left:40.8pt">On Mar 30, 2017 17:33, &quot;Nat Sakimura=
&quot; &lt;<a href=3D"mailto:nat@sakimura.org" target=3D"_blank">nat@sakimu=
ra.org</a>&gt; wrote:<u></u><u></u></p><blockquote style=3D"border:none;bor=
der-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;ma=
rgin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><div><p class=3D"=
MsoNormal" style=3D"margin-right:0cm;margin-bottom:12.0pt;margin-left:45.6p=
t">Not right now. <u></u><u></u></p></div><div><p class=3D"MsoNormal" style=
=3D"margin-left:45.6pt">As of this writing, a client can still send duplica=
te parameters in the query but they get ignored by the servers honoring OAu=
th JAR. So, it is backwards compatible with OpenID Connect in that sense (O=
penID Connect sends duplicate manatory RFC6749 parameters as the query para=
meters as well just to be compliant to RFC6749). Conversely, servers that d=
o not support OAuth JAR will ignore request_uri etc. <u></u><u></u></p></di=
v><div><p class=3D"MsoNormal" style=3D"margin-left:45.6pt">On Mar 30, 2017,=
 at 4:47 PM, Mike Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" =
target=3D"_blank">Michael.Jones@microsoft.com</a>&gt; wrote:<u></u><u></u><=
/p><blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding=
:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;marg=
in-bottom:5.0pt"><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt"><=
span style=3D"color:#002060">Is there a clear statement somewhere along the=
 lines of =E2=80=9C</span>parameters (other than =E2=80=9Crequest=E2=80=9D =
or =E2=80=9Crequest_uri=E2=80=9D) are only allowed to be in the signed obje=
ct if a signed object is used<span style=3D"color:#002060">=E2=80=9D?=C2=A0=
 That=E2=80=99s the kind of thing I was looking for and didn=E2=80=99t find=
. </span><u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left=
:50.4pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"mar=
gin-left:50.4pt"><span style=3D"color:#002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0<wbr>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 -- Mike </span><u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin=
-left:50.4pt"><a name=3D"m_1252146122988350906_m_5373696844051186387__MailE=
ndCompose"></a><b>From:</b> John Bradley [mailto:<a href=3D"mailto:ve7jtb@v=
e7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>] <br><b>Sent:</b> Thursd=
ay, March 30, 2017 4:44 PM<br><b>To:</b> Mike Jones &lt;<a href=3D"mailto:M=
ichael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.com</=
a>&gt;<br><b>Cc:</b> Nat Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" t=
arget=3D"_blank">nat@sakimura.org</a>&gt;; IETF oauth WG &lt;<a href=3D"mai=
lto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:=
</b> RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt <u></u><=
u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <=
u></u><u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:50.=
4pt">The intent of the change is to only allow the paramaters to be in the =
signed object if a signed object is used. =C2=A0 <u></u><u></u></p><div><di=
v><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u></u>=
</p></div></div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">Th=
is requires State, nonce etc to be in the JWT.=C2=A0 Only one place to chec=
k will hopefully reduce implimentation errors. =C2=A0 <u></u><u></u></p></d=
iv><div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u>=
</u><u></u></p></div></div><div><p class=3D"MsoNormal" style=3D"margin-left=
:50.4pt">This also allows us to remove the caching text as we now have one =
JWT per request, so caching won&#39;t happen. =C2=A0=C2=A0 <u></u><u></u></=
p></div><div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=
=A0 <u></u><u></u></p></div></div><div><p class=3D"MsoNormal" style=3D"marg=
in-left:50.4pt">John B. =C2=A0 <u></u><u></u></p></div><div><div><p class=
=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u></u></p></div>=
</div><div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 =
<u></u><u></u></p></div></div></div><div><div><p class=3D"MsoNormal" style=
=3D"margin-left:50.4pt">=C2=A0 <u></u><u></u></p></div><div><p class=3D"Mso=
Normal" style=3D"margin-left:50.4pt">On Mar 30, 2017 4:36 PM, &quot;Mike Jo=
nes&quot; &lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_bla=
nk">Michael.Jones@microsoft.com</a>&gt; wrote: <u></u><u></u></p><blockquot=
e style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0=
pt"><div><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span sty=
le=3D"color:#002060">I *<b>believe</b>* the intent is that *<b>all</b>* par=
ameters must be in the request object, but the spec doesn=E2=80=99t actuall=
y say that, as far as I can tell.=C2=A0 Or maybe the intent is that paramet=
ers must not be duplicated between the query parameters and the request obj=
ect.</span> <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-l=
eft:55.2pt"><span style=3D"color:#002060">=C2=A0</span> <u></u><u></u></p><=
/div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=3D"col=
or:#002060">One or the other of these statements should be explicitly inclu=
ded in the specification.=C2=A0 Of course, I could have missed the statemen=
t I=E2=80=99m asking for in my review, in which case please let me know wha=
t I missed.</span> <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"m=
argin-left:55.2pt"><span style=3D"color:#002060">=C2=A0</span> <u></u><u></=
u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=
=3D"color:#002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thanks,</span> <u></u><=
u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=
=3D"color:#002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike</span> <u></u><u></u></p><p cl=
ass=3D"MsoNormal" style=3D"margin-left:55.2pt"><a name=3D"m_125214612298835=
0906_m_5373696844051186387_m_3264258369573027"><span style=3D"color:#002060=
">=C2=A0</span></a><span></span> <u></u><u></u></p><div><div style=3D"borde=
r:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt"><b>From:</b> OAuth [mailto:<a h=
ref=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounces@ietf.=
org</a><wbr>] <b>On Behalf Of </b>John Bradley<br><b>Sent:</b> Thursday, Ma=
rch 30, 2017 3:00 PM<br><b>To:</b> IETF OAUTH &lt;<a href=3D"mailto:oauth@i=
etf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b> [OAUTH=
-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt <u></u><u></u></p></div=
></div><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u><=
/u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">Bas=
ed on feeback from the IESG we have removed some of the optionality in the =
draft. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:5=
5.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margi=
n-left:55.2pt">It is a shorter read than draft 12.=C2=A0=C2=A0 <u></u><u></=
u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></=
u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">John=
 B. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2=
pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-l=
eft:55.2pt">Sent from <a href=3D"https://go.microsoft.com/fwlink/?LinkId=3D=
550986" target=3D"_blank">Mail</a> for Windows 10 <u></u><u></u></p><div><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p>=
</div><div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0p=
t 0cm 0cm 0cm"><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><b>From:=
 </b><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">internet=
-drafts@ietf.org</a><br><b>Sent: </b>March 30, 2017 1:38 PM<br><b>To: </b><=
a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d-announce@ietf=
.org</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org" target=3D"_blank">=
oauth@ietf.org</a><br><b>Subject: </b>[OAUTH-WG] I-D Action: draft-ietf-oau=
th-jwsreq-13.txt <u></u><u></u></p></div><div><p class=3D"MsoNormal" style=
=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div><div><p class=3D"Mso=
Normal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div><p clas=
s=3D"MsoNormal" style=3D"margin-left:55.2pt">A New Internet-Draft is availa=
ble from the on-line Internet-Drafts directories. <u></u><u></u></p><p clas=
s=3D"MsoNormal" style=3D"margin-left:55.2pt">This draft is a work item of t=
he Web Authorization Protocol of the IETF. <u></u><u></u></p><div><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div>=
<p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0 Title=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 : The OAuth 2.0 Authorization Framework: JWT Secured Authoriza=
tion Request (JAR) <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin=
-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Authors=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 : Nat Sakimura <u></u><u></u></p><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 John Bradley <u></u><u>=
</u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Filename=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0 : draft-ietf-oauth-jwsreq-13.txt <u></u><u></u></p><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Pages=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 : 27 <u></u><u></u></p><p class=3D"MsoNormal" s=
tyle=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 Date=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 : 2017-03-30 <u></u><u></u></p><div><p class=3D"MsoNormal" sty=
le=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNor=
mal" style=3D"margin-left:55.2pt">Abstract: <u></u><u></u></p><p class=3D"M=
soNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 The authorization reque=
st in OAuth 2.0 described in RFC 6749 utilizes <u></u><u></u></p><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 query parameter se=
rialization, which means that Authorization Request <u></u><u></u></p><p cl=
ass=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 parameters are =
encoded in the URI of the request and sent through <u></u><u></u></p><p cla=
ss=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0user agents such =
as web browsers.=C2=A0 While it is easy to implement, it <u></u><u></u></p>=
<p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 means that=
 (a) the communication through the user agents are not <u></u><u></u></p><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 integrity pr=
otected and thus the parameters can be tainted, and (b) <u></u><u></u></p><=
p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 the source =
of the communication is not authenticated.=C2=A0 Because of <u></u><u></u><=
/p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 these w=
eaknesses, several attacks to the protocol have now been put <u></u><u></u>=
</p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 forwar=
d. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2p=
t">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-le=
ft:55.2pt">=C2=A0=C2=A0 This document introduces the ability to send reques=
t parameters in a <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-=
left:55.2pt">=C2=A0=C2=A0 JSON Web Token (JWT) instead, which allows the re=
quest to be signed <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin=
-left:55.2pt">=C2=A0=C2=A0 with JSON Web Signature (JWS) and/or encrypted w=
ith JSON Web <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:=
55.2pt">=C2=A0=C2=A0 Encryption (JWE) so that the integrity, source authent=
ication and <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:5=
5.2pt">=C2=A0=C2=A0 confidentiality property of the Authorization Request i=
s attained. <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:5=
5.2pt">=C2=A0=C2=A0 The request can be sent by value or by reference. <u></=
u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=
=A0 <u></u><u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-lef=
t:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"ma=
rgin-left:55.2pt">The IETF datatracker status page for this draft is: <u></=
u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D=
"https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/" target=3D"_blan=
k">https://datatracker.ietf.org/<wbr>doc/draft-ietf-oauth-jwsreq/</a> <u></=
u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=
=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.=
2pt">There are also htmlized versions available at: <u></u><u></u></p><p cl=
ass=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://tools.iet=
f.org/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://tools.ietf=
.org/html/<wbr>draft-ietf-oauth-jwsreq-13</a> <u></u><u></u></p><p class=3D=
"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://datatracker.iet=
f.org/doc/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://datatr=
acker.ietf.org/<wbr>doc/html/draft-ietf-oauth-<wbr>jwsreq-13</a> <u></u><u>=
</u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u>=
</u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">A =
diff from the previous version is available at: <u></u><u></u></p><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://www.ietf.org=
/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13" target=3D"_blank">https://www.i=
etf.org/rfcdiff?<wbr>url2=3Ddraft-ietf-oauth-jwsreq-<wbr>13</a> <u></u><u><=
/u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u><=
/u><u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt=
">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-lef=
t:55.2pt">Please note that it may take a couple of minutes from the time of=
 submission <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:5=
5.2pt">until the htmlized version and diff are available at <a href=3D"http=
://tools.ietf.org/" target=3D"_blank">tools.ietf.org</a>. <u></u><u></u></p=
><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u>=
</u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">Internet-=
Drafts are also available by anonymous FTP at: <u></u><u></u></p><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"ftp://ftp.ietf.org/i=
nternet-drafts/" target=3D"_blank">ftp://ftp.ietf.org/internet-<wbr>drafts/=
</a> <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.=
2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-=
left:55.2pt">______________________________<wbr>_________________ <u></u><u=
></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">OAuth mailing =
list <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a> <u><=
/u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=
=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://=
www.ietf.org/mailman/<wbr>listinfo/oauth</a> <u></u><u></u></p></div></div>=
</blockquote></div></div></div></blockquote></div></div></blockquote></div>=
</div></blockquote></div><div style=3D"margin-left:19.2pt;margin-bottom:5.0=
pt"><p class=3D"MsoNormal">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNo=
rmal">=C2=A0<u></u><u></u></p></div><p class=3D"MsoNormal">________________=
______________<wbr>_________________<br>OAuth mailing list<br><a href=3D"ma=
ilto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br><a href=3D"htt=
ps://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.iet=
f.org/mailman/<wbr>listinfo/oauth</a><u></u><u></u></p></div></blockquote><=
/div></div><p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNo=
rmal"><u></u>=C2=A0<u></u></p></div></div></div></div><br>_________________=
_____________<wbr>_________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/<wbr>listinfo/oauth</a><br>
<br></blockquote></div><br></div>

--94eb2c19beb03f08bf054c06e6e2--


From nobody Fri Mar 31 06:38:41 2017
In-Reply-To: <CA+k3eCTKHRB_dKeUEurZX5vDzCw+HhEgUZiHUnyd61oNjmogRw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Mar 2017 08:37:56 -0500
Message-ID: <CA+k3eCR8Amr8+b+Sh9eR=VDzJme+bcB8WhkokcPpgmgaEMZMGQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, IETF oauth WG <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Content-Type: multipart/alternative; boundary=f403045cc42e9aced1054c06ec05
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RCjUmJ7njN-LrRWMK43JWMaeSlg>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt

--f403045cc42e9aced1054c06ec05
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

BTW, the intro still has text about 'dynamic parameters such as "state"'
that needs to be cleaned up.
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13#section-1

On Fri, Mar 31, 2017 at 8:36 AM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> "The current text causes the AS to ignore them and not return an error." -
> except that I don't believe the current text actually specifies that
> anywhere. And I think that the intent of Mike's original comment was that
> -13 doesn't specify the behavior but that it needs to be revised to do so.
>
> I'd suggest that the doc say that the client must include in the request
> object (request or request_uri) all the OAuth parameters that it sends. And
> when request or request_uri is sent, that the AS must/should only rely on
> parameter values from the request object.
>
> I think being semi or somewhat compatible or tolerant of the Connect
> variation of request/request_uri is good because it uses the same parameter
> names, the same endpoint, and the same metadata names.
>
> On Thu, Mar 30, 2017 at 11:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> They are mutually exclusive.
>>
>> However there are two options as to how the authorization endpoint would
>> treat extra query parameters like state if they are sent.
>>
>> The current text causes the AS to ignore them and not return an error.
>> This would be more backwards compatible with the request object in OpenID
>> Connect, however in reality it may cause Connect clients to send parameters
>> as query parameters that would be processed by a Connect server but would
>> be ignored by an OAuth server without any obvious error.  There may however
>> be subtle errors downstream from missing parameters.
>>
>> The other option is to have a cleaner breaking change from Connect and
>> have the Authorization endpoint return an error if anything other than the
>> two new parameters are sent to the authorization endpoint.
>>
>> I am leaning towards the latter as it is easier to debug, and won't allow
>> incompatible Connect requests to be accepted without an error.  We would
>> have done this in Connect but couldn't drop required parameters from OAuth
>> in a Connect spec.
>>
>> The downside for the latter is that the client would need to know if the
>> AS is supporting the Connect version or the OAuth version.
>>
>> One of the typical conundrums around how to deal with doing the best
>> going forward thing vs not blowing up older implementations.
>>
>> In the current proposal a client could put the required parameters in both
>> places and the same request would work on servers supporting both the
>> Connect and OAuth versions.
>>
>> John B.
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>> *From: *Torsten Lodderstedt <torsten@lodderstedt.net>
>> *Sent: *March 30, 2017 11:01 PM
>> *To: *John Bradley <ve7jtb@ve7jtb.com>
>> *Cc: *Nat Sakimura <sakimura@gmail.com>; Nat Sakimura <nat@sakimura.org>;
>> IETF oauth WG <oauth@ietf.org>
>> *Subject: *Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> I had assumed using the request object is mutually exclusive to use of URI
>> query parameters. Did I misinterpret the draft?
>>
>> On 30.03.2017 at 22:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> It is a trade off between compatibility with Connect and possible
>> configuration errors.
>>
>> In reality it may not be compatible with Connect if the client is sending
>> some parameters outside the object without including them in the object as
>> a Connect client might.  You would potentially wind up dropping state or
>> nonce without an error.
>>
>> I asked Mike and he was leaning to making it an error to send them as
>> query parameters as that would be a clean change.
>>
>> I think the choice is a bit of a grey area.
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>> *From: *sakimura@gmail.com
>> *Sent: *March 30, 2017 9:57 PM
>> *To: *John Bradley <ve7jtb@ve7jtb.com>; Nat Sakimura <nat@sakimura.org>
>> *Cc: *IETF oauth WG <oauth@ietf.org>
>> *Subject: *Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> +1
>>
>> Sent from my Huawei Mobile
>>
>> -------- Original Message --------
>> Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>> From: John Bradley
>> To: Nat Sakimura
>> CC: IETF oauth WG
>>
>> So I think we need to make the must ignore clearer for the additional
>> parameters on the authorization endpoint.
>>
>> On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:
>>
>> Not right now.
>>
>> As of this writing, a client can still send duplicate parameters in the
>> query but they get ignored by the servers honoring OAuth JAR. So, it is
>> backwards compatible with OpenID Connect in that sense (OpenID Connect
>> sends duplicate mandatory RFC6749 parameters as the query parameters as well
>> just to be compliant to RFC6749). Conversely, servers that do not support
>> OAuth JAR will ignore request_uri etc.
>>
>> On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> Is there a clear statement somewhere along the lines of “parameters
>> (other than “request” or “request_uri”) are only allowed to be in the
>> signed object if a signed object is used”?  That’s the kind of thing I
>> was looking for and didn’t find.
>>
>>                                                        -- Mike
>>
>> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
>> *Sent:* Thursday, March 30, 2017 4:44 PM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
>> *Subject:* RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> The intent of the change is to only allow the parameters to be in the
>> signed object if a signed object is used.
>>
>> This requires state, nonce etc. to be in the JWT.  Only one place to check
>> will hopefully reduce implementation errors.
>>
>> This also allows us to remove the caching text as we now have one JWT per
>> request, so caching won't happen.
>>
>> John B.
>>
>> On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com>
>> wrote:
>>
>> I **believe** the intent is that **all** parameters must be in the
>> request object, but the spec doesn’t actually say that, as far as I can
>> tell.  Or maybe the intent is that parameters must not be duplicated
>> between the query parameters and the request object.
>>
>> One or the other of these statements should be explicitly included in the
>> specification.  Of course, I could have missed the statement I’m asking for
>> in my review, in which case please let me know what I missed.
>>
>>                                                        Thanks,
>>                                                       -- Mike
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
>> *Sent:* Thursday, March 30, 2017 3:00 PM
>> *To:* IETF OAUTH <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> Based on feedback from the IESG we have removed some of the optionality in
>> the draft.
>>
>> It is a shorter read than draft 12.
>>
>> John B.
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>> *From: *internet-drafts@ietf.org
>> *Sent: *March 30, 2017 1:38 PM
>> *To: *i-d-announce@ietf.org
>> *Cc: *oauth@ietf.org
>> *Subject: *[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>         Title           : The OAuth 2.0 Authorization Framework: JWT
>>                           Secured Authorization Request (JAR)
>>         Authors         : Nat Sakimura
>>                           John Bradley
>>         Filename        : draft-ietf-oauth-jwsreq-13.txt
>>         Pages           : 27
>>         Date            : 2017-03-30
>>
>> Abstract:
>>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>>    query parameter serialization, which means that Authorization Request
>>    parameters are encoded in the URI of the request and sent through
>>    user agents such as web browsers.  While it is easy to implement, it
>>    means that (a) the communication through the user agents is not
>>    integrity protected and thus the parameters can be tainted, and (b)
>>    the source of the communication is not authenticated.  Because of
>>    these weaknesses, several attacks to the protocol have now been put
>>    forward.
>>
>>    This document introduces the ability to send request parameters in a
>>    JSON Web Token (JWT) instead, which allows the request to be signed
>>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>>    Encryption (JWE) so that the integrity, source authentication and
>>    confidentiality property of the Authorization Request is attained.
>>    The request can be sent by value or by reference.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
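
The two authorization-endpoint behaviours argued over above (silently ignore query parameters outside the request object, or return an error) and the state/nonce-dropping hazard, as an added Python sketch that is not code from the draft, the mailing list or any implementation. It assumes a by-value request object (request=, not request_uri=) signed with HS256 over a constructed demo key; a real AS would verify whatever JWS/JWE algorithm and key the client registered.

```python
"""JAR authorization-endpoint parameter handling (added example, not draft text).

strict=True  models the 'cleaner breaking change': any query parameter other
             than request/request_uri is an error.
strict=False models the 'must ignore' reading: extra query parameters are
             dropped and only the request object's values are used; a warning
             records whenever that silently loses or overrides a value.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# The two parameters draft-ietf-oauth-jwsreq-13 adds to the authorization request.
JAR_PARAMS = frozenset({"request", "request_uri"})
# Constructed demo key (assumption); a real AS uses the client's registered key.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


class AuthzError(Exception):
    """Raised where the AS would return an OAuth error response to the client."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS carrying the authorization request claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HS256 signature and return the claims; anything else is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthzError("invalid_request_object: not a compact JWS") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise AuthzError("invalid_request_object: unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthzError("invalid_request_object: bad signature")
    return json.loads(_b64url_decode(payload_b64))


def resolve_request_parameters(query_string: str, strict: bool, key: bytes = DEMO_KEY):
    """Return (effective parameters, warnings) for one authorization request."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    repeated = [k for k, v in parsed.items() if len(v) > 1]
    if repeated:  # RFC 6749 forbids sending a parameter more than once
        raise AuthzError(f"invalid_request: repeated parameter(s) {sorted(repeated)}")
    query = {k: v[0] for k, v in parsed.items()}

    if "request" in query and "request_uri" in query:
        raise AuthzError("invalid_request: request and request_uri are mutually exclusive")
    if not (JAR_PARAMS & query.keys()):
        return query, []  # plain RFC 6749 request, nothing to merge
    if "request_uri" in query:
        raise AuthzError("invalid_request_uri: by-reference fetch not modelled here")

    extras = set(query) - JAR_PARAMS
    if strict and extras:
        raise AuthzError(f"invalid_request: parameters outside the request object {sorted(extras)}")

    claims = verify_request_object(query["request"], key)
    warnings = []
    for name in sorted(extras):
        if name not in claims:
            warnings.append(f"{name}: sent only as a query parameter, dropped without error")
        elif claims[name] != query[name]:
            warnings.append(f"{name}: query value differs from request object, object value used")
    return claims, warnings


if __name__ == "__main__":
    # Constructed sample: a Connect-style client that kept state in the query
    # but did not copy it into the request object.
    token = make_request_object({"response_type": "code", "client_id": "s6BhdRkqt3",
                                 "redirect_uri": "https://client.example.org/cb"})
    print(resolve_request_parameters(f"state=af0ifjsldkj&request={token}", strict=False))
    try:
        resolve_request_parameters(f"state=af0ifjsldkj&request={token}", strict=True)
    except AuthzError as err:
        print("strict mode:", err)
```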

--f403045cc42e9aced1054c06ec05
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<br><br><u></u><u></u></p><blockquote style=3D"border:none;border-left:soli=
d #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0p=
t;margin-right:0cm;margin-bottom:5.0pt"><div><p class=3D"MsoNormal" style=
=3D"margin-left:40.8pt">So I think we need to make the must ignore clearer =
for the additional paramaters on the authorization endpoint. =C2=A0<u></u><=
u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:40.8pt">=
=C2=A0<u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:40=
.8pt">On Mar 30, 2017 17:33, &quot;Nat Sakimura&quot; &lt;<a href=3D"mailto=
:nat@sakimura.org" target=3D"_blank">nat@sakimura.org</a>&gt; wrote:<u></u>=
<u></u></p><blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt=
;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:=
0cm;margin-bottom:5.0pt"><div><div><p class=3D"MsoNormal" style=3D"margin-r=
ight:0cm;margin-bottom:12.0pt;margin-left:45.6pt">Not right now. <u></u><u>=
</u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:45.6pt">As o=
f this writing, a client can still send duplicate parameters in the query b=
ut they get ignored by the servers honoring OAuth JAR. So, it is backwards =
compatible with OpenID Connect in that sense (OpenID Connect sends duplicat=
e manatory RFC6749 parameters as the query parameters as well just to be co=
mpliant to RFC6749). Conversely, servers that do not support OAuth JAR will=
 ignore request_uri etc. <u></u><u></u></p></div><div><p class=3D"MsoNormal=
" style=3D"margin-left:45.6pt">On Mar 30, 2017, at 4:47 PM, Mike Jones &lt;=
<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jo=
nes@microsoft.com</a>&gt; wrote:<u></u><u></u></p><blockquote style=3D"bord=
er:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-le=
ft:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><p cla=
ss=3D"MsoNormal" style=3D"margin-left:50.4pt"><span style=3D"color:#002060"=
>Is there a clear statement somewhere along the lines of =E2=80=9C</span>pa=
rameters (other than =E2=80=9Crequest=E2=80=9D or =E2=80=9Crequest_uri=E2=
=80=9D) are only allowed to be in the signed object if a signed object is u=
sed<span style=3D"color:#002060">=E2=80=9D?=C2=A0 That=E2=80=99s the kind o=
f thing I was looking for and didn=E2=80=99t find. </span><u></u><u></u></p=
><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u>=
</u></p></div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt"><span sty=
le=3D"color:#002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike </span><u></u><=
u></u></p><p class=3D"MsoNormal" style=3D"margin-left:50.4pt"><a name=3D"m_=
9111380663044375953_m_1252146122988350906_m_5373696844051186387__MailEndCom=
pose"></a><b>From:</b> John Bradley [mailto:<a href=3D"mailto:ve7jtb@ve7jtb=
.com" target=3D"_blank">ve7jtb@ve7jtb.com</a>] <br><b>Sent:</b> Thursday, M=
arch 30, 2017 4:44 PM<br><b>To:</b> Mike Jones &lt;<a href=3D"mailto:Michae=
l.Jones@microsoft.com" target=3D"_blank">Michael.Jones@microsoft.com</a>&gt=
;<br><b>Cc:</b> Nat Sakimura &lt;<a href=3D"mailto:nat@sakimura.org" target=
=3D"_blank">nat@sakimura.org</a>&gt;; IETF oauth WG &lt;<a href=3D"mailto:o=
auth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b> =
RE: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt <u></u><u></u=
></p><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u=
><u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=
The intent of the change is to only allow the paramaters to be in the signe=
d object if a signed object is used. =C2=A0 <u></u><u></u></p><div><div><p =
class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u></u></p><=
/div></div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">This re=
quires State, nonce etc to be in the JWT.=C2=A0 Only one place to check wil=
l hopefully reduce implimentation errors. =C2=A0 <u></u><u></u></p></div><d=
iv><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><=
u></u></p></div></div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4=
pt">This also allows us to remove the caching text as we now have one JWT p=
er request, so caching won&#39;t happen. =C2=A0=C2=A0 <u></u><u></u></p></d=
iv><div><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u>=
</u><u></u></p></div></div><div><p class=3D"MsoNormal" style=3D"margin-left=
:50.4pt">John B. =C2=A0 <u></u><u></u></p></div><div><div><p class=3D"MsoNo=
rmal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u></u></p></div></div><di=
v><div><p class=3D"MsoNormal" style=3D"margin-left:50.4pt">=C2=A0 <u></u><u=
></u></p></div></div></div><div><div><p class=3D"MsoNormal" style=3D"margin=
-left:50.4pt">=C2=A0 <u></u><u></u></p></div><div><p class=3D"MsoNormal" st=
yle=3D"margin-left:50.4pt">On Mar 30, 2017 4:36 PM, &quot;Mike Jones&quot; =
&lt;<a href=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michae=
l.Jones@microsoft.com</a>&gt; wrote: <u></u><u></u></p><blockquote style=3D=
"border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;marg=
in-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><=
div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=3D"colo=
r:#002060">I *<b>believe</b>* the intent is that *<b>all</b>* parameters mu=
st be in the request object, but the spec doesn=E2=80=99t actually say that=
, as far as I can tell.=C2=A0 Or maybe the intent is that parameters must n=
ot be duplicated between the query parameters and the request object.</span=
> <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt=
"><span style=3D"color:#002060">=C2=A0</span> <u></u><u></u></p></div><p cl=
ass=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=3D"color:#002060=
">One or the other of these statements should be explicitly included in the=
 specification.=C2=A0 Of course, I could have missed the statement I=E2=80=
=99m asking for in my review, in which case please let me know what I misse=
d.</span> <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-lef=
t:55.2pt"><span style=3D"color:#002060">=C2=A0</span> <u></u><u></u></p></d=
iv><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=3D"color=
:#002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thanks,</span> <u></u><u></u></p=
><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><span style=3D"color:#=
002060">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike</span> <u></u><u></u></p><p class=3D"MsoNo=
rmal" style=3D"margin-left:55.2pt"><a name=3D"m_9111380663044375953_m_12521=
46122988350906_m_5373696844051186387_m_3264258369573027"><span style=3D"col=
or:#002060">=C2=A0</span></a><span></span> <u></u><u></u></p><div><div styl=
e=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">=
<p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><b>From:</b> OAuth [mai=
lto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounc=
es@ietf.org</a><wbr>] <b>On Behalf Of </b>John Bradley<br><b>Sent:</b> Thur=
sday, March 30, 2017 3:00 PM<br><b>To:</b> IETF OAUTH &lt;<a href=3D"mailto=
:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt;<br><b>Subject:</b=
> [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt <u></u><u></u><=
/p></div></div><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=
=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.=
2pt">Based on feeback from the IESG we have removed some of the optionality=
 in the draft. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margi=
n-left:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=
=3D"margin-left:55.2pt">It is a shorter read than draft 12.=C2=A0=C2=A0 <u>=
</u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=
=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.=
2pt">John B. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-=
left:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D=
"margin-left:55.2pt">Sent from <a href=3D"https://go.microsoft.com/fwlink/?=
LinkId=3D550986" target=3D"_blank">Mail</a> for Windows 10 <u></u><u></u></=
p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u=
></u></p></div><div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;pad=
ding:3.0pt 0cm 0cm 0cm"><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"=
><b>From: </b><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank"=
>internet-drafts@ietf.org</a><br><b>Sent: </b>March 30, 2017 1:38 PM<br><b>=
To: </b><a href=3D"mailto:i-d-announce@ietf.org" target=3D"_blank">i-d-anno=
unce@ietf.org</a><br><b>Cc: </b><a href=3D"mailto:oauth@ietf.org" target=3D=
"_blank">oauth@ietf.org</a><br><b>Subject: </b>[OAUTH-WG] I-D Action: draft=
-ietf-oauth-jwsreq-13.txt <u></u><u></u></p></div><div><p class=3D"MsoNorma=
l" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div><div><p clas=
s=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div=
><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">A New Internet-Draft i=
s available from the on-line Internet-Drafts directories. <u></u><u></u></p=
><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">This draft is a work i=
tem of the Web Authorization Protocol of the IETF. <u></u><u></u></p><div><=
p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p=
></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 Title=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 : The OAuth 2.0 Authorization Framework: JWT Secured Aut=
horization Request (JAR) <u></u><u></u></p><p class=3D"MsoNormal" style=3D"=
margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Authors=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 : Nat Sakimura <u></u><u></u>=
</p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 John Bradley <u><=
/u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Filename=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 : draft-ietf-oauth-jwsreq-13.txt <u></u><u></u>=
</p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Pages=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 : 27 <u></u><u></u></p><p class=3D"MsoNor=
mal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0 Date=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 : 2017-03-30 <u></u><u></u></p><div><p class=3D"MsoNorma=
l" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"=
MsoNormal" style=3D"margin-left:55.2pt">Abstract: <u></u><u></u></p><p clas=
s=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 The authorization=
 request in OAuth 2.0 described in RFC 6749 utilizes <u></u><u></u></p><p c=
lass=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 query paramete=
r serialization, which means that Authorization Request <u></u><u></u></p><=
p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 parameters =
are encoded in the URI of the request and sent through <u></u><u></u></p><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0user agents s=
uch as web browsers.=C2=A0 While it is easy to implement, it <u></u><u></u>=
</p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 means =
that (a) the communication through the user agents are not <u></u><u></u></=
p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 integrit=
y protected and thus the parameters can be tainted, and (b) <u></u><u></u><=
/p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 the sou=
rce of the communication is not authenticated.=C2=A0 Because of <u></u><u><=
/u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 the=
se weaknesses, several attacks to the protocol have now been put <u></u><u>=
</u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0=C2=A0 fo=
rward. <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:5=
5.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margi=
n-left:55.2pt">=C2=A0=C2=A0 This document introduces the ability to send re=
quest parameters in a <u></u><u></u></p><p class=3D"MsoNormal" style=3D"mar=
gin-left:55.2pt">=C2=A0=C2=A0 JSON Web Token (JWT) instead, which allows th=
e request to be signed <u></u><u></u></p><p class=3D"MsoNormal" style=3D"ma=
rgin-left:55.2pt">=C2=A0=C2=A0 with JSON Web Signature (JWS) and/or encrypt=
ed with JSON Web <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-l=
eft:55.2pt">=C2=A0=C2=A0 Encryption (JWE) so that the integrity, source aut=
hentication and <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-le=
ft:55.2pt">=C2=A0=C2=A0 confidentiality property of the Authorization Reque=
st is attained. <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-le=
ft:55.2pt">=C2=A0=C2=A0 The request can be sent by value or by reference. <=
u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=
=C2=A0 <u></u><u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-=
left:55.2pt">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D=
"margin-left:55.2pt">The IETF datatracker status page for this draft is: <u=
></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=
=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/" target=3D"_b=
lank">https://datatracker.ietf.org/d<wbr>oc/draft-ietf-oauth-jwsreq/</a> <u=
></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=
=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:=
55.2pt">There are also htmlized versions available at: <u></u><u></u></p><p=
 class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://tools.=
ietf.org/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://tools.i=
etf.org/html/dr<wbr>aft-ietf-oauth-jwsreq-13</a> <u></u><u></u></p><p class=
=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://datatracker.=
ietf.org/doc/html/draft-ietf-oauth-jwsreq-13" target=3D"_blank">https://dat=
atracker.ietf.org/d<wbr>oc/html/draft-ietf-oauth-jwsre<wbr>q-13</a> <u></u>=
<u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 =
<u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"=
>A diff from the previous version is available at: <u></u><u></u></p><p cla=
ss=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"https://www.ietf.o=
rg/rfcdiff?url2=3Ddraft-ietf-oauth-jwsreq-13" target=3D"_blank">https://www=
.ietf.org/rfcdiff?u<wbr>rl2=3Ddraft-ietf-oauth-jwsreq-13</a> <u></u><u></u>=
</p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u>=
<u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=
=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left:=
55.2pt">Please note that it may take a couple of minutes from the time of s=
ubmission <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.=
2pt">until the htmlized version and diff are available at <a href=3D"http:/=
/tools.ietf.org/" target=3D"_blank">tools.ietf.org</a>. <u></u><u></u></p><=
div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">=C2=A0 <u></u><u></=
u></p></div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">Internet-Dr=
afts are also available by anonymous FTP at: <u></u><u></u></p><p class=3D"=
MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"ftp://ftp.ietf.org/inter=
net-drafts/" target=3D"_blank">ftp://ftp.ietf.org/internet-dr<wbr>afts/</a>=
 <u></u><u></u></p><div><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"=
>=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal" style=3D"margin-left=
:55.2pt">______________________________<wbr>_________________ <u></u><u></u=
></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt">OAuth mailing list=
 <u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a h=
ref=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a> <u></u><=
u></u></p><p class=3D"MsoNormal" style=3D"margin-left:55.2pt"><a href=3D"ht=
tps://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.ie=
tf.org/mailman/l<wbr>istinfo/oauth</a> <u></u><u></u></p></div></div></bloc=
kquote></div></div></div></blockquote></div></div></blockquote></div></div>=
</blockquote></div><div style=3D"margin-left:19.2pt;margin-bottom:5.0pt"><p=
 class=3D"MsoNormal">=C2=A0 <u></u><u></u></p></div><p class=3D"MsoNormal">=
=C2=A0<u></u><u></u></p></div><p class=3D"MsoNormal">______________________=
________<wbr>_________________<br>OAuth mailing list<br><a href=3D"mailto:O=
Auth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br><a href=3D"https://w=
ww.ietf.org/mailman/listinfo/oauth" target=3D"_blank">https://www.ietf.org/=
mailman/l<wbr>istinfo/oauth</a><u></u><u></u></p></div></blockquote></div><=
/div><p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p><p class=3D"MsoNormal">=
<u></u>=C2=A0<u></u></p></div></div></div></div><br>_______________________=
_______<wbr>_________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/l<wbr>istinfo/oauth</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>

--f403045cc42e9aced1054c06ec05--


From nobody Fri Mar 31 06:40:11 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECAA7129524 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 06:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1j9XPkEjK2Fx for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 06:40:06 -0700 (PDT)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDD0B1294BD for <oauth@ietf.org>; Fri, 31 Mar 2017 06:40:05 -0700 (PDT)
Received: by mail-pg0-x234.google.com with SMTP id 21so71745114pgg.1 for <oauth@ietf.org>; Fri, 31 Mar 2017 06:40:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VdcUO+yvXop+P6GOrIrcuwsc0gnkWp3ZkXBT20DIdqg=; b=obr/HFDz9zSX+mbuGs69Ywmoasrlya6sljyagsuAdd+Q/LPMhzj7M+9izJzW15ap+n DpzHShyMIPKx/2TXRU3sNua0jY/MsTBnA4B1PkzcTCpsRJM5M071x0P49jMvXZBCME1j 3+jTCbcW9fUYOQq37qvDv1o1hFoXxp198tHl0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VdcUO+yvXop+P6GOrIrcuwsc0gnkWp3ZkXBT20DIdqg=; b=m3XK7l4vP/YR7RjLRw9MIWDgDxoZAtC8wdvtfmZM3WnBjUWR8E2+Ihz8aulLdwclag 134XTCDf3M/AQAHibzLFlu9niJbSAFcVVgyW5LKdnvHTTeji9UXPhlgxN6k9xhrt3JIh XgS5ZiWeZvSF0JebbyELOsfo8vxsNMslw8lPhDBaYXDgpgXnWIW3VoxAaiCmR9sfD8W6 imFZnmD5J/AWz1m+XRNauyOoMTLv6Zp48jsn8n9DANRiwJ7ld6XEw6q4Yz05LAqakVwr DrdmGg48npL1Sg4OdWn8fM6uXbgiqU9KDeX9AWL7B1O9QXFZblQggtiKci/I8JduZG5X /zHQ==
X-Gm-Message-State: AFeK/H204QivbqojEyAm9ZJZR6bob91JRkA6ZV8Z/sFuqE4n//q+e/gsk0E0af1d9BPhm+FiTyLhhVkhclCgW2/W
X-Received: by 10.84.232.131 with SMTP id i3mr3635400plk.172.1490967605361; Fri, 31 Mar 2017 06:40:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.165.172 with HTTP; Fri, 31 Mar 2017 06:39:34 -0700 (PDT)
In-Reply-To: <CA+k3eCR8Amr8+b+Sh9eR=VDzJme+bcB8WhkokcPpgmgaEMZMGQ@mail.gmail.com>
References: <CAANoGhJDKgqWaqhdL6TCO7RhE==h=ZmJeKbU-cuwUZwE+siHMA@mail.gmail.com> <n6swy6f6jws7vdnx4rs66ktg.1490929049898@email.android.com> <58ddcfc3.5c2e6b0a.7b9e3.bbc6@mx.google.com> <B4C58688-6933-4E46-BA80-15E5E8B38F6F@lodderstedt.net> <58ddd7a5.e4886b0a.bf30d.bce7@mx.google.com> <CA+k3eCTKHRB_dKeUEurZX5vDzCw+HhEgUZiHUnyd61oNjmogRw@mail.gmail.com> <CA+k3eCR8Amr8+b+Sh9eR=VDzJme+bcB8WhkokcPpgmgaEMZMGQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Mar 2017 08:39:34 -0500
Message-ID: <CA+k3eCRzKRVA0arzDcc0Z_-Heo30NVSRcPxPQm4nD5nnqY77yw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, IETF oauth WG <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Content-Type: multipart/alternative; boundary=f40304361d107d5e09054c06f23b
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8oBnT3W0Ouz2aQgQjJiff68H6NY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 13:40:10 -0000

--f40304361d107d5e09054c06f23b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

and a typo - "If thie location is" should say "If this location is"

On Fri, Mar 31, 2017 at 8:37 AM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> BTW, the intro still has text about 'dynamic parameters such as "state"'
> that need to be cleaned up.  https://tools.ietf.org/html/
> draft-ietf-oauth-jwsreq-13#section-1
>
> On Fri, Mar 31, 2017 at 8:36 AM, Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>> "The current text causes the AS to ignore them and not return a error. "
>> - except that I don't believe the current text actually specifies that
>> anywhere. And I think that the intent of Mike's original comment was that
>> -13 doesn't specify the behavior but that it needs to be revised to do so.
>>
>> I'd suggest that the doc say that the client must include in the request
>> object (request or request_uri) all the oauth parameters that it sends. And
>> when request or request_uri is sent, that the AS must/should only rely on
>> parameter values from the request object.
>>
>> I think being semi or somewhat compatible or tolerant of the Connect
>> variation or request/request_uri is good because it uses the same parameter
>> names, the same endpoint, and the same metadata names.
>>
>>
>>
>>
>>
>>
>> On Thu, Mar 30, 2017 at 11:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> They are mutually exclusive.
>>>
>>>
>>>
>>> However there are two options as to how the authorization endpoint would
>>> treat extra query parameters like state if they are sent.
>>>
>>>
>>>
>>> The current text causes the AS to ignore them and not return an error.
>>> This would be more backwards compatible with the request object in OpenID
>>> Connect, however in reality it may cause connect clients to send parameters
>>> as query parameters that would be processed by a connect server that would
>>> be ignored by an OAuth server without any obvious error.  There may however
>>> be subtle errors downstream from missing parameters.
>>>
>>>
>>>
>>> The other option is to have a cleaner breaking change from Connect and
>>> have the Authorization endpoint return an error if anything other than the
>>> two new parameters are sent to the authorization endpoint.
>>>
>>>
>>>
>>> I am leaning towards the latter as it is easier to debug, and won't
>>> allow incompatible Connect requests to be accepted without an error.   We
>>> would have done this in Connect but couldn’t drop required parameters from
>>> OAuth in a Connect spec.
>>>
>>>
>>>
>>> The downside for the latter is that the client would need to know if the
>>> AS is supporting the Connect version or the OAuth version.
>>>
>>>
>>>
>>> One of the typical conundrums around how to deal with doing the best
>>> going forward thing vs not blowing up older implementations.
>>>
>>>
>>>
>>> In the current proposal a client could put the required parameters both
>>> places and the same request would work on servers supporting both the
>>> Connect and OAuth versions.
>>>
>>>
>>>
>>> John B.
>>>
>>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>>> Windows 10
>>>
>>>
>>>
>>> *From: *Torsten Lodderstedt <torsten@lodderstedt.net>
>>> *Sent: *March 30, 2017 11:01 PM
>>> *To: *John Bradley <ve7jtb@ve7jtb.com>
>>> *Cc: *Nat Sakimura <sakimura@gmail.com>; Nat Sakimura <nat@sakimura.org>;
>>> IETF oauth WG <oauth@ietf.org>
>>> *Subject: *Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>>
>>>
>>>
>>> I had assumed using the request object is mutually exclusive to use of URI
>>> query parameters. Did I misinterpret the draft?
>>>
>>>
>>>
>>> Am 30.03.2017 um 22:40 schrieb John Bradley <ve7jtb@ve7jtb.com>:
>>>
>>>
>>>
>>> It is a trade off between compatibility with Connect and possible
>>> configuration errors.
>>>
>>>
>>>
>>> In reality it may not be compatible with Connect if the client is
>>> sending some parameters outside the object without including them in the
>>> object as a Connect client might.    You would potentially wind up dropping
>>> state or nonce without an error.
>>>
>>>
>>>
>>> I asked Mike and he was leaning to making it an error to send them as
>>> query parameters as that would be a clean change.
>>>
>>>
>>>
>>> I think the choice is a bit of a grey area.
>>>
>>>
>>>
>>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>>> Windows 10
>>>
>>>
>>>
>>> *From: *sakimura@gmail.com
>>> *Sent: *March 30, 2017 9:57 PM
>>> *To: *John Bradley <ve7jtb@ve7jtb.com>; Nat Sakimura <nat@sakimura.org>
>>> *Cc: *IETF oauth WG <oauth@ietf.org>
>>> *Subject: *Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>>
>>>
>>>
>>> +1
>>>
>>> Sent from my Huawei Mobile
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: Re: [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>> From: John Bradley
>>> To: Nat Sakimura
>>> CC: IETF oauth WG
>>>
>>> So I think we need to make the must ignore clearer for the additional
>>> parameters on the authorization endpoint.
>>>
>>>
>>>
>>> On Mar 30, 2017 17:33, "Nat Sakimura" <nat@sakimura.org> wrote:
>>>
>>> Not right now.
>>>
>>> As of this writing, a client can still send duplicate parameters in the
>>> query but they get ignored by the servers honoring OAuth JAR. So, it is
>>> backwards compatible with OpenID Connect in that sense (OpenID Connect
>>> sends duplicate mandatory RFC6749 parameters as the query parameters as well
>>> just to be compliant to RFC6749). Conversely, servers that do not support
>>> OAuth JAR will ignore request_uri etc.
>>>
>>> On Mar 30, 2017, at 4:47 PM, Mike Jones <Michael.Jones@microsoft.com>
>>> wrote:
>>>
>>> Is there a clear statement somewhere along the lines of “parameters
>>> (other than “request” or “request_uri”) are only allowed to be in the
>>> signed object if a signed object is used”?  That’s the kind of thing I
>>> was looking for and didn’t find.
>>>
>>>
>>>
>>>                                                        -- Mike
>>>
>>> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
>>> *Sent:* Thursday, March 30, 2017 4:44 PM
>>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>>> *Cc:* Nat Sakimura <nat@sakimura.org>; IETF oauth WG <oauth@ietf.org>
>>> *Subject:* RE: [OAUTH-WG] FW: I-D Action:
>>> draft-ietf-oauth-jwsreq-13.txt
>>>
>>>
>>>
>>> The intent of the change is to only allow the parameters to be in the
>>> signed object if a signed object is used.
>>>
>>>
>>>
>>> This requires State, nonce etc to be in the JWT.  Only one place to
>>> check will hopefully reduce implementation errors.
>>>
>>>
>>>
>>> This also allows us to remove the caching text as we now have one JWT
>>> per request, so caching won't happen.
>>>
>>>
>>>
>>> John B.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mar 30, 2017 4:36 PM, "Mike Jones" <Michael.Jones@microsoft.com>
>>> wrote:
>>>
>>> I **believe** the intent is that **all** parameters must be in the
>>> request object, but the spec doesn’t actually say that, as far as I can
>>> tell.  Or maybe the intent is that parameters must not be duplicated
>>> between the query parameters and the request object.
>>>
>>>
>>>
>>> One or the other of these statements should be explicitly included in
>>> the specification.  Of course, I could have missed the statement I’m asking
>>> for in my review, in which case please let me know what I missed.
>>>
>>>
>>>
>>>                                                        Thanks,
>>>
>>>                                                       -- Mike
>>>
>>>
>>>
>>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John
>>> Bradley
>>> *Sent:* Thursday, March 30, 2017 3:00 PM
>>> *To:* IETF OAUTH <oauth@ietf.org>
>>> *Subject:* [OAUTH-WG] FW: I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>>
>>>
>>>
>>> Based on feedback from the IESG we have removed some of the optionality
>>> in the draft.
>>>
>>>
>>>
>>> It is a shorter read than draft 12.
>>>
>>>
>>>
>>> John B.
>>>
>>>
>>>
>>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>>> Windows 10
>>>
>>>
>>>
>>> *From: *internet-drafts@ietf.org
>>> *Sent: *March 30, 2017 1:38 PM
>>> *To: *i-d-announce@ietf.org
>>> *Cc: *oauth@ietf.org
>>> *Subject: *[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-13.txt
>>>
>>>
>>>
>>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>>
>>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>>
>>>
>>>
>>>         Title           : The OAuth 2.0 Authorization Framework: JWT
>>>                           Secured Authorization Request (JAR)
>>>         Authors         : Nat Sakimura
>>>                           John Bradley
>>>         Filename        : draft-ietf-oauth-jwsreq-13.txt
>>>         Pages           : 27
>>>         Date            : 2017-03-30
>>>
>>>
>>>
>>> Abstract:
>>>
>>>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>>>    query parameter serialization, which means that Authorization Request
>>>    parameters are encoded in the URI of the request and sent through
>>>    user agents such as web browsers.  While it is easy to implement, it
>>>    means that (a) the communication through the user agents are not
>>>    integrity protected and thus the parameters can be tainted, and (b)
>>>    the source of the communication is not authenticated.  Because of
>>>    these weaknesses, several attacks to the protocol have now been put
>>>    forward.
>>>
>>>    This document introduces the ability to send request parameters in a
>>>    JSON Web Token (JWT) instead, which allows the request to be signed
>>>    with JSON Web Signature (JWS) and/or encrypted with JSON Web
>>>    Encryption (JWE) so that the integrity, source authentication and
>>>    confidentiality property of the Authorization Request is attained.
>>>    The request can be sent by value or by reference.
>>>
>>>
>>>
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>>
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>>
>>>
>>>
>>> There are also htmlized versions available at:
>>>
>>> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-13
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-13
>>>
>>>
>>>
>>> A diff from the previous version is available at:
>>>
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-13
>>>
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>>
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>
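The two authorization-endpoint policies argued over in the thread (silently ignore query parameters outside the request object, or reject them), as an added example that is neither the draft's nor any participant's code: a small AS-side resolver in Python that verifies a request object and then applies one policy or the other, showing how a Connect-style client's query-only state is lost without any error under "ignore". The HS256 shared secret, the client and URL https://as.example are all constructed assumptions; by-reference (request_uri) retrieval is not implemented.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED = ("response_type", "client_id")  # mandatory per RFC 6749
JAR_PARAMS = {"request", "request_uri"}  # the only query parameters JAR itself defines
SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; a real AS uses the client's registered key


class InvalidRequest(ValueError):
    """What the AS would surface to the client as error=invalid_request."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: serialize the request parameters as an HS256-signed compact JWS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_request_object(jws: str, secret: bytes) -> dict:
    """AS side: check alg and signature before trusting a single claim."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise InvalidRequest("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidRequest("malformed request object") from exc
    if header.get("alg") != "HS256":  # refuses alg=none and any unexpected algorithm
        raise InvalidRequest("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidRequest("request object signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def resolve_authorization_request(url: str, secret: bytes, policy: str = "ignore") -> dict:
    """Return the parameters the AS acts on.  policy="ignore" drops query parameters other
    than request/request_uri silently (draft -13 as read in the thread); policy="reject"
    makes them an error.  Either way, only the request object's claims are used once present."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    duplicates = [name for name, values in query.items() if len(values) > 1]
    if duplicates:
        raise InvalidRequest(f"parameter(s) sent more than once: {duplicates}")
    flat = {name: values[0] for name, values in query.items()}
    if "request" in flat and "request_uri" in flat:
        raise InvalidRequest("request and request_uri are mutually exclusive")
    if "request_uri" in flat:
        raise InvalidRequest("by-reference request objects are not fetched in this example")
    if "request" not in flat:
        missing = [p for p in REQUIRED if p not in flat]  # plain RFC 6749 request
        if missing:
            raise InvalidRequest(f"missing required parameter(s): {missing}")
        return flat
    stray = sorted(set(flat) - JAR_PARAMS)
    if policy == "reject" and stray:
        raise InvalidRequest(f"parameters sent outside the request object: {stray}")
    claims = verify_request_object(flat["request"], secret)
    missing = [p for p in REQUIRED if p not in claims]
    if missing:
        raise InvalidRequest(f"request object lacks required parameter(s): {missing}")
    return claims


def is_rejected(url: str, secret: bytes, policy: str = "ignore") -> bool:
    """True if the AS would answer this request with error=invalid_request."""
    try:
        resolve_authorization_request(url, secret, policy)
    except InvalidRequest:
        return True
    return False


def connect_style_url(claims: dict, secret: bytes, also_in_query: dict) -> str:
    """What an OpenID Connect style client sends to the constructed AS: a signed request
    object plus plain query parameters, some duplicated from the object, some only here."""
    params = dict(also_in_query)
    params["request"] = sign_request_object(claims, secret)
    return "https://as.example/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Constructed client: response_type/client_id are inside the request object, but
    # state travels only as a query parameter, as a Connect client might send it.
    claims = {"response_type": "code", "client_id": "demo-client"}
    url = connect_style_url(claims, SECRET, {"client_id": "demo-client", "state": "xyz"})
    print("ignore policy keeps state:", "state" in resolve_authorization_request(url, SECRET))  # False
    print("reject policy errors out:", is_rejected(url, SECRET, policy="reject"))  # True
```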

--f40304361d107d5e09054c06f23b--


From nobody Fri Mar 31 07:59:20 2017
Return-Path: <dave.tonge@bluespeckfinancial.co.uk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A1D12987B for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 07:59:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grdUEFi0fcHZ for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 07:59:16 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73ACE12950A for <oauth@ietf.org>; Fri, 31 Mar 2017 07:59:16 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id y18so13335489itc.1 for <oauth@ietf.org>; Fri, 31 Mar 2017 07:59:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=bPa1YSZJBLOEq2ZfJYVYg9nJOjw99IWRLv9JkTGagHM=; b=Ys9/I6s0NhacR4SjFJ9zFlbktaC6SPZdF2rRHaHP0HnPwEsmR/qEfZ6f9Kl/4ReqS2 VSBA1FMh79gC4Pn7FUWRJVIRzlGlV/bF8kUOOCXzbaG79NDHYqYDXqJp9bq3QXmVyP6I Qg7Ip4ydJFbqt+fAxB51uMD144l4ztuguj8HE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=bPa1YSZJBLOEq2ZfJYVYg9nJOjw99IWRLv9JkTGagHM=; b=NJ6kXT0uzIwpSyiQnAUcBnmXvbyvzgBDLtQjAg0cX55IrURNBKR9m4hEDBsPWcK6ix /IcH7mdCZRZDGOyOV+Y+K1toj2pM79JXHrGP4/hiJ921iBLmpEC50599h9U39pwDonD2 pKB4+BkhZ3wxipGvcR4CMh/XQlTgi91Cj61gIZAvJOagLMeg5egCTd/a0Ccon/F2kXuV PI7+/GEdxBfjQse6D0jOXbI/r+0cyBWr39o1CD9/nCc4KFhEkSi5mwtpQDoy7K1V7cUj dAk+xqO6AgrSXis9WdJekNnHJ71eys9WlzsYpcBAVWtjvzDDY48QrBdxK54lIWIrUZMm Qh4A==
X-Gm-Message-State: AFeK/H1cLrV583juaC5rKweWSgEhpoaKrxII9TMkMaVfRySmpJyFCoVY9/lVFr7bQafzU9D9NmJ7FDVOQVZXvyxV
X-Received: by 10.36.20.1 with SMTP id 1mr3771106itg.121.1490972355337; Fri, 31 Mar 2017 07:59:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.223 with HTTP; Fri, 31 Mar 2017 07:58:54 -0700 (PDT)
In-Reply-To: <CY4PR21MB0504F95D0B36D852BEF0AE9BF5350@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CY4PR21MB0504F95D0B36D852BEF0AE9BF5350@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 31 Mar 2017 15:58:54 +0100
Message-ID: <CAP-T6TT3ZybhMALD9B=pTq0w8dADeTBZpGqmUSzEwcO6criR5A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a1143e5209c4802054c080d9a
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ldRGaLkKWQlTQ1Qcc2SGlu9rTbY>
Subject: Re: [OAUTH-WG] JOSE/JWT Security Update Presentation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 14:59:19 -0000

--001a1143e5209c4802054c080d9a
Content-Type: text/plain; charset=UTF-8

Thanks Mike

I agree with all the next steps; we need some articles to help combat the
FUD that is being spread.
Is there any action on who will write those articles?

Dave

On 29 March 2017 at 21:08, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Yaron Sheffer had asked me to give an update on JOSE/JWT security to the
> SecEvent working group.  As promised during our working group meeting
> Monday, that presentation is attached.  At the microphone, Kathleen
> suggested that we may want to collect information about best practices for
> implementers and deployers and write a BCP containing them.  She said that
> JWT is being used in many places in the IETF at this point.
>
>
>
>                                                        -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Dave Tonge

--001a1143e5209c4802054c080d9a--


From nobody Fri Mar 31 08:04:37 2017
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA83129998 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 08:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCYo2t8HWDIp for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 08:04:30 -0700 (PDT)
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com [IPv6:2607:f8b0:400e:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DB011298CF for <oauth@ietf.org>; Fri, 31 Mar 2017 08:04:24 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id 21so73821538pgg.1 for <oauth@ietf.org>; Fri, 31 Mar 2017 08:04:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=c4QzZ2rGjfg/qnt8kutRSaoe4KUHMf+TSWrjkWcu5bQ=; b=d/hKj0+pEsAqyrZnGu9uOG3RvifCdC1QUyE8cqzUN0SHDSa6Do5eSH9fbnknzaHPlO jBu0jssQIhtWvoLHov2kvQWXXtepxae4wFSeq90i7er+B3FmOKwKsuMON/oaWQclei7S m2Zm2fm7rsr69oaJ1UaVDmP8+XdY1Wp6MJtYM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=c4QzZ2rGjfg/qnt8kutRSaoe4KUHMf+TSWrjkWcu5bQ=; b=cKFV1RaSXY43lkFFmqcUzKKDwW/m3unNRJ1bSwj43HTJX2gnC9p79lQ2HD8hFDEN37 C+JRtmqIwEnRxhQ9ROQ1MuFYY7wKeITbVKdn26ltBZfVxEjWiPpVY/aydFhY/s+kLia/ lrx1xcESS+7lEkNWS/epbmIqWFv9Pz2ED+eHrtdUYCcDXemYNXJtsREGKgeHj31YlgzT AlksKGPrfLq3ox3J/MTFz/OW0A5k/a5g/C8juuvo5m5Ki1gLN3SbShIgRrjr7RmVadVq 2wlHOAXRywNkkK1G2ELnrmNWihqWihEmvyxFsLMtZnrEnBPt9uTWwH7tKmzZZ/mOy/Cg IFSg==
X-Gm-Message-State: AFeK/H0axBigHYQ0S1jyMRUl5c6Kwq+2eRX0FN8HKM+hcyztMYa5f8/f1LUI44u8WfrS4eqVsgGh87UjMfEDgILm
X-Received: by 10.99.112.18 with SMTP id l18mr3848599pgc.142.1490972664035; Fri, 31 Mar 2017 08:04:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.165.172 with HTTP; Fri, 31 Mar 2017 08:03:53 -0700 (PDT)
In-Reply-To: <CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com> <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com> <30B37ED3-6E3B-4739-9917-BDEC198CA027@lodderstedt.net> <CABzCy2ArQ29xtyzT+t4i1fq9XZT+fMLgsw5oV75aFTkvVf8tgw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 Mar 2017 10:03:53 -0500
Message-ID: <CA+k3eCRMwS7KiCyrGm8d6Syo=SpfR65zSb0MFJ8A1ns=DVrR0g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=f403045c7b0a02acba054c0820ec
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Yw17UjpLA0rrYV-KiXHu3m8Vzz8>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 15:04:35 -0000

--f403045c7b0a02acba054c0820ec
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

As mentioned during the Chicago meeting, the "invalid_target" error code
that was added in -07 was intended to give the AS a standard way to reject
requests with multiple audiences/resources that it doesn't understand or is
unwilling or unable to process based on policy or whatever criteria. It
was intended as a compromise, of sorts, to allow for the multiple
resources/audiences in the request but provide an easy out for the AS of
saying it can't be supported based on whatever implementation or security
or policy it has.

On Tue, Mar 28, 2017 at 1:32 AM, Nat Sakimura <sakimura@gmail.com> wrote:

> There are cases where tokens are supposed to be consumed at multiple
> places and the `aud` needed to capture them. That's why `aud` is a
> multi-valued field.
>
> On Mon, Mar 27, 2017 at 11:35 AM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> May I ask you to explain this reason?
>>
>> On 27.03.2017 at 08:48, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>
>> For the same reason that the “aud” claim is multi-valued in JWTs, the
>> audience needs to stay multi-valued in Token Exchange.  Ditto for resources.
>>
>>
>>
>>                                                        Thanks,
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *On
>> Behalf Of *Brian Campbell
>> *Sent:* Monday, March 27, 2017 8:45 AM
>> *To:* Torsten Lodderstedt <torsten@lodderstedt.net>
>> *Cc:* oauth <oauth@ietf.org>
>> *Subject:* Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-
>> exchange-07.txt
>>
>>
>>
>> Thanks for the review and question, Torsten.
>>
>> The desire to support multiple audience/resource values in the request
>> came up during a review and discussion among the authors of the document
>> when preparing the -03 draft. As I recall, it was said that both Salesforce
>> and Microsoft had use-cases for it. I incorporated support for it into the
>> draft acting in the role of editor.
>>
>> From an individual perspective, I tend to agree with you that allowing
>> for multiple audiences/resources adds a lot of complexity that's likely not
>> needed in many (or most) cases. And I would personally be open to making
>> audience and resource mutually exclusive and single valued. A question for
>> the WG I suppose.
>>
>> The "invalid_target" error code that was added in -07 was intended to
>> give the AS a standard way to deal with the complexity and reject requests
>> with multiple audiences/resources that it doesn't understand or is
>> unwilling or unable to process. It was intended as a compromise, of sorts,
>> to allow for the multiples but provide an easy out of saying it can't be
>> supported based on whatever implementation or policy of the AS.
>>
>>
>>
>>
>>
>>
>>
>> On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>>
>> Hi Brian,
>>
>>
>>
>> thanks for the clarification around resource, audience and scope.
>>
>>
>>
>> Here are my comments on the draft:
>>
>>
>>
>> In section 2.1 it states: „Multiple "resource" parameters may be used to
>> indicate
>>
>>       that the issued token is intended to be used at the multiple
>>
>>       resources listed.“
>>
>>
>>
>> Can you please explain the rationale in more detail? I don’t understand
>> why there is a need to ask for access tokens, which are good for multiple
>> resources at once. This is a request type more or less exclusively used in
>> server to server scenarios, right? So the only reason I can think of is
>> call reduction.
>>
>>
>>
>> On the other side, this feature increases the AS's complexity, e.g. its
>> policy may prohibit to issue tokens for multiple resources in general or
>> the particular set the client is asking for. How shall the AS handle such
>> cases?
>>
>>
>>
>> And it is getting even more complicated given there could also be
>> multiple audience values and the client could mix them:
>>
>>
>>
>> "Multiple "audience" parameters
>>
>>       may be used to indicate that the issued token is intended to be
>>
>>       used at the multiple audiences listed.  The "audience" and
>>
>>       "resource" parameters may be used together to indicate multiple
>>
>>       target services with a mix of logical names and physical
>>
>>       locations.“
>>
>>
>>
>> And in the end the client may add some scope values to the „meal“, which
>> brings us to
>>
>>
>>
>> „Effectively, the requested access rights of the
>>
>>    token are the cartesian product of all the scopes at all the target
>>
>>    services."
>>
>>
>>
>> I personally would suggest to drop support for multiple audience and
>> resource parameters and make audience and resource mutually exclusive. I
>> think this is sufficient and much easier to implement.
>>
>>
>>
>> kind regards,
>>
>> Torsten.
>>
>>
>>
>>
>>
>> On 11.01.2017 at 20:04, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>>
>>
>> Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary
>> change in -07 is the addition of a description of the relationship between
>> audience/resource/scope, which was a request or comment that came up during
>> the f2f meeting in Seoul.
>>
>> Excerpted from the Document History:
>>
>>    -07
>>
>>    o  Fixed typo (desecration -> discretion).
>>    o  Added an explanation of the relationship between scope, audience
>>       and resource in the request and added an "invalid_target" error
>>       code enabling the AS to tell the client that the requested
>>       audiences/resources were too broad.
>>
>> ---------- Forwarded message ----------
>> From: <internet-drafts@ietf.org>
>> Date: Wed, Jan 11, 2017 at 12:00 PM
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>>
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>
>>         Title           : OAuth 2.0 Token Exchange
>>         Authors         : Michael B. Jones
>>                           Anthony Nadalin
>>                           Brian Campbell
>>                           John Bradley
>>                           Chuck Mortimore
>>         Filename        : draft-ietf-oauth-token-exchange-07.txt
>>         Pages           : 31
>>         Date            : 2017-01-11
>>
>> Abstract:
>>    This specification defines a protocol for an HTTP- and JSON- based
>>    Security Token Service (STS) by defining how to request and obtain
>>    security tokens from OAuth 2.0 authorization servers, including
>>    security tokens employing impersonation and delegation.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> --
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
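
An added example, not code from the draft or from anyone in this thread, of the AS-side decision Brian describes above: a hypothetical authorization server parses the repeated "resource" and "audience" parameters of a token exchange request, applies its own policy, and answers with the "invalid_target" error when it does not understand or will not honour the requested set of targets. When it does issue, the claims keep "aud" multi-valued (Mike's point) and carry one scope that applies to every listed target, which is the cartesian-product concern Torsten raised. The policy contents, the example URIs and hostnames, and all helper names are assumptions made for illustration.

```python
"""
Added example (not from draft-ietf-oauth-token-exchange or the thread):
an authorization server's handling of multiple "resource"/"audience"
parameters, with "invalid_target" as the standard way to say no.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed policy for a hypothetical AS (assumption, not from the draft).
# "resource" values are physical locations (URIs), "audience" values are
# logical names; the flag decides whether one token may span several targets.
POLICY = {
    "known_resources": {
        "https://api.example.com/files",
        "https://api.example.com/calendar",
    },
    "known_audiences": {"files-service", "calendar-service"},
    "allow_multiple_targets": False,
}


def parse_token_exchange_request(body):
    """Parse a form-encoded token exchange body; repeated keys become lists,
    which is how several "resource"/"audience" parameters arrive."""
    return parse_qs(body, keep_blank_values=False)


def looks_like_resource_uri(value):
    """Assumed syntactic check for a "resource" value: an absolute URI
    (scheme and host present) without a fragment component."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


def invalid_target(description):
    """Error response body using the draft's "invalid_target" error code,
    in the usual OAuth error-response shape."""
    return {"error": "invalid_target", "error_description": description}


def evaluate_targets(params, policy=POLICY):
    """Decide whether the AS will honour the requested targets.

    Returns an error dict (to be sent with HTTP 400) when a target is not
    understood or the policy forbids the requested set, otherwise a dict
    with the accepted targets in request order.
    """
    resources = params.get("resource", [])
    audiences = params.get("audience", [])

    for r in resources:
        if not looks_like_resource_uri(r) or r not in policy["known_resources"]:
            return invalid_target(f"resource {r!r} is not understood by this AS")
    for a in audiences:
        if a not in policy["known_audiences"]:
            return invalid_target(f"audience {a!r} is not understood by this AS")

    # Resources and audiences may be mixed; de-duplicate while keeping order.
    targets = list(dict.fromkeys(resources + audiences))
    if len(targets) > 1 and not policy["allow_multiple_targets"]:
        return invalid_target(
            "this AS issues tokens for a single target only; "
            f"{len(targets)} targets were requested"
        )
    return {"targets": targets}


def build_claims(targets, scope, issuer="https://as.example.com"):
    """Claims for the issued token. "aud" stays multi-valued as in JWTs:
    a list when several targets were accepted, a single string for one.
    The one "scope" value applies to every listed target, i.e. the access
    rights are the cartesian product of scopes and targets."""
    claims = {"iss": issuer, "scope": scope}
    if len(targets) == 1:
        claims["aud"] = targets[0]
    elif targets:
        claims["aud"] = list(targets)
    return claims


def handle_request(body, policy=POLICY):
    """Full decision for one request body: error dict or issued claims."""
    params = parse_token_exchange_request(body)
    result = evaluate_targets(params, policy)
    if "error" in result:
        return result
    scope = " ".join(params.get("scope", []))
    return build_claims(result["targets"], scope)
```

With the default policy a request naming both a resource and an audience is refused with "invalid_target" even though each target is known, which is the "easy out" for an AS that chooses not to support multiple targets; flipping `allow_multiple_targets` makes the same request succeed with a two-element "aud" and a scope that now covers both targets.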

--f403045c7b0a02acba054c0820ec
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">As mentioned during the Chicago meeting the &quot;invalid_=
target&quot; error code that was added in -07 was intended to=20
give the AS a standard way to reject=20
request with multiple audiences/resources that it doesn&#39;t understand or=
=20
is unwilling or unable to process based on policy or whatever criteria . It=
 was intended as a compromise, of=20
sorts, to allow for the multiple resources/audiences in the request but pro=
vide an easy out for the AS of saying it=20
can&#39;t be supported based on whatever implementation or security or poli=
cy it has.
 </div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Tue, Ma=
r 28, 2017 at 1:32 AM, Nat Sakimura <span dir=3D"ltr">&lt;<a href=3D"mailto=
:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;</span> wr=
ote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border=
-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr">There are cases whe=
re tokens are supposed to be consumed at multiple places and the `aud` need=
ed to capture them. That&#39;s why `aud` is a multi-valued field.=C2=A0</di=
v><div class=3D"HOEnZb"><div class=3D"h5"><br><div class=3D"gmail_quote"><d=
iv dir=3D"ltr">On Mon, Mar 27, 2017 at 11:35 AM Torsten Lodderstedt &lt;<a =
href=3D"mailto:torsten@lodderstedt.net" target=3D"_blank">torsten@lodderste=
dt.net</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style=3D=
"word-wrap:break-word" class=3D"m_-4354184635220679769gmail_msg">May I ask =
you to explain this reason?</div><div style=3D"word-wrap:break-word" class=
=3D"m_-4354184635220679769gmail_msg"><div class=3D"m_-4354184635220679769gm=
ail_msg"><br class=3D"m_-4354184635220679769gmail_msg"><div class=3D"m_-435=
4184635220679769gmail_msg"><blockquote type=3D"cite" class=3D"m_-4354184635=
220679769gmail_msg"><div class=3D"m_-4354184635220679769gmail_msg">Am 27.03=
.2017 um 08:48 schrieb Mike Jones &lt;<a href=3D"mailto:Michael.Jones@micro=
soft.com" class=3D"m_-4354184635220679769gmail_msg" target=3D"_blank">Micha=
el.Jones@microsoft.com</a>&gt;:</div><br class=3D"m_-4354184635220679769m_-=
7650545162212992110Apple-interchange-newline m_-4354184635220679769gmail_ms=
g"><div class=3D"m_-4354184635220679769gmail_msg">





<div link=3D"blue" vlink=3D"purple" class=3D"m_-4354184635220679769gmail_ms=
g" lang=3D"EN-US">
<div class=3D"m_-4354184635220679769m_-7650545162212992110WordSection1 m_-4=
354184635220679769gmail_msg"><p class=3D"MsoNormal m_-4354184635220679769gm=
ail_msg"><span style=3D"color:#002060" class=3D"m_-4354184635220679769gmail=
_msg">For the same reason that the =E2=80=9Caud=E2=80=9D claim is multi-val=
ued in JWTs, the audience needs to stay multi-valued in Token Exchange.=C2=
=A0 Ditto for resources.<u class=3D"m_-4354184635220679769gmail_msg"></u><u=
 class=3D"m_-4354184635220679769gmail_msg"></u></span></p><p class=3D"MsoNo=
rmal m_-4354184635220679769gmail_msg"><span style=3D"color:#002060" class=
=3D"m_-4354184635220679769gmail_msg"><u class=3D"m_-4354184635220679769gmai=
l_msg"></u>=C2=A0<u class=3D"m_-4354184635220679769gmail_msg"></u></span></=
p><p class=3D"MsoNormal m_-4354184635220679769gmail_msg"><span style=3D"col=
or:#002060" class=3D"m_-4354184635220679769gmail_msg">=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 Thanks,<u class=3D"m_-4354184635220679769gmail_msg"></u><u class=
=3D"m_-4354184635220679769gmail_msg"></u></span></p><p class=3D"MsoNormal m=
_-4354184635220679769gmail_msg"><span style=3D"color:#002060" class=3D"m_-4=
354184635220679769gmail_msg">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<u clas=
s=3D"m_-4354184635220679769gmail_msg"></u><u class=3D"m_-435418463522067976=
9gmail_msg"></u></span></p><p class=3D"MsoNormal m_-4354184635220679769gmai=
l_msg"><a name=3D"m_-4354184635220679769_m_-7650545162212992110__MailEndCom=
pose" class=3D"m_-4354184635220679769gmail_msg"><span style=3D"color:#00206=
0" class=3D"m_-4354184635220679769gmail_msg"><u class=3D"m_-435418463522067=
9769gmail_msg"></u>=C2=A0<u class=3D"m_-4354184635220679769gmail_msg"></u><=
/span></a></p>
<span class=3D"m_-4354184635220679769gmail_msg"></span><p class=3D"MsoNorma=
l m_-4354184635220679769gmail_msg"><b class=3D"m_-4354184635220679769gmail_=
msg">From:</b> OAuth [<a href=3D"mailto:oauth-bounces@ietf.org" class=3D"m_=
-4354184635220679769gmail_msg" target=3D"_blank">mailto:oauth-bounces@ietf.=
org</a><wbr>] <b class=3D"m_-4354184635220679769gmail_msg">On Behalf Of
</b>Brian Campbell<br class=3D"m_-4354184635220679769gmail_msg">
<b class=3D"m_-4354184635220679769gmail_msg">Sent:</b> Monday, March 27, 20=
17 8:45 AM<br class=3D"m_-4354184635220679769gmail_msg">
<b class=3D"m_-4354184635220679769gmail_msg">To:</b> Torsten Lodderstedt &l=
t;<a href=3D"mailto:torsten@lodderstedt.net" class=3D"m_-435418463522067976=
9gmail_msg" target=3D"_blank">torsten@lodderstedt.net</a>&gt;<br class=3D"m=
_-4354184635220679769gmail_msg">
<b class=3D"m_-4354184635220679769gmail_msg">Cc:</b> oauth &lt;<a href=3D"m=
ailto:oauth@ietf.org" class=3D"m_-4354184635220679769gmail_msg" target=3D"_=
blank">oauth@ietf.org</a>&gt;<br class=3D"m_-4354184635220679769gmail_msg">
<b class=3D"m_-4354184635220679769gmail_msg">Subject:</b> Re: [OAUTH-WG] I-=
D Action: draft-ietf-oauth-token-<wbr>exchange-07.txt<u class=3D"m_-4354184=
635220679769gmail_msg"></u><u class=3D"m_-4354184635220679769gmail_msg"></u=
></p><p class=3D"MsoNormal m_-4354184635220679769gmail_msg"><u class=3D"m_-=
4354184635220679769gmail_msg"></u>=C2=A0<u class=3D"m_-4354184635220679769g=
mail_msg"></u></p>
<div class=3D"m_-4354184635220679769gmail_msg">
<div class=3D"m_-4354184635220679769gmail_msg">
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg" style=3D"margin-bottom:12.0pt">Thanks for the re=
view and question, Torsten.
<u class=3D"m_-4354184635220679769gmail_msg"></u><u class=3D"m_-43541846352=
20679769gmail_msg"></u></p>
</div><p class=3D"MsoNormal m_-4354184635220679769gmail_msg" style=3D"margi=
n-bottom:12.0pt">The desire to support multiple audience/resource values in=
 the request came up during a review and discussion among the authors of th=
e document when preparing the -03 draft. As I recall, it was said that both
 Salesforce and Microsoft had use-cases for it. I incorporated support for =
it into the draft acting in the role of editor.<u class=3D"m_-4354184635220=
679769gmail_msg"></u><u class=3D"m_-4354184635220679769gmail_msg"></u></p>
</div>
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg" style=3D"margin-bottom:12.0pt">From an individua=
l perspective, I tend to agree with you that allowing for multiple audience=
s/resources adds a lot of complexity that&#39;s like not needed in many (or=
 most) cases. And I would personally be open
 to making audience and resource mutual exclusive and single valued. A ques=
tion for the WG I suppose.<u class=3D"m_-4354184635220679769gmail_msg"></u>=
<u class=3D"m_-4354184635220679769gmail_msg"></u></p>
</div>
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg">The &quot;invalid_target&quot; error code that w=
as added in -07 was intended to give the AS a standard way to deal with the=
 complexity and reject request with multiple audiences/resources that it do=
esn&#39;t understand or is unwilling or unable to process.
 It was intended as a compromise, of sorts, to allow for the multiples but =
provide an easy out of saying it can&#39;t be supported based on whatever i=
mplementation or policy of the AS.
<u class=3D"m_-4354184635220679769gmail_msg"></u><u class=3D"m_-43541846352=
20679769gmail_msg"></u></p>
</div>
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg">=C2=A0 <u class=3D"m_-4354184635220679769gmail_m=
sg"></u><u class=3D"m_-4354184635220679769gmail_msg"></u></p>
</div>
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg" style=3D"margin-bottom:12.0pt"><u class=3D"m_-43=
54184635220679769gmail_msg"></u>=C2=A0<u class=3D"m_-4354184635220679769gma=
il_msg"></u></p>
</div>
</div>
<div class=3D"m_-4354184635220679769gmail_msg"><p class=3D"MsoNormal m_-435=
4184635220679769gmail_msg">=C2=A0</p>
<div><p>On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt
&lt;<a href=3D"mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt;
wrote:</p>
<blockquote style=3D"border-left:solid #cccccc 1.0pt;padding-left:6.0pt">
<p>Hi Brian,</p>
<p>thanks for the clarification around resource, audience and scope.</p>
<p>Here are my comments on the draft:</p>
<p>In section 2.1 it states: =E2=80=9EMultiple &quot;resource&quot;
parameters may be used to indicate that the issued token is intended to be
used at the multiple resources listed.=E2=80=9C</p>
<p>Can you please explain the rationale in more detail? I don=E2=80=99t
understand why there is a need to ask for access tokens, which are good for
multiple resources at once. This is a request type more or less exclusively
used in server to server scenarios, right? So the only reason I can think
of is call reduction.</p>
<p>On the other side, this feature increases the AS&#39;s complexity, e.g.
its policy may prohibit to issue tokens for multiple resources in general
or the particular set the client is asking for. How shall the AS handle
such cases?</p>
<p>And it is getting even more complicated given there could also be
multiple audience values and the client could mix them:</p>
<p>&quot;Multiple &quot;audience&quot; parameters may be used to indicate
that the issued token is intended to be used at the multiple audiences
listed. The &quot;audience&quot; and &quot;resource&quot; parameters may be
used together to indicate multiple target services with a mix of logical
names and physical locations.=E2=80=9C</p>
<p>And in the end the client may add some scope values to the
=E2=80=9Emeal=E2=80=9C, which brings us to</p>
<p>=E2=80=9EEffectively, the requested access rights of the token are the
cartesian product of all the scopes at all the target services.&quot;</p>
<p>I personally would suggest to drop support for multiple audience and
resource parameters and make audience and resource mutually exclusive. I
think this is sufficient and much easier to implement.</p>
<p>kind regards,</p>
<p>Torsten.</p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p>On 11.01.2017 at 20:04 Brian Campbell
&lt;<a href=3D"mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>&gt;
wrote:</p>
<p>Draft -07 of &quot;OAuth 2.0 Token Exchange&quot; has been published.
The primary change in -07 is the addition of a description of the
relationship between audience/resource/scope, which was a request or
comment that came up during the f2f meeting in Seoul.<br>
<br>
Excerpted from the Document History:<br>
<br>
=C2=A0=C2=A0 -07<br>
<br>
=C2=A0=C2=A0 o=C2=A0 Fixed typo (desecration -&gt; discretion).<br>
=C2=A0=C2=A0 o=C2=A0 Added an explanation of the relationship between scope, audience<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 and resource in the request and added an &quot;invalid_target&quot; error<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 code enabling the AS to tell the client that the requested<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 audiences/resources were too broad.<br>
</p>
<p>---------- Forwarded message ----------<br>
From: &lt;<a href=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a>&gt;<br>
Date: Wed, Jan 11, 2017 at 12:00 PM<br>
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt<br>
To: <a href=3D"mailto:i-d-announce@ietf.org">i-d-announce@ietf.org</a><br>
Cc: <a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><br>
<br>
A New Internet-Draft is available from the on-line Internet-Drafts
directories.<br>
This draft is a work item of the Web Authorization Protocol of the IETF.<br>
<br>
Title: OAuth 2.0 Token Exchange<br>
Authors: Michael B. Jones<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Anthony Nadalin<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Brian Campbell<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 John Bradley<br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Chuck Mortimore<br>
Filename: draft-ietf-oauth-token-exchange-07.txt<br>
Pages: 31<br>
Date: 2017-01-11<br>
<br>
Abstract:<br>
This specification defines a protocol for an HTTP- and JSON-based Security
Token Service (STS) by defining how to request and obtain security tokens
from OAuth 2.0 authorization servers, including security tokens employing
impersonation and delegation.<br>
<br>
The IETF datatracker status page for this draft is:<br>
<a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/">https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/</a><br>
<br>
There&#39;s also a htmlized version available at:<br>
<a href=3D"https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07">https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07</a><br>
<br>
A diff from the previous version is available at:<br>
<a href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-token-exchange-07">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-token-exchange-07</a><br>
<br>
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at
<a href=3D"http://tools.ietf.org/">tools.ietf.org</a>.<br>
<br>
Internet-Drafts are also available by anonymous FTP at:<br>
<a href=3D"ftp://ftp.ietf.org/internet-drafts/">ftp://ftp.ietf.org/internet-drafts/</a><br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></p>
</blockquote>
</blockquote>
</div>
</div></div></div></div></blockquote></div></div></div></blockquote></div></div></div>
<span class=3D"HOEnZb"><font color=3D"#888888"><div dir=3D"ltr">-- <br></div>
<div data-smartmail=3D"gmail_signature"><p dir=3D"ltr">Nat Sakimura</p>
<p dir=3D"ltr">Chairman of the Board, OpenID Foundation</p>
</div></font></span>
<br></blockquote></div><br></div>

--f403045c7b0a02acba054c0820ec--
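Torsten's question in the thread above is what the AS should do when a client asks for one token that is good at several resources or audiences at once, and Brian's note says draft -07 added the "invalid_target" error for exactly that answer. The following is an added example, not code from the thread or from the draft's authors: an AS-side check of the resource/audience parameters of a token exchange request against a per-client policy (the policy table, client ids, URIs, sample request bodies and function names are all constructed here), which answers with invalid_target when the request is broader than the policy allows and computes the "cartesian product" of scopes and targets that the draft text describes.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed per-client policy for this example. "targets" lists the resource
# URIs and logical audience names the client may ask for; "multi" says whether
# the AS will mint one token that is good at several targets at once (the case
# Torsten questions in the thread). Nothing here comes from the draft itself.
CLIENT_POLICY = {
    "backend-batch": {
        "targets": {"https://api.example.com/", "https://files.example.com/",
                    "urn:example:reporting"},
        "multi": True,
    },
    "mobile-app": {
        "targets": {"https://api.example.com/"},
        "multi": False,
    },
}


class InvalidTarget(Exception):
    """Raised when the request maps to the 'invalid_target' error of draft -07."""


def is_valid_resource(value: str) -> bool:
    """A 'resource' value must be an absolute URI without a fragment."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path) and not parts.fragment


def requested_targets(form: dict) -> list:
    """Collect every target named in the request body.

    form is the parse_qs() result, so repeated parameters arrive as lists; the
    draft allows several 'resource' and 'audience' parameters and lets the
    client mix them. Duplicates are folded so a repeated value does not count
    as a request for multiple targets.
    """
    resources = form.get("resource", [])
    audiences = form.get("audience", [])
    for r in resources:
        if not is_valid_resource(r):
            raise InvalidTarget(f"resource is not an absolute URI: {r!r}")
    return list(dict.fromkeys(resources + audiences))


def authorize_targets(client_id: str, form: dict) -> list:
    """Apply the client's policy; raise InvalidTarget when the request is too broad."""
    policy = CLIENT_POLICY[client_id]
    targets = requested_targets(form)
    if len(targets) > 1 and not policy["multi"]:
        raise InvalidTarget("client may not request one token for several targets")
    refused = [t for t in targets if t not in policy["targets"]]
    if refused:
        raise InvalidTarget("not permitted for this client: " + ", ".join(refused))
    return targets


def effective_rights(scopes, targets) -> set:
    """The draft's cartesian product of scopes and targets as (target, scope) pairs."""
    return {(t, s) for t in targets for s in scopes}


def token_exchange(client_id: str, body: str):
    """Return (http_status, response_dict) for an application/x-www-form-urlencoded body.

    Only the target and scope checks are modelled; subject_token validation and
    token minting are outside this example. The 200 body is a constructed shape
    showing what the AS decided, not the draft's token response.
    """
    form = parse_qs(body, keep_blank_values=True)
    try:
        targets = authorize_targets(client_id, form)
    except InvalidTarget as exc:
        # RFC 6749 error response format carrying the draft's new error code.
        return 400, {"error": "invalid_target", "error_description": str(exc)}
    scopes = form.get("scope", [""])[0].split()
    return 200, {"targets": targets, "rights": sorted(effective_rights(scopes, targets))}


# Constructed sample request: one physical resource and one logical audience,
# mixed in a single token exchange request, plus two scope values.
REQ_MULTI = ("grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
             "&subject_token=EXAMPLE-SUBJECT-TOKEN"
             "&resource=https://api.example.com/&audience=urn:example:reporting"
             "&scope=read+write")

if __name__ == "__main__":
    for client in ("backend-batch", "mobile-app"):
        print(client, token_exchange(client, REQ_MULTI))
```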


From nobody Fri Mar 31 08:16:44 2017
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8F6A1243FE for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 08:16:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUjevVhCyiLH for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 08:16:41 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 642F9129506 for <oauth@ietf.org>; Fri, 31 Mar 2017 08:16:41 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id d201so39651732qkc.0 for <oauth@ietf.org>; Fri, 31 Mar 2017 08:16:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RXjfnHAFje1q+rfQWKF9ljyFnOG9FGVsa7+c/zsedKI=; b=pyfpPtKfbCiSRoRQaLdoZxX4s/tLmUG+7kX6bzbZFChimfkvBqG+96zFRSLaNcX9nX UAfaNiUOzhss7JdBH249cZxepHj8fQD+rTaIniIF0nlxrtfoaSXJ8AgBTpYWJS+3+8M+ Z/PEvnAaqhPSmjfn+R0rqsqIK6XjGjPZMNFam0Wdy42AR4whvzzCO7qPjWAJpl0Qzxul da8dzX4Ssi1jquj2Zqhy1AI0UU89mwIWHWDCjQfQ0LVTNJkXvmi4rVUaEpyQgIeTWpOd VJQuj5TiNqWHbYY7TaxKMymlwLo3J2dyRPj4JJWPRcgVqFw3soWNJi6RqC6mniEwNMwI NdkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RXjfnHAFje1q+rfQWKF9ljyFnOG9FGVsa7+c/zsedKI=; b=ILJBfxXdZ0EYsB21gg66szOu6s7q23OJ3Pt/SSqlljjMuwHfZZobKROrJXA8i0c8Xu X134IRHeM0ez+jBSIAh/2MNzto2xrWLj4cSEToMQD6jT+ZVwoGAWBB5yPikHbNM5lwez 75L3okYB+Dq1qpXTPd7aKk/mR2d2SNKuQiEdhcYlpzjuClU2P7/sPqpo4cdbyUUJTMS3 cbh+6w5Cssr+zB0crFdpwJ0A6wWDzcIWcfwQPJ+rMtr4xylNrVJGiy1M1NMU32Y7n3ht YMLecyTnJFSTXwrKSeQbYdyggnFg0D//2VOK42BTTlPW1x8kkdXdRZ0jLOEyoX9pHNcA EntQ==
X-Gm-Message-State: AFeK/H0XZDoDn1DcYXEio4XVviRXqe0E0YA/UeJmgcdSoXqMRCNEKvv+YULksxhW7stXHznXMds9cXz7UQfq4g==
X-Received: by 10.55.75.70 with SMTP id y67mr2312956qka.153.1490973400489; Fri, 31 Mar 2017 08:16:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.46.230 with HTTP; Fri, 31 Mar 2017 08:16:19 -0700 (PDT)
In-Reply-To: <CAP-T6TT3ZybhMALD9B=pTq0w8dADeTBZpGqmUSzEwcO6criR5A@mail.gmail.com>
References: <CY4PR21MB0504F95D0B36D852BEF0AE9BF5350@CY4PR21MB0504.namprd21.prod.outlook.com> <CAP-T6TT3ZybhMALD9B=pTq0w8dADeTBZpGqmUSzEwcO6criR5A@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 31 Mar 2017 10:16:19 -0500
Message-ID: <CAD9ie-vJJczdNVfqGcrYzwDQb-Lt+r-WnxiTLkG_aPAWc2KFTQ@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
Cc: Mike Jones <Michael.Jones@microsoft.com>, Oauth Wrap Wg <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a114a9c18e806ac054c084b0b
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dNSdJSSdNMxmjlyVqGIEThehhrs>
Subject: Re: [OAUTH-WG] JOSE/JWT Security Update Presentation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 15:16:44 -0000

--001a114a9c18e806ac054c084b0b
Content-Type: text/plain; charset=UTF-8

Mike, Yaron Sheffer and I have volunteered to write a JWT BCP. It is a
topic on the agenda in the OAuth meeting currently underway.

On Fri, Mar 31, 2017 at 9:58 AM, Dave Tonge <dave.tonge@momentumft.co.uk>
wrote:

> Thanks Mike
>
> I agree with all the next steps; we need some articles to help combat the
> FUD that is being spread.
> Is there any action on who will write those articles?
>
> Dave
>
> On 29 March 2017 at 21:08, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> Yaron Sheffer had asked me to give an update on JOSE/JWT security to the
>> SecEvent working group.  As promised during our working group meeting
>> Monday, that presentation is attached.  At the microphone, Kathleen
>> suggested that we may want to collect information about best practices for
>> implementers and deployers and write a BCP containing them.  She said that
>> JWT is being used in many places in the IETF at this point.
>>
>>
>>
>>                                                        -- Mike
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> Dave Tonge
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Subscribe to the HARDTWARE <http://hardtware.com/> mail list to learn about
projects I am working on!

--001a114a9c18e806ac054c084b0b--


From nobody Fri Mar 31 09:08:02 2017
Return-Path: <dave.tonge@bluespeckfinancial.co.uk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D87B124281 for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 09:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2MksEcCHaHP for <oauth@ietfa.amsl.com>; Fri, 31 Mar 2017 09:07:58 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 301CB12950C for <oauth@ietf.org>; Fri, 31 Mar 2017 09:07:58 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id y18so15654142itc.0 for <oauth@ietf.org>; Fri, 31 Mar 2017 09:07:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=7MbIkD4IIxP2j1ke19vp+4kORU/SZjBIdobIkS/pGSI=; b=T9bmjo0hHbEXw82ubpZoC1th9szv3lsD2LNiHkWHK/TeF51UfqNU9VtPpjY/sRLifU n5jB4vTgPk4TWxowkiFcdjW5XSVdk2ueFNd5avuaH74pvKrAAAkNhnJEbR1m0ZbZl9zK zLws+2h/PXzR8P2gM/WBVekqIBvTa52WPbm3U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=7MbIkD4IIxP2j1ke19vp+4kORU/SZjBIdobIkS/pGSI=; b=hqQlTA2dcVG2Un5tflUDln51fwJUFX4Vsmsq/dioSkWbykg7Q+lXiWXICWuAWa/92H pQjiTeWEqo6EFK5zDGiZhxNcMG0/fx22SKcH323mLasMcJO7TGUkw3tPc1/BK3fGdP2F ku99G5sgH+I89jZYRjqDFGMndJqyY0Zr8O07FXoyxOAWbI5/QLnbM0wAEHERMvhmzcQg kKicfoXbaiG6fGBfEIcjvJE+HJvBsyrp0qXMFkd1tEwvtXD1xlDmkricTyuDG025stZ+ a1HHNrkNrft9p3f1kD/EkYSklKAy8oFwaFEkAjBdMrMP8h3A+q6UI0VR0yiZaSW7Rw5y yKBA==
X-Gm-Message-State: AFeK/H25Czaxopsth0hAc1zj+7LWkYLUORpEJKC4icUixj96PGUN5DX9GiR9AeKakDICRu4KhslrErKc7Tj0thVS
X-Received: by 10.36.43.194 with SMTP id h185mr4880478ita.121.1490976477458; Fri, 31 Mar 2017 09:07:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.223 with HTTP; Fri, 31 Mar 2017 09:07:36 -0700 (PDT)
In-Reply-To: <CA+k3eCTZ=6vG=vpL2ZR3oDMG+LJBT8xMSoTsam8fR_0bbXf6OQ@mail.gmail.com>
References: <149090694651.9027.6337833834024757190.idtracker@ietfa.amsl.com> <CAAX2Qa1OAoY0TOPX-19XgVrxq_63GN5obbh9VB_7851YXERfXA@mail.gmail.com> <CA+k3eCTZ=6vG=vpL2ZR3oDMG+LJBT8xMSoTsam8fR_0bbXf6OQ@mail.gmail.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 31 Mar 2017 17:07:36 +0100
Message-ID: <CAP-T6TRp96tvPr3L6hq4rDFE2RNRw7rMUe385RJbxgXLW78HGQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary=001a1146f4704ed638054c09034d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TFtO1T8zBEoxg1vyNk4m6gGI9A4>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-mtls-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 16:08:00 -0000

--001a1146f4704ed638054c09034d
Content-Type: text/plain; charset=UTF-8

Hi Brian

Thanks for this - it will be very useful for open banking in Europe where
cert based auth is required by law.

I have a few suggestions around wording.
Happy to submit these via pull request if it's helpful.

1. Typo - remove can from 1:

 Mutual TLS sender constrained access tokens and mutual TLS client
authentication are distinct mechanisms that *can* don't necessarily
need to be deployed together.


2. Consistency of terminology in 2 (and throughout the document).
In section 2 the following phrases are used:

   - Mutual TLS for Client Authentication
   - Mutual TLS Client Authentication to the Token Endpoint
   - mutual TLS as client credentials
   - mutual X.509 certificate authentication

Interestingly RFC5246 does not refer to "mutual authentication" at all, but
does refer to "client authentication".
From an OAuth perspective, surely we are more interested in the fact that
it is TLS client auth - than the fact that it is mutual. However, referring
to TLS Client Authentication would bring confusion as we would have two
client definitions in play: the TLS Client and the OAuth Client.

"TLS Mutual Auth" and "Mutual TLS" are established phrases in the industry
(even though they don't seem to be defined in any of the relevant specs);
however, "Mutual TLS Client Auth" isn't.

I'm not sure of the best solution for this, but would be interested as to
whether the authors considered this phrasing to be clearer?

   - Mutual TLS for Client Authentication
   -> TLS Mutual Auth for Client Authentication

   - Mutual TLS Client Authentication to the Token Endpoint
   -> TLS Mutual Auth for Client Authentication to the Token Endpoint

   - mutual TLS as client credentials
   -> TLS X509 client certificate as client credentials

Or alternatively, a definition of "Mutual TLS" could be provided earlier on
in the document.

Thanks again for your work on this spec.

Dave Tonge

--001a1146f4704ed638054c09034d--

