
From nobody Mon Dec  1 07:23:21 2014
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6031A1BFA for <saag@ietfa.amsl.com>; Mon,  1 Dec 2014 07:23:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g81XzkTmwPPD; Mon,  1 Dec 2014 07:23:14 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA8E1A3BA6; Mon,  1 Dec 2014 07:22:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: ietf-dane@dukhovni.org, draft-dukhovni-opportunistic-security@tools.ietf.org, saag@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.7.4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141201152220.4753.20863.idtracker@ietfa.amsl.com>
Date: Mon, 01 Dec 2014 07:22:20 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/-EIpiVBgKFEm2rTUnI6hY70pvRw
Subject: [saag] ID Tracker State Update Notice: <draft-dukhovni-opportunistic-security-06.txt>
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2014 15:23:20 -0000

IESG has approved the document and state has been changed to Approved-announcement sent
ID Tracker URL: http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/


From nobody Mon Dec  1 11:06:45 2014
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: ietf-dane@dukhovni.org, draft-dukhovni-opportunistic-security@tools.ietf.org, saag@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.7.4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141201190642.17627.3007.idtracker@ietfa.amsl.com>
Date: Mon, 01 Dec 2014 11:06:42 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/UWSJpGitC_R7Ph-BAyHwM8UNSTk
Subject: [saag] ID Tracker State Update Notice: <draft-dukhovni-opportunistic-security-06.txt>

IANA action state changed to In Progress
ID Tracker URL: http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/


From nobody Mon Dec  1 14:06:51 2014
Message-ID: <547CE671.8090700@cs.tcd.ie>
Date: Mon, 01 Dec 2014 22:06:41 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
References: <5475E3FE.6040109@cs.tcd.ie>
In-Reply-To: <5475E3FE.6040109@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/tgDQZdUc9wHsp2xRyR7YkffZoDc
Subject: Re: [saag] pkcs#11 URI scheme

Various folks seem to want this for good reasons so I'll
push it along. Thanks for the responses, and I hope some
of you'll have time to review this in IETF LC. (I'll fwd
that message here when it's gone out.)

Cheers,
S.

On 26/11/14 14:30, Stephen Farrell wrote:
> 
> Hiya,
> 
> I've been asked if I'd AD sponsor this [1] draft that
> defines a URI scheme for pkcs#11. Feedback is welcome
> before I decide. (On/off list, whatever is ok for now.)
> 
> Thanks,
> S.
> 
> [1] https://datatracker.ietf.org/doc/draft-pechanec-pkcs11uri/
> 


From nobody Mon Dec  1 14:06:58 2014
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: ietf-dane@dukhovni.org, draft-dukhovni-opportunistic-security@tools.ietf.org, saag@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.7.4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141201220652.5557.6582.idtracker@ietfa.amsl.com>
Date: Mon, 01 Dec 2014 14:06:52 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/fhF9VUZ6fxeK6OzogCCk_r9Teyo
Subject: [saag] ID Tracker State Update Notice: <draft-dukhovni-opportunistic-security-06.txt>

IANA action state changed to No IC
ID Tracker URL: http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/


From nobody Tue Dec  2 06:37:36 2014
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: ietf-dane@dukhovni.org, draft-dukhovni-opportunistic-security@tools.ietf.org, saag@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.7.4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141202143728.30031.28839.idtracker@ietfa.amsl.com>
Date: Tue, 02 Dec 2014 06:37:28 -0800
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/iui1nc6vqk9MN-GVBNAtwdVzYmM
Subject: [saag] ID Tracker State Update Notice: <draft-dukhovni-opportunistic-security-06.txt>

IESG state changed to RFC Ed Queue from Approved-announcement sent
ID Tracker URL: http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/


From nobody Tue Dec  2 08:05:36 2014
Content-Type: multipart/signed; boundary="Apple-Mail=_14076ADA-7F58-4C8A-91E2-926C71D63175"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <547416B5.7030905@qti.qualcomm.com>
Date: Tue, 2 Dec 2014 11:04:58 -0500
Message-Id: <B7A838B9-7126-4B0A-AE89-ABE538D5F3F4@tislabs.com>
References: <20141125044133.22746.78939.idtracker@ietfa.amsl.com> <54740B66.7010505@qti.qualcomm.com> <1F510558-3C0E-4F30-AC99-15AF2FD50C0C@nominum.com> <547416B5.7030905@qti.qualcomm.com>
To: Pete Resnick <presnick@qti.qualcomm.com>
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/QmiPrmavsQm4PTMt_KaLcaTkZXw
Cc: The IESG <iesg@ietf.org>, saag@ietf.org, Ted Lemon <Ted.Lemon@nominum.com>, draft-dukhovni-opportunistic-security@tools.ietf.org
Subject: Re: [saag] Ted Lemon's Discuss on draft-dukhovni-opportunistic-security-05: (with DISCUSS)

--Apple-Mail=_14076ADA-7F58-4C8A-91E2-926C71D63175
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

(sorry for late reply, holiday season intervened)

On Nov 25, 2014, at 12:42 AM, Pete Resnick <presnick@qti.qualcomm.com> wrote:

> On 11/24/14 11:00 PM, Ted Lemon wrote:
>> On Nov 24, 2014, at 11:53 PM, Pete Resnick <presnick@qti.qualcomm.com> wrote:
>>
>>> How cheap is it for an ISP to make you its customer? MiTM attacks are way more expensive than passive attacks.
>>>
>> Actually no, MITM attacks that just prevent attempts to encrypt are not way more expensive than passive attacks.
>
> But in order to do the kind of attack EFF is talking about, you have to be on-path. Getting on-path is more expensive than listening from off-path.
>

Unless of course you can do a routing attack that puts you on-path.

--Sandy


--Apple-Mail=_14076ADA-7F58-4C8A-91E2-926C71D63175--


From nobody Thu Dec  4 11:43:08 2014
Message-ID: <5480B93A.902@KingsMountain.com>
Date: Thu, 04 Dec 2014 11:42:50 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: IETF Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.5.2.144 authed with jeff.hodges+kingsmountain.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/BvpFRYmtjjM-Ny9srdssUWsqnCg
Subject: [saag] fwd: Document Action: 'Opportunistic Security: Some Protection Most of the Time' to Informational RFC (draft-dukhovni-opportunistic-security-06.txt)

Subject: Document Action: 'Opportunistic Security: Some Protection Most of 
the Time' to Informational RFC
  (draft-dukhovni-opportunistic-security-06.txt)
From: The IESG <iesg-secretary@ietf.org>
Date: Mon, 01 Dec 2014 07:22:20 -0800
To: IETF-Announce <ietf-announce@ietf.org>
Cc: RFC Editor <rfc-editor@rfc-editor.org>

The IESG has approved the following document:
- 'Opportunistic Security: Some Protection Most of the Time'
   (draft-dukhovni-opportunistic-security-06.txt) as Informational RFC

This document has been reviewed in the IETF but is not the product of an
IETF Working Group.

The IESG contact person is Stephen Farrell.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-dukhovni-opportunistic-security/


Technical Summary

    This document defines the concept "Opportunistic Security" in the
    context of communications protocols.  Protocol designs based on
    Opportunistic Security remove barriers to the widespread use of
    encryption on the Internet by using encryption even when
    authentication is not available, and using authentication when

Working Group Summary

    This is an AD sponsored document and not the product of
    a WG. It was extensively debated on the saag list and during
    an extended IETF LC. The concept was also debated at
    the STRINT workshop.

    The shepherd write-up has more to say:

    "The document and its predecessors were discussed with great
     gusto over many months on the SAAG mailing list, in the UTA WG,
     and at two IETF meetings. There is a great deal of interest in
     having a common set of definitions for the ideas related to
     opportunistic security, even where there might be disagreement
     about where it should and should not be used.

     The IETF Last Call on the -03 draft produced a lot of suggestions
     for major improvements to the language in the draft, and the author
     did a significant revision based on them, all without changing the
     design philosophy. There are probably still some people who think
     that the wording is not what they would want, and some who think
     that the whole idea is a bad one, but there was rough consensus
     that the document was useful and should be published.

     The document has had more review, and ended up getting stronger
     consensus for the eventual definition, than the products of many
     security WGs. Because this document does not define how to
     implement opportunistic security, there is some disagreement about
     its applicability to existing and future IETF protocols, but there was
     strong agreement that the definition was good enough for many
     protocols."

   This underwent an extended LC after work to develop -05 based
   on IESG and other feedback on -04.

Document Quality

    One would not directly implement this as it's a design pattern.
    There are Internet-drafts that are using this already in DANE,
    HTTPBIS and some individual drafts.

Personnel

    Paul Hoffman is the document shepherd.
    Stephen Farrell is the irresponsible AD.

IANA Note

   There is no IANA considerations section, and none is needed
   in this case.


From nobody Fri Dec  5 08:43:35 2014
Message-ID: <5481E0A7.2090604@cs.tcd.ie>
Date: Fri, 05 Dec 2014 16:43:19 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>, websec <websec@ietf.org>,  "uta@ietf.org" <uta@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>,  "http-auth@ietf.org" <http-auth@ietf.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/yJcyrskGoE180a_wwhtB_Ie2jf8
Subject: [saag] unbearable - new mailing list to discuss better than bearer tokens...
Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>

Hiya,

Following up on the presentation at IETF-91 on this topic, [1]
we've created a new list [2] for moving that along. The list
description is:

"This list is for discussion of proposals for doing better than bearer
tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
The specific goal is chartering a WG focused on preventing security
token export and replay attacks."

If you're interested please join in.

Thanks to Vinod and Andrei for agreeing to admin the list.

We'll kick off discussion in a few days when folks have had
a chance to subscribe.

Cheers,
S.

PS: Please don't reply-all to this, join the new list, wait
a few days and then say what you need to say:-)

[1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
[2] https://www.ietf.org/mailman/listinfo/unbearable


From nobody Wed Dec 17 14:45:02 2014
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.2.00.1412161359100.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik>
Date: Wed, 17 Dec 2014 23:44:57 +0100
Message-ID: <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com>
From: Jaroslav Imrich <jaroslav.imrich@gmail.com>
To: Jan Pechanec <Jan.Pechanec@oracle.com>
Content-Type: multipart/alternative; boundary=001a11c3f1f4a0f544050a7139b7
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Z3OhszQu0GkMM_r2hBeoZBq5q70
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, saag@ietf.org
Subject: Re: [saag] slot attributes & last call

--001a11c3f1f4a0f544050a7139b7
Content-Type: text/plain; charset=UTF-8

Hello Jan,

I am CC-ing the saag@ietf.org mailing list as it seems to be the correct
public list to discuss the I-D for PKCS#11 URIs.


On Tue, Dec 16, 2014 at 11:29 PM, Jan Pechanec <Jan.Pechanec@oracle.com>
wrote:
>
>
>         hi all, the draft is in the middle of the last call with
> comments to be sent till Dec 29.  There are a few nits to be fixed but
> we also got two independent inquiries about adding slot attributes.
> One is internal to Solaris, another is from an engineer who would like
> to replace some pam_pkcs11 module config attributes with one PKCS#11
> URI.  One of the attributes there is "slot_description" and apparently
> it's useful and being used there.
>
>         I think that having slot attributes is useful.
>
>         obvious choice is this:
>
> pk11-slot-desc        = "slot-description" "=" *pk11-pchar
> pk11-slot-manuf       = "slot-manufacturer" "=" *pk11-pchar
> pk11-slot-id          = "slot-id" "=" 1*DIGIT
>

I don't mind adding "slot-description" and "slot-manufacturer" if someone
finds them useful but I can't recommend adding "slot-id". I personally
consider referencing slot/token by its internal slotId to be a very bad
habit. Nikos has already mentioned that it is "just a meaningless number,
it is not guaranteed to stay the same across reboots or program restarts",
"its value is implementation-specific" and I fully agree with him. SlotId
happens to be unsigned long in the cryptoki API but it could also be a handle
or pointer without changing its meaning. I believe that "slot-description"
and "slot-manufacturer" along with other token identifying path attributes
should cover most use cases. But maybe you know some specific use case that
explicitly requires "slot-id"? Could you please describe it in more detail?



>         given that we already have attrs like "library-manufacturer"
> it may seem weird to have "token", "manufacturer", "model", and
> "serial" instead of "token-label", "token-manufacturer",
> "token-model", and "token-serial".  However, we also have "object" and
> "type" instead of "object-label" and "object-type" and I think it's
> good to keep PKCS#11 URIs short and succinct.  In other words, I plan
> to add the slot attributes above without changing other names.
> Please let me know if you see any issues with it.
>

I'll share my latest experience with you. A few days ago I was writing a
simple encryption application and I decided to use PKCS#11 URIs to identify
encryption keys. Then I came to the point where I needed to write down a URI
in the config file and I was stuck. I couldn't remember the attribute names
even though in the past I have implemented a .NET library for PKCS#11 URI
parsing and building. Attributes like "token", "type" or "object" seem just
unnatural to me. I don't know, maybe it is because I work with PKCS#11 at
the programming level, but I would never refer to the value of the
"CKA_LABEL" attribute by any name other than "label". However, the PKCS#11
URI uses the "object" attribute for the object label. Maybe regular
non-developer users find the current names suitable and easier to
understand/remember, but in my ideal world I would change the attribute
names to:

library-description
library-manufacturer
library-version
slot-description
slot-manufacturer
token-manufacturer instead of "manufacturer"
token-model instead of "model"
token-serial instead of "serial"
token-label instead of "token"
object-class instead of "type"
object-label instead of "object"
object-id instead of "id"

I believe these names would be more appropriate for people who are already
familiar with PKCS#11 and the others would have to learn them anyway. But I
understand it may be too late for such a big change as there are already
widely used implementations of the current I-D.

Regards, Jaroslav

--001a11c3f1f4a0f544050a7139b7--


From nobody Wed Dec 17 15:02:02 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CDD71A0024; Wed, 17 Dec 2014 15:01:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level: 
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_vL0NjMoGTZ; Wed, 17 Dec 2014 15:01:56 -0800 (PST)
Received: from homiemail-a27.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 226081A000A; Wed, 17 Dec 2014 15:01:56 -0800 (PST)
Received: from homiemail-a27.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTP id ED97D59805F; Wed, 17 Dec 2014 15:01:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=o9YjJT8r372+fN 96MO0wkerhzac=; b=riRisKBavlDni7tp36gIq/sBUVdfl7ss/IOp3NLVSFoszm Wo3udC7dCbSOg64rXFNZ9EV4GCDmNEXQq6PNRe4/ye1CCiTQ8N1tVVCaJsSaLhmR uX+iaxKevcqD4z4qIQGchTgHPki6vaIeRua8eCg0Lr/xkSQ6SzdQHuHkfmB1s=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTPA id 514B1598057; Wed, 17 Dec 2014 15:01:55 -0800 (PST)
Date: Wed, 17 Dec 2014 17:01:54 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>
Message-ID: <20141217230150.GB9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/BxHqVpYYmjd-FvdaUStZ0bMi1VY
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <Jan.Pechanec@oracle.com>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 23:01:57 -0000

On Wed, Dec 17, 2014 at 11:44:57PM +0100, Jaroslav Imrich wrote:
> I am CC-ing saag@ietf.org mailing list as it seems to be correct public
> list to discuss I-D for PKCS#11 URIs.

For an I-D in IETF LC that should be ietf@ietf.org.  Cc'ing it (and not
trimming any quotes).

> On Tue, Dec 16, 2014 at 11:29 PM, Jan Pechanec <Jan.Pechanec@oracle.com>
> wrote:
> >         hi all, the draft is in the middle of the last call with
> > comments to be sent till Dec 29.  There are a few nits to be fixed but
> > we also got two independent inquiries about adding slot attributes.
> > One is internal to Solaris, another is from an engineer who would like
> > to replace some pam_pkcs11 module config attributes with one PKCS#11
> > URI.  One of the attributes there is "slot_description" and apparently
> > it's useful and being used there.
> >
> >         I think that having slot attributes is useful.
> >
> >         obvious choice is this:
> >
> > pk11-slot-desc        = "slot-description" "=" *pk11-pchar
> > pk11-slot-manuf       = "slot-manufacturer" "=" *pk11-pchar
> > pk11-slot-id          = "slot-id" "=" 1*DIGIT
> >
> 
> I don't mind adding "slot-description" and "slot-manufacturer" if someone
> finds them useful but I can't recommend adding "slot-id". I personally

The cases I've seen where this is useful are ones where the PKCS#11
provider library provides unified access to multiple types of
slots/tokens, and the application is trying to obtain user credentials
from a user's removable token (smartcard).

If the provider includes access to slots/token types like: software
tokens, TPMs, and removable user tokens, and if any of the tokens
require login even to be able to list public objects[*], then picking a
slot and token carefully becomes critical to providing a user-friendly
experience, and even to avoiding accidental token lockout (which would
be really user-unfriendly).

[*] I know, that would be rather surprising behavior, but there's at
    least one such non-removable token in use, as I recall.

> consider referencing slot/token by its internal slotId to be a very bad
> habit. Nikos has already mentioned that it is "just a meaningless number,
> it is not guaranteed to stay the same across reboots or program restarts",
> "its value is implementation-specific" and I fully agree with him. SlotId
> happens to be an unsigned long in the cryptoki API but it could also be a handle
> or pointer without changing its meaning. I believe that "slot-description"
> and "slot-manufacturer" along with other token identifying path attributes
> should cover most use cases. But maybe you know some specific use case that
> explicitly requires "slot-id"? Could you please describe it in more detail?

I agree that slot IDs are not reliable in general.  But specific
PKCS#11 provider libraries can arrange for them to be reliable.

I think the descriptions of these slot-specific attributes should be
very explicit about their general unreliability, and they should explain
when they can be useful.

> >         given that we already have attrs like "library-manufacturer"
> > it may seem weird to have "token", "manufacturer", "model", and
> > "serial" instead of "token-label", "token-manufacturer",
> > "token-model", and "token-serial".  However, we also have "object" and
> > "type" instead of "object-label" and "object-type" and I think it's
> > good to keep PKCS#11 URIs short and succinct.  In other words, I plan
> > to add the slot attributes above without changing other names.
> > Please let me know if you see any issues with it.
> 
> I'll share my latest experience with you. A few days ago I was writing a
> simple encryption application and I have decided to use PKCS#11 URIs to
> identify encryption keys. Then I came to the point where I needed to write
> down the URI into the config file and I was stuck. I couldn't remember the
> attribute names even though in the past I have implemented a .NET library
> for PKCS#11 URI parsing and building. Attributes like "token", "type" or
> "object" seem just unnatural to me. I don't know, maybe it is because I work
> with PKCS#11 at the programming level, but I would never refer to the value
> of the "CKA_LABEL" attribute by any name other than "label". However, the
> PKCS#11 URI uses the "object" attribute for the object label. Maybe regular
> non-developer users find the current names suitable and easier to
> understand/remember, but in my ideal world I would change the attribute
> names to:

Well, it's a bit late for this sort of change, as there are existing
implementations, and the change is superficial.  Otherwise I'd agree
with you.

> library-description
> library-manufacturer
> library-version
> slot-description
> slot-manufacturer
> token-manufacturer instead of "manufacturer"
> token-model instead of "model"
> token-serial instead of "serial"
> token-label instead of "token"
> object-class instead of "type"
> object-label instead of "object"
> object-id instead of "id"
> 
> I believe these names would be more appropriate for people who are already
> familiar with PKCS#11 and the others would have to learn them anyway. But I
> understand it may be too late for such a big change as there are already
> widely used implementations of the current I-D.

Yes.

Nico
-- 


From nobody Wed Dec 17 15:18:00 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A541A0012; Wed, 17 Dec 2014 15:17:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EzCRLW6CCpnj; Wed, 17 Dec 2014 15:17:52 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEA4D1A0007; Wed, 17 Dec 2014 15:17:51 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBHNHhqs014452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 17 Dec 2014 23:17:44 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id sBHNHgh7009868 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 17 Dec 2014 23:17:42 GMT
Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNHfLc003231; Wed, 17 Dec 2014 23:17:41 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Dec 2014 15:17:41 -0800
Date: Wed, 17 Dec 2014 15:17:40 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141217230150.GB9443@localhost>
Message-ID: <alpine.GSO.2.00.1412171513520.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/--g0R2l9dljlxEimKypeAy0Gk1o
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 23:17:55 -0000

On Wed, 17 Dec 2014, Nico Williams wrote:

>> >         hi all, the draft is in the middle of the last call with
>> > comments to be sent till Dec 29.  There are a few nits to be fixed but
>> > we also got two independent inquiries about adding slot attributes.
>> > One is internal to Solaris, another is from an engineer who would like
>> > to replace some pam_pkcs11 module config attributes with one PKCS#11
>> > URI.  One of the attributes there is "slot_description" and apparently
>> > it's useful and being used there.
>> >
>> >         I think that having slot attributes is useful.
>> >
>> >         obvious choice is this:
>> >
>> > pk11-slot-desc        = "slot-description" "=" *pk11-pchar
>> > pk11-slot-manuf       = "slot-manufacturer" "=" *pk11-pchar
>> > pk11-slot-id          = "slot-id" "=" 1*DIGIT
>> >
>> 
>> I don't mind adding "slot-description" and "slot-manufacturer" if someone
>> finds them useful but I can't recommend adding "slot-id". I personally
>
>The cases I've seen where this is useful are ones where the PKCS#11
>provider library provides unified access to multiple types of
>slots/tokens, and the application is trying to obtain user credentials
>from a user's removable token (smartcard).

	I agree that if we add slot description and manufacturer 
attributes, we should add slot ID as well.

<...>

>I think the descriptions of these slot-specific attributes should be
>very explicit about their general unreliability, and they should explain
>when they can be useful.

	agreed.

	J.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 17 15:34:31 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 572881A000F; Wed, 17 Dec 2014 15:34:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExU7SRPK1USl; Wed, 17 Dec 2014 15:34:24 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8400C1A000D; Wed, 17 Dec 2014 15:34:24 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBHNYLAh029461 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 17 Dec 2014 23:34:22 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNYKl3021194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 17 Dec 2014 23:34:21 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNYKED021183; Wed, 17 Dec 2014 23:34:20 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Dec 2014 15:34:20 -0800
Date: Wed, 17 Dec 2014 15:34:19 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>
In-Reply-To: <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com>
Message-ID: <alpine.GSO.2.00.1412171517460.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/F0oFGT4Igx3rOBwLpvHgu3_I4Ew
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 23:34:29 -0000

On Wed, 17 Dec 2014, Jaroslav Imrich wrote:

>>         given that we already have attrs like "library-manufacturer"
>> it may seem weird to have "token", "manufacturer", "model", and
>> "serial" instead of "token-label", "token-manufacturer",
>> "token-model", and "token-serial".  However, we also have "object" and
>> "type" instead of "object-label" and "object-type" and I think it's
>> good to keep PKCS#11 URIs short and succinct.  In other words, I plan
>> to add the slot attributes above without changing other names.
>> Please let me know if you see any issues with it.
>>
>
>I'll share my latest experience with you. A few days ago I was writing a
>simple encryption application and I have decided to use PKCS#11 URIs to
>identify encryption keys. Then I came to the point where I needed to write
>down the URI into the config file and I was stuck. I couldn't remember the
>attribute names even though in the past I have implemented a .NET library
>for PKCS#11 URI parsing and building. Attributes like "token", "type" or
>"object" seem just unnatural to me. I don't know, maybe it is because I work
>with PKCS#11 at the programming level, but I would never refer to the value
>of the "CKA_LABEL" attribute by any name other than "label". However, the
>PKCS#11 URI uses the "object" attribute for the object label. Maybe regular
>non-developer users find the current names suitable and easier to
>understand/remember, but in my ideal world I would change the attribute
>names to:

	Jaroslav, I think that most of the users of the URI may be 
quite ignorant about the PKCS#11 spec.  I don't think they will know 
about CKA_LABEL attribute, for example.  The thing was to come up with 
some "compromise between how precisely are the URI attribute names 
mapped to the names in the specification and the ease of use and 
understanding of the URI scheme", as stated in the ID.  I think it's 
much easier to use and read:

	pkcs11:object=my-key;token=my-token

	rather than:

	pkcs11:object-label=my-key;token-label=my-token

	where the use of "label" looks quite redundant.  Please note 
that it's about general usability and ease of use of the URI, not how 
precisely it is mapped to the actual spec.

	that's why we also chose "type" over the less understandable "class"
which is btw also used in the spec in text:

	"CK_OBJECT_CLASS is a value that identifies the classes (or 
types) of objects that Cryptoki recognizes."


	Jan

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 17 15:53:04 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540FE1A0084; Wed, 17 Dec 2014 15:53:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uin1yjicJOPX; Wed, 17 Dec 2014 15:52:58 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B91741A007A; Wed, 17 Dec 2014 15:52:58 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBHNqruY013545 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 17 Dec 2014 23:52:54 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNqqCS023988 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 17 Dec 2014 23:52:53 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNqqGm023981; Wed, 17 Dec 2014 23:52:52 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Dec 2014 15:52:51 -0800
Date: Wed, 17 Dec 2014 15:52:50 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In-Reply-To: <1418809054.2100.9.camel@gnutls.org>
Message-ID: <alpine.GSO.2.00.1412171537500.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <1418771511.2106.7.camel@gnutls.org> <20141216234252.GN3241@localhost> <1418809054.2100.9.camel@gnutls.org>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Y6136qeiKPdEt3k0Wz3J2FqWRgQ
Cc: Darren.Moffat@oracle.com, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 23:53:00 -0000

On Wed, 17 Dec 2014, Nikos Mavrogiannopoulos wrote:

>On Tue, 2014-12-16 at 17:42 -0600, Nico Williams wrote:
>> The rationale is this:
>>  - you may have a PKCS#11 library with various slots, and you may have
>>    builtin tokens as well as removable tokens, and...
>
>Correct.
>
>>  - you need to intelligently pick one at logon time so you don't prompt
>>    the user for PIN entry for tokens they don't have access to (e.g.,
>>    the TPM), just the one smartcard they plugged in.
>
>Correct.
>
>> PKCS#11 is pretty lousy at this, and all we have to match on are the
>> various slot and token attributes.
>> There are tokens that won't let you list public objects without PIN
>> entry.  And there are tokens where incorrect PIN entry can lead to
>> logout.  And PAM has limits as to what it can do in terms of
>> intelligently prompting a user for a slot/token/object.
>
>I don't follow how the above require the slots to be known in order to
>figure where the object is. In gnutls we handle all of these use cases,
>and we don't need to know the slot at all. First you iterate all slots
>searching for the object, and then you login and search again. How would
>knowing the slot have helped that?

	hi Nikos, if I expect a token to be inserted with some key 
(rather than identifying the key to use) then specifying the slot
where such token is to be found seems useful to me.  If I understand 
it correctly, that's how pam_pkcs11 works.  It has two configuration 
options for this - slot description and slot ID.

	I know that the slot ID is cryptoki module specific.  It would 
have been nice if the specification supported token serial number as 
it does for tokens.

	also, the PKCS#11 URI can be used to identify PKCS#11 objects, 
tokens, and libraries.  I think that adding attributes to add the last 
major element, a token, is a good idea.

	the updated text would have to provide information about 
general unreliability of using the slot ID, for example.

	Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
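
Added example, not part of any message in this thread and not code from the draft, pam_pkcs11 or GnuTLS: a sketch of how the proposed slot attributes narrow the set of tokens an application would have to prompt for a PIN, and why "slot-id" deserves a warning. The `Slot` record, the `login_to_list` flag and the sample slots are constructed for illustration; the blank padding mirrors the fixed-width string fields of the PKCS#11 slot and token info structures.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Attribute names as they appear in the thread; slot-* are the proposed additions.
SLOT_ATTRS = ("slot-description", "slot-manufacturer", "slot-id")
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")
OTHER_ATTRS = ("object", "type", "id", "library-description",
               "library-manufacturer", "library-version")
KNOWN = set(SLOT_ATTRS + TOKEN_ATTRS + OTHER_ATTRS)


def parse_pkcs11_uri(uri):
    """Parse the path attributes of a pkcs11: URI into a dict."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # query component ignored here
    attrs = {}
    for part in (path.split(";") if path else []):
        name, sep, raw = part.partition("=")
        if not sep or name not in KNOWN:
            raise ValueError(f"malformed or unknown attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        if name == "slot-id":
            # Proposed ABNF: "slot-id" "=" 1*DIGIT, so no sign, hex or escapes.
            if not (raw.isascii() and raw.isdigit()):
                raise ValueError("slot-id must be 1*DIGIT")
            attrs[name] = int(raw)
        else:
            attrs[name] = unquote(raw)  # percent-decoded text value
    return attrs


@dataclass
class Slot:
    """Constructed stand-in for the slot and token info a module reports."""
    slot_id: int
    description: str
    manufacturer: str
    token: Optional[dict]        # None means no token is present
    login_to_list: bool = False  # hypothetical: PIN needed even to list objects


def _field(value):
    # PKCS#11 string fields are fixed-width and blank-padded; strip the padding.
    return value.rstrip(" ")


def candidate_slots(attrs, slots):
    """Slots with a token present that match every slot/token attribute given."""
    matches = []
    for s in slots:
        if "slot-id" in attrs and attrs["slot-id"] != s.slot_id:
            continue
        if ("slot-description" in attrs
                and attrs["slot-description"] != _field(s.description)):
            continue
        if ("slot-manufacturer" in attrs
                and attrs["slot-manufacturer"] != _field(s.manufacturer)):
            continue
        if s.token is None:
            continue  # nothing to search in an empty slot
        if any(a in attrs and attrs[a] != _field(s.token[a]) for a in TOKEN_ATTRS):
            continue
        matches.append(s)
    return matches


def pin_prompt_slots(attrs, slots):
    """Slot IDs where locating the object would mean asking for a PIN."""
    return [s.slot_id for s in candidate_slots(attrs, slots) if s.login_to_list]


def warnings_for(attrs):
    """Flag attributes the thread calls unreliable in general."""
    if "slot-id" in attrs:
        return ["slot-id is module-specific and may change across restarts"]
    return []


def _token(label, manufacturer, model, serial):
    # Blank-pad to the token info field widths (32, 32, 16, 16).
    return {"token": label.ljust(32), "manufacturer": manufacturer.ljust(32),
            "model": model.ljust(16), "serial": serial.ljust(16)}


# Constructed sample: one module exposing a software token, a TPM and two readers.
SLOTS = [
    Slot(0, "Example software slot".ljust(64), "Example Soft".ljust(32),
         _token("soft-token", "Example Soft", "sw", "0000")),
    Slot(1, "Example TPM slot".ljust(64), "Example TPM Co".ljust(32),
         _token("tpm", "Example TPM Co", "tpm", "0001"), login_to_list=True),
    Slot(2, "Card Reader 0".ljust(64), "Example Readers".ljust(32),
         _token("my-token", "Example Cards", "card", "1234"), login_to_list=True),
    Slot(3, "Card Reader 1".ljust(64), "Example Readers".ljust(32), None),
]

if __name__ == "__main__":
    for uri in ("pkcs11:object=my-key",
                "pkcs11:slot-description=Card%20Reader%200;object=my-key",
                "pkcs11:slot-id=2;object=my-key"):
        a = parse_pkcs11_uri(uri)
        print(uri, "-> PIN prompts on slots", pin_prompt_slots(a, SLOTS),
              warnings_for(a))
```

With only "object" in the URI both the TPM and the card are PIN-prompt candidates; adding "slot-description" or "token" leaves just the card reader.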


From nobody Wed Dec 17 15:56:21 2014
Date: Wed, 17 Dec 2014 17:56:17 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Message-ID: <20141217235612.GK9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <1418771511.2106.7.camel@gnutls.org> <20141216234252.GN3241@localhost> <1418809054.2100.9.camel@gnutls.org> <alpine.GSO.2.00.1412171537500.4549@keflavik>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.GSO.2.00.1412171537500.4549@keflavik>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/USvdoKkpY9bRZvJ_NWiyExpnfRg
Cc: Darren.Moffat@oracle.com, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

On Wed, Dec 17, 2014 at 03:52:50PM -0800, Jan Pechanec wrote:
> On Wed, 17 Dec 2014, Nikos Mavrogiannopoulos wrote:
> >I don't follow how the above require the slots to be known in order to
> >figure where the object is. In gnutls we handle all of these use cases,
> >and we don't need to know the slot at all. First you iterate all slots
> >searching for the object, and then you login and search again. How would
> >knowing the slot have helped that?
> 
> 	hi Nikos, if I expect a token to be inserted with some key 
> (rather than identifying the key to use) then specifying the slot 
> where such token is to be found seems useful to me.  If I understand 
> it correctly, that's how pam_pkcs11 works.  It has two configuration 
> options for this - slot description and slot ID.

That only works with a PKCS#11 implementation like Solaris' libpkcs11.

In general PKCS#11 slot IDs are unreliable, and that's why Nikos
objects.

> 	I know that the slot ID is cryptoki module specific.  It would 
> have been nice if the specification supported token serial number as 
> it does for tokens.

It needn't be stable even for one module.

> 	the updated text would have to provide information about 
> general unreliability using the slot ID, for example.

Please post proposed new text.  Time is running out.

Nico
-- 


From nobody Wed Dec 17 15:57:20 2014
MIME-Version: 1.0
In-Reply-To: <20141217230150.GB9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost>
Date: Thu, 18 Dec 2014 00:57:16 +0100
Message-ID: <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com>
From: Jaroslav Imrich <jaroslav.imrich@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary=001a113f9b743389a0050a723c4b
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/BsmXHnq6RVcDByv8C_5z6NPZmR8
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <Jan.Pechanec@oracle.com>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call

--001a113f9b743389a0050a723c4b
Content-Type: text/plain; charset=UTF-8

On Thu, Dec 18, 2014 at 12:01 AM, Nico Williams <nico@cryptonector.com>
wrote:
>
> On Wed, Dec 17, 2014 at 11:44:57PM +0100, Jaroslav Imrich wrote:
> > I am CC-ing saag@ietf.org mailing list as it seems to be correct public
> > list to discuss I-D for PKCS#11 URIs.
>
> For an I-D in IETF LC that should be ietf@ietf.org.  Cc'ing it (and not
> trimming any quotes).
>
> > On Tue, Dec 16, 2014 at 11:29 PM, Jan Pechanec <Jan.Pechanec@oracle.com>
> > wrote:
> > >         hi all, the draft is in the middle of the last call with
> > > comments to be sent till Dec 29.  There are a few nits to be fixed but
> > > we also got two independent inquiries about adding slot attributes.
> > > One is internal to Solaris, another is from an engineer who would like
> > > to replace some pam_pkcs11 module config attributes with one PKCS#11
> > > URI.  One of the attributes there is "slot_description" and apparently
> > > it's useful and being used there.
> > >
> > >         I think that having slot attributes is useful.
> > >
> > >         obvious choice is this:
> > >
> > > pk11-slot-desc        = "slot-description" "=" *pk11-pchar
> > > pk11-slot-manuf       = "slot-manufacturer" "=" *pk11-pchar
> > > pk11-slot-id          = "slot-id" "=" 1*DIGIT
> > >
> >
> > I don't mind adding "slot-description" and "slot-manufacturer" if someone
> > finds them useful but I can't recommend adding "slot-id". I personally
>
> The cases I've seen where this is useful are ones where the PKCS#11
> provider library provides unified access to multiple types of
> slots/tokens, and the application is trying to obtain user credentials
> from a user's removable token (smartcard).
>
> If the provider includes access to slots/token types like: software
> tokens, TPMs, and removable user tokens, and if any of the tokens
> require login even to be able to list public objects[*], then picking a
> slot and token carefully becomes critical to providing a user-friendly
> experience, and even to avoiding accidental token lockout (which would
> be really user-unfriendly).
>
> [*] I know, that would be rather surprising behavior, but there's at
>     least one such non-removable token in use, as I recall.
>

OK but I still don't understand the role of slot-id attribute here. Could
you please be more specific about the use case?

Are you trying to say there exists PKCS#11 implementation that always
presents i.e. TPM as slot 0, OS wide software token as slot 1 and whatever
removable token you can connect as slot 2? And that you need to access that
removable token and you cannot use slot-description, slot-manufacturer and
neither of token attributes? So the only option left is: pkcs11:slot-id=2
???



> > consider referencing slot/token by its internal slotId to be a very bad
> > habit. Nikos has already mentioned that it is "just a meaningless number,
> > it is not guaranteed to stay the same across reboots or program restarts",
> > "its value is implementation-specific" and I fully agree with him. SlotId
> > happens to be unsigned long in cryptoki API but it could also be a handle
> > or pointer without changing its meaning. I believe that "slot-description"
> > and "slot-manufacturer" along with other token identifying path attributes
> > should cover most use cases. But maybe you know some specific use case that
> > explicitly requires "slot-id"? Could you please describe it in more detail?
>
> I agree that slot IDs are not reliable in general.  But specific
> PKCS#11 provider libraries can arrange for them to be reliable.
>

Well exactly the same thing can be said about object IDs (i.e. signature
key is always presented with objectId 1, encryption key with objectId 2)
and yet they are not present in the I-D.


Regards, Jaroslav

--001a113f9b743389a0050a723c4b--
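
Added example, not part of any message in this thread and not code from
gnutls, pam_pkcs11 or Solaris: a matcher for the three slot attributes
proposed above, run over one provider's slot list as seen on two program
runs, to show slot-id resolving to a different slot while slot-description
keeps pointing at the same one. Assumptions: the Slot class, the function
names and both slot tables are constructed for illustration; attributes are
";"-separated with percent-encoded values as in the PKCS#11 URI draft; the
CK_SLOT_INFO text fields are blank-padded as in Cryptoki.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# The three attributes proposed in the thread; token/object attributes are ignored.
SLOT_ATTRS = ("slot-description", "slot-manufacturer", "slot-id")


@dataclass(frozen=True)
class Slot:
    """Hypothetical stand-in for a CK_SLOT_ID plus the CK_SLOT_INFO text fields."""
    slot_id: int
    description: str
    manufacturer: str


def _slot(slot_id, description, manufacturer):
    # Cryptoki blank-pads slotDescription to 64 and manufacturerID to 32 characters.
    return Slot(slot_id, description.ljust(64), manufacturer.ljust(32))


# Constructed data: the same three slots enumerated on two program runs.
# The provider handed out the IDs in a different order the second time.
FIRST_RUN = [_slot(0, "Soft token", "Example Corp"),
             _slot(1, "TPM", "Example Corp"),
             _slot(2, "Card reader 0", "Example Corp")]
SECOND_RUN = [_slot(0, "Soft token", "Example Corp"),
              _slot(1, "Card reader 0", "Example Corp"),
              _slot(2, "TPM", "Example Corp")]


def parse_slot_attrs(uri):
    """Return the slot attributes found in the path part of a pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # anything after '?' is not a slot selector
    attrs = {}
    for item in filter(None, path.split(";")):
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError("attribute without '=': %r" % item)
        if name not in SLOT_ATTRS:
            continue
        if name in attrs:
            raise ValueError("duplicate attribute: " + name)
        if name == "slot-id":
            if not re.fullmatch(r"[0-9]+", value):  # 1*DIGIT in the proposed ABNF
                raise ValueError("slot-id must be decimal digits")
            attrs[name] = int(value)
        else:
            if re.search(r"%(?![0-9A-Fa-f]{2})", value):
                raise ValueError("bad percent-encoding in " + name)
            attrs[name] = unquote(value)
    return attrs


def matching_slots(uri, slots):
    """Return every slot that satisfies all slot attributes present in the URI."""
    want = parse_slot_attrs(uri)

    def ok(slot):
        have = {"slot-id": slot.slot_id,
                "slot-description": slot.description.rstrip(" "),
                "slot-manufacturer": slot.manufacturer.rstrip(" ")}
        return all(have[name] == value for name, value in want.items())

    return [s for s in slots if ok(s)]


def select_slot(uri, slots):
    """Return the single matching slot; refuse to guess when 0 or several match.

    Refusing here keeps a caller from sending a PIN to the wrong token, the
    lockout risk raised in the thread.
    """
    found = matching_slots(uri, slots)
    if len(found) != 1:
        raise LookupError("%d slots match %s" % (len(found), uri))
    return found[0]


if __name__ == "__main__":
    for uri in ("pkcs11:slot-id=2", "pkcs11:slot-description=Card%20reader%200"):
        for label, slots in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
            s = select_slot(uri, slots)
            print("%-45s %-10s -> id %d, %s" % (uri, label, s.slot_id,
                                                 s.description.rstrip()))
```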


From nobody Wed Dec 17 16:07:46 2014
Date: Wed, 17 Dec 2014 18:07:42 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>
Message-ID: <20141218000736.GL9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/U6atoujO-sxNKFQRJPS39tdrQXk
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <Jan.Pechanec@oracle.com>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call

On Thu, Dec 18, 2014 at 12:57:16AM +0100, Jaroslav Imrich wrote:
> On Thu, Dec 18, 2014 at 12:01 AM, Nico Williams <nico@cryptonector.com>
> wrote:
> > If the provider includes access to slots/token types like: software
> > tokens, TPMs, and removable user tokens, and if any of the tokens
> > require login even to be able to list public objects[*], then picking a
> > slot and token carefully becomes critical to providing a user-friendly
> > experience, and even to avoiding accidental token lockout (which would
> > be really user-unfriendly).
> >
> > [*] I know, that would be rather surprising behavior, but there's at
> >     least one such non-removable token in use, as I recall.
> 
> OK but I still don't understand the role of slot-id attribute here. Could
> you please be more specific about the use case?
> 
> Are you trying to say there exists PKCS#11 implementation that always
> presents i.e. TPM as slot 0, OS wide software token as slot 1 and whatever
> removable token you can connect as slot 2? And that you need to access that

Yes.

> removable token and you cannot use slot-description, slot-manufacturer and
> neither of token attributes? So the only option left is: pkcs11:slot-id=2
> ???

I think so.  This is really for Jan to answer.  Maybe the Solaris
libpkcs11 should just ensure a meaningful (stable and distinct) slot
label.  If that could be done then slot-id could be excluded here.

Jan?

> > I agree that slot IDs are not reliable in general.  But specific
> > PKCS#11 provider libraries can arrange for them to be reliable.
> 
> Well exactly the same thing can be said about object IDs (i.e. signature
> key is always presented with objectId 1, encryption key with objectId 2)
> and yet they are not present in the I-D.

Yes, and it should be said (or object ID attribute not included).

Nico
-- 


From nobody Wed Dec 17 16:15:57 2014
Date: Wed, 17 Dec 2014 16:15:49 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141218000736.GL9443@localhost>
Message-ID: <alpine.GSO.2.00.1412171614240.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/G7xQfli6IxhuFtb_-OV9rCqmBF0
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call

On Wed, 17 Dec 2014, Nico Williams wrote:

>> removable token and you cannot use slot-description, slot-manufacturer and
>> neither of token attributes? So the only option left is: pkcs11:slot-id=2
>> ???
>
>I think so.  This is really for Jan to answer.  Maybe the Solaris
>libpkcs11 should just ensure a meaningful (stable and distinct) slot
>label.  If that could be done then slot-id could be excluded here.
>
>Jan?

	for example, metaslot on Solaris is always 0 so slot-id=0 
would be reliable there to use to access the soft token.  Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 17 16:23:08 2014
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.2.00.1412171614240.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik>
Date: Thu, 18 Dec 2014 01:23:02 +0100
Message-ID: <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com>
From: Jaroslav Imrich <jaroslav.imrich@gmail.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Content-Type: multipart/alternative; boundary=001a113f9b745bf9ed050a72983a
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Bww82mh2-lLI0XDqjCNAbdmiiYs
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call

--001a113f9b745bf9ed050a72983a
Content-Type: text/plain; charset=UTF-8

On Thu, Dec 18, 2014 at 1:15 AM, Jan Pechanec <jan.pechanec@oracle.com>
wrote:
>
> On Wed, 17 Dec 2014, Nico Williams wrote:
>
> >> removable token and you cannot use slot-description, slot-manufacturer and
> >> neither of token attributes? So the only option left is: pkcs11:slot-id=2
> >> ???
> >
> >I think so.  This is really for Jan to answer.  Maybe the Solaris
> >libpkcs11 should just ensure a meaningful (stable and distinct) slot
> >label.  If that could be done then slot-id could be excluded here.
> >
> >Jan?
>
>         for example, metaslot on Solaris is always 0 so slot-id=0
> would be reliable there to use to access the soft token.  Jan.



And there is no other URI that could identify that slot without the slot-id
attribute? i.e. pkcs11:slot-description=metaslot

Regards, Jaroslav

--001a113f9b745bf9ed050a72983a--


From nobody Wed Dec 17 16:31:29 2014
Date: Wed, 17 Dec 2014 16:31:13 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>
In-Reply-To: <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com>
Message-ID: <alpine.GSO.2.00.1412171627370.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/9Awy3Ig1-WUw4HG0hHbR4oufy7c
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Thu, 18 Dec 2014 00:31:27 -0000

On Thu, 18 Dec 2014, Jaroslav Imrich wrote:

>> >> removable token and you cannot use slot-description, slot-manufacturer and
>> >> neither of token attributes? So the only option left is: pkcs11:slot-id=2
>> >> ???
>> >
>> >I think so.  This is really for Jan to answer.  Maybe the Solaris
>> >libpkcs11 should just ensure a meaningful (stable and distinct) slot
>> >label.  If that could be done then slot-id could be excluded here.
>> >
>> >Jan?
>>
>>         for example, metaslot on Solaris is always 0 so slot-id=0
>> would be reliable there to use to access the soft token.  Jan.
>
>And there is no other URI that could identify that slot without the slot-id
>attribute? i.e. pkcs11:slot-description=metaslot

	hi Jaroslav, you could use the slot description to find the 
slot but that's not the case.  The thing is that you can use slot 0 
reliably there so slot-id would make sense in that context.  We have 
attributes that can be reasonably used only in certain scenarios and 
not others, like "pin-value".  Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 17 16:47:31 2014
Return-Path: <nico@cryptonector.com>
Date: Wed, 17 Dec 2014 18:47:22 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>
Message-ID: <20141218004717.GN9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/wj93y4kS-6f_WKkQlB571pNZvUg
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <jan.pechanec@oracle.com>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call
X-List-Received-Date: Thu, 18 Dec 2014 00:47:25 -0000

On Thu, Dec 18, 2014 at 01:23:02AM +0100, Jaroslav Imrich wrote:
> On Thu, Dec 18, 2014 at 1:15 AM, Jan Pechanec <jan.pechanec@oracle.com>
> wrote:
> > >I think so.  This is really for Jan to answer.  Maybe the Solaris
> > >libpkcs11 should just ensure a meaningful (stable and distinct) slot
> > >label.  If that could be done then slot-id could be excluded here.
> > >
> > >Jan?
> >
> >         for example, metaslot on Solaris is always 0 so slot-id=0
> > would be reliable there to use to access the soft token.  Jan.
> 
> And there is no other URI that could identify that slot without the slot-id
> attribute? i.e. pkcs11:slot-description=metaslot

I would think so.  Maybe Jan misunderstood my question; he certainly
didn't answer it.

Nico
-- 


From nobody Wed Dec 17 17:10:22 2014
Return-Path: <jan.pechanec@oracle.com>
Date: Wed, 17 Dec 2014 17:10:08 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141218004717.GN9443@localhost>
Message-ID: <alpine.GSO.2.00.1412171704530.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/jmTGF7qQ8njAqGeeYXXq7WRTq2I
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call
X-List-Received-Date: Thu, 18 Dec 2014 01:10:21 -0000

On Wed, 17 Dec 2014, Nico Williams wrote:

>> > >I think so.  This is really for Jan to answer.  Maybe the Solaris
>> > >libpkcs11 should just ensure a meaningful (stable and distinct) slot
>> > >label.  If that could be done then slot-id could be excluded here.
>> > >
>> > >Jan?
>> >
>> >         for example, metaslot on Solaris is always 0 so slot-id=0
>> > would be reliable there to use to access the soft token.  Jan.
>> 
>> And there is no other URI that could identify that slot without the slot-id
>> attribute? i.e. pkcs11:slot-description=metaslot
>
>I would think so.  Maybe Jan misunderstood my question; he certainly
>didn't answer it.

	I did, I'm sorry.  The description is distinct, "Sun Metaslot" 
and it's de facto stable but what I wanted to say was that I don't 
think it is about whether we find a way not to use the attribute since 
we could probably do without other attributes as well, I still think 
that if we add slot-description and slot-manufacturer, we should add 
slot-id since there are situations where it may be useful.

	I will draft new text including the slot-id attribute first 
and send it here but will not file it yet.

	thank you for reviewing these last-minute proposals.  J.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 17 17:23:08 2014
Return-Path: <nico@cryptonector.com>
Date: Wed, 17 Dec 2014 19:23:04 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Message-ID: <20141218012300.GP9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.GSO.2.00.1412171704530.4549@keflavik>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/-nDEL7kgTCQLPguy3cX5Jdli_ck
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call
X-List-Received-Date: Thu, 18 Dec 2014 01:23:07 -0000

On Wed, Dec 17, 2014 at 05:10:08PM -0800, Jan Pechanec wrote:
> On Wed, 17 Dec 2014, Nico Williams wrote:
> >> And there is no other URI that could identify that slot without the slot-id
> >> attribute? i.e. pkcs11:slot-description=metaslot
> >
> >I would think so.  Maybe Jan misunderstood my question; he certainly
> >didn't answer it.
> 
> 	I did, I'm sorry.  The description is distinct, "Sun Metaslot" 
> and it's de facto stable but what I wanted to say was that I don't 

This might be the reason to use slot-id in your case: that any token
reader device could claim to be a "Sun Metaslot" even though it's not.

When you know that slot #0 is the "Sun Metaslot" then you can be more
certain that you're getting the "Sun Metaslot" than if you use the slot
label.

> think it is about whether we find a way not to use the attribute since 
> we could probably do without other attributes as well, I still think 
> that if we add slot-description and slot-manufacturer, we should add 
> slot-id since there are situations where it may be useful.

I agree now.

> 	I will draft new text including the slot-id attribute first 
> and send it here but will not file it yet.
> 
> 	thank you for reviewing these last-minute proposals.  J.

Thanks,

Nico
-- 


From nobody Wed Dec 17 22:58:43 2014
Return-Path: <jan.pechanec@oracle.com>
Date: Wed, 17 Dec 2014 22:54:25 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@rejewski
To: Jaroslav Imrich <jaroslav.imrich@gmail.com>, Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, Darren J Moffat <Darren.Moffat@oracle.com>, Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141218012300.GP9443@localhost>
Message-ID: <alpine.GSO.2.00.1412172154150.14405@rejewski>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-752095483-1418885666=:14405"
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/2fIJNV68lnSU2wGxvr6efqGtzMo
Cc: saag@ietf.org, ietf@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Thu, 18 Dec 2014 06:58:40 -0000


---559023410-752095483-1418885666=:14405
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 17 Dec 2014, Nico Williams wrote:

>> 	I will draft new text including the slot-id attribute first 
>> and send it here but will not file it yet.

	hi, as Nikos mentioned yesterday, we discussed slot attributes 
in the past.  It was in Nov 2010 and I forgot about it.  It was a long 
discussion, 20+ emails, and I think the following summarizes it:

	- slot ID is unstable so its use is limited or even dangerous
	- slot description might be ok but it would still be better to 
choose slot simply via a number if needed (i.e. not via URI)
	- existing attributes are enough to identify what we need

	after giving it significant time thinking about it today I'd 
still add attributes for token description, manufacturer, and ID for 
these reasons:

	(1) as in pam_pkcs11 case, there will be scenarios where slot 
information will be needed.  It would be nice if it could be provided 
via a PKCS#11 URI when we can do that for objects, tokens, libraries 
and even PKCS#11 module paths.

	(2) neither slot description nor manufacturer is enough to 
uniquely identify a slot and it does not have serial number as a 
token.  While generally unstable, slot-id may be the only way to 
uniquely identify a slot.  If stability is provided either in the 
module or externally, its use may be justified in such scenarios.

	(3) if we do not add slot attributes people will keep asking 
about it

	I drafted new text so that we can see how it would look.  I 
think we should either add all 3 slot-* attributes or none.  The draft 
is attached and the diff as well.  There were more necessary changes 
but it basically comes to this:

@@ -216,10 +218,13 @@
   pk11-type            = "type" "=" *1("public" / "private" / "cert" /
                          "secret-key" / "data")
   pk11-id              = "id" "=" *pk11-pchar
+  pk11-slot-desc       = "slot-description" "=" *pk11-pchar
+  pk11-slot-id         = "slot-id" "=" 1*DIGIT
+  pk11-slot-manuf      = "slot-manufacturer" "=" *pk11-pchar
   pk11-pin-source      = "pin-source" "=" *pk11-qchar
   pk11-pin-value       = "pin-value" "=" *pk11-qchar
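
Review bot: in the pk11-slot-id rule, "1*DIGIT" puts no upper bound on the value and admits leading zeros, so "slot-id=0", "slot-id=000" and an arbitrarily long digit string are all syntactically valid. The table hunk maps the value to "CK_SLOT_ID", which is a fixed-width integer type, so the text should say that a value that does not fit that type matches no slot (or makes the URI invalid) rather than leaving consumers to wrap or truncate it. The two "*pk11-pchar" rules also allow an empty value; please state whether "slot-description=" is meant to match a slot with an empty description or is an error.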

@@ -292,6 +298,20 @@
    |                      | the token           | CK_TOKEN_INFO        |
    |                      |                     | structure            |
    +----------------------+---------------------+----------------------+
+   | slot-description     | slot description    | "slotDescription"    |
+   |                      |                     | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
+   | slot-id              | Cryptoki-assigned   | decimal number of    |
+   |                      | value that          | "CK_SLOT_ID" type    |
+   |                      | identifies a slot   |                      |
+   +----------------------+---------------------+----------------------+
+   | slot-manufacturer    | ID of the slot      | "manufacturerID"     |
+   |                      | manufacturer        | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
    | token                | application-defined | "label" member of    |

@@ -332,6 +352,13 @@
    version number is mandatory.  Both "M" and "N" must be decimal
    numbers.

+   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
+   across PKCS#11 module initializations.  However, slot description and
+   manufacturer ID may not be enough to uniquely identify a specific
+   reader.  In situations where slot information is necessary use of
+   "slot-id" attribute may be justified if sufficient slot ID stability
+   is provided in the PKCS#11 provider itself or externaly.

    An empty PKCS#11 URI path attribute that does allow for an empty
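
Review bot: the added paragraph makes use of "slot-id" conditional on "sufficient slot ID stability" being provided "in the PKCS#11 provider itself or externaly", but never says what counts as sufficient or what a consumer should do when it cannot assume it. Suggest adding one sentence of guidance, for example that a URI carrying "slot-id" together with "slot-description" or "slot-manufacturer" matches only when all of them agree, so a renumbered slot fails to match instead of silently selecting a different reader. Also "externaly" should be "externally", and a comma is needed after "necessary".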

@@ -506,6 +534,10 @@
       minor version.  Resulting minor and major version numbers must be
       then separately compared numerically.

+   o  value of attribute "slot-id" must be processed as a specific
+      scheme-based normalization permitted by Section 6.2.3 of [RFC3986]
+      and compared numerically.
+
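
Review bot: the new bullet requires that "slot-id" be "processed as a specific scheme-based normalization" but never states the normal form, so two implementations can still disagree on whether "slot-id=7" and "slot-id=007" are the same URI. Suggest spelling it out, for example "the value is a decimal number in which leading zeros are not significant; values are compared numerically". The phrase "processed as a ... normalization" also reads oddly; "normalized before comparison" would be clearer.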

@@ -602,6 +634,12 @@
             manufacturer=Snake%20Oil,%20Inc.
             ?pin-value=the-pin

+   In the context where a slot is expected the slot can be identified
+   without specifying any PKCS#11 objects in any token it may be
+   inserted in it.
+
+     pkcs11:slot-description=Sun%20Metaslot
+
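
Review bot: the added sentence ends "without specifying any PKCS#11 objects in any token it may be inserted in it", which does not parse; something like "without specifying any token that may be inserted in it or any object on such a token" seems to be what is meant. The only example added uses "slot-description"; since "slot-id" is the attribute that comes with a stability caveat, an example using it (alone or combined with "slot-description") with one line on when it is appropriate would help implementers more.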


	I really appreciate the time you already spent reviewing this ID 
and I'm not happy to do such last minute changes.  I hope this last 
one would be worth it.

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
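
The slot matching discussed in this thread, as an added example that is not part of the original messages or of the draft: it parses the three proposed slot-* attributes, compares "slot-id" numerically, and refuses a URI that matches more than one slot, which is what happens when a second reader reports the same description. The function names, the sample slot list, the 64-bit bound on CK_SLOT_ID and the stripping of trailing blanks before comparison are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

SLOT_ATTRS = {"slot-description", "slot-id", "slot-manufacturer"}
MAX_SLOT_ID = 2**64 - 1  # assumption: CK_SLOT_ID is at most 64 bits wide


@dataclass(frozen=True)
class Slot:
    """Constructed stand-in for what C_GetSlotList/C_GetSlotInfo report."""
    slot_id: int
    description: str   # blank-padded to 64 chars, like slotDescription
    manufacturer: str  # blank-padded to 32 chars, like manufacturerID


# Constructed sample data: slot 2 is a second reader that reports the
# same description as slot 0. Manufacturer names are placeholders.
SLOTS = [
    Slot(0, "Sun Metaslot".ljust(64), "Example Vendor A".ljust(32)),
    Slot(1, "Example Card Reader".ljust(64), "Example Vendor B".ljust(32)),
    Slot(2, "Sun Metaslot".ljust(64), "Example Vendor B".ljust(32)),
]


def parse_slot_id(value):
    """Parse 1*DIGIT into an int so that "7" and "007" compare equal."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("slot-id must be one or more decimal digits")
    digits = value.lstrip("0") or "0"
    if len(digits) > 20 or int(digits) > MAX_SLOT_ID:
        raise ValueError("slot-id does not fit CK_SLOT_ID")
    return int(digits)


def parse_slot_attrs(uri):
    """Return the slot-* path attributes of a pkcs11: URI as a dict."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    # Path attributes are ';'-separated; anything after '?' is the query.
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {part!r}")
        if name not in SLOT_ATTRS:
            continue  # token, object and library attributes: not handled here
        if name in attrs:
            raise ValueError(f"duplicate attribute {name}")
        attrs[name] = parse_slot_id(value) if name == "slot-id" else unquote(value)
    return attrs


def matching_slots(uri, slots):
    """Return every slot that satisfies all slot-* attributes in the URI."""
    want = parse_slot_attrs(uri)
    found = []
    for slot in slots:
        if "slot-id" in want and slot.slot_id != want["slot-id"]:
            continue
        # Assumption: trailing blank padding is ignored when comparing.
        if ("slot-description" in want
                and slot.description.rstrip(" ") != want["slot-description"]):
            continue
        if ("slot-manufacturer" in want
                and slot.manufacturer.rstrip(" ") != want["slot-manufacturer"]):
            continue
        found.append(slot)
    return found


def select_slot(uri, slots):
    """Return the single matching slot; refuse empty or ambiguous matches."""
    found = matching_slots(uri, slots)
    if len(found) != 1:
        raise LookupError(f"{len(found)} slots match {uri!r}")
    return found[0]


if __name__ == "__main__":
    by_label = matching_slots("pkcs11:slot-description=Sun%20Metaslot", SLOTS)
    print("description only:", [s.slot_id for s in by_label])
    pinned = select_slot("pkcs11:slot-description=Sun%20Metaslot;slot-id=0", SLOTS)
    print("description + slot-id:", pinned.slot_id)
```

Combining "slot-id" with the description also covers renumbering: if slot 0 stops being the metaslot, the URI matches nothing and select_slot raises instead of returning another reader.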
---559023410-752095483-1418885666=:14405
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=pkcs11-uri-draft-16-17.diff
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412172254250.14405@rejewski>
Content-Description: 
Content-Disposition: attachment; filename=pkcs11-uri-draft-16-17.diff
---559023410-752095483-1418885666=:14405
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=draft-pechanec-pkcs11uri-17.txt
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412172254251.14405@rejewski>
Content-Description: 
Content-Disposition: attachment; filename=draft-pechanec-pkcs11uri-17.txt

YSBsaWJyYXJ5DQogICBtYW51ZmFjdHVyZXIsIGRlc2NyaXB0aW9uLCBhbmQg
dmVyc2lvbi4gIExpYnJhcnkgYXR0cmlidXRlcyBtYXkgYmUNCiAgIG5lY2Vz
c2FyeSB0byB1c2UgaWYgbW9yZSB0aGFuIG9uZSBDcnlwdG9raSBsaWJyYXJ5
IHByb3ZpZGVzIGEgdG9rZW4NCg0KDQoNCg0KUGVjaGFuZWMgJiBNb2ZmYXQg
ICAgICAgICBFeHBpcmVzIEp1bmUgMjAsIDIwMTUgICAgICAgICAgICAgICAg
IFtQYWdlIDJdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgVGhlIFBL
Q1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVyIDIwMTQNCg0K
DQogICBhbmQvb3IgUEtDUyMxMSBvYmplY3RzIG9mIHRoZSBzYW1lIG5hbWUu
ICBBIHNldCBvZiBxdWVyeSBhdHRyaWJ1dGVzDQogICBpcyBwcm92aWRlZCBh
cyB3ZWxsLg0KDQogICBUaGUgUEtDUyMxMSBVUkkgY2Fubm90IGlkZW50aWZ5
IG90aGVyIG9iamVjdHMgZGVmaW5lZCBpbiB0aGUNCiAgIHNwZWNpZmljYXRp
b24gW3BrY3MxMV9zcGVjXSBhc2lkZSBmcm9tIHN0b3JhZ2Ugb2JqZWN0cy4g
IEZvciBleGFtcGxlLA0KICAgb2JqZWN0cyBub3QgaWRlbnRpZmlhYmxlIGJ5
IGEgUEtDUyMxMSBVUkkgaW5jbHVkZSBhIGhhcmR3YXJlIGZlYXR1cmUNCiAg
IGFuZCBtZWNoYW5pc20uICBOb3RlIHRoYXQgYSBDcnlwdG9raSBsaWJyYXJ5
IGRvZXMgbm90IGhhdmUgdG8gcHJvdmlkZQ0KICAgZm9yIHN0b3JhZ2Ugb2Jq
ZWN0cyBhdCBhbGwuICBUaGUgVVJJIGNhbiBzdGlsbCBiZSB1c2VkIHRvIGlk
ZW50aWZ5IGENCiAgIHNwZWNpZmljIFBLQ1MjMTEgdG9rZW4sIHNsb3Qgb3Ig
YW4gQVBJIHByb2R1Y2VyIGluIHN1Y2ggYSBjYXNlLg0KDQogICBBIHN1YnNl
dCBvZiBleGlzdGluZyBQS0NTIzExIHN0cnVjdHVyZSBtZW1iZXJzIGFuZCBv
YmplY3QgYXR0cmlidXRlcw0KICAgd2FzIGNob3NlbiBiZWxpZXZlZCB0byBi
ZSBzdWZmaWNpZW50IGluIHVuaXF1ZWx5IGlkZW50aWZ5aW5nIGENCiAgIFBL
Q1MjMTEgc3RvcmFnZSBvYmplY3QsIHRva2VuLCBzbG90LCBvciBsaWJyYXJ5
IGluIGEgY29uZmlndXJhdGlvbg0KICAgZmlsZSwgb24gYSBjb21tYW5kIGxp
bmUsIG9yIGluIGEgY29uZmlndXJhdGlvbiBwcm9wZXJ0eSBvZiBzb21ldGhp
bmcNCiAgIGVsc2UuICBTaG91bGQgdGhlcmUgYmUgYSBuZWVkIGZvciBhIG1v
cmUgY29tcGxleCBpbmZvcm1hdGlvbiBleGNoYW5nZQ0KICAgb24gUEtDUyMx
MSBlbnRpdGllcyBhIGRpZmZlcmVudCBtZWFucyBvZiBkYXRhIG1hcnNoYWxs
aW5nIHNob3VsZCBiZQ0KICAgY2hvc2VuIGFjY29yZGluZ2x5Lg0KDQogICBB
IFBLQ1MjMTEgVVJJIGlzIG5vdCBpbnRlbmRlZCB0byBiZSB1c2VkIHRvIGNy
ZWF0ZSBuZXcgUEtDUyMxMQ0KICAgb2JqZWN0cyBpbiB0b2tlbnMsIG9yIHRv
IGNyZWF0ZSBQS0NTIzExIHRva2Vucy4gIEl0IGlzIHNvbGVseSB0byBiZQ0K
ICAgdXNlZCB0byBpZGVudGlmeSBhbmQgd29yayB3aXRoIGV4aXN0aW5nIHN0
b3JhZ2Ugb2JqZWN0cywgdG9rZW5zLCBhbmQNCiAgIHNsb3RzIHRocm91Z2gg
dGhlIFBLQ1MjMTEgQVBJLCBvciBpZGVudGlmeSBDcnlwdG9raSBsaWJyYXJp
ZXMNCiAgIHRoZW1zZWx2ZXMuDQoNCiAgIFRoZSBVUkkgc2NoZW1lIGRlZmlu
ZWQgaW4gdGhpcyBkb2N1bWVudCBpcyBkZXNpZ25lZCBzcGVjaWZpY2FsbHkg
d2l0aA0KICAgYSBtYXBwaW5nIHRvIHRoZSBQS0NTIzExIEFQSSBpbiBtaW5k
LiAgVGhlIFVSSSB1c2VzIHRoZSBzY2hlbWUsIHBhdGgNCiAgIGFuZCBxdWVy
eSBjb21wb25lbnRzIGRlZmluZWQgaW4gdGhlIFVuaWZvcm0gUmVzb3VyY2Ug
SWRlbnRpZmllcg0KICAgKFVSSSk6IEdlbmVyaWMgU3ludGF4IFtSRkMzOTg2
XSBkb2N1bWVudC4gIFRoZSBVUkkgZG9lcyBub3QgdXNlIHRoZQ0KICAgaGll
cmFyY2hpY2FsIGVsZW1lbnQgZm9yIGEgbmFtaW5nIGF1dGhvcml0eSBpbiB0
aGUgcGF0aCBzaW5jZSB0aGUNCiAgIGF1dGhvcml0eSBwYXJ0IGNvdWxkIG5v
dCBiZSBtYXBwZWQgdG8gUEtDUyMxMSBBUEkgZWxlbWVudHMuICBUaGUgVVJJ
DQogICBkb2VzIG5vdCB1c2UgdGhlIGZyYWdtZW50IGNvbXBvbmVudC4NCg0K
ICAgSWYgYW4gYXBwbGljYXRpb24gaGFzIG5vIGFjY2VzcyB0byBhIHByb2R1
Y2VyIG9yIHByb2R1Y2VycyBvZiB0aGUNCiAgIFBLQ1MjMTEgQVBJIHRoZSBx
dWVyeSBjb21wb25lbnQgbW9kdWxlIGF0dHJpYnV0ZXMgY2FuIGJlIHVzZWQu
DQogICBIb3dldmVyLCB0aGUgUEtDUyMxMSBVUkkgY29uc3VtZXIgY2FuIGFs
d2F5cyBkZWNpZGUgdG8gcHJvdmlkZSBpdHMNCiAgIG93biBhZGVxdWF0ZSB1
c2VyIGludGVyZmFjZSB0byBsb2NhdGUgYW5kIGxvYWQgUEtDUyMxMSBBUEkg
cHJvZHVjZXJzLg0KDQoyLiAgQ29udHJpYnV0b3JzDQoNCiAgIFN0ZWYgV2Fs
dGVyLCBOaWtvcyBNYXZyb2dpYW5ub3BvdWxvcywgTmljbyBXaWxsaWFtcywg
RGFuIFdpbnNoaXAsIGFuZA0KICAgSmFyb3NsYXYgSW1yaWNoIGNvbnRyaWJ1
dGVkIHRvIHRoZSBkZXZlbG9wbWVudCBvZiB0aGlzIGRvY3VtZW50Lg0KDQoz
LiAgUEtDUyMxMSBVUkkgU2NoZW1lIERlZmluaXRpb24NCg0KICAgSW4gYWNj
b3JkYW5jZSB3aXRoIFtSRkM0Mzk1XSwgdGhpcyBzZWN0aW9uIHByb3ZpZGVz
IHRoZSBpbmZvcm1hdGlvbg0KICAgcmVxdWlyZWQgdG8gcmVnaXN0ZXIgdGhl
IFBLQ1MjMTEgVVJJIHNjaGVtZS4NCg0KDQoNCg0KDQpQZWNoYW5lYyAmIE1v
ZmZhdCAgICAgICAgIEV4cGlyZXMgSnVuZSAyMCwgMjAxNSAgICAgICAgICAg
ICAgICAgW1BhZ2UgM10NCgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBU
aGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAx
NA0KDQoNCjMuMS4gIFBLQ1MjMTEgVVJJIFNjaGVtZSBOYW1lDQoNCiAgIHBr
Y3MxMQ0KDQozLjIuICBQS0NTIzExIFVSSSBTY2hlbWUgU3RhdHVzDQoNCiAg
IFBlcm1hbmVudC4NCg0KMy4zLiAgUEtDUyMxMSBVUkkgU2NoZW1lIFN5bnRh
eA0KDQogICBUaGUgUEtDUyMxMSBVUkkgaXMgYSBzZXF1ZW5jZSBvZiBhdHRy
aWJ1dGUgdmFsdWUgcGFpcnMgc2VwYXJhdGVkIGJ5IGENCiAgIHNlbWljb2xv
biB0aGF0IGZvcm0gYSBvbmUgbGV2ZWwgcGF0aCBjb21wb25lbnQsIG9wdGlv
bmFsbHkgZm9sbG93ZWQNCiAgIGJ5IGEgcXVlcnkuICBJbiBhY2NvcmRhbmNl
IHdpdGggU2VjdGlvbiAyLjUgb2YgW1JGQzM5ODZdLCB0aGUgZGF0YQ0KICAg
c2hvdWxkIGZpcnN0IGJlIGVuY29kZWQgYXMgb2N0ZXRzIGFjY29yZGluZyB0
byB0aGUgVVRGLTggY2hhcmFjdGVyDQogICBlbmNvZGluZyBbUkZDMzYyOV07
IHRoZW4gb25seSB0aG9zZSBvY3RldHMgdGhhdCBkbyBub3QgY29ycmVzcG9u
ZCB0bw0KICAgY2hhcmFjdGVycyBpbiB0aGUgdW5yZXNlcnZlZCBzZXQgb3Ig
dG8gcGVybWl0dGVkIGNoYXJhY3RlcnMgZnJvbSB0aGUNCiAgIHJlc2VydmVk
IHNldCBzaG91bGQgYmUgcGVyY2VudC1lbmNvZGVkLiAgVGhpcyBzcGVjaWZp
Y2F0aW9uIHN1Z2dlc3RzDQogICBvbmUgYWxsb3dhYmxlIGV4Y2VwdGlvbiB0
byB0aGF0IHJ1bGUgZm9yIHRoZSAiaWQiIGF0dHJpYnV0ZSwgYXMNCiAgIHN0
YXRlZCBsYXRlciBpbiB0aGlzIHNlY3Rpb24uICBHcmFtbWFyIHJ1bGVzICJ1
bnJlc2VydmVkIiBhbmQgInBjdC0NCiAgIGVuY29kZWQiIGluIHRoZSBQS0NT
IzExIFVSSSBzcGVjaWZpY2F0aW9uIGJlbG93IGFyZSBpbXBvcnRlZCBmcm9t
DQogICBbUkZDMzk4Nl0uICBBcyBhIHNwZWNpYWwgY2FzZSwgbm90ZSB0aGF0
IGFjY29yZGluZyB0byBBcHBlbmRpeCBBIG9mDQogICBbUkZDMzk4Nl0sIGEg
c3BhY2UgbXVzdCBiZSBwZXJjZW50LWVuY29kZWQuDQoNCiAgIFBLQ1MjMTEg
c3BlY2lmaWNhdGlvbiBpbXBvc2VzIHZhcmlvdXMgbGltaXRhdGlvbnMgb24g
dGhlIHZhbHVlIG9mDQogICBhdHRyaWJ1dGVzLCBiZSBpdCBhIG1vcmUgcmVz
dHJpY3RpdmUgY2hhcmFjdGVyIHNldCBmb3IgdGhlICJzZXJpYWwiDQogICBh
dHRyaWJ1dGUgb3IgZml4ZWQgc2l6ZWQgYnVmZmVycyBmb3IgYWxtb3N0IGFs
bCB0aGUgb3RoZXJzLCBpbmNsdWRpbmcNCiAgICJ0b2tlbiIsICJtYW51ZmFj
dHVyZXIiLCBhbmQgIm1vZGVsIiBhdHRyaWJ1dGVzLiAgSG93ZXZlciwgdGhl
DQogICBQS0NTIzExIFVSSSBub3RhdGlvbiBkb2VzIG5vdCBpbXBvc2Ugc3Vj
aCBsaW1pdGF0aW9ucyBhc2lkZSBmcm9tDQogICByZW1vdmluZyBnZW5lcmlj
IGFuZCBQS0NTIzExIFVSSSBkZWxpbWl0ZXJzIGZyb20gYSBwZXJtaXR0ZWQN
CiAgIGNoYXJhY3RlciBzZXQuICBXZSBiZWxpZXZlIHRoYXQgYmVpbmcgdG9v
IHJlc3RyaWN0aXZlIG9uIHRoZQ0KICAgYXR0cmlidXRlIHZhbHVlcyBjb3Vs
ZCBsaW1pdCB0aGUgUEtDUyMxMSBVUkkgdXNlZnVsbmVzcy4gIFdoYXQgaXMN
CiAgIG1vcmUsIHBvc3NpYmxlIGZ1dHVyZSBjaGFuZ2VzIHRvIHRoZSBQS0NT
IzExIHNwZWNpZmljYXRpb24gc2hvdWxkIG5vdA0KICAgYWZmZWN0IGV4aXN0
aW5nIGF0dHJpYnV0ZXMuDQoNCiAgIEEgUEtDUyMxMSBVUkkgdGFrZXMgdGhl
IGZvcm0gKGZvciBleHBsYW5hdGlvbiBvZiBBdWdtZW50ZWQgQk5GLCBzZWUN
CiAgIFtSRkM1MjM0XSk6DQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0K
DQpQZWNoYW5lYyAmIE1vZmZhdCAgICAgICAgIEV4cGlyZXMgSnVuZSAyMCwg
MjAxNSAgICAgICAgICAgICAgICAgW1BhZ2UgNF0NCgwNCkludGVybmV0LURy
YWZ0ICAgICAgICAgICBUaGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAg
ICAgRGVjZW1iZXIgMjAxNA0KDQoNCiAgcGsxMS1VUkkgICAgICAgICAgICAg
PSAicGtjczExIiAiOiIgcGsxMS1wYXRoICoxKCI/IiBwazExLXF1ZXJ5KQ0K
ICA7IFBhdGggY29tcG9uZW50IGFuZCBpdHMgYXR0cmlidXRlcy4gIFBhdGgg
bWF5IGJlIGVtcHR5Lg0KICBwazExLXBhdGggICAgICAgICAgICA9ICoxKHBr
MTEtcGF0dHIgKigiOyIgcGsxMS1wYXR0cikpDQogIHBrMTEtcGF0dHIgICAg
ICAgICAgID0gcGsxMS10b2tlbiAvIHBrMTEtbWFudWYgLyBwazExLXNlcmlh
bCAvDQogICAgICAgICAgICAgICAgICAgICAgICAgcGsxMS1tb2RlbCAvIHBr
MTEtbGliLW1hbnVmIC8NCiAgICAgICAgICAgICAgICAgICAgICAgICBwazEx
LWxpYi12ZXIgLyBwazExLWxpYi1kZXNjIC8NCiAgICAgICAgICAgICAgICAg
ICAgICAgICBwazExLW9iamVjdCAvIHBrMTEtdHlwZSAvIHBrMTEtaWQgLw0K
ICAgICAgICAgICAgICAgICAgICAgICAgIHBrMTEtc2xvdC1kZXNjIC8gcGsx
MS1zbG90LW1hbnVmIC8NCiAgICAgICAgICAgICAgICAgICAgICAgICBwazEx
LXNsb3QtaWQgLyBwazExLXgtcGF0dHINCiAgOyBRdWVyeSBjb21wb25lbnQg
YW5kIGl0cyBhdHRyaWJ1dGVzLiAgUXVlcnkgbWF5IGJlIGVtcHR5Lg0KICBw
azExLXFhdHRyICAgICAgICAgICA9IHBrMTEtcGluLXNvdXJjZSAvIHBrMTEt
cGluLXZhbHVlIC8NCiAgICAgICAgICAgICAgICAgICAgICAgICBwazExLW1v
ZHVsZS1uYW1lIC8gcGsxMS1tb2R1bGUtcGF0aCAvDQogICAgICAgICAgICAg
ICAgICAgICAgICAgcGsxMS14LXFhdHRyDQogIHBrMTEtcXVlcnkgICAgICAg
ICAgID0gKjEocGsxMS1xYXR0ciAqKCImIiBwazExLXFhdHRyKSkNCiAgOyBS
RkMgMzk4NiBzZWN0aW9uIDIuMiBtYW5kYXRlcyBhbGwgcG90ZW50aWFsbHkg
cmVzZXJ2ZWQgY2hhcmFjdGVycw0KICA7IHRoYXQgZG8gbm90IGNvbmZsaWN0
IHdpdGggYWN0dWFsIGRlbGltaXRlcnMgb2YgdGhlIFVSSSBkbyBub3QgaGF2
ZQ0KICA7IHRvIGJlIHBlcmNlbnQtZW5jb2RlZC4NCiAgcGsxMS1yZXMtYXZh
aWwgICAgICAgPSAiOiIgLyAiWyIgLyAiXSIgLyAiQCIgLyAiISIgLyAiJCIg
Lw0KICAgICAgICAgICAgICAgICAgICAgICAgICInIiAvICIoIiAvICIpIiAv
ICIqIiAvICIrIiAvICIsIiAvICI9Ig0KICBwazExLXBhdGgtcmVzLWF2YWls
ICA9IHBrMTEtcmVzLWF2YWlsIC8gIiYiDQogIDsgV2UgYWxsb3cgIi8iIGFu
ZCAiPyIgaW4gdGhlIHF1ZXJ5IHRvIGJlIHVuZW5jb2RlZCBidXQgIiYiIG11
c3QNCiAgOyBiZSBlbmNvZGVkIHNpbmNlIGl0IG1heSBiZSB1c2VkIGFzIGEg
ZGVsaW1pdGVyIGluIHRoZSBjb21wb25lbnQuDQogIHBrMTEtcXVlcnktcmVz
LWF2YWlsID0gcGsxMS1yZXMtYXZhaWwgLyAiLyIgLyAiPyIgLyAifCINCiAg
cGsxMS1wY2hhciAgICAgICAgICAgPSB1bnJlc2VydmVkIC8gcGsxMS1wYXRo
LXJlcy1hdmFpbCAvIHBjdC1lbmNvZGVkDQogIHBrMTEtcWNoYXIgICAgICAg
ICAgID0gdW5yZXNlcnZlZCAvIHBrMTEtcXVlcnktcmVzLWF2YWlsIC8gcGN0
LWVuY29kZWQNCiAgcGsxMS10b2tlbiAgICAgICAgICAgPSAidG9rZW4iICI9
IiAqcGsxMS1wY2hhcg0KICBwazExLW1hbnVmICAgICAgICAgICA9ICJtYW51
ZmFjdHVyZXIiICI9IiAqcGsxMS1wY2hhcg0KICBwazExLXNlcmlhbCAgICAg
ICAgICA9ICJzZXJpYWwiICI9IiAqcGsxMS1wY2hhcg0KICBwazExLW1vZGVs
ICAgICAgICAgICA9ICJtb2RlbCIgIj0iICpwazExLXBjaGFyDQogIHBrMTEt
bGliLW1hbnVmICAgICAgID0gImxpYnJhcnktbWFudWZhY3R1cmVyIiAiPSIg
KnBrMTEtcGNoYXINCiAgcGsxMS1saWItZGVzYyAgICAgICAgPSAibGlicmFy
eS1kZXNjcmlwdGlvbiIgIj0iICpwazExLXBjaGFyDQogIHBrMTEtbGliLXZl
ciAgICAgICAgID0gImxpYnJhcnktdmVyc2lvbiIgIj0iIDEqRElHSVQgKjEo
Ii4iIDEqRElHSVQpDQogIHBrMTEtb2JqZWN0ICAgICAgICAgID0gIm9iamVj
dCIgIj0iICpwazExLXBjaGFyDQogIHBrMTEtdHlwZSAgICAgICAgICAgID0g
InR5cGUiICI9IiAqMSgicHVibGljIiAvICJwcml2YXRlIiAvICJjZXJ0IiAv
DQogICAgICAgICAgICAgICAgICAgICAgICAgInNlY3JldC1rZXkiIC8gImRh
dGEiKQ0KICBwazExLWlkICAgICAgICAgICAgICA9ICJpZCIgIj0iICpwazEx
LXBjaGFyDQogIHBrMTEtc2xvdC1tYW51ZiAgICAgID0gInNsb3QtbWFudWZh
Y3R1cmVyIiAiPSIgKnBrMTEtcGNoYXINCiAgcGsxMS1zbG90LWRlc2MgICAg
ICAgPSAic2xvdC1kZXNjcmlwdGlvbiIgIj0iICpwazExLXBjaGFyDQogIHBr
MTEtc2xvdC1pZCAgICAgICAgID0gInNsb3QtaWQiICI9IiAxKkRJR0lUDQog
IHBrMTEtcGluLXNvdXJjZSAgICAgID0gInBpbi1zb3VyY2UiICI9IiAqcGsx
MS1xY2hhcg0KICBwazExLXBpbi12YWx1ZSAgICAgICA9ICJwaW4tdmFsdWUi
ICI9IiAqcGsxMS1xY2hhcg0KICBwazExLW1vZHVsZS1uYW1lICAgICA9ICJt
b2R1bGUtbmFtZSIgIj0iICpwazExLXFjaGFyDQogIHBrMTEtbW9kdWxlLXBh
dGggICAgID0gIm1vZHVsZS1wYXRoIiAiPSIgKnBrMTEtcWNoYXINCiAgcGsx
MS14LWF0dHItbm0tY2hhciAgPSBBTFBIQSAvIERJR0lUIC8gIi0iIC8gIl8i
DQogIDsgUGVybWl0dGVkIHZhbHVlIG9mIGEgdmVuZG9yIHNwZWNpZmljIGF0
dHJpYnV0ZSBpcyBiYXNlZCBvbg0KICA7IHdoZXRoZXIgdGhlIGF0dHJpYnV0
ZSBpcyB1c2VkIGluIHRoZSBwYXRoIG9yIGluIHRoZSBxdWVyeS4NCiAgcGsx
MS14LXBhdHRyICAgICAgICAgPSAieC0iIDEqcGsxMS14LWF0dHItbm0tY2hh
ciAiPSIgKnBrMTEtcGNoYXINCiAgcGsxMS14LXFhdHRyICAgICAgICAgPSAi
eC0iIDEqcGsxMS14LWF0dHItbm0tY2hhciAiPSIgKnBrMTEtcWNoYXINCg0K
DQoNClBlY2hhbmVjICYgTW9mZmF0ICAgICAgICAgRXhwaXJlcyBKdW5lIDIw
LCAyMDE1ICAgICAgICAgICAgICAgICBbUGFnZSA1XQ0KDA0KSW50ZXJuZXQt
RHJhZnQgICAgICAgICAgIFRoZSBQS0NTIzExIFVSSSBTY2hlbWUgICAgICAg
ICAgICBEZWNlbWJlciAyMDE0DQoNCg0KICAgVGhlIFVSSSBwYXRoIGNvbXBv
bmVudCBjb250YWlucyBhdHRyaWJ1dGVzIHRoYXQgaWRlbnRpZnkgYSByZXNv
dXJjZQ0KICAgaW4gYSBvbmUgbGV2ZWwgaGllcmFyY2h5IHByb3ZpZGVkIGJ5
IENyeXB0b2tpIHByb2R1Y2Vycy4gIFRoZSBxdWVyeQ0KICAgY29tcG9uZW50
IGNhbiBjb250YWluIGEgZmV3IGF0dHJpYnV0ZXMgdGhhdCBtYXkgYmUgbmVl
ZGVkIHRvIHJldHJpZXZlDQogICB0aGUgcmVzb3VyY2UgaWRlbnRpZmllZCBi
eSB0aGUgVVJJIHBhdGguICBCb3RoIHBhdGggYW5kIHF1ZXJ5DQogICBjb21w
b25lbnRzIG1heSBjb250YWluIHZlbmRvciBzcGVjaWZpYyBhdHRyaWJ1dGVz
LiAgU3VjaCBhdHRyaWJ1dGUNCiAgIG5hbWVzIG11c3Qgc3RhcnQgd2l0aCBh
biAieC0iIHByZWZpeC4gIEF0dHJpYnV0ZXMgaW4gdGhlIHBhdGgNCiAgIGNv
bXBvbmVudCBhcmUgZGVsaW1pdGVkIGJ5ICc7JyBjaGFyYWN0ZXIsIGF0dHJp
YnV0ZXMgaW4gdGhlIHF1ZXJ5DQogICBjb21wb25lbnQgdXNlICcmJyBhcyBh
IGRlbGltaXRlci4NCg0KICAgVGhlIGdlbmVyYWwgJy8nIGRlbGltaXRlciB3
YXMgcmVtb3ZlZCBmcm9tIGF2YWlsYWJsZSBjaGFyYWN0ZXJzIHRoYXQNCiAg
IGRvIG5vdCBoYXZlIHRvIGJlIHBlcmNlbnQtZW5jb2RlZCBpbiB0aGUgcGF0
aCBjb21wb25lbnQgc28gdGhhdA0KICAgZ2VuZXJpYyBVUkkgcGFyc2VycyBu
ZXZlciBzcGxpdCB0aGUgcGF0aCBjb21wb25lbnQgaW50byBtdWx0aXBsZQ0K
ICAgc2VnbWVudHMuICBUaGUgJy8nIGRlbGltaXRlciBjYW4gYmUgdXNlZCB1
bmVuY29kZWQgaW4gdGhlIHF1ZXJ5DQogICBjb21wb25lbnQuICBEZWxpbWl0
ZXIgJz8nIHdhcyByZW1vdmVkIHNpbmNlIHRoZSBQS0NTIzExIFVSSSB1c2Vz
IGENCiAgIHF1ZXJ5IGNvbXBvbmVudC4gIERlbGltaXRlciAnIycgd2FzIHJl
bW92ZWQgc28gdGhhdCBnZW5lcmljIFVSSQ0KICAgcGFyc2VycyBhcmUgbm90
IGNvbmZ1c2VkIGJ5IHVuZW5jb2RlZCBoYXNoIGNoYXJhY3RlcnMuICBBbGwg
b3RoZXINCiAgIGdlbmVyaWMgZGVsaW1pdGVycyBhcmUgYWxsb3dlZCB0byBi
ZSB1c2VkIHVuZW5jb2RlZCAoJzonLCAnWycsICddJywNCiAgIGFuZCAnQCcp
IGluIHRoZSBQS0NTIzExIFVSSS4NCg0KICAgVGhlIGZvbGxvd2luZyB0YWJs
ZSBwcmVzZW50cyBtYXBwaW5nIGJldHdlZW4gdGhlIFBLQ1MjMTEgVVJJIHBh
dGgNCiAgIGNvbXBvbmVudCBhdHRyaWJ1dGVzIGFuZCB0aGUgUEtDUyMxMSBB
UEkgc3RydWN0dXJlIG1lbWJlcnMgYW5kIG9iamVjdA0KICAgYXR0cmlidXRl
cy4gIEdpdmVuIHRoYXQgUEtDUyMxMSBVUkkgdXNlcnMgbWF5IGJlIHF1aXRl
IGlnbm9yYW50IGFib3V0DQogICB0aGUgUEtDUyMxMSBzcGVjaWZpY2F0aW9u
IHRoZSBtYXBwaW5nIGlzIGEgcHJvZHVjdCBvZiBhIG5lY2Vzc2FyeQ0KICAg
Y29tcHJvbWlzZSBiZXR3ZWVuIGhvdyBwcmVjaXNlbHkgYXJlIHRoZSBVUkkg
YXR0cmlidXRlIG5hbWVzIG1hcHBlZA0KICAgdG8gdGhlIG5hbWVzIGluIHRo
ZSBzcGVjaWZpY2F0aW9uIGFuZCB0aGUgZWFzZSBvZiB1c2UgYW5kDQogICB1
bmRlcnN0YW5kaW5nIG9mIHRoZSBVUkkgc2NoZW1lLg0KDQogICArLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLSsNCiAgIHwgVVJJIGNvbXBvbmVudCBwYXRoICAg
fCBBdHRyaWJ1dGUgICAgICAgICAgIHwgQXR0cmlidXRlICAgICAgICAgICAg
fA0KICAgfCBhdHRyaWJ1dGUgbmFtZSAgICAgICB8IHJlcHJlc2VudHMgICAg
ICAgICAgfCBjb3JyZXNwb25kcyBpbiB0aGUgICB8DQogICB8ICAgICAgICAg
ICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8IFBLQ1MjMTEg
ICAgICAgICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCAg
ICAgICAgICAgICAgICAgICAgIHwgc3BlY2lmaWNhdGlvbiB0byAgICAgfA0K
ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rDQogICB8ICAgICAgICAgICAg
ICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAg
ICAgICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0t
LS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAg
fCBpZCAgICAgICAgICAgICAgICAgICB8IGtleSBpZGVudGlmaWVyIGZvciAg
fCAiQ0tBX0lEIiBvYmplY3QgICAgICB8DQogICB8ICAgICAgICAgICAgICAg
ICAgICAgIHwgb2JqZWN0ICAgICAgICAgICAgICB8IGF0dHJpYnV0ZSAgICAg
ICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAgfCBs
aWJyYXJ5LWRlc2NyaXB0aW9uICB8IGNoYXJhY3Rlci1zdHJpbmcgICAgfCAi
bGlicmFyeURlc2NyaXB0aW9uIiB8DQogICB8ICAgICAgICAgICAgICAgICAg
ICAgIHwgZGVzY3JpcHRpb24gb2YgdGhlICB8IG1lbWJlciBvZiBDS19JTkZP
ICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCBsaWJyYXJ5ICAg
ICAgICAgICAgIHwgc3RydWN0dXJlICAgICAgICAgICAgfA0KICAgKy0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0rDQogICB8IGxpYnJhcnktbWFudWZhY3R1cmVy
IHwgSUQgb2YgdGhlIENyeXB0b2tpICB8ICJtYW51ZmFjdHVyZXJJRCIgICAg
IHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCBsaWJyYXJ5ICAgICAg
ICAgICAgIHwgbWVtYmVyIG9mIHRoZSAgICAgICAgfA0KICAgfCAgICAgICAg
ICAgICAgICAgICAgICB8IG1hbnVmYWN0dXJlciAgICAgICAgfCBDS19JTkZP
IHN0cnVjdHVyZSAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSst
LS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsN
CiAgIHwgbGlicmFyeS12ZXJzaW9uICAgICAgfCBDcnlwdG9raSBsaWJyYXJ5
ICAgIHwgImxpYnJhcnlWZXJzaW9uIiAgICAgfA0KICAgfCAgICAgICAgICAg
ICAgICAgICAgICB8IHZlcnNpb24gbnVtYmVyICAgICAgfCBtZW1iZXIgb2Yg
Q0tfSU5GTyAgICB8DQoNCg0KDQpQZWNoYW5lYyAmIE1vZmZhdCAgICAgICAg
IEV4cGlyZXMgSnVuZSAyMCwgMjAxNSAgICAgICAgICAgICAgICAgW1BhZ2Ug
Nl0NCgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBUaGUgUEtDUyMxMSBV
UkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAxNA0KDQoNCiAgIHwg
ICAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgIHwg
c3RydWN0dXJlICAgICAgICAgICAgfA0KICAgKy0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0rDQogICB8IG1hbnVmYWN0dXJlciAgICAgICAgIHwgSUQgb2YgdGhl
IHRva2VuICAgICB8ICJtYW51ZmFjdHVyZXJJRCIgICAgIHwNCiAgIHwgICAg
ICAgICAgICAgICAgICAgICAgfCBtYW51ZmFjdHVyZXIgICAgICAgIHwgbWVt
YmVyIG9mICAgICAgICAgICAgfA0KICAgfCAgICAgICAgICAgICAgICAgICAg
ICB8ICAgICAgICAgICAgICAgICAgICAgfCBDS19UT0tFTl9JTkZPICAgICAg
ICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg
ICAgICAgICB8IHN0cnVjdHVyZSAgICAgICAgICAgIHwNCiAgICstLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKw0KICAgfCBtb2RlbCAgICAgICAgICAgICAgICB8
IHRva2VuIG1vZGVsICAgICAgICAgfCAibW9kZWwiIG1lbWJlciBvZiAgICB8
DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAg
ICAgICB8IENLX1RPS0VOX0lORk8gICAgICAgIHwNCiAgIHwgICAgICAgICAg
ICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgIHwgc3RydWN0dXJl
ICAgICAgICAgICAgfA0KICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0t
LS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rDQog
ICB8IG9iamVjdCAgICAgICAgICAgICAgIHwgZGVzY3JpcHRpb24gKG5hbWUp
ICB8ICJDS0FfTEFCRUwiIG9iamVjdCAgIHwNCiAgIHwgICAgICAgICAgICAg
ICAgICAgICAgfCBvZiB0aGUgb2JqZWN0ICAgICAgIHwgYXR0cmlidXRlICAg
ICAgICAgICAgfA0KICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rDQogICB8
IHNlcmlhbCAgICAgICAgICAgICAgIHwgY2hhcmFjdGVyLXN0cmluZyAgICB8
ICJzZXJpYWxOdW1iZXIiICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAg
ICAgICAgfCBzZXJpYWwgbnVtYmVyIG9mICAgIHwgbWVtYmVyIG9mICAgICAg
ICAgICAgfA0KICAgfCAgICAgICAgICAgICAgICAgICAgICB8IHRoZSB0b2tl
biAgICAgICAgICAgfCBDS19UT0tFTl9JTkZPICAgICAgICB8DQogICB8ICAg
ICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8IHN0
cnVjdHVyZSAgICAgICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKw0KICAgfCBzbG90LWRlc2NyaXB0aW9uICAgICB8IHNsb3QgZGVzY3Jp
cHRpb24gICAgfCAic2xvdERlc2NyaXB0aW9uIiAgICB8DQogICB8ICAgICAg
ICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8IG1lbWJl
ciBvZiAgICAgICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAg
fCAgICAgICAgICAgICAgICAgICAgIHwgQ0tfU0xPVF9JTkZPICAgICAgICAg
fA0KICAgfCAgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAg
ICAgICAgfCBzdHJ1Y3R1cmUgICAgICAgICAgICB8DQogICArLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLSsNCiAgIHwgc2xvdC1pZCAgICAgICAgICAgICAgfCBD
cnlwdG9raS1hc3NpZ25lZCAgIHwgZGVjaW1hbCBudW1iZXIgb2YgICAgfA0K
ICAgfCAgICAgICAgICAgICAgICAgICAgICB8IHZhbHVlIHRoYXQgICAgICAg
ICAgfCAiQ0tfU0xPVF9JRCIgdHlwZSAgICB8DQogICB8ICAgICAgICAgICAg
ICAgICAgICAgIHwgaWRlbnRpZmllcyBhIHNsb3QgICB8ICAgICAgICAgICAg
ICAgICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0t
LS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAg
fCBzbG90LW1hbnVmYWN0dXJlciAgICB8IElEIG9mIHRoZSBzbG90ICAgICAg
fCAibWFudWZhY3R1cmVySUQiICAgICB8DQogICB8ICAgICAgICAgICAgICAg
ICAgICAgIHwgbWFudWZhY3R1cmVyICAgICAgICB8IG1lbWJlciBvZiAgICAg
ICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCAgICAgICAg
ICAgICAgICAgICAgIHwgQ0tfU0xPVF9JTkZPICAgICAgICAgfA0KICAgfCAg
ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgfCBz
dHJ1Y3R1cmUgICAgICAgICAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSsNCiAgIHwgdG9rZW4gICAgICAgICAgICAgICAgfCBhcHBsaWNhdGlv
bi1kZWZpbmVkIHwgImxhYmVsIiBtZW1iZXIgb2YgICAgfA0KICAgfCAgICAg
ICAgICAgICAgICAgICAgICB8IGxhYmVsLCBhc3NpZ25lZCAgICAgfCB0aGUg
Q0tfVE9LRU5fSU5GTyAgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAg
IHwgZHVyaW5nIHRva2VuICAgICAgICB8IHN0cnVjdHVyZSAgICAgICAgICAg
IHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCBpbml0aWFsaXphdGlv
biAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgfA0KICAgKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0rDQogICB8IHR5cGUgICAgICAgICAgICAgICAgIHwg
b2JqZWN0IGNsYXNzICh0eXBlKSB8ICJDS0FfQ0xBU1MiIG9iamVjdCAgIHwN
CiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAg
ICAgIHwgYXR0cmlidXRlICAgICAgICAgICAgfA0KICAgKy0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0rDQoNCiAgICBUYWJsZSAxOiBNYXBwaW5nIGJldHdlZW4g
VVJJIHBhdGggY29tcG9uZW50IGF0dHJpYnV0ZXMgYW5kIFBLQ1MjMTENCiAg
ICAgICAgICAgICAgICAgICAgICAgICAgICBzcGVjaWZpY2F0aW9uIG5hbWVz
DQoNCiAgIFRoZSBxdWVyeSBjb21wb25lbnQgYXR0cmlidXRlICJwaW4tc291
cmNlIiBzcGVjaWZpZXMgd2hlcmUgdGhlDQogICBhcHBsaWNhdGlvbiBvciBs
aWJyYXJ5IHNob3VsZCBmaW5kIHRoZSBub3JtYWwgdXNlcidzIHRva2VuIFBJ
TiwgdGhlDQogICAicGluLXZhbHVlIiBhdHRyaWJ1dGUgcHJvdmlkZXMgdGhl
IG5vcm1hbCB1c2VyJ3MgUElOIHZhbHVlIGRpcmVjdGx5LA0KDQoNCg0KUGVj
aGFuZWMgJiBNb2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bmUgMjAsIDIwMTUg
ICAgICAgICAgICAgICAgIFtQYWdlIDddDQoMDQpJbnRlcm5ldC1EcmFmdCAg
ICAgICAgICAgVGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERl
Y2VtYmVyIDIwMTQNCg0KDQogICBpZiBuZWVkZWQsIGFuZCB0aGUgIm1vZHVs
ZS1uYW1lIiBhbmQgIm1vZHVsZS1wYXRoIiBhdHRyaWJ1dGVzIG1vZGlmeQ0K
ICAgZGVmYXVsdCBzZXR0aW5ncyBmb3IgYWNjZXNzaW5nIFBLQ1MjMTEgcHJv
dmlkZXJzLiAgRm9yIHRoZSBkZWZpbml0aW9uDQogICBvZiBhICJub3JtYWwg
dXNlciIsIHNlZSBbcGtjczExX3NwZWNdLg0KDQogICBUaGUgQUJORiBydWxl
cyBhYm92ZSBpcyBhIGJlc3QgZWZmb3J0IGRlZmluaXRpb24gYW5kIHRoaXMg
cGFyYWdyYXBoDQogICBzcGVjaWZpZXMgYWRkaXRpb25hbCBjb25zdHJhaW50
cy4gIFRoZSBQS0NTIzExIFVSSSBtdXN0IG5vdCBjb250YWluDQogICBkdXBs
aWNhdGUgYXR0cmlidXRlcyBvZiB0aGUgc2FtZSBuYW1lIGluIHRoZSBVUkkg
cGF0aCBjb21wb25lbnQuICBJdA0KICAgbWVhbnMgdGhhdCBlYWNoIGF0dHJp
YnV0ZSBtYXkgYmUgcHJlc2VudCBhdCBtb3N0IG9uY2UgaW4gdGhlIFBLQ1Mj
MTENCiAgIFVSSSBwYXRoLiAgQXNpZGUgZnJvbSB0aGUgcXVlcnkgYXR0cmli
dXRlcyBkZWZpbmVkIGluIHRoaXMgZG9jdW1lbnQsDQogICBkdXBsaWNhdGUg
YXR0cmlidXRlcyBtYXkgYmUgcHJlc2VudCBpbiB0aGUgVVJJIHF1ZXJ5IGNv
bXBvbmVudCBhbmQgaXQNCiAgIGlzIHVwIHRvIHRoZSBVUkkgY29uc3VtZXIg
dG8gZGVjaWRlIG9uIGhvdyB0byBkZWFsIHdpdGggc3VjaA0KICAgZHVwbGlj
YXRlcy4NCg0KICAgSXQgaXMgcmVjb21tZW5kZWQgdG8gcGVyY2VudC1lbmNv
ZGUgdGhlIHdob2xlIHZhbHVlIG9mIHRoZSAiaWQiDQogICBhdHRyaWJ1dGUg
d2hpY2ggaXMgc3VwcG9zZWQgdG8gYmUgaGFuZGxlZCBhcyBhcmJpdHJhcnkg
YmluYXJ5IGRhdGEuDQoNCiAgIFRoZSAibGlicmFyeS12ZXJzaW9uIiBhdHRy
aWJ1dGUgcmVwcmVzZW50cyB0aGUgbWFqb3IgYW5kIG1pbm9yDQogICB2ZXJz
aW9uIG51bWJlciBvZiB0aGUgbGlicmFyeSBhbmQgaXRzIGZvcm1hdCBpcyAi
TS5OIi4gIEJvdGggbnVtYmVycw0KICAgYXJlIG9uZSBieXRlIGluIHNpemUs
IHNlZSB0aGUgImxpYnJhcnlWZXJzaW9uIiBtZW1iZXIgb2YgdGhlIENLX0lO
Rk8NCiAgIHN0cnVjdHVyZSBpbiBbcGtjczExX3NwZWNdIGZvciBtb3JlIGlu
Zm9ybWF0aW9uLiAgVmFsdWUgIk0iIGZvciB0aGUNCiAgIGF0dHJpYnV0ZSBt
dXN0IGJlIGludGVycHJldGVkIGFzICJNIiBmb3IgdGhlIG1ham9yIGFuZCAi
MCIgZm9yIHRoZQ0KICAgbWlub3IgdmVyc2lvbiBvZiB0aGUgbGlicmFyeS4g
IElmIHRoZSBhdHRyaWJ1dGUgaXMgcHJlc2VudCB0aGUgbWFqb3INCiAgIHZl
cnNpb24gbnVtYmVyIGlzIG1hbmRhdG9yeS4gIEJvdGggIk0iIGFuZCAiTiIg
bXVzdCBiZSBkZWNpbWFsDQogICBudW1iZXJzLg0KDQogICBTbG90IElEIGlz
IENyeXB0b2tpLWFzc2lnbmVkIG51bWJlciB0aGF0IGlzIG5vdCBndWFyYW50
ZWVkIHN0YWJsZQ0KICAgYWNyb3NzIGRpZmZlcmVudCBQS0NTIzExIG1vZHVs
ZSBpbml0aWFsaXphdGlvbnMuICBIb3dldmVyLCBzbG90DQogICBkZXNjcmlw
dGlvbiBhbmQgbWFudWZhY3R1cmVyIElEIG1heSBub3QgYmUgZW5vdWdoIHRv
IGlkZW50aWZ5IGENCiAgIHNwZWNpZmljIHJlYWRlci4gIEluIHNpdHVhdGlv
bnMgd2hlcmUgc2xvdCBpbmZvcm1hdGlvbiBpcyBuZWNlc3NhcnkNCiAgIHVz
ZSBvZiAic2xvdC1pZCIgYXR0cmlidXRlIG1heSBiZSBqdXN0aWZpZWQgaWYg
c3VmZmljaWVudCBzbG90IElEDQogICBzdGFiaWxpdHkgaXMgcHJvdmlkZWQg
aW4gdGhlIFBLQ1MjMTEgcHJvdmlkZXIgaXRzZWxmIG9yIGV4dGVybmFseS4N
Cg0KICAgQW4gZW1wdHkgUEtDUyMxMSBVUkkgcGF0aCBhdHRyaWJ1dGUgdGhh
dCBkb2VzIGFsbG93IGZvciBhbiBlbXB0eQ0KICAgdmFsdWUgbWF0Y2hlcyBh
IGNvcnJlc3BvbmRpbmcgc3RydWN0dXJlIG1lbWJlciBvciBhbiBvYmplY3Qg
YXR0cmlidXRlDQogICB3aXRoIGFuIGVtcHR5IHZhbHVlLiAgTm90ZSB0aGF0
IGFjY29yZGluZyB0byB0aGUgUEtDUyMxMQ0KICAgc3BlY2lmaWNhdGlvbiBb
cGtjczExX3NwZWNdLCBlbXB0eSBjaGFyYWN0ZXIgdmFsdWVzIGluIGEgUEtD
UyMxMSBBUEkNCiAgIHByb2R1Y2VyIG11c3QgYmUgcGFkZGVkIHdpdGggc3Bh
Y2VzIGFuZCBzaG91bGQgbm90IGJlIE5VTEwNCiAgIHRlcm1pbmF0ZWQuDQoN
CjMuNC4gIFBLQ1MjMTEgVVJJIFNjaGVtZSBRdWVyeSBBdHRyaWJ1dGUgU2Vt
YW50aWNzDQoNCiAgIEFuIGFwcGxpY2F0aW9uIG1heSBhbHdheXMgYXNrIGZv
ciBhIFBJTiBieSBhbnkgbWVhbnMgaXQgZGVjaWRlcyB0by4NCiAgIFdoYXQg
aXMgbW9yZSwgaW4gb3JkZXIgbm90IHRvIGxpbWl0IFBLQ1MjMTEgVVJJIHBv
cnRhYmlsaXR5IHRoZSAicGluLQ0KICAgc291cmNlIiBhdHRyaWJ1dGUgdmFs
dWUgZm9ybWF0IGFuZCBpbnRlcnByZXRhdGlvbiBpcyBsZWZ0IHRvIGJlDQog
ICBpbXBsZW1lbnRhdGlvbiBzcGVjaWZpYy4gIEhvd2V2ZXIsIHdlIHJlY29t
bWVuZCB0aGUgY2VydGFpbiBydWxlcyB0bw0KICAgYmUgZm9sbG93ZWQgaW4g
ZGVzY2VuZGluZyBvcmRlciBmb3IgdGhlIHZhbHVlIG9mIHRoZSAicGluLXNv
dXJjZSINCiAgIGF0dHJpYnV0ZToNCg0KDQoNCg0KUGVjaGFuZWMgJiBNb2Zm
YXQgICAgICAgICBFeHBpcmVzIEp1bmUgMjAsIDIwMTUgICAgICAgICAgICAg
ICAgIFtQYWdlIDhdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgVGhl
IFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVyIDIwMTQN
Cg0KDQogICBvICBpZiB0aGUgdmFsdWUgcmVwcmVzZW50cyBhIGxvY2FsIGFi
c29sdXRlIHBhdGggdGhlIGltcGxlbWVudGF0aW9uDQogICAgICBzaG91bGQg
dXNlIGl0IGFzIGEgUElOIGZpbGUgY29udGFpbmluZyB0aGUgUElOIHZhbHVl
DQoNCiAgIG8gIGlmIHRoZSB2YWx1ZSBjb250YWlucyAifDxhYnNvbHV0ZS1j
b21tYW5kLXBhdGg+IiB0aGUNCiAgICAgIGltcGxlbWVudGF0aW9uIHNob3Vs
ZCByZWFkIHRoZSBQSU4gZnJvbSB0aGUgb3V0cHV0IG9mIGFuDQogICAgICBh
cHBsaWNhdGlvbiBzcGVjaWZpZWQgd2l0aCBhYnNvbHV0ZSBwYXRoICI8YWJz
b2x1dGUtY29tbWFuZC0NCiAgICAgIHBhdGg+Ii4gIE5vdGUgdGhhdCBjaGFy
YWN0ZXIgInwiIHJlcHJlc2VudGluZyBhIHBpcGUgZG9lcyBub3QgaGF2ZQ0K
ICAgICAgdG8gYmUgcGVyY2VudCBlbmNvZGVkIGluIHRoZSBxdWVyeSBjb21w
b25lbnQgb2YgdGhlIFBLQ1MjMTEgVVJJLg0KDQogICBvICBpZiB0aGUgdmFs
dWUgcmVwcmVzZW50cyBhIFVSSSB0cmVhdCBpdCBhcyBhbiBvYmplY3QgY29u
dGFpbmluZyB0aGUNCiAgICAgIFBJTi4gIFN1Y2ggYSBVUkkgbWF5IGJlICJm
aWxlOiIsICJodHRwczoiLCBhbm90aGVyIFBLQ1MjMTEgVVJJLCBvcg0KICAg
ICAgc29tZXRoaW5nIGVsc2UuDQoNCiAgIG8gIGludGVycHJldCB0aGUgdmFs
dWUgYXMgbmVlZGVkIGluIGFuIGltcGxlbWVudGF0aW9uIGRlcGVuZGVudCB3
YXkNCg0KICAgSWYgYSBVUkkgY29udGFpbnMgYm90aCAicGluLXNvdXJjZSIg
YW5kICJwaW4tdmFsdWUiIHF1ZXJ5IGF0dHJpYnV0ZXMNCiAgIHRoZSBVUkkg
c2hvdWxkIGJlIHJlZnVzZWQgYXMgaW52YWxpZC4NCg0KICAgVXNlIG9mIHRo
ZSAicGluLXZhbHVlIiBhdHRyaWJ1dGUgbWF5IGhhdmUgc2VjdXJpdHkgcmVs
YXRlZA0KICAgY29uc2VxdWVuY2VzLiAgU2VjdGlvbiA2IHNob3VsZCBiZSBj
b25zdWx0ZWQgYmVmb3JlIHRoaXMgYXR0cmlidXRlIGlzDQogICBldmVyIHVz
ZWQuICBTdGFuZGFyZCBwZXJjZW50IGVuY29kaW5nIHJ1bGVzIHNob3VsZCBi
ZSBmb2xsb3dlZCBmb3INCiAgIHRoZSBhdHRyaWJ1dGUgdmFsdWUuDQoNCiAg
IEEgY29uc3VtZXIgb2YgUEtDUyMxMSBVUklzIG1heSBtb2RpZnkgZGVmYXVs
dCBzZXR0aW5ncyBmb3IgYWNjZXNzaW5nDQogICBhIFBLQ1MjMTEgcHJvdmlk
ZXIgb3IgcHJvdmlkZXJzIGJ5IGFjY2VwdGluZyBxdWVyeSBjb21wb25lbnQN
CiAgIGF0dHJpYnV0ZXMgIm1vZHVsZS1uYW1lIiBhbmQgIm1vZHVsZS1wYXRo
Ii4iDQoNCiAgIFByb2Nlc3NpbmcgdGhlIFVSSSBxdWVyeSBtb2R1bGUgYXR0
cmlidXRlcyBzaG91bGQgZm9sbG93IHRoZXNlIHJ1bGVzOg0KDQogICBvICBh
dHRyaWJ1dGUgIm1vZHVsZS1uYW1lIiBpcyBleHBlY3RlZCB0byBjb250YWlu
IGEgY2FzZS1pbnNlbnNpdGl2ZQ0KICAgICAgUEtDUyMxMSBtb2R1bGUgbmFt
ZSAobm90IHBhdGggbm9yIGZpbGVuYW1lKSB3aXRob3V0IHN5c3RlbQ0KICAg
ICAgc3BlY2lmaWMgYWZmaXhlcy4gIFN1Y2ggYWZmaXggY291bGQgYmUgYW4g
Ii5zbyIgb3IgIi5ETEwiIHN1ZmZpeCwNCiAgICAgIG9yIGEgImxpYiIgcHJl
Zml4LCBmb3IgZXhhbXBsZS4gIE5vdCB1c2luZyBzeXN0ZW0gc3BlY2lmaWMg
YWZmaXhlcw0KICAgICAgaXMgZXhwZWN0ZWQgdG8gaW5jcmVhc2UgcG9ydGFi
aWxpdHkgb2YgUEtDUyMxMSBVUklzIGFtb25nDQogICAgICBkaWZmZXJlbnQg
c3lzdGVtcy4gIEEgVVJJIGNvbnN1bWVyIHNlYXJjaGluZyBmb3IgUEtDUyMx
MSBtb2R1bGVzDQogICAgICBpcyBleHBlY3RlZCB0byB1c2UgYSBzeXN0ZW0g
b3IgYXBwbGljYXRpb24gc3BlY2lmaWMgbG9jYXRpb25zIHRvDQogICAgICBm
aW5kIG1vZHVsZXMgYmFzZWQgb24gdGhlIG5hbWUgcHJvdmlkZWQgaW4gdGhl
IGF0dHJpYnV0ZS4NCg0KICAgbyAgYXR0cmlidXRlICJtb2R1bGUtcGF0aCIg
aXMgZXhwZWN0ZWQgdG8gY29udGFpbiBhIHN5c3RlbSBzcGVjaWZpYw0KICAg
ICAgYWJzb2x1dGUgcGF0aCB0byB0aGUgUEtDUyMxMSBtb2R1bGUsIG9yIGEg
c3lzdGVtIHNwZWNpZmljIGFic29sdXRlDQogICAgICBwYXRoIHRvIHRoZSBk
aXJlY3Rvcnkgb2Ygd2hlcmUgUEtDUyMxMSBtb2R1bGVzIGFyZSBsb2NhdGVk
LiAgRm9yDQogICAgICBzZWN1cml0eSByZWFzb25zLCBhIFVSSSB3aXRoIGEg
cmVsYXRpdmUgcGF0aCBpbiB0aGlzIGF0dHJpYnV0ZQ0KICAgICAgc2hvdWxk
IGJlIGFsd2F5cyByZWplY3RlZC4NCg0KICAgbyAgdGhlIFVSSSBjb25zdW1l
ciBtYXkgcmVmdXNlIHRvIGFjY2VwdCBlaXRoZXIgb2YgdGhlIGF0dHJpYnV0
ZXMsIG9yDQogICAgICBib3RoLiAgSWYgdXNlIG9mIGFuIGF0dHJpYnV0ZSBw
cmVzZW50IGluIHRoZSBVUkkgc3RyaW5nIGlzIG5vdA0KICAgICAgYWNjZXB0
ZWQgYSB3YXJuaW5nIG1lc3NhZ2Ugc2hvdWxkIGJlIHByZXNlbnRlZCB0byB0
aGUgcHJvdmlkZXIgb2YNCiAgICAgIHRoZSBVUkkuDQoNCg0KDQpQZWNoYW5l
YyAmIE1vZmZhdCAgICAgICAgIEV4cGlyZXMgSnVuZSAyMCwgMjAxNSAgICAg
ICAgICAgICAgICAgW1BhZ2UgOV0NCgwNCkludGVybmV0LURyYWZ0ICAgICAg
ICAgICBUaGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1i
ZXIgMjAxNA0KDQoNCiAgIG8gIGlmIGVpdGhlciBvZiB0aGUgbW9kdWxlIGF0
dHJpYnV0ZXMgaXMgcHJlc2VudCwgb25seSB0aG9zZSBtb2R1bGVzDQogICAg
ICBmb3VuZCBtYXRjaGluZyB0aGVzZSBxdWVyeSBhdHRyaWJ1dGVzIHNob3Vs
ZCBiZSB1c2VkIHRvIHNlYXJjaCBmb3INCiAgICAgIGFuIG9iamVjdCByZXBy
ZXNlbnRlZCBieSB0aGUgVVJJLg0KDQogICBvICB1c2Ugb2YgdGhlIG1vZHVs
ZSBhdHRyaWJ1dGVzIGRvZXMgbm90IHN1cHByZXNzIG1hdGNoaW5nIG9mIGFu
eQ0KICAgICAgb3RoZXIgVVJJIHBhdGggY29tcG9uZW50IGF0dHJpYnV0ZXMg
cHJlc2VudCBpbiBhIFVSSS4NCg0KICAgbyAgc2VtYW50aWNzIG9mIHVzaW5n
IGJvdGggYXR0cmlidXRlcyBpbiB0aGUgc2FtZSBVUkkgc3RyaW5nIGlzDQog
ICAgICBpbXBsZW1lbnRhdGlvbiBzcGVjaWZpYyBidXQgc3VjaCB1c2Ugc2hv
dWxkIGJlIGF2b2lkZWQuICBBdHRyaWJ1dGUNCiAgICAgICJtb2R1bGUtbmFt
ZSIgaXMgcHJlZmVycmVkIHRvICJtb2R1bGUtcGF0aCIgZHVlIHRvIGl0cyBz
eXN0ZW0NCiAgICAgIGluZGVwZW5kZW50IG5hdHVyZSBidXQgdGhlIGxhdHRl
ciBtYXkgYmUgbW9yZSBzdWl0YWJsZSBmb3INCiAgICAgIGRldmVsb3BtZW50
IGFuZCBkZWJ1Z2dpbmcuDQoNCiAgIG8gIGEgVVJJIG1heSBub3QgY29udGFp
biBtdWx0aXBsZSBtb2R1bGUgYXR0cmlidXRlcyBvZiB0aGUgc2FtZSBuYW1l

---559023410-752095483-1418885666=:14405--


From nobody Thu Dec 18 03:07:03 2014
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <1418900792.7577.5.camel@gnutls.org>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Jan Pechanec <jan.pechanec@oracle.com>
Date: Thu, 18 Dec 2014 13:06:32 +0200
In-Reply-To: <alpine.GSO.2.00.1412172154150.14405@rejewski>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.8 (3.12.8-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/VgMZJsHDUpaXqHpQ5Awk2LDSZXg
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

On Wed, 2014-12-17 at 22:54 -0800, Jan Pechanec wrote:

> +   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
> +   across PKCS#11 module initializations.  However, slot description and
> +   manufacturer ID may not be enough to uniquely identify a specific
> +   reader.  In situations where slot information is necessary use of
> +   "slot-id" attribute may be justified if sufficient slot ID stability
> +   is provided in the PKCS#11 provider itself or externaly.
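
Review bot: the closing sentence of the added paragraph allows "slot-id" when "sufficient slot ID stability is provided in the PKCS#11 provider itself or externaly", but nothing in the paragraph tells a URI consumer how to know that this holds or what to do when the ID no longer resolves to the intended reader. Consider stating the expected consumer behaviour in that case, or tying "slot-id" to attributes that identify the provider. The same line also misspells "externally".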

Hello Jan,
I'd like to propose the following text instead:
"Slot ID is a Cryptoki-assigned number that is not guaranteed stable
across PKCS#11 module initializations. However, there are certain
libraries and modules which provide stable slot numbers and
descriptions. For these cases, when the manufacturer ID is not
sufficient to uniquely identify a specific reader, the slot
information could be used to increase the precision of the token
identification. In other scenarios, using the slot identifiers is
likely to cause usability issues."

That text discusses both the benefits and the risks.

regards,
Nikos




From nobody Thu Dec 18 03:11:26 2014
Message-ID: <5492B642.9000501@cs.tcd.ie>
Date: Thu, 18 Dec 2014 11:10:58 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Jan Pechanec <jan.pechanec@oracle.com>,  Jaroslav Imrich <jaroslav.imrich@gmail.com>, Stef Walter <stef@thewalter.net>,  Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, Darren J Moffat <Darren.Moffat@oracle.com>,  Nico Williams <nico@cryptonector.com>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski>
In-Reply-To: <alpine.GSO.2.00.1412172154150.14405@rejewski>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/jFfvgCwEVAkxqzZZIPzIOQTD9Os
Cc: saag@ietf.org, ietf@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

Hi Jan,

On 18/12/14 06:54, Jan Pechanec wrote:
> 	I really appreciate time you already spent reviewing this ID 
> and I'm not happy to do such last minute changes.  I hope this last 
> one would be worth it.

No worries - that's what the IETF LC is for, and it's good
to see it doing its job esp. in this case, where it's not
a WG document.

Cheers,
S.


From nobody Thu Dec 18 08:11:05 2014
Date: Thu, 18 Dec 2014 10:10:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: Darren J Moffat <Darren.Moffat@Oracle.COM>
Message-ID: <20141218161054.GQ9443@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <5492B8E1.6010709@Oracle.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5492B8E1.6010709@Oracle.COM>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/adGg_wvFJI_nO2gnAyfdmxUH76I
Cc: Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <jan.pechanec@Oracle.COM>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call

On Thu, Dec 18, 2014 at 11:22:09AM +0000, Darren J Moffat wrote:
> On 12/18/14 00:15, Jan Pechanec wrote:
> >	for example, metaslot on Solaris is always 0 so slot-id=0
> >would be reliable there to use to access the soft token.  Jan.
> 
> It is the zeroth slot in the list of slots not a slotid with a value
> of 0 - the distinction is subtle.

But it still works to speak of the nth slot.  Perhaps the attribute
should be called 'slot', without the '-id', 'slot-list-offset' perhaps.

> I don't think we should have slot-id, it isn't stable and I know
> that some vendors use random values.

But there's still a list with a zeroth element.  The list could be
returned in different order every time, but that would just make this
attribute useless (and so unused) with such a provider, but not harmful.

Perhaps we should say that this attribute should always be used in
conjunction with the provider library attributes, to ensure that this
attribute has the desired semantics.  I.e., unless coupled to a library
that gives it semantics, this attribute has none.

Nico
-- 


From nobody Thu Dec 18 22:52:22 2014
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F1C21A914B; Thu, 18 Dec 2014 22:52:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_VVbelnTk9v; Thu, 18 Dec 2014 22:52:17 -0800 (PST)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB141A9132; Thu, 18 Dec 2014 22:52:17 -0800 (PST)
Received: by mail-wi0-f172.google.com with SMTP id n3so900634wiv.5; Thu, 18 Dec 2014 22:52:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=sender:message-id:subject:from:to:cc:date:in-reply-to:references :content-type:mime-version:content-transfer-encoding; bh=a7RJlp5jLyZT7/go9Acawv5BL1uS9ChmCfUt68nKdzk=; b=QAV2sp6ywyZVqdO/NK8zEbkGgZg3LUgNoX4coRu3vZw5yMg47m2I229HlEdHh4ZJ2O Fz54nFdIG5Yrl7ahITNt4DgZxc42jfENC5Lgb1NpYXpE4v9naQHY3eqNQauKPjreiLM/ CJPEqDOdnPdLLgKWpB/dWMbdSL60gJDGTV7e59Fc5gdFFS4vleanDUyoD5wZLaliILl5 mXEAkE/wsu5YHjUDtmzpVpP9+d9+Hnmt66eqspurbDe9lUsZIkTxmbYzhMZ5RRwvkUa7 1+k9O1vGjyb59NttCOM4Sa29iZqe+tcFkDVx2zOqxVUM32Se7jV1Fqyq/iU1Zn1YYmRx Lszw==
X-Received: by 10.194.6.164 with SMTP id c4mr11008379wja.77.1418971936260; Thu, 18 Dec 2014 22:52:16 -0800 (PST)
Received: from aspire.lan (178.128.236.150.dsl.dyn.forthnet.gr. [178.128.236.150]) by mx.google.com with ESMTPSA id ud1sm11589724wjc.7.2014.12.18.22.52.13 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 Dec 2014 22:52:14 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <1418971932.28712.2.camel@gnutls.org>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Darren J Moffat <Darren.Moffat@Oracle.COM>
Date: Fri, 19 Dec 2014 08:52:12 +0200
In-Reply-To: <5492B8E1.6010709@Oracle.COM>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <5492B8E1.6010709@Oracle.COM>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.8 (3.12.8-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/IIWLum607__8qnD7nTdz0pNT6BI
Cc: Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, saag@ietf.org, Jan Pechanec <jan.pechanec@Oracle.COM>, ietf@ietf.org
Subject: Re: [saag] slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 06:52:19 -0000

On Thu, 2014-12-18 at 11:22 +0000, Darren J Moffat wrote:
> 
> On 12/18/14 00:15, Jan Pechanec wrote:
> > On Wed, 17 Dec 2014, Nico Williams wrote:
> >
> >>> removable token and you cannot use slot-description, slot-manufacturer and
> >>> neither of token attributes? So the only option left is: pkcs11:slot-id=2
> >>> ???
> >>
> >> I think so.  This is really for Jan to answer.  Maybe the Solaris
> >> libpkcs11 should just ensure a meaningful (stable and distinct) slot
> >> label.  If that could be done then slot-id could be excluded here.
> >>
> >> Jan?
> >
> > 	for example, metaslot on Solaris is always 0 so slot-id=0
> > would be reliable there to use to access the soft token.  Jan.
> 
> It is the zeroth slot in the list of slots not a slotid with a value of 
> 0 - the distinction is subtle.
> I don't think we should have slot-id, it isn't stable and I know that 
> some vendors use random values.

Jan,
 Given that this was the main argument for adding slot-id, is there any
other reason for adding it? Aren't the description and manufacturer
sufficient for the applications which want to restrict to a specific
slot?

regards,
Nikos




From nobody Thu Dec 18 23:28:50 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBB911A1B3F; Thu, 18 Dec 2014 23:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Qmbenuk5H8t; Thu, 18 Dec 2014 23:28:45 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A94F81A03A4; Thu, 18 Dec 2014 23:28:45 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBJ7SYqu006337 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 19 Dec 2014 07:28:35 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBJ7SW39006875 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 19 Dec 2014 07:28:33 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBJ7SV3j017193; Fri, 19 Dec 2014 07:28:32 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 18 Dec 2014 23:28:31 -0800
Date: Thu, 18 Dec 2014 23:28:30 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In-Reply-To: <1418971932.28712.2.camel@gnutls.org>
Message-ID: <alpine.GSO.2.00.1412182314240.20181@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <5492B8E1.6010709@Oracle.COM> <1418971932.28712.2.camel@gnutls.org>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/lBdRNzMIMtJN9G00ljP3CttGTyk
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, saag@ietf.org, ietf@ietf.org
Subject: Re: [saag] slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 07:28:46 -0000

On Fri, 19 Dec 2014, Nikos Mavrogiannopoulos wrote:

>> > 	for example, metaslot on Solaris is always 0 so slot-id=0
>> > would be reliable there to use to access the soft token.  Jan.
>> 
>> It is the zeroth slot in the list of slots not a slotid with a value of 
>> 0 - the distinction is subtle.
>> I don't think we should have slot-id, it isn't stable and I know that 
>> some vendors use random values.
>
>Jan,
> Given that this was the main argument for adding slot-id, is there any
>other reason for adding it? Aren't the description and manufacturer
>sufficient for the applications which want to restrict to a specific
>slot?

	hi Nikos, I still think that its ID is 0 since I've been using 
it that way in C_GetMechanismInfo(0, ...).  However, my point is that 
some modules MAY provide stable IDs and since there is no serial
number as there is for a token, description/manufacturer may not be enough to
uniquely identify a slot.  That's why it could be useful in certain
situations.

	I somehow think that people would end up using it anyway and 
partly for that reason we added "pin-value" which was initially 
rejected, too.  If we define slot-id we avoid different parsers using
different names like "slot", "slotid", or "slot-id".  That's why I
think it might be better to include it with a proper note.

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
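
Added example, not part of any message in this thread: a C sketch of the two points argued above, that a slot ID is not an offset into the slot list, and that slot description plus manufacturer can match more than one reader while "slot-id" only disambiguates when the provider keeps IDs stable. The `struct slot` type, the two constructed slot lists and `match_slots()` are assumptions for illustration; no real PKCS#11 module is loaded.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one entry of a provider's slot list; a real
 * program fills this in from C_GetSlotList() and C_GetSlotInfo(). */
struct slot {
    unsigned long id;          /* plays the role of CK_SLOT_ID */
    const char *description;   /* slot description */
    const char *manufacturer;  /* slot manufacturer ID */
};

/* Hypothetical provider with two identical readers, listed in the same
 * physical order on two initializations but with different slot IDs. */
static const struct slot init_a[] = {
    { 7301, "Soft token", "ExampleSoft" },
    { 12,   "USB reader", "ExampleCorp" },
    { 58,   "USB reader", "ExampleCorp" },
};
static const struct slot init_b[] = {
    { 44, "Soft token", "ExampleSoft" },
    { 58, "USB reader", "ExampleCorp" },
    { 12, "USB reader", "ExampleCorp" },
};

/* Percent-decode src[0..len) into dst; -1 on malformed or oversized input. */
static int pct_decode(const char *src, size_t len, char *dst, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (len - i < 3 || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= cap) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* True when the attribute name p[0..nlen) equals the string literal. */
#define IS(name) (nlen == sizeof(name) - 1 && memcmp(p, name, nlen) == 0)

/* Count slots satisfying every slot-* attribute in the URI path (other
 * attributes are skipped); -1 if malformed. *first = first match's offset. */
int match_slots(const char *uri, const struct slot *slots, size_t n,
                size_t *first)
{
    char desc[65], manu[33], num[24], *e;
    int have_desc = 0, have_manu = 0, have_id = 0, count = 0;
    unsigned long want_id = 0;
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *p = uri + 7, *end = p + strcspn(p, "?"); /* path only */
    while (p < end) {
        size_t alen = strcspn(p, ";?");
        const char *eq = memchr(p, '=', alen);
        if (alen != 0) {
            if (eq == NULL) return -1;
            size_t nlen = (size_t)(eq - p), vlen = alen - nlen - 1;
            if (IS("slot-description")) {
                if (pct_decode(eq + 1, vlen, desc, sizeof desc)) return -1;
                have_desc = 1;
            } else if (IS("slot-manufacturer")) {
                if (pct_decode(eq + 1, vlen, manu, sizeof manu)) return -1;
                have_manu = 1;
            } else if (IS("slot-id")) {
                if (pct_decode(eq + 1, vlen, num, sizeof num)) return -1;
                want_id = strtoul(num, &e, 10);
                if (!isdigit((unsigned char)num[0]) || *e != '\0') return -1;
                have_id = 1;
            }
        }
        p += alen;
        if (p < end) p++; /* step over ';' */
    }
    for (size_t i = 0; i < n; i++) {
        if (have_desc && strcmp(desc, slots[i].description) != 0) continue;
        if (have_manu && strcmp(manu, slots[i].manufacturer) != 0) continue;
        if (have_id && slots[i].id != want_id) continue;
        if (count++ == 0 && first != NULL) *first = i;
    }
    return count;
}

int main(void)
{
    size_t a = 0, b = 0;
    match_slots("pkcs11:slot-id=58", init_a, 3, &a);
    match_slots("pkcs11:slot-id=58", init_b, 3, &b);
    printf("slot-id=58: list offset %zu, then %zu after re-init\n", a, b);
    return 0;
}
```

With these constructed lists, "slot-id=58" selects a different physical reader after re-initialization, and "slot-id=0" matches nothing even though the list has a zeroth entry.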


From nobody Fri Dec 19 11:03:12 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 675211A87BE; Fri, 19 Dec 2014 11:03:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level: 
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AUwtiw0LRRoJ; Fri, 19 Dec 2014 11:02:57 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 198AC1ACCE4; Fri, 19 Dec 2014 11:02:57 -0800 (PST)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBJJ2q7V007266 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 19 Dec 2014 19:02:53 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBJJ2pvC017218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 19 Dec 2014 19:02:51 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBJJ2oAA017161; Fri, 19 Dec 2014 19:02:50 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 19 Dec 2014 11:02:49 -0800
Date: Fri, 19 Dec 2014 11:02:48 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In-Reply-To: <1418900792.7577.5.camel@gnutls.org>
Message-ID: <alpine.GSO.2.00.1412191051540.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-25426126-1419015769=:4549"
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/3ypSUnnpp03SvJFanMnNhFurPWs
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 19:03:09 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-25426126-1419015769=:4549
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 18 Dec 2014, Nikos Mavrogiannopoulos wrote:

>On Wed, 2014-12-17 at 22:54 -0800, Jan Pechanec wrote:
>
>> +   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
>> +   across PKCS#11 module initializations.  However, slot description and
>> +   manufacturer ID may not be enough to uniquely identify a specific
>> +   reader.  In situations where slot information is necessary use of
>> +   "slot-id" attribute may be justified if sufficient slot ID stability
>> +   is provided in the PKCS#11 provider itself or externaly.
>
>Hello Jan,
>I'd like to propose the following text instead:
>"Slot ID is a Cryptoki-assigned number that is not guaranteed stable
>across PKCS#11 module initializations. However, there are certain
>libraries and modules which provide stable slot numbers and
>descriptions. For these cases, when the manufacturer ID is not
>sufficient to uniquely identify a specific reader, the slot
>information could be used to increase the precision of the token
>identification. In other scenarios, using the slot identifiers is
>likely to cause usability issues."
>
>That text discusses both the benefits and the risks.

	hi Nikos, thank you, I like that it is more explicit.  I made 
a minor modification since it could be implied that a slot description 
might have a different stability level than a slot manufacturer ID.

-   Slot ID is Cryptoki-assigned number that is not guaranteed stable
-   across PKCS#11 module initializations.  However, slot description and
-   manufacturer ID may not be enough to uniquely identify a specific
-   reader.  In situations where slot information is necessary use of
-   "slot-id" attribute may be justified if sufficient slot ID stability
-   is provided in the PKCS#11 provider itself or externaly.
+   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
+   across PKCS#11 module initializations.  However, there are certain
+   libraries and modules which provide stable slot identifiers.  For
+   these cases, when the slot description and manufacturer ID is not
+   sufficient to uniquely identify a specific reader, the slot ID could
+   be used to increase the precision of the token identification.  In
+   other scenarios, using slot IDs is likely to cause usability
+   issues.
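
Review bot: In the added lines, "when the slot description and manufacturer ID is not sufficient" has a compound subject and should read "are not sufficient". The new paragraph also says certain libraries and modules provide stable slot identifiers without telling a URI consumer how to know it is talking to one; a sentence recommending that "slot-id" be used only together with attributes that identify the provider library, as suggested earlier in this thread, would give the attribute defined semantics.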

	attached is draft-pechanec-pkcs11uri-17-v2.txt

	there will be more versions as I'm gonna address more comments
that came in during the last call.

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-25426126-1419015769=:4549
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=draft-pechanec-pkcs11uri-17-v2.txt
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412191102480.4549@keflavik>
Content-Description: 
Content-Disposition: attachment; filename=draft-pechanec-pkcs11uri-17-v2.txt
---559023410-25426126-1419015769=:4549--


From nobody Fri Dec 19 13:35:49 2014
Return-Path: <Darren.Moffat@Oracle.COM>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 733BE1A6F2E; Thu, 18 Dec 2014 03:22:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtmiRik6cUiS; Thu, 18 Dec 2014 03:22:19 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23C4A1A07BE; Thu, 18 Dec 2014 03:22:19 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBIBMDqo021501 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 18 Dec 2014 11:22:13 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBIBMC1w024115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 18 Dec 2014 11:22:12 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBIBMCTH024102; Thu, 18 Dec 2014 11:22:12 GMT
Received: from [10.163.198.80] (/10.163.198.80) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 18 Dec 2014 03:22:11 -0800
Message-ID: <5492B8E1.6010709@Oracle.COM>
Date: Thu, 18 Dec 2014 11:22:09 +0000
From: Darren J Moffat <Darren.Moffat@Oracle.COM>
Organization: Oracle Solaris Security
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20140924 Thunderbird/17.0.11
MIME-Version: 1.0
To: Jan Pechanec <jan.pechanec@Oracle.COM>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik>
In-Reply-To: <alpine.GSO.2.00.1412171614240.4549@keflavik>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/apU4cKdwPJuJLzTCQNdPzT7Fjyg
X-Mailman-Approved-At: Fri, 19 Dec 2014 13:35:46 -0800
Cc: Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 11:22:20 -0000

On 12/18/14 00:15, Jan Pechanec wrote:
> On Wed, 17 Dec 2014, Nico Williams wrote:
>
>>> removable token and you cannot use slot-description, slot-manufacturer and
>>> neither of token attributes? So the only option left is: pkcs11:slot-id=2
>>> ???
>>
>> I think so.  This is really for Jan to answer.  Maybe the Solaris
>> libpkcs11 should just ensure a meaningful (stable and distinct) slot
>> label.  If that could be done then slot-id could be excluded here.
>>
>> Jan?
>
> 	for example, metaslot on Solaris is always 0 so slot-id=0
> would be reliable there to use to access the soft token.  Jan.

It is the zeroth slot in the list of slots not a slotid with a value of 
0 - the distinction is subtle.

I don't think we should have slot-id, it isn't stable and I know that 
some vendors use random values.

-- 
Darren J Moffat


From nobody Fri Dec 19 13:35:51 2014
Return-Path: <Darren.Moffat@Oracle.COM>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D6AE1A6F2E; Thu, 18 Dec 2014 03:23:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1Vi_0tU8gGh; Thu, 18 Dec 2014 03:23:55 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D545B1A07BE; Thu, 18 Dec 2014 03:23:54 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBIBNnie023029 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 18 Dec 2014 11:23:50 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBIBNm3O029269 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 18 Dec 2014 11:23:49 GMT
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id sBIBNlbk005351; Thu, 18 Dec 2014 11:23:47 GMT
Received: from [10.163.198.80] (/10.163.198.80) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 18 Dec 2014 03:23:47 -0800
Message-ID: <5492B941.3030408@Oracle.COM>
Date: Thu, 18 Dec 2014 11:23:45 +0000
From: Darren J Moffat <Darren.Moffat@Oracle.COM>
Organization: Oracle Solaris Security
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20140924 Thunderbird/17.0.11
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org>
In-Reply-To: <1418900792.7577.5.camel@gnutls.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/2_8O20VXwZkZVuK9MLgK70GV3_o
X-Mailman-Approved-At: Fri, 19 Dec 2014 13:35:46 -0800
Cc: Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <jan.pechanec@Oracle.COM>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 11:23:56 -0000

On 12/18/14 11:06, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-12-17 at 22:54 -0800, Jan Pechanec wrote:
>
>> +   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
>> +   across PKCS#11 module initializations.  However, slot description and
>> +   manufacturer ID may not be enough to uniquely identify a specific
>> +   reader.  In situations where slot information is necessary use of
>> +   "slot-id" attribute may be justified if sufficient slot ID stability
>> +   is provided in the PKCS#11 provider itself or externaly.
>
> Hello Jan,
> I'd like to propose the following text instead:
> "Slot ID is a Cryptoki-assigned number that is not guaranteed stable
> across PKCS#11 module initializations. However, there are certain
> libraries and modules which provide stable slot numbers and
> descriptions. For these cases, when the manufacturer ID is not
> sufficient to uniquely identify a specific reader, the slot
> information could be used to increase the precision of the token
> identification. In other scenarios, using the slot identifiers is
> likely to cause usability issues."
>
> That text discusses both the benefits and the risks.

If the consensus is that slot-id stays then I think text exactly like 
you wrote is essential.

-- 
Darren J Moffat


From nobody Fri Dec 19 15:19:11 2014
Return-Path: <hbhotz@oxy.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51131A1BCB; Fri, 19 Dec 2014 15:19:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6Lmihpm9tNZ; Fri, 19 Dec 2014 15:19:08 -0800 (PST)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.201.169]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFBD71A8792; Fri, 19 Dec 2014 15:19:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 2BDABE0C6; Fri, 19 Dec 2014 18:19:05 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at mailout.easymail.ca
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (easymail-mailout.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUdJxC8k6FfL; Fri, 19 Dec 2014 18:19:04 -0500 (EST)
Received: from [192.168.3.129] (71-80-163-186.static.lsan.ca.charter.com [71.80.163.186]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 24C90E07B; Fri, 19 Dec 2014 18:19:01 -0500 (EST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <5492B941.3030408@Oracle.COM>
Date: Fri, 19 Dec 2014 15:19:00 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org> <5492B941.3030408@Oracle.COM>
To: Darren J Moffat <Darren.Moffat@Oracle.COM>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/VSurIN5bC1MAq5_hkfv3TRzrAxY
Cc: Stef Walter <stef@thewalter.net>, Jan Pechanec <jan.pechanec@Oracle.COM>, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 23:19:09 -0000

Does this ID, in fact, define an API which is sufficient to support
realistic, interoperable code across a significant range of libraries
and platforms? Is there a unique way to reference the authentication
credential on my guaranteed-unique government-issued smart card
regardless of which reader on which platform it’s plugged into?

Since I did not involve myself in the process, I do not know if those
goals were excluded for some legitimate reason, but the discussion
preceding makes it sound like they were not met.

Personal email.  hbhotz@oxy.edu




From nobody Fri Dec 19 16:05:28 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B61B1A90E5; Fri, 19 Dec 2014 16:05:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level: 
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRzANN6ERQN3; Fri, 19 Dec 2014 16:05:19 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 1CDB81A8A3B; Fri, 19 Dec 2014 16:05:01 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id D0BAE20047B83; Fri, 19 Dec 2014 16:05:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=wTjkOASKjyxqRW1QnCdTn+XRKhw=; b=IyfaC24Gs0P FUMN+Xu1bBZ1rYF81gGDOK95shnvNrXfLEGueEK677N+KOOCRFOdAbzYfJwMAltu NgmoOGfThx1r5HNc2PSUZxJyRE3DnLAORBbUUFTx26s0ifZIoLoH42/nmcMaI2xF aRUvEhHYL3okoWi6mwc9FYDhANUuL5M4=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPA id 4EBB920047B82; Fri, 19 Dec 2014 16:05:00 -0800 (PST)
Date: Fri, 19 Dec 2014 18:04:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
Message-ID: <20141220000456.GC12662@localhost>
References: <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org> <5492B941.3030408@Oracle.COM> <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/mmoUpJWvw7x0wvAGo0NR7U-04b8
Cc: Darren J Moffat <Darren.Moffat@Oracle.COM>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, Jan Pechanec <jan.pechanec@Oracle.COM>, saag@ietf.org
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 00:05:20 -0000

On Fri, Dec 19, 2014 at 03:19:00PM -0800, Henry B (Hank) Hotz, CISSP wrote:
> Does this ID, in fact, define an API which is sufficient to support
> realistic, interoperable code across a significant range of libraries
> and platforms? Is there a unique way to reference the authentication
> credential on my guaranteed-unique government-issued smart card
> regardless of which reader on which platform it’s plugged into?

Excellent questions.

As to the first: it's a rather abstract API.  I'm a bit concerned about
some of the semantics, that we might need to make matching a bit more
flexible.

IIRC there's a token that requires a login even to see public objects.
I might want to have a way to say "match public objects that don't
require login".

Or, I might want to provide slot/token attributes as hints, but not as
required attributes, that match preferentially but which are ignored if
not.

Abstract operations that I think should be described:

 - given a PKCS#11 URI, return a PKCS#11 provider (e.g., a handle
   returned by dlopen()/LoadLibrary*(), or a v-table, or whatever is
   appropriate in the caller's given programming language);

   This is described, actually.

 - given a PKCS#11 URI (and, optionally, a PKCS#11 provider) return a
   PKCS#11 provider and relevant PKCS#11 handles (token, session,
   object);

   This is also described.

 - given a PKCS#11 URI return a list of URIs for all matching tokens
   and/or objects;

   This is not described.

   E.g., given "pkcs11:" output a list of all {provider, slot},
   {provider, slot, token}, {provider, slot, token, public object} URIs
   for actual slots, tokens, public objects.

   E.g., given "pkcs11:" and a PKCS#11 session return all {provider,
   slot, token, object} URIs for actual objects reachable via that
   session.

 - given a PKCS#11 provider and handle of some sort, return a URI for
   it, with an option to include or exclude slot/token matching
   attributes.

   This is also not described, IIRC.

> Since I did not involve myself in the process, I do not know if those
> goals were excluded for some legitimate reason, but the discussion
> preceding makes it sound like they were not met.

They weren't.  And the I-D covers semantics in such a way that it
defines an abstract API, but perhaps it needs to be made more explicit.

Nico
--


From nobody Fri Dec 19 16:07:04 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A451A8A3B; Fri, 19 Dec 2014 16:07:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level: 
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id boNmQ0vH7iFB; Fri, 19 Dec 2014 16:07:01 -0800 (PST)
Received: from homiemail-a97.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id D50121A875B; Fri, 19 Dec 2014 16:07:01 -0800 (PST)
Received: from homiemail-a97.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTP id 39575286059; Fri, 19 Dec 2014 16:07:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=6eW3IbY9t0p7Ckju5mID LcaQz8k=; b=gE8v2ZfSCdbpkI5/ebw8ng91SWTuQaRsmkUApe02udoVYWqYlLSu VKtXUG2YCRasvVKKSI+PvgzKujuJzMNVMTkQqmxOd8UgscKXe0P5uK8JwEw08f8C AqYtQvEx9qCq2WKXgqpucVFXCP71PlXqPipcSuBQjmtmX5sQ5Y3kUQU=
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTPSA id 0ED62286057; Fri, 19 Dec 2014 16:07:01 -0800 (PST)
Received: by mail-wi0-f181.google.com with SMTP id r20so3312080wiv.14; Fri, 19 Dec 2014 16:07:00 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.180.74.108 with SMTP id s12mr10559087wiv.28.1419034020017; Fri, 19 Dec 2014 16:07:00 -0800 (PST)
Received: by 10.217.7.200 with HTTP; Fri, 19 Dec 2014 16:06:59 -0800 (PST)
In-Reply-To: <alpine.GSO.2.00.1412171513520.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik>
Date: Fri, 19 Dec 2014 18:06:59 -0600
Message-ID: <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/dU9x_NKWHDvMWdMrsBzxoaFVIlk
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, "ietf@ietf.org" <ietf@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 00:07:02 -0000

One thing I just noticed is that you allow Unicode.  You might want to
reference RFC3987 (IRIs), for, e.g., advice as to normalization.

Nico
--


From nobody Fri Dec 19 18:24:24 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495541A8871 for <saag@ietfa.amsl.com>; Fri, 19 Dec 2014 18:24:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2dJTIjNtx-Aa for <saag@ietfa.amsl.com>; Fri, 19 Dec 2014 18:24:19 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AD8D1A8F4A for <saag@ietf.org>; Fri, 19 Dec 2014 18:24:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 01015BF13 for <saag@ietf.org>; Sat, 20 Dec 2014 02:24:14 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECBK43Tym4sx for <saag@ietf.org>; Sat, 20 Dec 2014 02:24:13 +0000 (GMT)
Received: from [10.87.48.12] (unknown [86.42.21.41]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id DA318BEBF for <saag@ietf.org>; Sat, 20 Dec 2014 02:24:13 +0000 (GMT)
Message-ID: <5494DDCD.6030504@cs.tcd.ie>
Date: Sat, 20 Dec 2014 02:24:13 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/_iBX7Lr16ldMyzqYXWUHQe9Iij8
Subject: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 02:24:22 -0000

Hiya,

The IESG have recently been discussing how the IETF would
work better with or for open-source communities. As part of
that it'd be good to get some appreciation of which open
source activities folks consider important (and why). And
of course there are multiple directions here - e.g. where an
IETF activity has fed directly into an open-source activity
and the opposite where the IETF end up documenting something
already done by some open-source community.

As part of that analysis, an utterly reasonable question
was asked: yeah, but which open-source things are important
to IETF participants?

So, which bits of open-source do we in the security area
of the IETF consider important and why? And what could
we do better? (For any sensible definition of "we":-)

BTW, those are deliberately open questions - answer in any
way you like, (but pithily please:-) to the list or to
Kathleen and I off-list if need be. (If we see a bunch of
offlist answers, we'll summarise those back to the list.)

And since this is really information-gathering, there's
no need for us to disagree with one another on the list
(but I expect we won't resist that specific temptation, as
usual:-)

Thanks,
S.


From nobody Fri Dec 19 21:56:49 2014
Return-Path: <elopez@fortinet.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 323401A8872 for <saag@ietfa.amsl.com>; Fri, 19 Dec 2014 21:56:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level: 
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYZRn0nMCKJy for <saag@ietfa.amsl.com>; Fri, 19 Dec 2014 21:56:42 -0800 (PST)
Received: from smtp.fortinet.com (smtp.fortinet.com [208.91.113.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE5741A87A2 for <saag@ietf.org>; Fri, 19 Dec 2014 21:56:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=fortinet.com; s=20131225; c=relaxed/relaxed;  h=from:to:cc:subject:thread-topic:thread-index:date:message-id:references:in-reply-to:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:content-type:content-id:content-transfer-encoding:mime-version:x-feas-system-wl; bh=hObNswt00mDfP2AqX0kudFEaITPEv1YhtsK18KIlrl4=; b=sNKU8OVhJ0gc8vJZvLjdAncxVWGQPXOeE1PQHhxvPxSbNnOW4xpD5CQuJA928kuqPbjPxKM+RTaSBLbiodLhGY6wwcP2bqSauMnN1g3ffE+hpDC6azxn7TJ+a1E1LN29+4lV0i8XqIYByq7VGoa5he4ltloCJ6wm+2Khw2ZlZayoySfqi5qbX3QEaw/eimVXpHomR8DxqNZEkYgQydsoZ0nSqjYmZBSx0fxuE6zMwaLvIxyw4r0KF4BUNlcWCA/ZGarcsrJfij6uRlMYlkq5LFOSrZXoAT1xmc65qKhzB2AZXNkyWSnxCV2sjdzQ9SlKWN0JV6pRjYOrTH8HdE2iSg==
From: Edward Lopez <elopez@fortinet.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [saag] Important open-source activities...
Thread-Index: AQHQG/wVzl7zf3CaVU2QlBlWMMKbOpyYgX4A
Date: Sat, 20 Dec 2014 05:56:19 +0000
Message-ID: <25C765E3-3BDF-4C4B-AFD3-EA88AD20316A@fortinet.com>
References: <5494DDCD.6030504@cs.tcd.ie>
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="us-ascii"
Content-ID: <92F610A176161E4396D7B3F5010449E7@fortinet-us.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FEAS-SYSTEM-WL: 192.168.221.212
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/T7Lg1sj22E56c-l8_2mrlo6HLkM
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 05:56:47 -0000

Whenever I speak on network security, I always point out that my
principal axiom is that "security is not required to create
productivity".  Creating productivity is easy, we do it continuously
within the IETF.  Securing productivity is really hard.  In the end, we
end up relying on trust rather than security, and hope for the best.  At
the end of the day, we end up trusting implementations of our efforts.

A big part of the problem is that we in the IETF generally represent the
interests of the closed-source community, in many cases developing
protocols which represent a lowest common denominator of
interoperability, which the commercial interests that fund us work to
out compete each other within closed and costly implementations.

Now the open-source community is organizing, such as the case with Linux
Foundation projects and ONF, and is seeking open networking and
management solutions.  They've stepped beyond 'working consensus and
running code' to include implementation frameworks.

You asked for how we might correctly engage the open-source community.
Part of that discussion has to include why a rift is forming in the
first place.  IMHO, the IETF doesn't do a good job in evolving
implementation frameworks, and since the majority of security issues
evolve from implementation, we're not currently in a good position to
collaborate effectively.

Ed Lopez - Fortinet

> On Dec 19, 2014, at 6:24 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> The IESG have recently been discussing how the IETF would
> work better with or for open-source communities. As part of
> that it'd be good to get some appreciation of which open
> source activities folks consider important (and why). And
> of course there are multiple directions here - e.g. where an
> IETF activity has fed directly into an open-source activity
> and the opposite where the IETF end up documenting something
> already done by some open-source community.
> 
> As part of that analysis, an utterly reasonable question
> was asked: yeah, but which open-source things are important
> to IETF participants?
> 
> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)
> 
> BTW, those are deliberately open questions - answer in any
> way you like, (but pithily please:-) to the list or to
> Kathleen and I off-list if need be. (If we see a bunch of
> offlist answers, we'll summarise those back to the list.)
> 
> And since this is really information-gathering, there's
> no need for us to disagree with one another on the list
> (but I expect we won't resist that specific temptation, as
> usual:-)
> 
> Thanks,
> S.
> 



From nobody Fri Dec 19 23:30:34 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564191A1A59; Fri, 19 Dec 2014 23:30:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZe3JekpeFuw; Fri, 19 Dec 2014 23:30:31 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 168A11A004D; Fri, 19 Dec 2014 23:30:31 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBK7UP44019245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 20 Dec 2014 07:30:28 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBK7UNQn029218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 20 Dec 2014 07:30:24 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBK7UNtM021842; Sat, 20 Dec 2014 07:30:23 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 19 Dec 2014 23:30:23 -0800
Date: Fri, 19 Dec 2014 23:30:21 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20141220000456.GC12662@localhost>
Message-ID: <alpine.GSO.2.00.1412192326150.22104@keflavik>
References: <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org> <5492B941.3030408@Oracle.COM> <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu> <20141220000456.GC12662@localhost>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-1215378052-1419060623=:22104"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Y7518O3NV7SzLLCEIDHM4BuvRuU
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, ietf@ietf.org, saag@ietf.org, Stef Walter <stef@thewalter.net>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 07:30:32 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-1215378052-1419060623=:22104
Content-Type: TEXT/PLAIN; charset=utf-8
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Fri, 19 Dec 2014, Nico Williams wrote:

>On Fri, Dec 19, 2014 at 03:19:00PM -0800, Henry B (Hank) Hotz, CISSP wrote:
>> Does this ID, in fact, define an API which is sufficient to support
>> realistic, interoperable code across a significant range of libraries
>> and platforms? Is there a unique way to reference the authentication
>> credential on my guaranteed-unique government-issued smart card
>> regardless of which reader on which platform it’s plugged into?
>
>Excellent questions.
>
>As to the first: it's a rather abstract API.  I'm a bit concerned about
>some of the semantics, that we might need to make matching a bit more
>flexible.
>
>IIRC there's a token that requires a login even to see public objects.
>I might want to have a way to say "match public objects that don't
>require login".
>
>Or, I might want to provide slot/token attributes as hints, but not as
>required attributes, that match preferentially but which are ignored if
>not.
>
>Abstract operations that I think should be described:
>
> - given a PKCS#11 URI, return a PKCS#11 provider (e.g., a handle
>   returned by dlopen()/LoadLibrary*(), or a v-table, or whatever is
>   appropriate in the caller's given programming language);
>
>   This is described, actually.
>
> - given a PKCS#11 URI (and, optionally, a PKCS#11 provider) return a
>   PKCS#11 provider and relevant PKCS#11 handles (token, session,
>   object);
>
>   This is also described.
>
> - given a PKCS#11 URI return a list of URIs for all matching tokens
>   and/or objects;
>
>   This is not described.
>
>   E.g., given "pkcs11:" output a list of all {provider, slot},
>   {provider, slot, token}, {provider, slot, token, public object} URIs
>   for actual slots, tokens, public objects.
>
>   E.g., given "pkcs11:" and a PKCS#11 session return all {provider,
>   slot, token, object} URIs for actual objects reachable via that
>   session.
>
> - given a PKCS#11 provider and handle of some sort, return a URI for
>   it, with an option to include or exclude slot/token matching
>   attributes.
>
>   This is also not described, IIRC.

	so, as well as we have "PKCS#11 URI Matching Guidelines"
section, we might need "PKCS#11 URI Generation Guidelines" to discuss
these things about "reverse mapping".  I will take a look at it.

	J.

>> Since I did not involve myself in the process, I do not know if those
>> goals were excluded for some legitimate reason, but the discussion
>> preceding makes it sound like they were not met.
>
>They weren't.  And the I-D covers semantics in such a way that it
>defines an abstract API, but perhaps it needs to be made more explicit.
>
>Nico
>

--
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-1215378052-1419060623=:22104--
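
The two operations this exchange calls "not described" (listing URIs for everything that matches a PKCS#11 URI, and the "reverse mapping" from a slot, token or object back to a URI with slot attributes optionally left out) can be sketched as follows. This is an added example, not code from the draft or from any participant in the thread. The inventory is constructed sample data standing in for a real provider, the function names are hypothetical, and the attribute names (`slot-id`, `token`, `serial`, `object`, `type`, ...) are the ones in RFC 7512.

```python
from urllib.parse import quote, unquote

# Path attributes modelled in this sketch (names as in RFC 7512).
SLOT_ATTRS = ("slot-id", "slot-description", "slot-manufacturer")
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")
OBJECT_ATTRS = ("object", "type", "id")


def parse_uri(uri):
    """Split a pkcs11: URI into a dict of percent-decoded path attributes."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query part (PIN, module hints) is not matched on
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote(value)  # values are percent-encoded UTF-8
    return attrs


def format_uri(attrs):
    """Reverse mapping: serialize attributes back into a pkcs11: URI."""
    return "pkcs11:" + ";".join(
        f"{name}={quote(str(value), safe='')}" for name, value in attrs.items())


def _matches(want, have, names):
    # Every attribute the URI names in this group must be present and equal.
    return all(have.get(n) == want[n] for n in names if n in want)


def enumerate_uris(uri, inventory, logged_in=False, include_slot=True):
    """List URIs for every slot, token and visible object matching `uri`.

    include_slot=False leaves slot attributes out of the generated URIs, so
    they keep matching when the token is moved to a different reader.
    """
    want = parse_uri(uri)
    unknown = set(want) - set(SLOT_ATTRS + TOKEN_ATTRS + OBJECT_ATTRS)
    if unknown:  # refuse rather than silently ignore a constraint
        raise ValueError(f"attributes not modelled here: {sorted(unknown)}")
    slot_only = all(k in SLOT_ATTRS for k in want)
    no_object = all(k not in OBJECT_ATTRS for k in want)
    found = []
    for entry in inventory:
        slot, token = entry["slot"], entry["token"]
        if not _matches(want, slot, SLOT_ATTRS):
            continue
        if slot_only and include_slot:
            found.append(format_uri(slot))
        if token is None or not _matches(want, token, TOKEN_ATTRS):
            continue
        base = {**slot, **token} if include_slot else dict(token)
        if no_object:
            found.append(format_uri(base))
        for obj in entry["objects"]:
            if obj["private"] and not logged_in:
                continue  # private objects are only reachable after login
            if _matches(want, obj["attrs"], OBJECT_ATTRS):
                found.append(format_uri({**base, **obj["attrs"]}))
    return found


def make_inventory(card_slot):
    """Constructed sample: two readers, one smart card sitting in `card_slot`."""
    card = {
        "token": {"token": "PIV Card", "serial": "0001"},
        "objects": [
            {"attrs": {"object": "auth-cert", "type": "cert"}, "private": False},
            {"attrs": {"object": "auth-key", "type": "private"}, "private": True},
        ],
    }
    inventory = []
    for slot_id in ("0", "1"):
        entry = {"slot": {"slot-id": slot_id}, "token": None, "objects": []}
        if slot_id == card_slot:
            entry.update(card)
        inventory.append(entry)
    return inventory


if __name__ == "__main__":
    for line in enumerate_uris("pkcs11:", make_inventory("0")):
        print(line)
```

A URI generated with `include_slot=False` identifies the credential by token and object attributes only, which is the reader-independent reference asked about at the start of the thread; one generated with slot attributes stops matching once the card is in another reader.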


From nobody Sat Dec 20 06:14:33 2014
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E501A87CB for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 06:14:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dznV_jetcdU for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 06:14:30 -0800 (PST)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id BFFCD1A1AC6 for <saag@ietf.org>; Sat, 20 Dec 2014 06:14:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 41D2F2240935 for <saag@ietf.org>; Sat, 20 Dec 2014 15:13:57 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQobjcFMpEML for <saag@ietf.org>; Sat, 20 Dec 2014 15:13:54 +0100 (CET)
Received: from [192.168.20.49] (198-84-181-115.cpe.teksavvy.com [198.84.181.115]) by power.freeradius.org (Postfix) with ESMTPSA id 48EA12240143 for <saag@ietf.org>; Sat, 20 Dec 2014 15:13:53 +0100 (CET)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <25C765E3-3BDF-4C4B-AFD3-EA88AD20316A@fortinet.com>
Date: Sat, 20 Dec 2014 09:13:52 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <A93F79D1-D8F1-4AD6-8676-33A02C584CFA@deployingradius.com>
References: <5494DDCD.6030504@cs.tcd.ie> <25C765E3-3BDF-4C4B-AFD3-EA88AD20316A@fortinet.com>
To: "saag@ietf.org" <saag@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/wPt-ouX1Wd7J9i0AAZXe5urGRPE
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 14:14:32 -0000

On Dec 20, 2014, at 12:56 AM, Edward Lopez <elopez@fortinet.com> wrote:
> A big part of the problem is that we in the IETF generally represent
> the interests of the closed-source community, in many cases developing
> protocols which represent a lowest common denominator of
> interoperability, which the commercial interests that fund us work to
> out compete each other within closed and costly implementations.

  The IETF has involvement from a sub-set of the closed-source
community.   In my experience, many operational people need changes to
protocols, but they’re not involved in the IETF.  They may not have
time, of course.  But a larger reason seems to be that there’s no
organization interest in having them participate.  Their jobs are
limited to fighting fires, not researching new ways of preventing fires.

  That lack means that work in the IETF is often driven by research or
marketing goals.

> Now the open-source community is organizing, such as the case with
> Linux Foundation projects and ONF, and is seeking open networking and
> management solutions.  They've stepped beyond 'working consensus and
> running code' to include implementation frameworks.

  Those communities are largely funded by commercial interests.
Companies have discovered that they need open source, but they can’t
afford to own the people / technology involved.  Instead of paying
license fees and support to commercial organizations, they fund open
source projects.  This is all about risk mitigation for the purchaser.
If they want to stop paying for open source, they just stop.  In
contrast, when they license software from a commercial entity, they’re
held hostage.  The seller can (nearly) arbitrarily raise prices, end of
life products, etc.

> You asked for how we might correctly engage the open-source community.
> Part of that discussion has to include why a rift is forming in the
> first place.  IMHO, the IETF doesn't do a good job in evolving
> implementation frameworks, and since the majority of security issues
> evolve from implementation, we're not currently in a good position to
> collaborate effectively.

  Engaging the open source community means funding people.  They can be
funded to write implementations, be given existing implements, or funded
to participate in the IETF.  Without funding, your only choice is to
wait for someone to make the technology his hobby.  You may be waiting a
long time.

  I’m not sure any rift has “formed” between the IETF and the open
source community.  I’m not sure there were ever any coordinated efforts
between the two.  What I have seen is that protocols often get pushed to
add features for marketing reasons.  In contrast, the push from open
source participants tends to be for simplicity, ease of
implementation, etc.  Because they have a limited budget, and they want
to get things done.

  That being said, I’ve been running an open source project for 15+
years.  My opinions are naturally positive towards my own experiences.

  And I’m involved in the IETF out of personal interest.  I’m self
funded, but I think it would be a good idea to investigate how to get
more open source people involved in the IETF.

  Alan DeKok.


From nobody Sat Dec 20 07:54:21 2014
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 228FA1A8970 for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 07:54:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nblshL9YkiBF for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 07:54:19 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FD4C1A8952 for <saag@ietf.org>; Sat, 20 Dec 2014 07:54:19 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 2AB63283049; Sat, 20 Dec 2014 15:54:18 +0000 (UTC)
Date: Sat, 20 Dec 2014 15:54:18 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20141220155417.GO24649@mournblade.imrryr.org>
References: <5494DDCD.6030504@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/FoOgdGq8OZ-PjDqG9RCZmMkNcSk
Subject: Re: [saag] Important open-source activities...
Reply-To: saag@ietf.org
X-List-Received-Date: Sat, 20 Dec 2014 15:54:21 -0000

On Sat, Dec 20, 2014 at 02:24:13AM +0000, Stephen Farrell wrote:

> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)

Security protocols with at least one reasonably solid and flexibly
licensed open source implementation include:

    * SSH
    * Kerberos V5 and GSSAPI
    * DNSSEC
    * SASL

Note however, that BIND 10 seems to have run out of steam and could
use support!  MIT has managed to build a consortium for funding
ongoing Kerberos development, Heimdal is on the other hand currently
cycle starved.

I don't know how Cyrus SASL development is supported.

The MIT model works when there is strong corporate user interest,
and the project gets funding from large enterprise users their
enterprise vendors that would not otherwise be able to market the
toolkit (nobody buys Kerberos, they buy systems in which it is
simply there).

The Kerberos situation is of a somewhat general nature.  Foundational
security software rarely makes a useful product, and only thrives
when open source development gets broad support from vendors who
bundle it and perhaps larger users who depend on it.

Things are much less pretty in the TLS space, but OpenSSL is now
getting some funding to attempt to dig itself out of its miserable
state.  It'll be interesting to see how this model evolves.

If DTLS is important, it is far from obvious.  Where are the working
implementations?

In the DANE space there are many "toy" implementations, and it is
not always easy for users to distinguish these from trustworthy
code.  There is at present little vendor interest, deployment is
for now far too limited.

Much security at the network layer was for a time driven by projects
like NetBSD.  Is Linux picking up enough of the slack now that it
is soaking up most of the mind-share and the vast majority of the
corporate backing?

So it looks like "the computer industry" is not always well positioned
to deliver those technologies that are core building blocks, but
don't provide a clear competitive advantage.  How to avoid starving
implementations of core security protocols remains an open problem
I think.

-- 
	Viktor.


From nobody Sat Dec 20 11:25:29 2014
Return-Path: <noloader@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75461A8A1A for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 11:25:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwMzgQ8o0jb2 for <saag@ietfa.amsl.com>; Sat, 20 Dec 2014 11:25:25 -0800 (PST)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C0AF1A89E1 for <saag@ietf.org>; Sat, 20 Dec 2014 11:25:25 -0800 (PST)
Received: by mail-ig0-f182.google.com with SMTP id hn15so2280906igb.3 for <saag@ietf.org>; Sat, 20 Dec 2014 11:25:24 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.50.29.107 with SMTP id j11mr9178358igh.32.1419103524054; Sat, 20 Dec 2014 11:25:24 -0800 (PST)
Received: by 10.107.134.170 with HTTP; Sat, 20 Dec 2014 11:25:23 -0800 (PST)
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
References: <5494DDCD.6030504@cs.tcd.ie>
Date: Sat, 20 Dec 2014 14:25:23 -0500
Message-ID: <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Jh8MdZjNZKmGMcSMbI-Sgqvsej4
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
Reply-To: noloader@gmail.com
X-List-Received-Date: Sat, 20 Dec 2014 19:25:28 -0000

Hi Stephen,

Sorry to go offlist even after you said something about it. This is
related to your questions below, and not an answer to them.

It would also be helpful to know who the adversaries are, and what
threats they pose. So security goals and threat models should be
standard fare.

I'm still befuddled at the position taken on interception in standards
like TLS and Public Key Pinning. I don't understand how an active
attacker is not considered a threat (or maybe, more correctly, only a
part-time threat).

When the next Google Summer of Code (GSoC) arrives, I'm going to
suggest the IETF get a few interns and document and produce a document
on security goals and a threat model. I understand high caliber folks
like you, Sean Turner, EKR, etc are busy - hence the reason to make
interns available to you. So don't look at it as an insult when it
happens.

Jeff

On Fri, Dec 19, 2014 at 9:24 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
> Hiya,
>
> The IESG have recently been discussing how the IETF would
> work better with or for open-source communities. As part of
> that it'd be good to get some appreciation of which open
> source activities folks consider important (and why). And
> of course there are multiple directions here - e.g. where an
> IETF activity has fed directly into an open-source activity
> and the opposite where the IETF end up documenting something
> already done by some open-source community.
>
> As part of that analysis, an utterly reasonable question
> was asked: yeah, but which open-source things are important
> to IETF participants?
>
> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)
>
> BTW, those are deliberately open questions - answer in any
> way you like, (but pithily please:-) to the list or to
> Kathleen and I off-list if need be. (If we see a bunch of
> offlist answers, we'll summarise those back to the list.)
>
> And since this is really information-gathering, there's
> no need for us to disagree with one another on the list
> (but I expect we won't resist that specific temptation, as
> usual:-)
>
> Thanks,
> S.
>


From nobody Sun Dec 21 08:25:31 2014
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9DCA1A1B6D for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 08:25:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P9IyNCaeAfUR for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 08:25:28 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03FE91A1B85 for <saag@ietf.org>; Sun, 21 Dec 2014 08:25:27 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id DA1CA6D81E; Sun, 21 Dec 2014 11:25:25 -0500 (EST)
Message-ID: <5496F473.9030108@iang.org>
Date: Sun, 21 Dec 2014 16:25:23 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: noloader@gmail.com, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <5494DDCD.6030504@cs.tcd.ie> <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com>
In-Reply-To: <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/qJyWv5ZWmy_pp9ZTelP4F4N6xWQ
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-List-Received-Date: Sun, 21 Dec 2014 16:25:29 -0000

On 20/12/2014 19:25 pm, Jeffrey Walton wrote:
> Hi Stephen,
>
> Sorry to go offlist even after you said something about it.


(I'm not sure you're offlist, but nothing shocking to me in your comments.)

> This is
> related to your questions below, and not an answer to them.
>
> It would also be helpful to know who the adversaries are, and what
> threats they pose. So security goals and threat models should be
> standard fare.
>
> I'm still befuddled at the position taken on interception in standards
> like TLS and Public Key Pinning. I don't understand how an active
> attacker is not considered a threat (or maybe, more correctly, only a
> part-time threat).
>
> When the next Google Summer of Code (GSoC) arrives, I'm going to
> suggest the IETF get a few interns and document and produce a document
> on security goals and a threat model. I understand high caliber folks
> like you, Sean Turner, EKR, etc are busy - hence the reason to make
> interns available to you. So don't look at it as an insult when it
> happens.


It's interesting to propose that IETF get into threat modelling.

But I am cautious.  I guess I'm infamously on record for opposing such a 
thing, at least in one instance [0].  This relates to the SSL protocol 
assuming a thing called the "Internet Threat Model [1]" which was 
suggested to be some form of standard.  I argue it was not only not 
standard, it was the opposite of reality in terms of the threats we face 
or faced at the time.

Although, arguably, we could say that with the advent of the NSA attacks 
on core router nodes (passively collecting everything) and the upsurge 
in ISP datamining, SSL and ITM have finally come of age...

Also, if the IETF wanted to get into that area, isn't it just a matter
of starting a WG and preparing an RFC?

iang

[0] http://iang.org/ssl/wytm.html
[1] http://www.iang.org/ssl/rescorla_1.html


> Jeff
>
> On Fri, Dec 19, 2014 at 9:24 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:


From nobody Sun Dec 21 10:08:12 2014
Return-Path: <randy@psg.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0FD91A1E0B for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 10:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level: 
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wE2w0GyasH-H for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 10:08:09 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [198.180.150.18]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C60741A1DE2 for <saag@ietf.org>; Sun, 21 Dec 2014 10:08:09 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.82) (envelope-from <randy@psg.com>) id 1Y2kvI-00034R-IS; Sun, 21 Dec 2014 18:08:08 +0000
Date: Sun, 21 Dec 2014 13:08:08 -0500
Message-ID: <m2wq5klvuf.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: ianG <iang@iang.org>
In-Reply-To: <5496F473.9030108@iang.org>
References: <5494DDCD.6030504@cs.tcd.ie> <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com> <5496F473.9030108@iang.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Akx30EFgEdfau6voyw8U8xoB9jw
Cc: saag <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-List-Received-Date: Sun, 21 Dec 2014 18:08:11 -0000

> It's interesting to propose that IETF get into threat modelling.

rfc 7132 for example

randy


From nobody Sun Dec 21 11:10:47 2014
Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 572E31A6FEE for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 11:10:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JUe5iwslphjh for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 11:10:39 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 999991A1BDB for <saag@ietf.org>; Sun, 21 Dec 2014 11:10:39 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 2297B20098 for <saag@ietf.org>; Sun, 21 Dec 2014 14:15:02 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 59EA7637FE; Sun, 21 Dec 2014 14:10:38 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 47ACD63745 for <saag@ietf.org>; Sun, 21 Dec 2014 14:10:38 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "saag\@ietf.org" <saag@ietf.org>
In-Reply-To: <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com>
References: <5494DDCD.6030504@cs.tcd.ie> <CAH8yC8kWJ-ONPrAiA4vXOCJbpk_oMvSoB2RO-1T-5GfjbGwxDg@mail.gmail.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Sun, 21 Dec 2014 14:10:38 -0500
Message-ID: <25116.1419189038@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/RO3R69oDOQlThFRnQ8xmVaB8Q-0
Subject: Re: [saag] Important open-source activities...
X-List-Received-Date: Sun, 21 Dec 2014 19:10:46 -0000

--=-=-=


Jeffrey Walton <noloader@gmail.com> wrote:
    > It would also be helpful to know who the adversaries are, and what
    > threats they pose. So security goals and threat models should be
    > standard fare.

    > I'm still befuddled at the position taken on interception in standards
    > like TLS and Public Key Pinning. I don't understand how an active
    > attacker is not considered a threat (or maybe, more correctly, only a
    > part-time threat).

It's a threat, but active attackers can kill all communication if they want.
It's not that it's not a problem, it is that we can only deal with so many
problems at the same time, and attempts to authenticate all end points tend
to look like attempts to boil the ocean. Further, if done in naive ways, it
can completely lock down innovation, and/or provide governments with even
MORE ways to oppress citizens.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [





--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=
Content-Type: application/pgp-signature

--=-=-=--


From nobody Sun Dec 21 11:27:21 2014
Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB1D1A700B for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 11:27:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSZ6VpJdk2Cr for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 11:27:17 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B64D01A7002 for <saag@ietf.org>; Sun, 21 Dec 2014 11:27:17 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C1F4B20098 for <saag@ietf.org>; Sun, 21 Dec 2014 14:31:40 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id CE4FC637FE; Sun, 21 Dec 2014 14:27:16 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id B07EE63745 for <saag@ietf.org>; Sun, 21 Dec 2014 14:27:16 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "saag\@ietf.org" <saag@ietf.org>
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
References: <5494DDCD.6030504@cs.tcd.ie>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Sun, 21 Dec 2014 14:27:16 -0500
Message-ID: <28418.1419190036@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/-SV4MfsW2N0Q85P-ExSi3eOuegc
Subject: Re: [saag] Important open-source activities...
X-List-Received-Date: Sun, 21 Dec 2014 19:27:19 -0000

--=-=-=


Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
    > The IESG have recently been discussing how the IETF would
    > work better with or for open-source communities. As part of
    > that it'd be good to get some appreciation of which open
    > source activities folks consider important (and why). And
    > of course there are multiple directions here - e.g. where an
    > IETF activity has fed directly into an open-source activity
    > and the opposite where the IETF end up documenting something
    > already done by some open-source community.

I've read the thread. Alan's response is astute, but I don't think it answers
your question.

    > As part of that analysis, an utterly reasonable question
    > was asked: yeah, but which open-source things are important
    > to IETF participants?

I don't really understand this question.
What's an IETF participant?

The problem is that both "IETF participant" and "open source contributor" are
self-selected groups of people.   Open source works best when the people
involved have an internally driven need to do something ("scratch an itch").
They are then not driven by market or consulting revenue needs.

IETF participation works best when the participants need to cooperate with
others to get something done;  either one entity can control a bit of both
ends, or some business interaction naturally involves both ends.
(Microsoft IIS/IE in the early days of "XMLHttpRequest" and Adobe Flash
are good historic examples of what happens when entities fail to engage in
either standards or open source)

So I think that the community around HTTP: apache/nginx/rails/django/etc,
plus the chrome/firefox/android/libcurl is now a really place.

The tragedy of openssl is mostly one of tragedy of the commons: no place I've
worked on SSL things has ever been willing to do other than "take" from that
space.  (We could have some discussions about how BSD vs GPL licenses may
contribute to this neglect)

webrtc would, I think, have been impossible without the ability of
experimenters to hack on both sides of the fence, and then bring their
results to the IETF.

    > So, which bits of open-source do we in the security area
    > of the IETF consider important and why? And what could
    > we do better? (For any sensible definition of "we":-)

We collectively continue to regularly neglect IPsec.

It's been relegated to site to site, and yet, it is easily applied
conceptually to many application to application scenarios, but there is no
"libipsec", so most are afraid to specify it.
We have significant chicken and egg situations with a number of security
protocols.

If I had my druthers, there would be a golden egg to fund three or four open
source implementations of everything that went through the security area.
And not just "research" projects either.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=
Content-Type: application/pgp-signature

--=-=-=--


From nobody Sun Dec 21 12:42:09 2014
Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE7D71A87C3 for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 12:42:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oZ39-veiylB for <saag@ietfa.amsl.com>; Sun, 21 Dec 2014 12:42:06 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B9241A87C1 for <saag@ietf.org>; Sun, 21 Dec 2014 12:42:06 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 45AA02002A for <saag@ietf.org>; Sun, 21 Dec 2014 15:46:29 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 3FCDC637FE; Sun, 21 Dec 2014 15:42:05 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 26E9863745 for <saag@ietf.org>; Sun, 21 Dec 2014 15:42:05 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: "saag\@ietf.org" <saag@ietf.org>
In-Reply-To: <28418.1419190036@sandelman.ca>
References: <5494DDCD.6030504@cs.tcd.ie> <28418.1419190036@sandelman.ca>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Sun, 21 Dec 2014 15:42:05 -0500
Message-ID: <22182.1419194525@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/zIZ1_i49Iw42NeTH0oduTmzHRt0
Subject: Re: [saag] Important open-source activities...
X-List-Received-Date: Sun, 21 Dec 2014 20:42:07 -0000

--=-=-=


Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    > So I think that the community around HTTP: apache/nginx/rails/django/etc,
    > plus the chrome/firefox/android/libcurl is now a really place.

s/now a really place/is now in a REALLY GOOD place/


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=
Content-Type: application/pgp-signature

--=-=-=--


From nobody Sun Dec 21 21:44:27 2014
Date: Sun, 21 Dec 2014 21:43:50 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Message-ID: <alpine.GSO.2.00.1412212127530.24005@keflavik>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-490998763-1419226216=:24005"
Content-ID: <alpine.GSO.2.00.1412212131280.24005@keflavik>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/edjVyC8Pzo3LYm_KoS17fh8UD9I
Cc: Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, saag@ietf.org, ietf@ietf.org
Subject: [saag] Last Call: <draft-pechanec-pkcs11uri-16.txt> (The PKCS#11 URI Scheme) to Proposed Standard: "x-" attribute use


---559023410-490998763-1419226216=:24005
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-15
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.GSO.2.00.1412212131281.24005@keflavik>


	hi Björn, thank you for your feedback on the PKCS#11 URI
Scheme draft.  The upcoming draft 17, attached, addresses your
comment:

>One thing I noticed is that it uses "x-" prefixed vendor extensions;
>given BCP 178 there should probably be a rationale included in the
>document (the first draft predates the BCP by some years, so perhaps
>this is just documenting existing usage).

	the relevant changes are (please note that the diff covers other
unrelated changes as well):

@@ -188,11 +193,12 @@
                          pk11-model / pk11-lib-manuf /
                          pk11-lib-ver / pk11-lib-desc /
                          pk11-object / pk11-type / pk11-id /
-                         pk11-x-pattr
+                         pk11-slot-desc / pk11-slot-manuf /
+                         pk11-slot-id / pk11-v-pattr
   ; Query component and its attributes.  Query may be empty.
   pk11-qattr           =3D pk11-pin-source / pk11-pin-value /
                          pk11-module-name / pk11-module-path /
-                         pk11-x-qattr
+                         pk11-v-qattr
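
Review bot: With pk11-v-pattr and pk11-v-qattr now sitting in the same alternations as the defined attributes and carrying no distinguishing prefix, the three names added in this same hunk (pk11-slot-desc, pk11-slot-manuf, pk11-slot-id) illustrate the compatibility risk: any attribute name defined after a vendor has started using it becomes a clash. Suggest the document say how attribute names defined later are coordinated with vendor names already in use, or state explicitly that no such coordination is planned and that vendors carry the risk.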

@@ -216,34 +222,41 @@
<...>
-  pk11-x-pattr         =3D "x-" 1*pk11-x-attr-nm-char "=3D" *pk11-pchar
-  pk11-x-qattr         =3D "x-" 1*pk11-x-attr-nm-char "=3D" *pk11-qchar
+  pk11-v-pattr         =3D 1*pk11-v-attr-nm-char "=3D" *pk11-pchar
+  pk11-v-qattr         =3D 1*pk11-v-attr-nm-char "=3D" *pk11-qchar

    The URI path component contains attributes that identify a resource
    in a one level hierarchy provided by Cryptoki producers.  The query
    component can contain a few attributes that may be needed to retrieve
-   the resource identified by the URI path.  Both path and query
-   components may contain vendor specific attributes.  Such attribute
-   names must start with an "x-" prefix.  Attributes in the path
+   the resource identified by the URI path.  Attributes in the path
    component are delimited by ';' character, attributes in the query
    component use '&' as a delimiter.

+   Both path and query components may contain vendor specific
+   attributes.  Such attribute names MUST NOT clash with existing
+   attribute names.  Note that in accordance with [BCP178], previously
+   used convention of starting vendor attributes with an "x-" prefix is
+   now depricated.
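
Review bot: In the paragraph added at the end of this hunk, "MUST NOT clash with existing attribute names" is the only thing separating vendor attributes from defined ones now that pk11-v-pattr and pk11-v-qattr have dropped the "x-" literal, and the ABNF no longer expresses that separation. Depending on pk11-v-attr-nm-char, whose definition is elided here by "<...>", a defined name with a value that its own rule would reject could still satisfy the vendor rule, so a grammar-only validator would accept it. Suggest stating whether "existing" means the names defined in this document or also names defined later, and what a consumer is expected to do with an attribute name it does not recognize. Separately, "depricated" in the last added line should read "deprecated".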

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-490998763-1419226216=:24005
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=draft-pechanec-pkcs11uri-17-v3.txt
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412212143500.24005@keflavik>
Content-Description: 
Content-Disposition: attachment; filename=draft-pechanec-pkcs11uri-17-v3.txt

ZW50IHRvIHVuaXF1ZWx5IGlkZW50aWZ5IGEgc3BlY2lmaWMgcmVhZGVyLCB0
aGUgc2xvdCBJRCBNQVkgYmUNCiAgIHVzZWQgdG8gaW5jcmVhc2UgdGhlIHBy
ZWNpc2lvbiBvZiB0aGUgdG9rZW4gaWRlbnRpZmljYXRpb24uICBJbiBvdGhl
cg0KICAgc2NlbmFyaW9zLCB1c2luZyB0aGUgc2xvdCBJRHMgaXMgbGlrZWx5
IHRvIGNhdXNlIHVzYWJpbGl0eSBpc3N1ZXMuDQoNCiAgIEFuIGVtcHR5IFBL
Q1MjMTEgVVJJIHBhdGggYXR0cmlidXRlIHRoYXQgZG9lcyBhbGxvdyBmb3Ig
YW4gZW1wdHkNCiAgIHZhbHVlIG1hdGNoZXMgYSBjb3JyZXNwb25kaW5nIHN0
cnVjdHVyZSBtZW1iZXIgb3IgYW4gb2JqZWN0IGF0dHJpYnV0ZQ0KICAgd2l0
aCBhbiBlbXB0eSB2YWx1ZS4gIE5vdGUgdGhhdCBhY2NvcmRpbmcgdG8gdGhl
IFBLQ1MjMTENCiAgIHNwZWNpZmljYXRpb24gW3BrY3MxMV9zcGVjXSwgZW1w
dHkgY2hhcmFjdGVyIHZhbHVlcyBpbiBhIFBLQ1MjMTEgQVBJDQogICBwcm9k
dWNlciBtdXN0IGJlIHBhZGRlZCB3aXRoIHNwYWNlcyBhbmQgc2hvdWxkIG5v
dCBiZSBOVUxMDQogICB0ZXJtaW5hdGVkLg0KDQozLjQuICBQS0NTIzExIFVS
SSBTY2hlbWUgUXVlcnkgQXR0cmlidXRlIFNlbWFudGljcw0KDQogICBBbiBh
cHBsaWNhdGlvbiBNQVkgYWx3YXlzIGFzayBmb3IgYSBQSU4gYnkgYW55IG1l
YW5zIGl0IGRlY2lkZXMgdG8uDQogICBXaGF0IGlzIG1vcmUsIGluIG9yZGVy
IG5vdCB0byBsaW1pdCBQS0NTIzExIFVSSSBwb3J0YWJpbGl0eSB0aGUgInBp
bi0NCiAgIHNvdXJjZSIgYXR0cmlidXRlIHZhbHVlIGZvcm1hdCBhbmQgaW50
ZXJwcmV0YXRpb24gaXMgbGVmdCB0byBiZQ0KDQoNCg0KUGVjaGFuZWMgJiBN
b2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bmUgMjQsIDIwMTUgICAgICAgICAg
ICAgICAgIFtQYWdlIDhdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAg
VGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVyIDIw
MTQNCg0KDQogICBpbXBsZW1lbnRhdGlvbiBzcGVjaWZpYy4gIEhvd2V2ZXIs
IHRoZSBmb2xsb3dpbmcgcnVsZXMgU0hPVUxEIGJlDQogICBmb2xsb3dlZCBp
biBkZXNjZW5kaW5nIG9yZGVyIGZvciB0aGUgdmFsdWUgb2YgdGhlICJwaW4t
c291cmNlIg0KICAgYXR0cmlidXRlOg0KDQogICBvICBpZiB0aGUgdmFsdWUg
cmVwcmVzZW50cyBhIGxvY2FsIGFic29sdXRlIHBhdGggdGhlIGltcGxlbWVu
dGF0aW9uDQogICAgICBTSE9VTEQgdXNlIGl0IGFzIGEgUElOIGZpbGUgY29u
dGFpbmluZyB0aGUgUElOIHZhbHVlDQoNCiAgIG8gIGlmIHRoZSB2YWx1ZSBj
b250YWlucyAifDxhYnNvbHV0ZS1jb21tYW5kLXBhdGg+IiB0aGUNCiAgICAg
IGltcGxlbWVudGF0aW9uIFNIT1VMRCByZWFkIHRoZSBQSU4gZnJvbSB0aGUg
b3V0cHV0IG9mIGFuDQogICAgICBhcHBsaWNhdGlvbiBzcGVjaWZpZWQgd2l0
aCBhYnNvbHV0ZSBwYXRoICI8YWJzb2x1dGUtY29tbWFuZC0NCiAgICAgIHBh
dGg+Ii4gIE5vdGUgdGhhdCBjaGFyYWN0ZXIgInwiIHJlcHJlc2VudGluZyBh
IHBpcGUgZG9lcyBub3QgaGF2ZQ0KICAgICAgdG8gYmUgcGVyY2VudCBlbmNv
ZGVkIGluIHRoZSBxdWVyeSBjb21wb25lbnQgb2YgdGhlIFBLQ1MjMTEgVVJJ
Lg0KDQogICBvICBpZiB0aGUgdmFsdWUgcmVwcmVzZW50cyBhIFVSSSBpdCBT
SE9VTEQgYmUgdHJlYXRlZCBhcyBhbiBvYmplY3QNCiAgICAgIGNvbnRhaW5p
bmcgdGhlIFBJTi4gIFN1Y2ggYSBVUkkgbWF5IGJlICJmaWxlOiIsICJodHRw
czoiLCBhbm90aGVyDQogICAgICBQS0NTIzExIFVSSSwgb3Igc29tZXRoaW5n
IGVsc2UuDQoNCiAgIG8gIGludGVycHJldCB0aGUgdmFsdWUgYXMgbmVlZGVk
IGluIGFuIGltcGxlbWVudGF0aW9uIGRlcGVuZGVudCB3YXkNCg0KICAgSWYg
YSBVUkkgY29udGFpbnMgYm90aCAicGluLXNvdXJjZSIgYW5kICJwaW4tdmFs
dWUiIHF1ZXJ5IGF0dHJpYnV0ZXMNCiAgIHRoZSBVUkkgU0hPVUxEIGJlIHJl
ZnVzZWQgYXMgaW52YWxpZC4NCg0KICAgVXNlIG9mIHRoZSAicGluLXZhbHVl
IiBhdHRyaWJ1dGUgbWF5IGhhdmUgc2VjdXJpdHkgcmVsYXRlZA0KICAgY29u
c2VxdWVuY2VzLiAgU2VjdGlvbiA2IHNob3VsZCBiZSBjb25zdWx0ZWQgYmVm
b3JlIHRoaXMgYXR0cmlidXRlIGlzDQogICBldmVyIHVzZWQuICBTdGFuZGFy
ZCBwZXJjZW50IGVuY29kaW5nIHJ1bGVzIFNIT1VMRCBiZSBmb2xsb3dlZCBm
b3INCiAgIHRoZSBhdHRyaWJ1dGUgdmFsdWUuDQoNCiAgIEEgY29uc3VtZXIg
b2YgUEtDUyMxMSBVUklzIE1BWSBtb2RpZnkgZGVmYXVsdCBzZXR0aW5ncyBm
b3IgYWNjZXNzaW5nDQogICBhIFBLQ1MjMTEgcHJvdmlkZXIgb3IgcHJvdmlk
ZXJzIGJ5IGFjY2VwdGluZyBxdWVyeSBjb21wb25lbnQNCiAgIGF0dHJpYnV0
ZXMgIm1vZHVsZS1uYW1lIiBhbmQgIm1vZHVsZS1wYXRoIi4iDQoNCiAgIFBy
b2Nlc3NpbmcgdGhlIFVSSSBxdWVyeSBtb2R1bGUgYXR0cmlidXRlcyBTSE9V
TEQgZm9sbG93IHRoZXNlIHJ1bGVzOg0KDQogICBvICBhdHRyaWJ1dGUgIm1v
ZHVsZS1uYW1lIiBTSE9VTEQgY29udGFpbiBhIGNhc2UtaW5zZW5zaXRpdmUg
UEtDUyMxMQ0KICAgICAgbW9kdWxlIG5hbWUgKG5vdCBwYXRoIG5vciBmaWxl
bmFtZSkgd2l0aG91dCBzeXN0ZW0gc3BlY2lmaWMNCiAgICAgIGFmZml4ZXMu
ICBTdWNoIGFmZml4IGNvdWxkIGJlIGFuICIuc28iIG9yICIuRExMIiBzdWZm
aXgsIG9yIGENCiAgICAgICJsaWIiIHByZWZpeCwgZm9yIGV4YW1wbGUuICBO
b3QgdXNpbmcgc3lzdGVtIHNwZWNpZmljIGFmZml4ZXMgaXMNCiAgICAgIGV4
cGVjdGVkIHRvIGluY3JlYXNlIHBvcnRhYmlsaXR5IG9mIFBLQ1MjMTEgVVJJ
cyBhbW9uZyBkaWZmZXJlbnQNCiAgICAgIHN5c3RlbXMuICBBIFVSSSBjb25z
dW1lciBzZWFyY2hpbmcgZm9yIFBLQ1MjMTEgbW9kdWxlcyBTSE9VTEQgdXNl
DQogICAgICBhIHN5c3RlbSBvciBhcHBsaWNhdGlvbiBzcGVjaWZpYyBsb2Nh
dGlvbnMgdG8gZmluZCBtb2R1bGVzIGJhc2VkDQogICAgICBvbiB0aGUgbmFt
ZSBwcm92aWRlZCBpbiB0aGUgYXR0cmlidXRlLg0KDQogICBvICBhdHRyaWJ1
dGUgIm1vZHVsZS1wYXRoIiBTSE9VTEQgY29udGFpbiBhIHN5c3RlbSBzcGVj
aWZpYyBhYnNvbHV0ZQ0KICAgICAgcGF0aCB0byB0aGUgUEtDUyMxMSBtb2R1
bGUsIG9yIGEgc3lzdGVtIHNwZWNpZmljIGFic29sdXRlIHBhdGggdG8NCiAg
ICAgIHRoZSBkaXJlY3Rvcnkgb2Ygd2hlcmUgUEtDUyMxMSBtb2R1bGVzIGFy
ZSBsb2NhdGVkLiAgRm9yIHNlY3VyaXR5DQogICAgICByZWFzb25zLCBhIFVS
SSB3aXRoIGEgcmVsYXRpdmUgcGF0aCBpbiB0aGlzIGF0dHJpYnV0ZSBTSE9V
TEQgYmUNCiAgICAgIHJlamVjdGVkLg0KDQoNCg0KDQpQZWNoYW5lYyAmIE1v
ZmZhdCAgICAgICAgIEV4cGlyZXMgSnVuZSAyNCwgMjAxNSAgICAgICAgICAg
ICAgICAgW1BhZ2UgOV0NCgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBU
aGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAx
NA0KDQoNCiAgIG8gIHRoZSBVUkkgY29uc3VtZXIgTUFZIHJlZnVzZSB0byBh
Y2NlcHQgZWl0aGVyIG9mIHRoZSBhdHRyaWJ1dGVzLCBvcg0KICAgICAgYm90
aC4gIElmIHVzZSBvZiBhbiBhdHRyaWJ1dGUgcHJlc2VudCBpbiB0aGUgVVJJ
IHN0cmluZyBpcyBub3QNCiAgICAgIGFjY2VwdGVkIGEgd2FybmluZyBtZXNz
YWdlIFNIT1VMRCBiZSBwcmVzZW50ZWQgdG8gdGhlIHByb3ZpZGVyIG9mDQog
ICAgICB0aGUgVVJJLg0KDQogICBvICBpZiBlaXRoZXIgb2YgdGhlIG1vZHVs
ZSBhdHRyaWJ1dGVzIGlzIHByZXNlbnQsIG9ubHkgdGhvc2UgbW9kdWxlcw0K
ICAgICAgZm91bmQgbWF0Y2hpbmcgdGhlc2UgcXVlcnkgYXR0cmlidXRlcyBT
SE9VTEQgYmUgdXNlZCB0byBzZWFyY2ggZm9yDQogICAgICBhbiBlbnRpdHkg
cmVwcmVzZW50ZWQgYnkgdGhlIFVSSS4NCg0KICAgbyAgdXNlIG9mIHRoZSBt
b2R1bGUgYXR0cmlidXRlcyBkb2VzIG5vdCBzdXBwcmVzcyBtYXRjaGluZyBv
ZiBhbnkNCiAgICAgIG90aGVyIFVSSSBwYXRoIGNvbXBvbmVudCBhdHRyaWJ1
dGVzIHByZXNlbnQgaW4gYSBVUkkuDQoNCiAgIG8gIHNlbWFudGljcyBvZiB1
c2luZyBib3RoIGF0dHJpYnV0ZXMgaW4gdGhlIHNhbWUgVVJJIHN0cmluZyBp
cw0KICAgICAgaW1wbGVtZW50YXRpb24gc3BlY2lmaWMgYnV0IHN1Y2ggdXNl
IFNIT1VMRCBiZSBhdm9pZGVkLiAgQXR0cmlidXRlDQogICAgICAibW9kdWxl
LW5hbWUiIGlzIHByZWZlcnJlZCB0byAibW9kdWxlLXBhdGgiIGR1ZSB0byBp
dHMgc3lzdGVtDQogICAgICBpbmRlcGVuZGVudCBuYXR1cmUgYnV0IHRoZSBs
YXR0ZXIgbWF5IGJlIG1vcmUgc3VpdGFibGUgZm9yDQogICAgICBkZXZlbG9w
bWVudCBhbmQgZGVidWdnaW5nLg0KDQogICBvICBhIFVSSSBNVVNUIE5PVCBj
b250YWluIG11bHRpcGxlIG1vZHVsZSBhdHRyaWJ1dGVzIG9mIHRoZSBzYW1l
DQogICAgICBuYW1lLg0KDQogICBVc2Ugb2YgdGhlIG1vZHVsZSBhdHRyaWJ1
dGVzIG1heSBoYXZlIHNlY3VyaXR5IHJlbGF0ZWQgY29uc2VxdWVuY2VzLg0K
ICAgU2VjdGlvbiA2IHNob3VsZCBiZSBjb25zdWx0ZWQgYmVmb3JlIHRoZXNl
IGF0dHJpYnV0ZXMgYXJlIGV2ZXIgdXNlZC4NCg0KICAgQSB3b3JkICJtb2R1
bGUiIHdhcyBjaG9zZW4gb3ZlciB3b3JkICJsaWJyYXJ5IiBpbiB0aGVzZSBx
dWVyeQ0KICAgYXR0cmlidXRlIG5hbWVzIHRvIGF2b2lkIGNvbmZ1c2lvbiB3
aXRoIHNlbWFudGljYWxseSBkaWZmZXJlbnQNCiAgIGxpYnJhcnkgYXR0cmli
dXRlcyB1c2VkIGluIHRoZSBVUkkgcGF0aCBjb21wb25lbnQuDQoNCjMuNS4g
IFBLQ1MjMTEgVVJJIE1hdGNoaW5nIEd1aWRlbGluZXMNCg0KICAgVGhlIFBL
Q1MjMTEgVVJJIGNhbiBpZGVudGlmeSBQS0NTIzExIHN0b3JhZ2Ugb2JqZWN0
cywgdG9rZW5zLCBzbG90cywNCiAgIG9yIENyeXB0b2tpIGxpYnJhcmllcy4g
IE5vdGUgdGhhdCBzaW5jZSBhIFVSSSBtYXkgaWRlbnRpZnkgZm91cg0KICAg
ZGlmZmVyZW50IHR5cGVzIG9mIGVudGl0aWVzIHRoZSBjb250ZXh0IHdpdGhp
biB3aGljaCB0aGUgVVJJIGlzIHVzZWQNCiAgIG1heSBiZSBuZWVkZWQgdG8g
ZGV0ZXJtaW5lIHRoZSB0eXBlLiAgRm9yIGV4YW1wbGUsIGEgVVJJIHdpdGgg
b25seQ0KICAgbGlicmFyeSBhdHRyaWJ1dGVzIG1heSBlaXRoZXIgcmVwcmVz
ZW50IGFsbCBvYmplY3RzIGluIGFsbCB0b2tlbnMgaW4NCiAgIGFsbCBDcnlw
dG9raSBsaWJyYXJpZXMgaWRlbnRpZmllZCBieSB0aGUgVVJJLCBhbGwgdG9r
ZW5zIGluIHRob3NlDQogICBsaWJyYXJpZXMsIG9yIGp1c3QgdGhlIGxpYnJh
cmllcy4NCg0KICAgVGhlIGZvbGxvd2luZyBndWlkZWxpbmVzIGNhbiBoZWxw
IGEgUEtDUyMxMSBVUkkgY29uc3VtZXIgKGVnLiBhbg0KICAgYXBwbGljYXRp
b24gYWNjZXB0aW5nIFBLQ1MjMTEgVVJJcykgdG8gbWF0Y2ggdGhlIFVSSSB3
aXRoIHRoZSBkZXNpcmVkDQogICByZXNvdXJjZS4NCg0KICAgbyAgdGhlIGNv
bnN1bWVyIE1VU1Qga25vdyB3aGV0aGVyIHRoZSBVUkkgaXMgdG8gaWRlbnRp
ZnkgUEtDUyMxMQ0KICAgICAgc3RvcmFnZSBvYmplY3QocyksIHRva2VuKHMp
LCBzbG90KHMpLCBvciBDcnlwdG9raSBwcm9kdWNlcihzKS4NCg0KICAgbyAg
aWYgdGhlIGNvbnN1bWVyIGlzIHdpbGxpbmcgdG8gYWNjZXB0IHF1ZXJ5IGNv
bXBvbmVudCBtb2R1bGUNCiAgICAgIGF0dHJpYnV0ZXMgb25seSB0aG9zZSBQ
S0NTIzExIHByb3ZpZGVycyBtYXRjaGluZyB0aGVzZSBhdHRyaWJ1dGVzDQog
ICAgICBTSE9VTEQgYmUgd29ya2VkIHdpdGguICBTZWUgU2VjdGlvbiAzLjQg
Zm9yIG1vcmUgaW5mb3JtYXRpb24uDQoNCg0KDQpQZWNoYW5lYyAmIE1vZmZh
dCAgICAgICAgIEV4cGlyZXMgSnVuZSAyNCwgMjAxNSAgICAgICAgICAgICAg
ICBbUGFnZSAxMF0NCgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBUaGUg
UEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAxNA0K
DQoNCiAgIG8gIGFuIHVucmVjb2duaXplZCBhdHRyaWJ1dGUgaW4gdGhlIFVS
SSBwYXRoIGNvbXBvbmVudCwgaW5jbHVkaW5nIGENCiAgICAgIHZlbmRvciBz
cGVjaWZpYyBhdHRyaWJ1dGUsIFNIT1VMRCByZXN1bHQgaW4gYW4gZW1wdHkg
c2V0IG9mDQogICAgICBtYXRjaGVkIHJlc291cmNlcy4gIFRoZSBjb25zdW1l
ciBTSE9VTEQgY29uc2lkZXIgd2hldGhlciBhbiBlcnJvcg0KICAgICAgbWVz
c2FnZSBwcmVzZW50ZWQgdG8gdGhlIHVzZXIgaXMgYXBwcm9wcmlhdGUgaW4g
c3VjaCBhIGNhc2UuDQoNCiAgIG8gIGFuIHVucmVjb2duaXplZCBhdHRyaWJ1
dGUgaW4gdGhlIFVSSSBxdWVyeSBTSE9VTEQgYmUgaWdub3JlZC4gIFRoZQ0K
ICAgICAgY29uc3VtZXIgU0hPVUxEIGNvbnNpZGVyIHdoZXRoZXIgYSB3YXJu
aW5nIG1lc3NhZ2UgcHJlc2VudGVkIHRvDQogICAgICB0aGUgdXNlciBpcyBh
cHByb3ByaWF0ZSBpbiBzdWNoIGEgY2FzZS4NCg0KICAgbyAgYW4gYXR0cmli
dXRlIG5vdCBwcmVzZW50IGluIHRoZSBVUkkgcGF0aCBidXQga25vd24gdG8g
YSBjb25zdW1lcg0KICAgICAgbWF0Y2hlcyBldmVyeXRoaW5nLiAgRWFjaCBh
ZGRpdGlvbmFsIGF0dHJpYnV0ZSBwcmVzZW50IGluIHRoZSBVUkkNCiAgICAg
IHBhdGggZnVydGhlciByZXN0cmljdHMgdGhlIHNlbGVjdGlvbi4NCg0KICAg
byAgYSBsb2dpY2FsIGV4dGVuc2lvbiBvZiB0aGUgYWJvdmUgaXMgdGhhdCBh
biBlbXB0eSBVUkkgcGF0aCBtYXRjaGVzDQogICAgICBldmVyeXRoaW5nLiAg
Rm9yIGV4YW1wbGUsIGlmIHVzZWQgdG8gaWRlbnRpZnkgc3RvcmFnZSBvYmpl
Y3RzIGl0DQogICAgICBtYXRjaGVzIGFsbCBhY2Nlc3NpYmxlIG9iamVjdHMg
aW4gYWxsIHRva2VucyBwcm92aWRlZCBieSBhbGwNCiAgICAgIFBLQ1MjMTEg
QVBJIHByb2R1Y2VycyBmb3VuZCBpbiB0aGUgc3lzdGVtLg0KDQogICBvICBu
b3RlIHRoYXQgdXNlIG9mIFBJTiBhdHRyaWJ1dGVzIG1heSBjaGFuZ2UgdGhl
IHNldCBvZiBzdG9yYWdlDQogICAgICBvYmplY3RzIHZpc2libGUgdG8gdGhl
IGNvbnN1bWVyLg0KDQogICBvICBpbiBhZGRpdGlvbiB0byBxdWVyeSBjb21w
b25lbnQgYXR0cmlidXRlcyBkZWZpbmVkIGluIHRoaXMNCiAgICAgIGRvY3Vt
ZW50LCB2ZW5kb3Igc3BlY2lmaWMgcXVlcnkgYXR0cmlidXRlcyBtYXkgY29u
dGFpbiBmdXJ0aGVyDQogICAgICBpbmZvcm1hdGlvbiBhYm91dCBob3cgdG8g
cGVyZm9ybSB0aGUgc2VsZWN0aW9uIG9yIG90aGVyIHJlbGF0ZWQNCiAgICAg
IGluZm9ybWF0aW9uLg0KDQozLjYuICBQS0NTIzExIFVSSSBDb21wYXJpc29u
DQoNCiAgIENvbXBhcmlzb24gb2YgdHdvIFVSSXMgaXMgYSB3YXkgb2YgZGV0
ZXJtaW5pbmcgd2hldGhlciB0aGUgVVJJcyBhcmUNCiAgIGVxdWl2YWxlbnQg
d2l0aG91dCBjb21wYXJpbmcgdGhlIGFjdHVhbCByZXNvdXJjZSB0aGUgVVJJ
cyBwb2ludCB0by4NCiAgIFRoZSBjb21wYXJpc29uIG9mIFVSSXMgYWltcyB0
byBtaW5pbWl6ZSBmYWxzZSBuZWdhdGl2ZXMgd2hpbGUNCiAgIHN0cmljdGx5
IGF2b2lkaW5nIGZhbHNlIHBvc2l0aXZlcy4NCg0KICAgVHdvIFBLQ1MjMTEg
VVJJcyBhcmUgc2FpZCB0byBiZSBlcXVhbCBpZiBVUklzIGFzIGNoYXJhY3Rl
ciBzdHJpbmdzDQogICBhcmUgaWRlbnRpY2FsIGFzIHNwZWNpZmllZCBpbiBT
ZWN0aW9uIDYuMi4xIG9mIFtSRkMzOTg2XSwgb3IgaWYgYm90aA0KICAgZm9s
bG93aW5nIHJ1bGVzIGFyZSBmdWxmaWxsZWQ6DQoNCiAgIG8gIHNldCBvZiBh
dHRyaWJ1dGVzIHByZXNlbnQgaW4gdGhlIFVSSSBpcyBlcXVhbC4gIE5vdGUg
dGhhdCB0aGUNCiAgICAgIG9yZGVyaW5nIG9mIGF0dHJpYnV0ZXMgaW4gdGhl
IFVSSSBzdHJpbmcgaXMgbm90IHNpZ25pZmljYW50IGZvcg0KICAgICAgdGhl
IG1lY2hhbmlzbSBvZiBjb21wYXJpc29uLg0KDQogICBvICB2YWx1ZXMgb2Yg
cmVzcGVjdGl2ZSBhdHRyaWJ1dGVzIGFyZSBlcXVhbCBiYXNlZCBvbiBydWxl
cyBzcGVjaWZpZWQNCiAgICAgIGJlbG93DQoNCiAgIFRoZSBydWxlcyBmb3Ig
Y29tcGFyaW5nIHZhbHVlcyBvZiByZXNwZWN0aXZlIGF0dHJpYnV0ZXMgYXJl
Og0KDQogICBvICB2YWx1ZXMgb2YgcGF0aCBjb21wb25lbnQgYXR0cmlidXRl
cyAibGlicmFyeS1kZXNjcmlwdGlvbiIsDQogICAgICAibGlicmFyeS1tYW51
ZmFjdHVyZXIiLCAibWFudWZhY3R1cmVyIiwgIm1vZGVsIiwgIm9iamVjdCIs
DQoNCg0KDQpQZWNoYW5lYyAmIE1vZmZhdCAgICAgICAgIEV4cGlyZXMgSnVu
ZSAyNCwgMjAxNSAgICAgICAgICAgICAgICBbUGFnZSAxMV0NCgwNCkludGVy
bmV0LURyYWZ0ICAgICAgICAgICBUaGUgUEtDUyMxMSBVUkkgU2NoZW1lICAg
ICAgICAgICAgRGVjZW1iZXIgMjAxNA0KDQoNCiAgICAgICJzZXJpYWwiLCAi
c2xvdC1kZXNjcmlwdGlvbiIsICJzbG90LW1hbnVmYWN0dXJlciIsICJ0b2tl
biIsDQogICAgICAidHlwZSIsIGFuZCBxdWVyeSBjb21wb25lbnQgYXR0cmli
dXRlICJtb2R1bGUtbmFtZSIgTVVTVCBiZQ0KICAgICAgY29tcGFyZWQgdXNp
bmcgYSBzaW1wbGUgc3RyaW5nIGNvbXBhcmlzb24gYXMgc3BlY2lmaWVkIGlu
DQogICAgICBTZWN0aW9uIDYuMi4xIG9mIFtSRkMzOTg2XSBhZnRlciB0aGUg
Y2FzZSBhbmQgdGhlIHBlcmNlbnQtZW5jb2RpbmcNCiAgICAgIG5vcm1hbGl6
YXRpb24gYXJlIGJvdGggYXBwbGllZCBhcyBzcGVjaWZpZWQgaW4gU2VjdGlv
biA2LjIuMiBvZg0KICAgICAgW1JGQzM5ODZdLg0KDQogICBvICB2YWx1ZSBv
ZiBhdHRyaWJ1dGUgImlkIiBNVVNUIGJlIGNvbXBhcmVkIHVzaW5nIHRoZSBz
aW1wbGUgc3RyaW5nDQogICAgICBjb21wYXJpc29uIGFmdGVyIGFsbCBieXRl
cyBhcmUgcGVyY2VudC1lbmNvZGVkIHVzaW5nIHVwcGVyY2FzZQ0KICAgICAg
bGV0dGVycyBmb3IgZGlnaXRzIEEtRi4NCg0KICAgbyAgdmFsdWUgb2YgYXR0
cmlidXRlICJsaWJyYXJ5LXZlcnNpb24iIE1VU1QgYmUgcHJvY2Vzc2VkIGFz
IGENCiAgICAgIHNwZWNpZmljIHNjaGVtZS1iYXNlZCBub3JtYWxpemF0aW9u
IHBlcm1pdHRlZCBieSBTZWN0aW9uIDYuMi4zIG9mDQogICAgICBbUkZDMzk4
Nl0uICBUaGUgdmFsdWUgTVVTVCBiZSBzcGxpdCBpbnRvIGEgbWFqb3IgYW5k
IG1pbm9yIHZlcnNpb24NCiAgICAgIHdpdGggY2hhcmFjdGVyICcuJyAoZG90
KSBzZXJ2aW5nIGFzIGEgZGVsaW1pdGVyLiAgTGlicmFyeSB2ZXJzaW9uDQog
ICAgICAiTSIgTVVTVCBiZSB0cmVhdGVkIGFzICJNIiBmb3IgdGhlIG1ham9y
IHZlcnNpb24gYW5kICIwIiBmb3IgdGhlDQogICAgICBtaW5vciB2ZXJzaW9u
LiAgUmVzdWx0aW5nIG1pbm9yIGFuZCBtYWpvciB2ZXJzaW9uIG51bWJlcnMg
TVVTVCBiZQ0KICAgICAgdGhlbiBzZXBhcmF0ZWx5IGNvbXBhcmVkIG51bWVy
aWNhbGx5Lg0KDQogICBvICB2YWx1ZSBvZiBhdHRyaWJ1dGUgInNsb3QtaWQi
IE1VU1QgYmUgcHJvY2Vzc2VkIGFzIGEgc3BlY2lmaWMNCiAgICAgIHNjaGVt
ZS1iYXNlZCBub3JtYWxpemF0aW9uIHBlcm1pdHRlZCBieSBTZWN0aW9uIDYu
Mi4zIG9mIFtSRkMzOTg2XQ0KICAgICAgYW5kIGNvbXBhcmVkIG51bWVyaWNh
bGx5Lg0KDQogICBvICB2YWx1ZSBvZiAicGluLXNvdXJjZSIsIGlmIGRlZW1l
ZCBjb250YWluaW5nIHRoZSBmaWxlbmFtZSB3aXRoIHRoZQ0KICAgICAgUElO
IHZhbHVlLCBNVVNUIGJlIGNvbXBhcmVkIHVzaW5nIHRoZSBzaW1wbGUgc3Ry
aW5nIGNvbXBhcmlzb24NCiAgICAgIGFmdGVyIHRoZSBmdWxsIHN5bnRheCBi
YXNlZCBub3JtYWxpemF0aW9uIGFzIHNwZWNpZmllZCBpbg0KICAgICAgU2Vj
dGlvbiA2LjIuMiBvZiBbUkZDMzk4Nl0gaXMgYXBwbGllZC4gIElmIHZhbHVl
IG9mIHRoZSAicGluLQ0KICAgICAgc291cmNlIiBhdHRyaWJ1dGUgaXMgYmVs
aWV2ZWQgdG8gYmUgb3ZlcmxvYWRlZCB0aGUgY2FzZSBhbmQNCiAgICAgIHBl
cmNlbnQtZW5jb2Rpbmcgbm9ybWFsaXphdGlvbiBTSE9VTEQgYmUgYXBwbGll
ZCBiZWZvcmUgdGhlIHZhbHVlcw0KICAgICAgYXJlIGNvbXBhcmVkIGJ1dCB0
aGUgZXhhY3QgbWVjaGFuaXNtIG9mIGNvbXBhcmlzb24gaXMgbGVmdCB0byB0
aGUNCiAgICAgIGFwcGxpY2F0aW9uLg0KDQogICBvICB2YWx1ZSBvZiBhdHRy
aWJ1dGUgIm1vZHVsZS1wYXRoIiBNVVNUIGJlIGNvbXBhcmVkIHVzaW5nIHRo
ZSBzaW1wbGUNCiAgICAgIHN0cmluZyBjb21wYXJpc29uIGFmdGVyIHRoZSBm
dWxsIHN5bnRheCBiYXNlZCBub3JtYWxpemF0aW9uIGFzDQogICAgICBzcGVj
aWZpZWQgaW4gU2VjdGlvbiA2LjIuMiBvZiBbUkZDMzk4Nl0gaXMgYXBwbGll
ZC4NCg0KICAgbyAgd2hlbiBjb21wYXJpbmcgdmVuZG9yIHNwZWNpZmljIGF0
dHJpYnV0ZXMgdGhlIGNhc2UgYW5kIHBlcmNlbnQtDQogICAgICBlbmNvZGlu
ZyBub3JtYWxpemF0aW9uIFNIT1VMRCBiZSBhcHBsaWVkIGJlZm9yZSB0aGUg
dmFsdWVzIGFyZQ0KICAgICAgY29tcGFyZWQgYnV0IHRoZSBleGFjdCBtZWNo
YW5pc20gb2Ygc3VjaCBhIGNvbXBhcmlzb24gaXMgbGVmdCB0bw0KICAgICAg
dGhlIGFwcGxpY2F0aW9uLg0KDQo0LiAgRXhhbXBsZXMgb2YgUEtDUyMxMSBV
UklzDQoNCiAgIFRoaXMgc2VjdGlvbiBjb250YWlucyBzb21lIGV4YW1wbGVz
IG9mIGhvdyBQS0NTIzExIHRva2VuIG9iamVjdHMsDQogICB0b2tlbnMsIHNs
b3RzLCBhbmQgbGlicmFyaWVzIGNhbiBiZSBpZGVudGlmaWVkIHVzaW5nIHRo
ZSBQS0NTIzExIFVSSQ0KICAgc2NoZW1lLiAgTm90ZSB0aGF0IGluIHNvbWUg
b2YgdGhlIGZvbGxvd2luZyBleGFtcGxlcywgbmV3bGluZXMgYW5kDQogICBz
cGFjZXMgd2VyZSBpbnNlcnRlZCBmb3IgYmV0dGVyIHJlYWRhYmlsaXR5LiAg
QXMgc3BlY2lmaWVkIGluDQogICBBcHBlbmRpeCBDIG9mIFtSRkMzOTg2XSwg
d2hpdGVzcGFjZSBTSE9VTEQgYmUgaWdub3JlZCB3aGVuIGV4dHJhY3RpbmcN
Cg0KDQoNClBlY2hhbmVjICYgTW9mZmF0ICAgICAgICAgRXhwaXJlcyBKdW5l
IDI0LCAyMDE1ICAgICAgICAgICAgICAgIFtQYWdlIDEyXQ0KDA0KSW50ZXJu
ZXQtRHJhZnQgICAgICAgICAgIFRoZSBQS0NTIzExIFVSSSBTY2hlbWUgICAg
ICAgICAgICBEZWNlbWJlciAyMDE0DQoNCg0KICAgdGhlIFVSSS4gIEFsc28g
bm90ZSB0aGF0IGFsbCBzcGFjZXMgYXMgcGFydCBvZiB0aGUgVVJJIGFyZSBw
ZXJjZW50LQ0KICAgZW5jb2RlZCwgYXMgc3BlY2lmaWVkIGluIEFwcGVuZGl4
IEEgb2YgW1JGQzM5ODZdLg0KDQogICBBbiBlbXB0eSBQS0NTIzExIFVSSSBt
aWdodCBiZSB1c2VmdWwgdG8gUEtDUyMxMSBjb25zdW1lcnMuICBTZWUNCiAg
IFNlY3Rpb24gMy41IGZvciBtb3JlIGluZm9ybWF0aW9uIG9uIHNlbWFudGlj
cyBvZiBzdWNoIGEgVVJJLg0KDQogICAgIHBrY3MxMToNCg0KICAgT25lIG9m
IHRoZSBzaW1wbGVzdCBhbmQgbW9zdCB1c2VmdWwgZm9ybXMgbWlnaHQgYmUg
YSBQS0NTIzExIFVSSSB0aGF0DQogICBzcGVjaWZpZXMgb25seSBhbiBvYmpl
Y3QgbGFiZWwgYW5kIGl0cyB0eXBlLiAgVGhlIGRlZmF1bHQgdG9rZW4gaXMN
CiAgIHVzZWQgc28gdGhlIFVSSSBkb2VzIG5vdCBzcGVjaWZ5IGl0LiAgTm90
ZSB0aGF0IHdoZW4gc3BlY2lmeWluZw0KICAgcHVibGljIG9iamVjdHMsIGEg
dG9rZW4gUElOIG1heSBub3QgYmUgcmVxdWlyZWQuDQoNCiAgICAgcGtjczEx
Om9iamVjdD1teS1wdWJrZXk7dHlwZT1wdWJsaWMNCg0KICAgV2hlbiBhIHBy
aXZhdGUga2V5IGlzIHNwZWNpZmllZCBlaXRoZXIgdGhlICJwaW4tc291cmNl
IiBhdHRyaWJ1dGUsDQogICAicGluLXZhbHVlLCBvciBhbiBhcHBsaWNhdGlv
biBzcGVjaWZpYyBtZXRob2Qgd291bGQgYmUgdXN1YWxseSB1c2VkLg0KICAg
Tm90ZSB0aGF0ICcvJyBpcyBub3QgcGVyY2VudC1lbmNvZGVkIGluIHRoZSAi
cGluLXNvdXJjZSIgYXR0cmlidXRlDQogICB2YWx1ZSBzaW5jZSB0aGlzIGF0
dHJpYnV0ZSBpcyBwYXJ0IG9mIHRoZSBxdWVyeSBjb21wb25lbnQsIG5vdCB0
aGUNCiAgIHBhdGgsIGFuZCB0aHVzIGlzIHNlcGFyYXRlZCBieSAnPycgZnJv
bSB0aGUgcmVzdCBvZiB0aGUgVVJJLg0KDQogICAgIHBrY3MxMTpvYmplY3Q9
bXkta2V5O3R5cGU9cHJpdmF0ZT9waW4tc291cmNlPS9ldGMvdG9rZW4NCg0K
ICAgVGhlIGZvbGxvd2luZyBleGFtcGxlIGlkZW50aWZpZXMgYSBjZXJ0aWZp
Y2F0ZSBpbiB0aGUgc29mdHdhcmUgdG9rZW4uDQogICBOb3RlIGFuIGVtcHR5
IHZhbHVlIGZvciB0aGUgYXR0cmlidXRlICJzZXJpYWwiIHdoaWNoIG1hdGNo
ZXMgb25seQ0KICAgZW1wdHkgInNlcmlhbE51bWJlciIgbWVtYmVyIG9mIHRo
ZSAiQ0tfVE9LRU5fSU5GTyIgc3RydWN0dXJlLiAgQWxzbw0KICAgbm90ZSB0
aGF0IHRoZSAiaWQiIGF0dHJpYnV0ZSB2YWx1ZSBpcyBlbnRpcmVseSBwZXJj
ZW50LWVuY29kZWQsIGFzDQogICByZWNvbW1lbmRlZC4gIFdoaWxlICcsJyBp
cyBpbiB0aGUgcmVzZXJ2ZWQgc2V0IGl0IGRvZXMgbm90IGhhdmUgdG8gYmUN
CiAgIHBlcmNlbnQtZW5jb2RlZCBzaW5jZSBpdCBkb2VzIG5vdCBjb25mbGlj
dCB3aXRoIGFueSBzdWItZGVsaW1pdGVycw0KICAgdXNlZC4gIFRoZSAnIycg
Y2hhcmFjdGVyIGFzIGluICJUaGUgU29mdHdhcmUgUEtDUyMxMSBTb2Z0dG9r
ZW4iIE1VU1QNCiAgIGJlIHBlcmNlbnQtZW5jb2RlZC4NCg0KICAgICBwa2Nz
MTE6dG9rZW49VGhlJTIwU29mdHdhcmUlMjBQS0NTJTIzMTElMjBTb2Z0dG9r
ZW47DQogICAgICAgICAgICBtYW51ZmFjdHVyZXI9U25ha2UlMjBPaWwsJTIw
SW5jLjsNCiAgICAgICAgICAgIG1vZGVsPTEuMDsNCiAgICAgICAgICAgIG9i
amVjdD1teS1jZXJ0aWZpY2F0ZTsNCiAgICAgICAgICAgIHR5cGU9Y2VydDsN
CiAgICAgICAgICAgIGlkPSU2OSU5NSUzRSU1QyVGNCVCRCVFQyU5MTsNCiAg
ICAgICAgICAgIHNlcmlhbD0NCiAgICAgICAgICAgID9waW4tc291cmNlPS9l
dGMvdG9rZW5fcGluDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KUGVjaGFuZWMg
JiBNb2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bmUgMjQsIDIwMTUgICAgICAg
ICAgICAgICAgW1BhZ2UgMTNdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAg
ICAgVGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVy
IDIwMTQNCg0KDQogICBUaGUgbmV4dCBleGFtcGxlIGNvdmVycyBob3cgdG8g
dXNlIHRoZSAibW9kdWxlLW5hbWUiIHF1ZXJ5IGF0dHJpYnV0ZS4NCiAgIENv
bnNpZGVyaW5nIHRoYXQgdGhlIG1vZHVsZSBpcyBsb2NhdGVkIGluIC91c3Iv
bGliL2xpYm15cGtjczExLnNvLjENCiAgIGZpbGUsIHRoZSBhdHRyaWJ1dGUg
dmFsdWUgaXMgIm15cGtjczExIiwgbWVhbmluZyBvbmx5IHRoZSBtb2R1bGUg
bmFtZQ0KICAgd2l0aG91dCB0aGUgZnVsbCBwYXRoLCBhbmQgd2l0aG91dCB0
aGUgcGxhdGZvcm0gc3BlY2lmaWMgImxpYiIgcHJlZml4DQogICBhbmQgIi5z
by4xIiBzdWZmaXguDQoNCiAgICAgcGtjczExOm9iamVjdD1teS1zaWduLWtl
eTsNCiAgICAgICAgICAgIHR5cGU9cHJpdmF0ZQ0KICAgICAgICAgICAgP21v
ZHVsZS1uYW1lPW15cGtjczExDQoNCiAgIFRoZSBmb2xsb3dpbmcgZXhhbXBs
ZSBjb3ZlcnMgaG93IHRvIHVzZSB0aGUgIm1vZHVsZS1wYXRoIiBxdWVyeQ0K
ICAgYXR0cmlidXRlLiAgVGhlIGF0dHJpYnV0ZSBtYXkgYmUgdXNlZnVsIGlm
IGEgdXNlciBuZWVkcyB0byBwcm92aWRlDQogICB0aGUga2V5IHZpYSBhIFBL
Q1MjMTEgbW9kdWxlIHN0b3JlZCBvbiBhIHJlbW92YWJsZSBtZWRpYSwgZm9y
DQogICBleGFtcGxlLiAgR2V0dGluZyB0aGUgUElOIHRvIGFjY2VzcyB0aGUg
cHJpdmF0ZSBrZXkgaGVyZSBpcyBsZWZ0IHRvDQogICBiZSBhcHBsaWNhdGlv
biBzcGVjaWZpYy4NCg0KICAgICBwa2NzMTE6b2JqZWN0PW15LXNpZ24ta2V5
Ow0KICAgICAgICAgICAgdHlwZT1wcml2YXRlDQogICAgICAgICAgICA/bW9k
dWxlLXBhdGg9L21udC9saWJteXBrY3MxMS5zby4xDQoNCiAgIEluIHRoZSBj
b250ZXh0IHdoZXJlIGEgdG9rZW4gaXMgZXhwZWN0ZWQgdGhlIHRva2VuIGNh
biBiZSBpZGVudGlmaWVkDQogICB3aXRob3V0IHNwZWNpZnlpbmcgYW55IFBL
Q1MjMTEgb2JqZWN0cy4gIEEgUElOIG1pZ2h0IHN0aWxsIGJlIG5lZWRlZA0K
ICAgaW4gdGhlIGNvbnRleHQgb2YgbGlzdGluZyBhbGwgb2JqZWN0cyBpbiB0
aGUgdG9rZW4sIGZvciBleGFtcGxlLg0KICAgU2VjdGlvbiA2IHNob3VsZCBi
ZSBjb25zdWx0ZWQgYmVmb3JlIHRoZSAicGluLXZhbHVlIiBhdHRyaWJ1dGUg
aXMNCiAgIGV2ZXIgdXNlZC4NCg0KICAgICBwa2NzMTE6dG9rZW49U29mdHdh
cmUlMjBQS0NTJTIzMTElMjBzb2Z0dG9rZW47DQogICAgICAgICAgICBtYW51
ZmFjdHVyZXI9U25ha2UlMjBPaWwsJTIwSW5jLg0KICAgICAgICAgICAgP3Bp
bi12YWx1ZT10aGUtcGluDQoNCiAgIEluIHRoZSBjb250ZXh0IHdoZXJlIGEg
c2xvdCBpcyBleHBlY3RlZCB0aGUgc2xvdCBjYW4gYmUgaWRlbnRpZmllZA0K
ICAgd2l0aG91dCBzcGVjaWZ5aW5nIGFueSBQS0NTIzExIG9iamVjdHMgaW4g
YW55IHRva2VuIGl0IG1heSBiZQ0KICAgaW5zZXJ0ZWQgaW4gaXQuDQoNCiAg
ICAgcGtjczExOnNsb3QtZGVzY3JpcHRpb249U3VuJTIwTWV0YXNsb3QNCg0K
ICAgVGhlIENyeXB0b2tpIGxpYnJhcnkgYWxvbmUgY2FuIGJlIGFsc28gaWRl
bnRpZmllZCB3aXRob3V0IHNwZWNpZnlpbmcNCiAgIGEgUEtDUyMxMSB0b2tl
biBvciBvYmplY3QuDQoNCiAgICAgcGtjczExOmxpYnJhcnktbWFudWZhY3R1
cmVyPVNuYWtlJTIwT2lsLCUyMEluYy47DQogICAgICAgICAgICBsaWJyYXJ5
LWRlc2NyaXB0aW9uPVNvZnQlMjBUb2tlbiUyMExpYnJhcnk7DQogICAgICAg
ICAgICBsaWJyYXJ5LXZlcnNpb249MS4yMw0KDQoNCg0KDQoNCg0KDQoNCg0K
UGVjaGFuZWMgJiBNb2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bmUgMjQsIDIw
MTUgICAgICAgICAgICAgICAgW1BhZ2UgMTRdDQoMDQpJbnRlcm5ldC1EcmFm
dCAgICAgICAgICAgVGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAg
IERlY2VtYmVyIDIwMTQNCg0KDQogICBUaGUgZm9sbG93aW5nIGV4YW1wbGUg
c2hvd3MgYW4gYXR0cmlidXRlIHZhbHVlIHdpdGggYSBzZW1pY29sb24uICBJ
bg0KICAgc3VjaCBjYXNlIGl0IE1VU1QgYmUgcGVyY2VudC1lbmNvZGVkLiAg
VGhlIHRva2VuIGF0dHJpYnV0ZSB2YWx1ZSBNVVNUDQogICBiZSByZWFkIGFz
ICJNeSB0b2tlbjsgY3JlYXRlZCBieSBKb2UiLiAgTG93ZXIgY2FzZSBsZXR0
ZXJzIE1BWSBiZQ0KICAgdXNlZCBpbiBwZXJjZW50LWVuY29kaW5nIGFzIHNo
b3duIGJlbG93IGluIHRoZSAiaWQiIGF0dHJpYnV0ZSB2YWx1ZQ0KICAgYnV0
IG5vdGUgdGhhdCBTZWN0aW9ucyAyLjEgYW5kIDYuMi4yLjEgb2YgW1JGQzM5
ODZdIHJlYWQgdGhhdCBhbGwNCiAgIHBlcmNlbnQtZW5jb2RlZCBjaGFyYWN0
ZXJzIFNIT1VMRCB1c2UgdGhlIHVwcGVyY2FzZSBoZXhhZGVjaW1hbA0KICAg
ZGlnaXRzLiAgTW9yZSBzcGVjaWZpY2FsbHksIGlmIHRoZSBVUkkgc3RyaW5n
IHdhcyB0byBiZSBjb21wYXJlZCB0aGUNCiAgIGFsZ29yaXRobSBkZWZpbmVk
IGluIFNlY3Rpb24gMy42IGV4cGxpY2l0bHkgcmVxdWlyZXMgcGVyY2VudC1l
bmNvZGluZw0KICAgdG8gdXNlIHRoZSB1cHBlcmNhc2UgZGlnaXRzIEEtRiBp
biB0aGUgImlkIiBhdHRyaWJ1dGUgdmFsdWVzLiAgQW5kIGFzDQogICBleHBs
YWluZWQgaW4gU2VjdGlvbiAzLjMsIGxpYnJhcnkgdmVyc2lvbiAiMyIgTVVT
VCBiZSBpbnRlcnByZXRlZCBhcw0KICAgIjMiIGZvciB0aGUgbWFqb3IgYW5k
ICIwIiBmb3IgdGhlIG1pbm9yIHZlcnNpb24gb2YgdGhlIGxpYnJhcnkuDQoN
CiAgICAgcGtjczExOnRva2VuPU15JTIwdG9rZW4lMjUlMjBjcmVhdGVkJTIw
YnklMjBKb2U7DQogICAgICAgICAgICBsaWJyYXJ5LXZlcnNpb249MzsNCiAg
ICAgICAgICAgIGlkPSUwMSUwMiUwMyVCYSVkZCVDYSVmZSUwNCUwNSUwNg0K
DQogICBJZiB0aGVyZSBpcyBhbnkgbmVlZCB0byBpbmNsdWRlIGxpdGVyYWwg
IiU7IiBzdWJzdHJpbmcsIGZvciBleGFtcGxlLA0KICAgYm90aCBjaGFyYWN0
ZXJzIE1VU1QgYmUgZXNjYXBlZC4gIFRoZSB0b2tlbiB2YWx1ZSBNVVNUIGJl
IHJlYWQgYXMgIkENCiAgIG5hbWUgd2l0aCBhIHN1YnN0cmluZyAlOyIuDQoN
CiAgICAgcGtjczExOnRva2VuPUElMjBuYW1lJTIwd2l0aCUyMGElMjBzdWJz
dHJpbmclMjAlMjUlM0I7DQogICAgICAgICAgICBvYmplY3Q9bXktY2VydGlm
aWNhdGU7DQogICAgICAgICAgICB0eXBlPWNlcnQNCg0KICAgVGhlIG5leHQg
ZXhhbXBsZSBpbmNsdWRlcyBhIHNtYWxsIEEgd2l0aCBhY3V0ZSBpbiB0aGUg
dG9rZW4gbmFtZS4gIEl0DQogICBNVVNUIGJlIGVuY29kZWQgaW4gb2N0ZXRz
IGFjY29yZGluZyB0byB0aGUgVVRGLTggY2hhcmFjdGVyIGVuY29kaW5nDQog
ICBhbmQgdGhlbiBwZXJjZW50LWVuY29kZWQuICBHaXZlbiB0aGF0IGEgc21h
bGwgQSB3aXRoIGFjdXRlIGlzIFUrMjI1DQogICB1bmljb2RlIGNvZGUgcG9p
bnQsIHRoZSBVVEYtOCBlbmNvZGluZyBpcyAxOTUgMTYxIGluIGRlY2ltYWws
IGFuZA0KICAgdGhhdCBpcyAiJUMzJUExIiBpbiBwZXJjZW50LWVuY29kaW5n
Lg0KDQogICAgIHBrY3MxMTp0b2tlbj1OYW1lJTIwd2l0aCUyMGElMjBzbWFs
bCUyMEElMjB3aXRoJTIwYWN1dGU6JTIwJUMzJUExOw0KICAgICAgICAgICAg
b2JqZWN0PW15LWNlcnRpZmljYXRlOw0KICAgICAgICAgICAgdHlwZT1jZXJ0
DQoNCiAgIEJvdGggdGhlIHBhdGggYW5kIHF1ZXJ5IGNvbXBvbmVudHMgTUFZ
IGNvbnRhaW4gdmVuZG9yIHNwZWNpZmljDQogICBhdHRyaWJ1dGVzLiAgQXR0
cmlidXRlcyBpbiB0aGUgcXVlcnkgY29tcG9uZW50IE1VU1QgYmUgZGVsaW1p
dGVkIGJ5DQogICAnJicuDQoNCiAgICAgcGtjczExOnRva2VuPW15LXRva2Vu
Ow0KICAgICAgICAgICAgb2JqZWN0PW15LWNlcnRpZmljYXRlOw0KICAgICAg
ICAgICAgdHlwZT1jZXJ0Ow0KICAgICAgICAgICAgdmVuZG9yLWFhYT12YWx1
ZS1hDQogICAgICAgICAgICA/cGluLXNvdXJjZT0vZXRjL3Rva2VuX3Bpbg0K
ICAgICAgICAgICAgJnZlbmRvci1iYmI9dmFsdWUtYg0KDQoNCg0KDQoNCg0K
DQpQZWNoYW5lYyAmIE1vZmZhdCAgICAgICAgIEV4cGlyZXMgSnVuZSAyNCwg
MjAxNSAgICAgICAgICAgICAgICBbUGFnZSAxNV0NCgwNCkludGVybmV0LURy
YWZ0ICAgICAgICAgICBUaGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAg
ICAgRGVjZW1iZXIgMjAxNA0KDQoNCjUuICBJQU5BIENvbnNpZGVyYXRpb25z
DQoNCiAgIFRoaXMgZG9jdW1lbnQgbW92ZXMgdGhlICJwa2NzMTEiIFVSSSBz
Y2hlbWUgZnJvbSB0aGUgcHJvdmlzaW9uYWwgdG8NCiAgIHBlcm1hbmVudCBV
Ukkgc2NoZW1lIHJlZ2lzdHJ5LiAgVGhlIHJlZ2lzdHJhdGlvbiB0ZW1wbGF0
ZSBmb3IgdGhlIFVSSQ0KICAgc2NoZW1lIGlzIGFjY2Vzc2libGUgb24gaHR0
cDovL3d3dy5pYW5hLm9yZy9hc3NpZ25tZW50cy91cmktc2NoZW1lcy4NCg0K
Ni4gIFNlY3VyaXR5IENvbnNpZGVyYXRpb25zDQoNCiAgIFRoZXJlIGFyZSBn
ZW5lcmFsIHNlY3VyaXR5IGNvbnNpZGVyYXRpb25zIGZvciBVUkkgc2NoZW1l
cyBkaXNjdXNzZWQNCiAgIGluIFNlY3Rpb24gNyBvZiBbUkZDMzk4Nl0uDQoN
CiAgIEZyb20gdGhvc2Ugc2VjdXJpdHkgY29uc2lkZXJhdGlvbnMsIFNlY3Rp
b24gNy4xIG9mIFtSRkMzOTg2XSBhcHBsaWVzDQogICBzaW5jZSB0aGVyZSBp
cyBubyBndWFyYW50ZWUgdGhhdCB0aGUgc2FtZSBQS0NTIzExIFVSSSB3aWxs
IGFsd2F5cw0KICAgaWRlbnRpZnkgdGhlIHNhbWUgb2JqZWN0LCB0b2tlbiwg
c2xvdCwgb3IgYSBsaWJyYXJ5IGluIHRoZSBmdXR1cmUuDQoNCiAgIFNlY3Rp
b24gNy4yIG9mIFtSRkMzOTg2XSBhcHBsaWVzIHNpbmNlIGJ5IGFjY2VwdGlu
ZyBxdWVyeSBjb21wb25lbnQNCiAgIGF0dHJpYnV0ZXMgIm1vZHVsZS1uYW1l
IiBvciAibW9kdWxlLXBhdGgiIHRoZSBjb25zdW1lciBwb3RlbnRpYWxseQ0K
ICAgYWxsb3dzIGxvYWRpbmcgb2YgYXJiaXRyYXJ5IGNvZGUgaW50byBhIHBy
b2Nlc3MuDQoNCiAgIFNlY3Rpb24gNy41IG9mIFtSRkMzOTg2XSBhcHBsaWVz
IHNpbmNlIHRoZSBQS0NTIzExIFVSSSBtYXkgYmUgdXNlZCBpbg0KICAgd29y
bGQgcmVhZGFibGUgY29tbWFuZCBsaW5lIGFyZ3VtZW50cyB0byBydW4gYXBw
bGljYXRpb25zLCBzdG9yZWQgaW4NCiAgIHB1YmxpYyBjb25maWd1cmF0aW9u
IGZpbGVzLCBvciBvdGhlcndpc2UgdXNlZCBpbiBjbGVhciB0ZXh0LiAgRm9y
DQogICB0aGF0IHJlYXNvbiB0aGUgInBpbi12YWx1ZSIgYXR0cmlidXRlIHNo
b3VsZCBvbmx5IGJlIHVzZWQgaWYgdGhlIFVSSQ0KICAgc3RyaW5nIGl0c2Vs
ZiBpcyBwcm90ZWN0ZWQgd2l0aCB0aGUgc2FtZSBsZXZlbCBvZiBzZWN1cml0
eSBhcyB0aGUNCiAgIHRva2VuIFBJTiBpdHNlbGYgb3RoZXJ3aXNlIGlzLg0K
DQo3LiAgUmVmZXJlbmNlcw0KDQo3LjEuICBOb3JtYXRpdmUgUmVmZXJlbmNl
cw0KDQogICBbUkZDMjExOV0gIEJyYWRuZXIsIFMuLCAiS2V5IHdvcmRzIGZv
ciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0ZQ0KICAgICAgICAgICAgICBSZXF1
aXJlbWVudCBMZXZlbHMiLCBSRkMgMjExOSwgU1REIDE0LCBNYXJjaCAxOTk3
Lg0KDQogICBbUkZDMzYyOV0gIFllcmdlYXUsIEYuLCAiVVRGLTgsIGEgdHJh
bnNmb3JtYXRpb24gZm9ybWF0IG9mIElTTw0KICAgICAgICAgICAgICAxMDY0
NiIsIFJGQyAzNjI5LCBTVEQgNjMsIE5vdmVtYmVyIDIwMDMuDQoNCiAgIFtS
RkMzOTg2XSAgQmVybmVycy1MZWUsIFQuLCBGaWVsZGluZywgUi4sIGFuZCBM
LiBNYXNpbnRlciwgIlVuaWZvcm0NCiAgICAgICAgICAgICAgUmVzb3VyY2Ug
SWRlbnRpZmllciAoVVJJKTogR2VuZXJpYyBTeW50YXgiLCBSRkMgMzk4Niwg
U1REDQogICAgICAgICAgICAgIDY2LCBKYW51YXJ5IDIwMDUuDQoNCiAgIFtS
RkM1MjM0XSAgQ3JvY2tlciwgRC4gYW5kIFAuIE92ZXJlbGwsICJBdWdtZW50
ZWQgQk5GIGZvciBTeW50YXgNCiAgICAgICAgICAgICAgU3BlY2lmaWNhdGlv
bnM6IEFCTkYiLCBSRkMgNTIzNCwgU1REIDY4LCBKYW51YXJ5IDIwMDguDQoN
CjcuMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMNCg0KICAgW0JDUDE3OF0g
ICBTYWludC1BbmRyZSwgUC4sIENyb2NrZXIsIEQuLCBhbmQgTS4gTm90dGlu
Z2hhbSwNCiAgICAgICAgICAgICAgIkRlcHJlY2F0aW5nIHRoZSAiWC0iIFBy
ZWZpeCBhbmQgU2ltaWxhciBDb25zdHJ1Y3RzIGluDQogICAgICAgICAgICAg
IEFwcGxpY2F0aW9uIFByb3RvY29scyIsIFJGQyA2NjQ4LCBCQ1AgMTc4LCBK
dW5lIDIwMTIuDQoNCg0KDQpQZWNoYW5lYyAmIE1vZmZhdCAgICAgICAgIEV4
cGlyZXMgSnVuZSAyNCwgMjAxNSAgICAgICAgICAgICAgICBbUGFnZSAxNl0N
CgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBUaGUgUEtDUyMxMSBVUkkg
U2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAxNA0KDQoNCiAgIFtSRkM0
Mzk1XSAgSGFuc2VuLCBULiwgSGFyZGllLCBULiwgYW5kIEwuIE1hc2ludGVy
LCAiR3VpZGVsaW5lcyBhbmQNCiAgICAgICAgICAgICAgUmVnaXN0cmF0aW9u
IFByb2NlZHVyZXMgZm9yIE5ldyBVUkkgU2NoZW1lcyIsIFJGQyA0Mzk1LA0K
ICAgICAgICAgICAgICBGZWJydWFyeSAyMDA2Lg0KDQogICBbcGtjczExX3Nw
ZWNdDQogICAgICAgICAgICAgIFJTQSBMYWJvcmF0b3JpZXMsICJQS0NTICMx
MTogQ3J5cHRvZ3JhcGhpYyBUb2tlbiBJbnRlcmZhY2UNCiAgICAgICAgICAg
ICAgU3RhbmRhcmQgdjIuMjAiLCBKdW5lIDIwMDQuDQoNCkF1dGhvcnMnIEFk
ZHJlc3Nlcw0KDQogICBKYW4gUGVjaGFuZWMNCiAgIE9yYWNsZSBDb3Jwb3Jh
dGlvbg0KICAgNDE4MCBOZXR3b3JrIENpcmNsZQ0KICAgU2FudGEgQ2xhcmEg
IENBIDk1MDU0DQogICBVU0ENCg0KICAgRW1haWw6IEphbi5QZWNoYW5lY0BP
cmFjbGUuQ09NDQogICBVUkk6ICAgaHR0cDovL3d3dy5vcmFjbGUuY29tDQoN
Cg0KICAgRGFycmVuIEouIE1vZmZhdA0KICAgT3JhY2xlIENvcnBvcmF0aW9u
DQogICBPcmFjbGUgUGFya3dheQ0KICAgVGhhbWVzIFZhbGxleSBQYXJrDQog
ICBSZWFkaW5nICBSRzYgMVJBDQogICBVSw0KDQogICBFbWFpbDogRGFycmVu
Lk1vZmZhdEBPcmFjbGUuQ09NDQogICBVUkk6ICAgaHR0cDovL3d3dy5vcmFj
bGUuY29tDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoNCg0KDQoN
Cg0KDQoNClBlY2hhbmVjICYgTW9mZmF0ICAgICAgICAgRXhwaXJlcyBKdW5l
IDI0LCAyMDE1ICAgICAgICAgICAgICAgIFtQYWdlIDE3XQ0K

---559023410-490998763-1419226216=:24005--


From nobody Mon Dec 22 04:55:09 2014
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
MIME-Version: 1.0
In-Reply-To: <28418.1419190036@sandelman.ca>
References: <5494DDCD.6030504@cs.tcd.ie> <28418.1419190036@sandelman.ca>
Date: Mon, 22 Dec 2014 07:55:02 -0500
Message-ID: <CACsn0cmNX1sFtGP0T78PkbSEm718xL8fXfHHCwPy4KYLopqveA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/vSX1v-07agmKNyOOUxAyD3CtB3s
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...

On Sun, Dec 21, 2014 at 11:27 AM, Michael Richardson
<mcr+ietf@sandelman.ca> wrote:
>
<snip>
> So I think that the community around HTTP: apache/nginx/rails/django/etc,
> plus the chrome/firefox/android/libcurl is now a really place.
>
> The tragedy of openssl is mostly one of tragedy of the commons: no place I've
> worked on SSL things has ever been willing to do other than "take" from that
> space.  (We could have some discussions about how BSD vs GPL licenses may
> contribute to this neglect)

There are multiple alternate implementations of SSL, and were before
the Heartbleed brought attention onto the sorry state of OpenSSL. Some
of them, like PolarSSL, are quite good. Many of the authors of these
implementations are involved in the TLS WG. The reason no one has
switched is that OpenSSL exposes a large, poorly specified API, which
tends to intertwine the application with the underlying library.

(Some clients, like curl, have multiple TLS implementations they can use)
>
> webrtc would, I think, have been impossible without the ability of
> experimenters to hack on both sides of the fence, and then bring their
> results to the IETF.

This should not be unusual: it's how TCP was made, etc, etc. 7000 RFCs
later, and not one of them has had anything close to the impact of the
early ones. (Yes, it's also how FTP was made: hacking a solution does
not mean that things worked in a sane manner) But what is the benefit
of bringing things to the IETF, if you can write an implementation and
describe how it works, and that implementation is portable to almost
every OS people run out of the box?

>
>     > So, which bits of open-source do we in the security area
>     > of the IETF consider important and why? And what could
>     > we do better? (For any sensible definition of "we":-)
>
> We collectively continue to regularly neglect IPsec.
>
> It's been relegated to site to site, and yet, it is easily applied
> conceptually to many application to application scenarios, but there is no
> "libipsec", so most are afraid to specify it.
> We have significant chicken and egg situations with a number of security
> protocols.

Which application scenarios/protocol would those be?

IPsec is supported on every operating system I can think of, including
the *BSDs, with high quality, free implementations. The problem is
that IPsec naturally maps onto VPN or related kinds of networks:
applications typically want something closer to the semantics TLS
provides. One could design a system that negotiated an SA before
sending a packet to a system, but why not use TLS instead, especially
given the need for OS-level changes?

(If you think protocol XYZ is neglected, does it do something protocol
ZYX does not? Are the implementations better quality? etc)

The fact that there are now two kinds of OS in the world: *nix and
Windows. This makes writing portable code, as opposed to
reimplementation, a viable strategy for becoming ubiquitous. As a
result, standards become less important. At the same time we've made
it much harder and more expensive to get drafts published.

Something like Pond doesn't need to become a standard to become widely
adopted. See also Tor, Napster, Bittorrent, etc. It's not actually a
problem that people don't use the IETF. It is a problem when we don't
solve problems that they face with the results. We've known NTP
security was undeployable, and DNSSEC had administrative issues, for
quite some time. This hasn't led to any sort of work on a fix.

Unless we start from looking at the benefits and costs of working with
the IETF, we won't understand why people act the way they do. The
question should be "what does the IETF do for open source, and what
should it do"?

Sincerely,
Watson Ladd

>
> If I had my druthers, there would be a golden egg to fund three or four open
> source implementations of everything that went through the security area.
> And not just "research" projects either.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin


From nobody Mon Dec 22 05:54:29 2014
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E11651A8F3B for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 05:54:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcVpbtOE_pXL for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 05:54:25 -0800 (PST)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id 159971A8F42 for <saag@ietf.org>; Mon, 22 Dec 2014 05:54:23 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 1B0152240766; Mon, 22 Dec 2014 14:54:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LXIMt-XiYBB; Mon, 22 Dec 2014 14:54:21 +0100 (CET)
Received: from [192.168.20.49] (198-84-181-115.cpe.teksavvy.com [198.84.181.115]) by power.freeradius.org (Postfix) with ESMTPSA id A82D7224007E; Mon, 22 Dec 2014 14:54:20 +0100 (CET)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CACsn0cmNX1sFtGP0T78PkbSEm718xL8fXfHHCwPy4KYLopqveA@mail.gmail.com>
Date: Mon, 22 Dec 2014 08:54:17 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <660AD3A8-2BB1-4E22-BE22-DF98D8EA3808@deployingradius.com>
References: <5494DDCD.6030504@cs.tcd.ie> <28418.1419190036@sandelman.ca> <CACsn0cmNX1sFtGP0T78PkbSEm718xL8fXfHHCwPy4KYLopqveA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/AP7L2DMKB3bB-VRE04hl2rydjzA
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 13:54:28 -0000

On Dec 22, 2014, at 7:55 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> There are multiple alternate implementations of SSL,

  13 years ago (when I started using it), the only open source one of
any functionality was OpenSSL.

> and were before
> the Heartbleed brought attention onto the sorry state of OpenSSL. Some
> of them, like PolarSSL, are quite good. Many of the authors of these
> implementations are involved in the TLS WG. The reason no one has
> switched is that OpenSSL exposes a large, poorly specified API, which
> tends to intertwine the application with the underlying library.

  Open source programs didn't have an alternative to OpenSSL.  Now they
do.  But migrating from one library to another is a major effort…
which isn’t funded.

  RedHat has submitted patches for many pieces of software to move from
OpenSSL to NSS.  But they’re a commercial company, and have funding.

> But what is the benefit
> of bringing things to the IETF, if you can write an implementation and
> describe how it works, and that implementation is portable to almost
> every OS people run out of the box?

  Many reasons.  A documented standard is often better than no standard.
Open source people recognize that companies exist, and one way to get
wider adoption in a corporate environment is to have a standard.  And
getting peer review is usually beneficial.

> The fact that there are now two kinds of OS in the world: *nix and
> Windows. This makes writing portable code, as opposed to
> reimplementation, a viable strategy for becoming ubiquitous. As a
> result, standards become less important. At the same time we've made
> it much harder and more expensive to get drafts published.

  Napster, BitTorrent, etc. showed you can get wide-spread adoption if
there’s sufficient customer interest.  But that’s in the consumer
space.

  For software to be used in the enterprise or telco space, there is a
higher tendency towards standards, and off the shelf commercial
solutions.  So the IETF still has a place.

  In my favorite protocol (RADIUS), I’ve been running the main open
source project (FreeRADIUS) for over 15 years.  As best I can tell,
everyone outside of the top 5 switch vendors uses it.  Vendors, telcos,
ISPs, enterprises, etc.  Yet if I wanted to extend the protocol myself,
I would get *no* traction.  Creating standards in the IETF is the only
way to solve real-world needs.

> Something like Pond doesn't need to become a standard to become widely
> adopted. See also Tor, Napster, Bittorrent, etc. It's not actually a
> problem that people don't use the IETF. It is a problem when we don't
> solve problems that they face with the results. We've known NTP
> security was undeployable, and DNSSEC had administrative issues, for
> quite some time. This hasn't led to any sort of work on a fix.

  Are there any commercial reasons to fix those protocols?  I can’t
think of any.  That means there will be no funding to fix them.

  There is an open source alternative (DJB’s DNSCurve).  If it solves
a real-world need, why hasn’t it become ubiquitous?

> Unless we start from looking at the benefits and costs of working with
> the IETF, we won't understand why people act the way they do. The
> question should be "what does the IETF do for open source, and what
> should it do"?

  The IETF doesn’t do a lot for open source that I’ve seen.  As
Michael said, most open source projects are about someone scratching an
itch.  Studies show that most open source projects are written and/or
run by one person.

  If the IETF wants more involvement in a particular area, the best
option, then, is to find the one critical person, and get them to
participate.

  Alan DeKok.


From nobody Mon Dec 22 09:21:45 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 689A51A1B5E for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 09:21:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level: 
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ZOiEBRSpu8B for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 09:21:43 -0800 (PST)
Received: from homiemail-a109.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 760561A1B35 for <saag@ietf.org>; Mon, 22 Dec 2014 09:21:43 -0800 (PST)
Received: from homiemail-a109.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a109.g.dreamhost.com (Postfix) with ESMTP id 1BFA62005D82E; Mon, 22 Dec 2014 09:21:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=BcAjMR5zpQQdNC N6Q2fB+TX+OFs=; b=AD6v4SGfVoeXCL9ae9YxmO5JMvhP5nJsiA0EofaAAy1ti5 8xIewXFd4EfOXu80S+ZkMn+V2o3NNks0CDblOfW8u5vB99zCsTNto8guJHtYLsXa gxyuUeknF1qTdSPedSYJT2QaV8tSJEr8n7Dwm37Xx6/Bwg5zYtVqH97kSqw9o=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a109.g.dreamhost.com (Postfix) with ESMTPA id CFFC42005D823; Mon, 22 Dec 2014 09:21:42 -0800 (PST)
Date: Mon, 22 Dec 2014 11:21:42 -0600
From: Nico Williams <nico@cryptonector.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20141222172136.GE12662@localhost>
References: <5494DDCD.6030504@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/CvfTvHURNVzse7tZ0hfmInQc1Ho
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 17:21:44 -0000

On Sat, Dec 20, 2014 at 02:24:13AM +0000, Stephen Farrell wrote:
> The IESG have recently been discussing how the IETF would
> work better with or for open-source communities. As part of
> that it'd be good to get some appreciation of which open
> source activities folks consider important (and why). And
> of course there are multiple directions here - e.g. where an
> IETF activity has fed directly into an open-source activity
> and the opposite where the IETF end up documenting something
> already done by some open-source community.

The IETF's main open-source activity is producing open-source standards,
which is why it's relatively easy to find open-source implementations of
them (compare to other SDOs).  The IETF's secondary open-source activity
is producing tools for its own consumption.

IETF participants often produce/maintain or help to produce/maintain
open-source implementations of Internet protocols, but this is not an
IETF activity.

> As part of that analysis, an utterly reasonable question
> was asked: yeah, but which open-source things are important
> to IETF participants?

First and foremost: continue producing open-source Internet Standards.

Second: continue producing open-source tooling for the IETF's own needs.

Third: continue to liaise with other SDOs, and *perhaps* liaise with
highly visible and important (by deployment) open source projects.  Let
ISOC get involved with open-source projects if it wants to.

Fourth: encourage IPR holders (in so far as the IETF possibly can) to
provide meaningfully-free access for use in open-source implementations,
and preferably not just limited to infectious licensing.

As an aside, security is generally seen as a cost center, and a fairly
high cost center at that.  Intangible costs/benefits generally don't get
accounted for.  We've seen how failure to account for opportunity and
other intangible costs can cause highly visible failures.  Open-source
projects provide a way to share some of these costs, but a risk is that
insufficient attention will be paid, leading to low-quality open-source
implementations -- there is no easy fix; TANSTAAFL.

> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)

If the value of "we" is "the IETF"...  I fear that getting the IETF to
be involved with open-source projects not directly related to the IETF's
needs... would be a distraction.  We, the IETF's participants, are still
volunteers; herding us is like herding cats.

If the value of "we" is "IETF usual suspects that can influence
funding", then in general I'd say: we need high-quality open-source
reference implementations of critical infrastructure pieces all over the
stack and across areas, not just security (e.g., if we want some new
congestion control protocol to get deployed, we'll need it implemented).
Security-area standards probably deserve more attention than the others,
for the reasons given in the aside above.

That said, if "we" (the IETF in general) are going to go down this road,
I'd say that high-quality security protocol implementations (with good,
usable APIs) are that which we need the most, mainly: a) PK
authentication (PKIX and DANE), b) TLS.

Cheers,

Nico
-- 


From nobody Mon Dec 22 15:04:10 2014
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9F551A88A3 for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 15:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8r-GdNqSHRI for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 15:04:05 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF5C01A8546 for <saag@ietf.org>; Mon, 22 Dec 2014 15:04:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1419289445; x=1450825445; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=O3iutrOXVnBhcFzZFPlm+PGZqjJx6fp4rlw1HAWXvDA=; b=DZWjbPrfm+PLE1QyXyxG2RZ/Ujtg6eXN8SXZMtRVYqyDrAgrPmXfTv0W 1upwHp7/uva7twE0hn4CaBxO8U+ami4I6iZ/cjgkT0EOwJz13fWZnSe7B RCfGMtPkA5k9O1vS3ASYZiiV5eXxZZu7ZbBMYY96mbfiuSrI6EzFeM+Io I=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="298043713"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 23 Dec 2014 12:04:01 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.148]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0174.001; Tue, 23 Dec 2014 12:03:58 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Watson Ladd <watsonbladd@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Important open-source activities...
Thread-Index: AdAeO5FCFtBprTceT7K+tIz6lafYIQ==
Date: Mon, 22 Dec 2014 23:03:58 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF4889C@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/cL6ddZeVr6G7PSB6e7rSzL7WTnc
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 23:04:09 -0000

Watson Ladd <watsonbladd@gmail.com> writes:

>The fact that there are now two kinds of OS in the world: *nix and Windows.

And that's the exact attitude from standards committees that makes them a
major pain for me.  There are way, way more OSes than Windows and Unix (eCos,
AMX, FreeRTOS, MQX, VxWorks, uITRON, RTEMS, uC/OS, VDK, XMK, and others),
almost all of which are wilfully ignored by standards authors (at best it's a
"well Moore's law will make them all irrelevant anyway so we don't need to
bother with them").  I'm thinking in particular of HTTP 2.0 and TLS 2.0
(a.k.a. "TLS 1.3"), which are designed for Google's big iron (and equivalents)
on one side and desktop PCs/laptops/tablets/smart phones on the other, and
that's all, because nothing else exists.

So one thing that standards committees could do is recognise that there are
vast numbers of embedded systems out there that are locked out of the
standards process by designers for whom they don't exist.  In fact this is
exactly why we need standards, to accommodate everything out there, not just
one particular content-delivery process.

Peter.


From nobody Mon Dec 22 15:50:06 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB3951A7018 for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 15:50:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level: 
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HgSN-vjGFDAu for <saag@ietfa.amsl.com>; Mon, 22 Dec 2014 15:50:04 -0800 (PST)
Received: from homiemail-a106.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 12F111A6FF1 for <saag@ietf.org>; Mon, 22 Dec 2014 15:50:04 -0800 (PST)
Received: from homiemail-a106.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a106.g.dreamhost.com (Postfix) with ESMTP id CB69E2005D00A; Mon, 22 Dec 2014 15:50:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Jx3IqI2DVyoJm/ o3v664KboGUbw=; b=EdJ7HUQYWAneWnoBr/UEfw8N7WfUYyXFL3SqxeItVdftzP JzKIJNJHB26sby9+fnXA05y5lRTgLWyguJ1GHyw4jhEQxCWd7YS98KYAtuRdk+M1 LZnsZur7vS11Gvl3c8beqedKF00TZnGfrJQoao7jid4uWfZt9a2duMrEmVN20=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a106.g.dreamhost.com (Postfix) with ESMTPA id 67A342005D009; Mon, 22 Dec 2014 15:50:03 -0800 (PST)
Date: Mon, 22 Dec 2014 17:50:02 -0600
From: Nico Williams <nico@cryptonector.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20141222234958.GK12662@localhost>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF4889C@uxcn10-tdc05.UoA.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AAF4889C@uxcn10-tdc05.UoA.auckland.ac.nz>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Lueju4LCiUmNqGwE2uxCdGvnZl8
Cc: "saag@ietf.org" <saag@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 23:50:05 -0000

On Mon, Dec 22, 2014 at 11:03:58PM +0000, Peter Gutmann wrote:
> Watson Ladd <watsonbladd@gmail.com> writes:
> >The fact that there are now two kinds of OS in the world: *nix and Windows.
> 
> And that's the exact attitude from standards committees that makes them a
> major pain for me.  There are way, way more OSes than Windows and Unix (eCos,
> AMX, FreeRTOS, MQX, VxWorks, uITRON, RTEMS, uC/OS, VDK, XMK, and others),
> almost all of which are wilfully ignored by standards authors (at best it's a
> "well Moore's law will make them all irrelevant anyway so we don't need to
> bother with them").  I'm thinking in particular of HTTP 2.0 and TLS 2.0
> (a.k.a. "TLS 1.3"), which are designed for Google's big iron (and equivalents)
> on one side and desktop PCs/laptops/tablets/smart phones on the other, and
> that's all, because nothing else exists.

OK, I'll bite.  What are we doing badly relative to any of the OSes that
you list?  Be specific.

(I wouldn't be too surprised if there are problems with HTTP/2.0 and TLS
1.3 for such OSes, but I want to hear what they might be, particularly
for TLS 1.3.)

> So one thing that standards committees could do is recognise that there are
> vast numbers of embedded systems out there that are locked out of the
> standards process by designers for whom they don't exist.  In fact this is
> exactly why we need standards, to accommodate everything out there, not just
> one particular content-delivery process.

*This* SDO lets anyone show up and speak up.  Other SDOs not so much.

Needless to say, volunteers are not required to represent those others
who don't show up.

Another way to say what you're saying would be: eagerly invite non-usual
suspects to participate.  Which, I think, is something the IETF
perennially hears, and, perennially tries to do (since more participants
generally means more meeting attendees, which means making it easier to
fund IETF activities).  Feel free to help.

Nico
-- 


From nobody Mon Dec 22 22:32:38 2014
Return-Path: <Jan.Pechanec@Oracle.COM>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D761A887B; Mon, 22 Dec 2014 22:32:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.91
X-Spam-Level: 
X-Spam-Status: No, score=-5.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3dBdXn3uZLU; Mon, 22 Dec 2014 22:32:31 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61DE1A00C0; Mon, 22 Dec 2014 22:32:30 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBN6WOpX022325 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 23 Dec 2014 06:32:24 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id sBN6WLdD001100 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 23 Dec 2014 06:32:21 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id sBN6WKPt001074; Tue, 23 Dec 2014 06:32:20 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 22 Dec 2014 22:32:19 -0800
Date: Mon, 22 Dec 2014 22:32:18 -0800 (PST)
From: Jan Pechanec <Jan.Pechanec@Oracle.COM>
X-X-Sender: jpechane@keflavik
To: =?ISO-8859-15?Q?Martin_J=2E_D=FCrst?= <duerst@it.aoyama.ac.jp>
Message-ID: <alpine.GSO.2.00.1412222222540.24928@keflavik>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-3036460-1419316339=:24928"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/6RWr2egAld83hiIZfzrmkSBYhKc
Cc: uri-review@ietf.org, ietf@ietf.org, saag@ietf.org
Subject: Re: [saag] Review Request for draft-pechanec-pkcs11uri-16
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 06:32:37 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-3036460-1419316339=:24928
Content-Type: TEXT/PLAIN; charset=US-ASCII


	hello Martin, I'm writing with respect to your recent comment 
on the uri-review@ietf.org list:

>My understanding is that the registration template should be in the 
>document itself, even if it's mostly the same as a previous one.
>
>Regards,    Martin.

	I've put the registration template to the draft.  Current 
version for draft 17 is attached.  Thank you for your feedback.

	best regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-3036460-1419316339=:24928
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=draft-pechanec-pkcs11uri-17-v4.txt
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412222232180.24928@keflavik>
Content-Description: 
Content-Disposition: attachment; filename=draft-pechanec-pkcs11uri-17-v4.txt
---559023410-3036460-1419316339=:24928--


From nobody Wed Dec 24 11:50:49 2014
Return-Path: <derek@ihtfp.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489A51A1A72 for <saag@ietfa.amsl.com>; Wed, 24 Dec 2014 11:50:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wqxv9yN2-ZXH for <saag@ietfa.amsl.com>; Wed, 24 Dec 2014 11:50:42 -0800 (PST)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF91D1A1A6E for <saag@ietf.org>; Wed, 24 Dec 2014 11:50:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 615B0E2036 for <saag@ietf.org>; Wed, 24 Dec 2014 14:50:39 -0500 (EST)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 09362-02 for <saag@ietf.org>; Wed, 24 Dec 2014 14:50:35 -0500 (EST)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id F2A3FE2034 for <saag@ietf.org>; Wed, 24 Dec 2014 14:50:34 -0500 (EST)
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id sBOJoXaP001232; Wed, 24 Dec 2014 14:50:33 -0500
From: Derek Atkins <derek@ihtfp.com>
To: saag@ietf.org
References: <5494DDCD.6030504@cs.tcd.ie> <20141220155417.GO24649@mournblade.imrryr.org>
Date: Wed, 24 Dec 2014 14:50:32 -0500
In-Reply-To: <20141220155417.GO24649@mournblade.imrryr.org> (Viktor Dukhovni's message of "Sat, 20 Dec 2014 15:54:18 +0000")
Message-ID: <sjmk31gvncn.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/zSkiEVwLrNaILXNDvAD5QSOlGYs
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 19:50:46 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

> On Sat, Dec 20, 2014 at 02:24:13AM +0000, Stephen Farrell wrote:
>
>> So, which bits of open-source do we in the security area
>> of the IETF consider important and why? And what could
>> we do better? (For any sensible definition of "we":-)
>
> Security protocols with at least one reasonably solid and flexibly
> licensed open source implementation include:
>
>     * SSH
>     * Kerberos V5 and GSSAPI
>     * DNSSEC
>     * SASL

I would also add OpenPGP to the list, although I suppose GPL (the
license of GnuPG) is probably not considered a "flexible license."  But
there is also BouncyCastle's implementation, which is definitely more
flexible and I would consider "solid".

There are also multiple open source implementations of IPsec and IKEv1
that qualify by your definitions.

As for the question of "what can we do better", how about listing places
where we actually see problems?

In my experience the problems are getting more involvement from members
of Open Source Projects, in particular ones that aren't as well funded.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Fri Dec 26 19:28:05 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71CC1A1B5F for <saag@ietfa.amsl.com>; Fri, 26 Dec 2014 19:28:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_Yz4XHDLaYs for <saag@ietfa.amsl.com>; Fri, 26 Dec 2014 19:28:03 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABBB51A1B5B for <saag@ietf.org>; Fri, 26 Dec 2014 19:28:03 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7178ABF0B for <saag@ietf.org>; Sat, 27 Dec 2014 03:28:02 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jW4Egqrqz8Fl for <saag@ietf.org>; Sat, 27 Dec 2014 03:28:01 +0000 (GMT)
Received: from [10.87.48.10] (unknown [86.41.53.28]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2C713BF0A for <saag@ietf.org>; Sat, 27 Dec 2014 03:28:01 +0000 (GMT)
Message-ID: <549E2740.5070405@cs.tcd.ie>
Date: Sat, 27 Dec 2014 03:28:00 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/OgdCDK2rbHoxP9Rf9uympPwImvM
Subject: [saag] IETF areas re-organisation steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 03:28:05 -0000

Hiya,

There are a bunch of folks on this list who're not on the general
ietf@ietf.org list and who apparently care about IETF processes in
general (yes, that's a contradiction, but there are enough of us
here to require the presence of such eccentricity;-) so I wanted
to make sure [1] was shoved before your collective nostrils in
case you want to comment. (And more seriously, please do comment,
the proposal [1] might produce some significant changes in how
the IESG works.)

If you turn out to be interested in this, please follow up as
usual for such discussions via ietf@ietf.org

Thanks,
S.

[1]
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg13597.html


From nobody Mon Dec 29 08:00:58 2014
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAEBF1A8852 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 08:00:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBSeTXMLnJE8 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 08:00:52 -0800 (PST)
Received: from mail-yh0-x22f.google.com (mail-yh0-x22f.google.com [IPv6:2607:f8b0:4002:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3B891A884D for <saag@ietf.org>; Mon, 29 Dec 2014 08:00:51 -0800 (PST)
Received: by mail-yh0-f47.google.com with SMTP id f73so6653923yha.34 for <saag@ietf.org>; Mon, 29 Dec 2014 08:00:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:date:message-id:subject:from:to:content-type; bh=XD91XvG0fhZ+zr2Hnq0z+UY84H999xNyrNt3wEryxlM=; b=ekC9kx60CbDtjNCCRh7+5KqGzL90GRAZs9oBgsMVx+KRVstlCzJx5XudOYFvSaSjex 9WpApwX5b3blmW+rMv9WJGU/EEK1W+FC/D3L5GstOEM4XAQhWvu/ihwkqbSas5PbioHo krxMYQ/U0pjg4I0AbyCZy8iOtrVEf3LLs83wAocUwnh+alBMTftH65+9E9we0RSDXMT5 8/WrK4/hZEz9XqKPpa363aPUjED+22ZPqY8zDbT2G6eXrsXCh6nwhJ4lTvFpyGXGxn2Q e9HEkPHy0Bfu17jP2/eHPPggz519oNdhoOPoJegDetjnbHnFOOLO2Ql4nK7DO0DTV1OR hvuQ==
MIME-Version: 1.0
X-Received: by 10.236.63.6 with SMTP id z6mr4386277yhc.65.1419868851150; Mon, 29 Dec 2014 08:00:51 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Mon, 29 Dec 2014 08:00:51 -0800 (PST)
Date: Mon, 29 Dec 2014 11:00:51 -0500
Message-ID: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/9r0aitNbXo4Vj4b3nlNtGMpgNqs
Subject: [saag] PSK considered helpful
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 16:00:55 -0000

Dear all,

The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
SSH, etc. From the documents it appears that the majority of effort is
in extracting configurations from routers that contain PSK keys, which
then permit the decryption of data.

There is no information on how the configurations are being extracted,
sadly, as the documents don't contain this detail.

I think the decision made in TLS 1.3 to use forward secure methods
exclusively ought to be emulated more broadly across the security
area. Would one BCP on this across everything make sense, or do we
have to do it one at a time?

Sincerely,
Watson


From nobody Mon Dec 29 09:57:37 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 104CA1A8A4D for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 09:57:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDSe0ZXC9ZaS for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 09:57:34 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80CE11A8A4C for <saag@ietf.org>; Mon, 29 Dec 2014 09:57:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 4E351BF2E; Mon, 29 Dec 2014 17:57:33 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70BIyJTNQiQc; Mon, 29 Dec 2014 17:57:31 +0000 (GMT)
Received: from [10.87.48.7] (unknown [86.46.21.173]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E6DEEBF37; Mon, 29 Dec 2014 17:57:30 +0000 (GMT)
Message-ID: <54A1960A.3010902@cs.tcd.ie>
Date: Mon, 29 Dec 2014 17:57:30 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, "saag@ietf.org" <saag@ietf.org>
References: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com>
In-Reply-To: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/_OgPePAhq_OAmEsZotIZLzgF2dk
Subject: Re: [saag] PSK considered helpful
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 17:57:36 -0000

On 29/12/14 16:00, Watson Ladd wrote:
> Dear all,
> 
> The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
> SSH, etc. From the documents it appears that the majority of effort is
> in extracting configurations from routers that contain PSK keys, which
> then permit the decryption of data.
> 
> There is no information on how the configurations are being extracted,
> sadly, as the documents don't contain this detail.

Yeah, pity about that. They do talk about mining config files
from routers in one of the files though, maybe that all starts
from admin/admin and builds from there, who knows;-)

I also haven't yet seen any info on how successful they claim
to be, e.g. with what probability would the "request key" call
give back a working key? The importance of this stuff would be
affected a lot by that I figure - if the probability is high
over all domains/VPNs then that'd be much worse than if the
probability was tiny for a randomly selected VPN.

> I think the decision made in TLS 1.3 to use forward secure methods
> exclusively ought to be emulated more broadly across the security
> area. Would one BCP on this across everything make sense, or do we
> have to do it one at a time?

A BCP could be useful yes, but protocols (such as TLS) are only
really revised when there's sufficient reason for that and enough
folks want to do the work. So even with a generic BCP, the actual
protocol specs still need to be done one at a time. Hopefully,
if there were a generic BCP that'd feed into each instance of that
work though.

I also suspect there'd be push-back on trying to entirely
deprecate PSK - it's arguably just too useful to drop fully.
So what might make for a good BCP is to recommend something more
like an opportunistic DH exchange with a PSK used to authenticate
that there's no MitM (i.e. the PSK is only for authentication
and never for confidentiality).

Lastly, we do already have bcp107 [1] though, so what you're after
could be an updated version of that maybe. That update might
require more work than just adding "prefer forward secrecy" though.
I've found that bcp107 hasn't been that useful a guide for folks
developing protocols and nor has it been that useful a stick for
beating them with either when protocol developers ignore key
management. That's maybe because it's too late in the process by
the time a SEC AD tries to use bcp107 as a stick. So updating
bcp107 might require a good bit of thought/work. (If someone does
feel they have the ability/interest/energy, ping Kathleen and I
I guess.)

Cheers,
S.

[1] https://tools.ietf.org/html/bcp107


> 
> Sincerely,
> Watson
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 
> 
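
The design sketched in the message above (an ephemeral DH exchange supplies the key, the PSK only authenticates it) set beside a session keyed directly from the PSK, as an added example that is not part of the thread or of any IETF specification. The toy group, the labels and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption), chosen only so the example runs with
# the standard library: p = 2**521 - 1 is prime. Anything real would use a
# standardised group or curve.
P = 2**521 - 1
G = 3


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used here both as MAC and as key-derivation function."""
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()


def int_bytes(n: int) -> bytes:
    return n.to_bytes(66, "big")  # 521 bits fit in 66 bytes


# --- Design A: the PSK itself is the keying material -------------------------
def psk_keyed_session(psk: bytes):
    """Two nonces cross the wire in clear; the key is PRF(psk, nonces)."""
    transcript = secrets.token_bytes(16) + secrets.token_bytes(16)
    return transcript, prf(psk, b"traffic", transcript)


def recompute_from_capture(psk: bytes, transcript: bytes) -> bytes:
    """What anyone holding the PSK and a recorded handshake can derive later."""
    return prf(psk, b"traffic", transcript)


# --- Design B: ephemeral DH, the PSK only authenticates the exchange ---------
class Peer:
    def __init__(self, role: bytes, psk: bytes):
        self.role, self.psk = role, psk
        self.x = secrets.randbelow(P - 3) + 2  # ephemeral exponent
        self.pub = pow(G, self.x, P)

    def tag(self, transcript: bytes) -> bytes:
        # MAC over both public values, bound to the sender's role.
        return prf(self.psk, b"auth-" + self.role, transcript)

    def finish(self, peer_role, peer_pub, peer_tag, transcript) -> bytes:
        if not 1 < peer_pub < P - 1:
            raise ValueError("degenerate DH value")
        expected = prf(self.psk, b"auth-" + peer_role, transcript)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("PSK authentication failed: possible MitM")
        shared = pow(peer_pub, self.x, P)
        self.x = None  # discard the exponent once the key is derived
        # The PSK is not an input here: the key depends on the DH secret only.
        return prf(int_bytes(shared), b"traffic", transcript)


def dh_session(psk: bytes):
    a, b = Peer(b"I", psk), Peer(b"R", psk)
    transcript = int_bytes(a.pub) + int_bytes(b.pub)
    tag_a, tag_b = a.tag(transcript), b.tag(transcript)
    key_a = a.finish(b"R", b.pub, tag_b, transcript)
    key_b = b.finish(b"I", a.pub, tag_a, transcript)
    return transcript, key_a, key_b


def mitm_without_psk(psk: bytes) -> bool:
    """Return True if the initiator rejects a substituted DH value.

    The interposing party does not know the PSK, so its tag is computed
    under a different key.
    """
    a = Peer(b"I", psk)
    mallory = Peer(b"R", secrets.token_bytes(32))
    seen_by_a = int_bytes(a.pub) + int_bytes(mallory.pub)
    try:
        a.finish(b"R", mallory.pub, mallory.tag(seen_by_a), seen_by_a)
    except ValueError:
        return True
    return False
```

In design B a PSK recovered from a configuration file after the fact does not yield the keys of sessions already recorded; it still lets its holder impersonate a peer in future handshakes, so the PSK remains a secret worth protecting.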


From nobody Mon Dec 29 10:41:27 2014
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37CC1A8AE8 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:41:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPXOZYLKzHBr for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:41:23 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A9C01A8AF7 for <saag@ietf.org>; Mon, 29 Dec 2014 10:41:22 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id B805A6D762; Mon, 29 Dec 2014 13:41:20 -0500 (EST)
Message-ID: <54A1A04F.6000803@iang.org>
Date: Mon, 29 Dec 2014 18:41:19 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: saag@ietf.org
References: <5494DDCD.6030504@cs.tcd.ie>
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/1aLdNyHOEauwx1fUZ_rrJ3eBY94
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 18:41:25 -0000

I have two observations speaking to the issue of the open source 
community and use of IETF standards.  I don't have solutions, just problems.

First of two:



1.  The never ending saga of secure browsing and website authentication: 
  It became obvious around about 2005 that phishing was rising and 
pillaging.  Browser vendors then could have done something about it, but 
did not.  This inaction requires answers.  One thing that they claimed 
stopped them doing anything was that they followed standards, and the 
standards weren't telling them anything different.

This brings up a whole host of issues for IETF as a standards org in the 
security area.

On investigation this claim appeared to have some merit.  Certainly, 
certain aspects appear true:  Vendors do follow standards and they won't 
for example listen to external agents on just anything [0].  Vendors 
have not typically employed what we might call security architects to 
actually work in this area (as opposed to security implementors) [1] 
thus confirming their intent to follow security standards and not do 
original security work [2].

Meanwhile, in contrast, some aspects are not true:  standards 
organisations do not believe that they tell vendors what to do. 
Standards would have not solved the phishing crisis because there wasn't 
in existence any standard that addressed the basic secure browsing 
flaw(s) which was the failure to identify a website not being secure, as 
it was an application failure not a TLS failure.

In short, I believe that in the case of phishing the vendors looked 
away, and standards gave them a convenient excuse to do that.

What could be done?  I think a minimum could have been for standards 
organisations to investigate such issues and state that it isn't their 
bailiwick.  Such a claim might have led to some valuable 
finger-pointing, and also some valuable rethinking.

In the latter vein, it is still not clear where the buck stops for 
secure browsing.  Who carries the liability for the user's losses, who's 
going to fix it, who's to blame?

Get any group of experts together and we can be sure of one thing:  "it 
isn't my problem."

This "whining & whinging" needs to be seen in the context of phishing 
rising up in the mid 2000s and industrialising the process to server 
hacking and so forth.  Billion dollar losses.  You only get to wear the 
badge of security if you're actually securing the users.





As I say, it's a problem to which I have no solution...

iang




[0]  In practice, no security vendor likes to listen to outsiders, as is 
seen with bug disclosures.  An oft-assumed mistake is to think that an 
open source vendor will listen to outsiders, but unfortunately this is 
not really true.
[1]  There is some evidence that one vendor is working at the security 
architecture level, but this is not the norm.
[2]  An unfortunate practice known as "best practices".

On 20/12/2014 02:24 am, Stephen Farrell wrote:
>
> Hiya,
>
> The IESG have recently been discussing how the IETF would
> work better with or for open-source communities. As part of
> that it'd be good to get some appreciation of which open
> source activities folks consider important (and why). And
> of course there are multiple directions here - e.g. where an
> IETF activity has fed directly into an open-source activity
> and the opposite where the IETF end up documenting something
> already done by some open-source community.
>
> As part of that analysis, an utterly reasonable question
> was asked: yeah, but which open-source things are important
> to IETF participants?
>
> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)
>
> BTW, those are deliberately open questions - answer in any
> way you like, (but pithily please:-) to the list or to
> Kathleen and I off-list if need be. (If we see a bunch of
> offlist answers, we'll summarise those back to the list.)
>
> And since this is really information-gathering, there's
> no need for us to disagree with one another on the list
> (but I expect we won't resist that specific temptation, as
> usual:-)
>
> Thanks,
> S.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


From nobody Mon Dec 29 10:41:56 2014
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D62E1A8AF5 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:41:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0BpV8thO7De for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:41:49 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BEE01A8AE8 for <saag@ietf.org>; Mon, 29 Dec 2014 10:41:48 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 15DA26D762; Mon, 29 Dec 2014 13:41:46 -0500 (EST)
Message-ID: <54A1A06A.7090501@iang.org>
Date: Mon, 29 Dec 2014 18:41:46 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: saag@ietf.org
References: <5494DDCD.6030504@cs.tcd.ie>
In-Reply-To: <5494DDCD.6030504@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/m5rCWo2pAthvViZc_3NjiQL2jOU
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 18:41:53 -0000

I have two observations speaking to the issue of the open source 
community and use of IETF standards.  I don't have answers, just 
problems.  Second:



2.  The second issue which is more squarely in IETF's domain is the 
issue of standards & versions deprecation.  In short, things like SSL v2 
should have been rolled over a long time ago.

Now, it is very easy to say it's someone else's problem.  But if it is 
SEPs, then it is hard for IETF to claim it delivers secure protocols in 
the first place.

In any WG there are vicious and protracted arguments about getting a 
protocol secure and state of the art right now.  So there is certainly a 
consensus that a security area WG delivers a secure protocol.

But once complete, the thing is thrown over the wall.  Then the 
inevitable happens:  that protocol goes through a security rotting 
process, whereby what we thought was secure one day becomes clumsy the 
next, bad the following, and inevitably a joke.  For example, SSL v2, 
v3, old short cipher suites, MD5, RC4, etc.

If it is the WG's responsibility to deliver a secure protocol today, 
whose responsibility is it to change things when time rots the security 
statement?



iang



On 20/12/2014 02:24 am, Stephen Farrell wrote:
>
> Hiya,
>
> The IESG have recently been discussing how the IETF would
> work better with or for open-source communities. As part of
> that it'd be good to get some appreciation of which open
> source activities folks consider important (and why). And
> of course there are multiple directions here - e.g. where an
> IETF activity has fed directly into an open-source activity
> and the opposite where the IETF end up documenting something
> already done by some open-source community.
>
> As part of that analysis, an utterly reasonable question
> was asked: yeah, but which open-source things are important
> to IETF participants?
>
> So, which bits of open-source do we in the security area
> of the IETF consider important and why? And what could
> we do better? (For any sensible definition of "we":-)
>
> BTW, those are deliberately open questions - answer in any
> way you like, (but pithily please:-) to the list or to
> Kathleen and I off-list if need be. (If we see a bunch of
> offlist answers, we'll summarise those back to the list.)
>
> And since this is really information-gathering, there's
> no need for us to disagree with one another on the list
> (but I expect we won't resist that specific temptation, as
> usual:-)
>
> Thanks,
> S.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


From nobody Mon Dec 29 10:58:03 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B4C1A8F4A for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:58:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7Gu_F2cwNqJ for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 10:57:57 -0800 (PST)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB6EC1A8F3D for <saag@ietf.org>; Mon, 29 Dec 2014 10:57:56 -0800 (PST)
Received: by mail-wg0-f46.google.com with SMTP id x13so19590066wgg.19 for <saag@ietf.org>; Mon, 29 Dec 2014 10:57:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yLz24C05fuK7YwOlBX8prTmhdQYUF5iYetP2J3gpQNY=; b=D8pwt57CR2oCkNpkul6QyE+gKMLc2qtml0nL1MGU8OyolPMu5SXYx2gkj7/F+OD3wv /Dg4qUq9gDs8AOuhb7il97j+Vm0TAVr7mz4zqY5+VFgnU3spuWTmoA5gUTu+ekNKHdP3 yKc05G47ExgtvuiqZ6kf65JZKyGEncsk1Z6FM+XHnUEp0ww1bTEIfOrxGrJzUpmi+I+S 1yTHNsEo7R+vSdQ8T3ntSZ+1OxLZod8IqtV2AtBOhbzjZbcGPF2VWU+zXzWiG0xErKYL aFKsOoSiKneav7p2iIhZwdywSD91rmPcGr7G1swtYWX6Nak6biguTh8lz+v+N8knT0dW IMdA==
X-Received: by 10.194.80.193 with SMTP id t1mr112052767wjx.8.1419879475732; Mon, 29 Dec 2014 10:57:55 -0800 (PST)
Received: from [192.168.1.104] (IGLD-84-228-227-214.inter.net.il. [84.228.227.214]) by mx.google.com with ESMTPSA id n8sm51011419wjx.0.2014.12.29.10.57.54 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 29 Dec 2014 10:57:55 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <54A1A04F.6000803@iang.org>
Date: Mon, 29 Dec 2014 20:57:53 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <5C16278D-004F-41E2-8AF4-8A207A78AD5D@gmail.com>
References: <5494DDCD.6030504@cs.tcd.ie> <54A1A04F.6000803@iang.org>
To: ianG <iang@iang.org>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/BcUSaQPik2qs4J4FNV2PivHbz1s
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 18:58:02 -0000

> On Dec 29, 2014, at 8:41 PM, ianG <iang@iang.org> wrote:
>
> 1.  The never ending saga of secure browsing and website
> authentication:  It became obvious around about 2005 that phishing was
> rising and pillaging.  Browser vendors then could have done something
> about it, but did not.

Really? What could they do?

People get an email. It says, "click this link, and enter your Paypal
credentials in the browser window." So they click the link (
https://l33t-hax0rz-R-us.com/phish.html&site=paypal ) and see a PayPal
logo. They proceed to fill in their credentials.

What can the browser vendors do against that?

Yoav



From nobody Mon Dec 29 11:06:56 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B667E1A9048 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 11:06:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TTX-64UwfvQ4 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 11:06:53 -0800 (PST)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CE881A9041 for <saag@ietf.org>; Mon, 29 Dec 2014 11:06:53 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id k14so19626973wgh.1 for <saag@ietf.org>; Mon, 29 Dec 2014 11:06:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=gd4fO1vE5Putr2EOdhCLOa3wt2Jl2AJGOLIgZPeWHQc=; b=UlGDLRKLEBMBbp5o7FPLdb2EyGziYwPJe6PZF7WU2VpoeK4ZbqQBGW3s0eLAYtFwUN CwH0dwCFNJTOm2VhHyU95LMjmz5CwsPVcNWdbZglEa7KIlq80Qysy48NBXA1QnhMFd/t qTW9M8gog+4t7K7htAtaY+fenVjn/cDSXpXgbcQzg/RNWclyEMIUMTHqVaMznlyiwTDs 9ADMhYfOo+tGcYLzE+TDuMnwQYLQvoPF4wQSPnb/yMsHJstrO9IHhzxZwVI2T0KR2oBA QMzDKCpbn6H+2FYEph8LeONjr3eHydr+rmbs9/WgnqZXT0sR5MR398vBmO+ojSS+Vmvq Fejw==
X-Received: by 10.180.107.195 with SMTP id he3mr95388885wib.44.1419880011881;  Mon, 29 Dec 2014 11:06:51 -0800 (PST)
Received: from [192.168.1.104] (IGLD-84-228-227-214.inter.net.il. [84.228.227.214]) by mx.google.com with ESMTPSA id q10sm41176112wjx.34.2014.12.29.11.06.50 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 29 Dec 2014 11:06:51 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <54A1A06A.7090501@iang.org>
Date: Mon, 29 Dec 2014 21:06:49 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D1A6D9D-57FE-406F-B846-736342B3FAD3@gmail.com>
References: <5494DDCD.6030504@cs.tcd.ie> <54A1A06A.7090501@iang.org>
To: ianG <iang@iang.org>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/lxXSkgh80AAZDs3L3Wz9HudlN5M
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 19:06:54 -0000

> On Dec 29, 2014, at 8:41 PM, ianG <iang@iang.org> wrote:
>
> I have two observations speaking to the issue of the open source
> community and use of IETF standards.  I don't have answers, just
> problems.  Second:
>
> 2.  The second issue which is more squarely in IETF's domain is the
> issue of standards & versions deprecation.  In short, things like SSL v2
> should have been rolled over a long time ago.
>
> Now, it is very easy to say it's someone else's problem.  But if it is
> SEPs, then it is hard for IETF to claim it delivers secure protocols in
> the first place.
>
> In any WG there are vicious and protracted arguments about getting a
> protocol secure and state of the art right now.  So there is certainly a
> consensus that a security area WG delivers a secure protocol.
>
> But once complete, the thing is thrown over the wall.  Then the
> inevitable happens:  that protocol goes through a security rotting
> process, whereby what we thought was secure one day becomes clumsy the
> next, bad the following, and inevitably a joke.  For example, SSL v2,
> v3, old short cipher suites, MD5, RC4, etc.
>
> If it is the WG's responsibility to deliver a secure protocol today,
> whose responsibility is it to change things when time rots the security
> statement?

Hi, Ian

To me this is similar to the Y2K problem. In the 1970s nobody believed
that the software they were writing was going to still be used at the
turn of the century. Turns out they were writing some pretty good stuff.
The same is true today. Older OpenSSL versions, ancient Windows
versions, they’re all around. In the 90s people replaced computers
every 2-3 years. These days a 5 or 7 year old computer, even a server,
is quite usable, and it’s probably running the software that it
shipped with.

So if you’re providing a service for such computers, you have to keep
compatibility with them. You can’t deploy today a server that won’t
work with 7-year-old computers. So if seven years ago it made sense to
ship a client that offered SSLv2, it’s problematic to ship a server
today that will balk at an SSLv2 ClientHello.  It was easier in the
90s. By about 1997 you could ignore Windows 3.1 machines. By 2000 you
could ignore Windows 95. That’s not true anymore. And this is an issue
that the IETF can’t fix. The vendors could fix it if they could
guarantee free and trouble-free software upgrades. They can’t.

Yoav


From nobody Mon Dec 29 11:28:25 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3C2B1A90F6 for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 11:28:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level: 
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLidByPItr9C for <saag@ietfa.amsl.com>; Mon, 29 Dec 2014 11:28:23 -0800 (PST)
Received: from homiemail-a113.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id E54201A90C9 for <saag@ietf.org>; Mon, 29 Dec 2014 11:28:23 -0800 (PST)
Received: from homiemail-a113.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a113.g.dreamhost.com (Postfix) with ESMTP id 70A8720058D84; Mon, 29 Dec 2014 11:28:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=r3L8blkW2Pqc6l c/zFUs7edD8dI=; b=uqdHtZaGkzj8bTOC864xdK/3mwuZ5lt/deIRfvSkY4HaV4 YXXIP4ZIsFdcOlX+dModFHN+7oX0YIvVePOZ0NXsn4YCCVrBUS9x4Rl9VD0pnZCO Gd55GC+jD7ctivStB+bJGY3+IjnPIHeJodDT8LhFzwdKyzXE800f9qrXgvljs=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a113.g.dreamhost.com (Postfix) with ESMTPA id 2F90B20058D82; Mon, 29 Dec 2014 11:28:23 -0800 (PST)
Date: Mon, 29 Dec 2014 13:28:22 -0600
From: Nico Williams <nico@cryptonector.com>
To: ianG <iang@iang.org>
Message-ID: <20141229192817.GE24442@localhost>
References: <5494DDCD.6030504@cs.tcd.ie> <54A1A04F.6000803@iang.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <54A1A04F.6000803@iang.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/qOutPNOK8Dul8S08Drzm_dYT1Aw
Cc: saag@ietf.org
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 19:28:25 -0000

On Mon, Dec 29, 2014 at 06:41:19PM +0000, ianG wrote:
> I have two observations speaking to the issue of the open source
> community and use of IETF standards.  I don't have solutions, just
> problems.
> 
> First of two:
> 
> 1.  The never ending saga of secure browsing and website
> authentication:  It became obvious around about 2005 that phishing
> was rising and pillaging.  Browser vendors then could have done
> something about it, but did not.  This inaction requires answers.

An assertion like this requires backup.  There have certainly been
attempts to address phishing.  I've attended one W3C workshop on the
matter (IDBROWSER); I presented there.  I recall many presentations were
made over several days.  I believe there have been other workshops I've
not attended.  There was some activity here in the IETF as well (look up
Sam Hartman's I-Ds, for example; Sam also presented at IDBROWSER).

Perhaps there is an underlying problem that we can't really solve
technologically: humans are easy prey for con artists.  We can only make
some attacks harder (e.g., confusables), but we can't really prevent
them.

There are other reasons for apparent slow movement.  But you're hot on
the trail here, so let's let you investigate them.

> One thing that they claimed stopped them doing anything was that
> they followed standards, and the standards weren't telling them
> anything different.

Got a link for this "they claimed" thing?  I'd like to read that.

> This brings up a whole host of issues for IETF as a standards org in
> the security area.

It probably would, yes.

> On investigation this claim appeared to have some merit.  Certainly,

You've investigated!  Great!  Please let us see your work.

> certain aspects appear true:  Vendors do follow standards and they
> won't for example listen to external agents on just anything [0].
> Vendors have not typically employed what we might call security
> architects to actually work in this area (as opposed to security
> implementors) [1] thus confirming their intent to follow security
> standards and not do original security work [2].

Footnotes!  Excellent!1!!  I'm looking forward to seeing some references
there for your investigation.

> [...skipping to the references...]
> 
> [0]  In practice, no security vendor likes to listen to outsiders,
> as is seen with bug disclosures.  An oft-assumed mistake is to think
> that an open source vendor will listen to outsiders, but
> unfortunately this is not really true.
> [1]  There is some evidence that one vendor is working at the
> security architecture level, but this is not the norm.
> [2]  An unfortunate practice known as "best practices".

Oh, wait, no.  There's no actual references here.  That's a bit of a
let-down, eh.

Nico
-- 


From nobody Mon Dec 29 22:38:05 2014
Return-Path: <jan.pechanec@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A4ED1A1F1D; Mon, 29 Dec 2014 22:37:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTFmoCvcrgXl; Mon, 29 Dec 2014 22:37:54 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 294051A0AF1; Mon, 29 Dec 2014 22:37:54 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBU6bneS018197 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 30 Dec 2014 06:37:50 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBU6bmJG003374 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 30 Dec 2014 06:37:49 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBU6bm6p003371; Tue, 30 Dec 2014 06:37:48 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 29 Dec 2014 22:37:48 -0800
Date: Mon, 29 Dec 2014 22:37:46 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com>
Message-ID: <alpine.GSO.2.00.1412292234010.1509@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-1635017012-1419921468=:1509"
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/HDkaZ4NiB8YkIwq4UNYtokbGnoE
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, "ietf@ietf.org" <ietf@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 06:37:58 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-1635017012-1419921468=:1509
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 19 Dec 2014, Nico Williams wrote:

>One thing I just noticed is that you allow Unicode.  You might want to
>reference RFC3987 (IRIs), for, e.g., advice as to normalization.

	hi Nico, that's a good point.  I've added a note there (plus 
an entry to the References section):

--- draft-pechanec-pkcs11uri-17-v5.txt	2014-12-29 21:46:05.000000000 -0800
+++ draft-pechanec-pkcs11uri-17-v6.txt	2014-12-29 22:32:16.000000000 -0800
@@ -193,10 +193,13 @@
    characters in the unreserved set or to permitted characters from the
    reserved set should be percent-encoded.  This specification suggests
    one allowable exception to that rule for the "id" attribute, as
-   stated later in this section.  Grammar rules "unreserved" and "pct-
-   encoded" in the PKCS#11 URI specification below are imported from
-   [RFC3986].  As a special case, note that according to Appendix A of
-   [RFC3986], a space must be percent-encoded.
+   stated later in this section.  Note that if a URI does carry
+   characters outside of the ASCII character set a conversion to an
+   Internationalized Resource Identifier (IRI) defined in [RFC3987] may
+   be considered.  Grammar rules "unreserved" and "pct-encoded" in the
+   PKCS#11 URI specification below are imported from [RFC3986].  As a
+   special case, note that according to Appendix A of [RFC3986], a space
+   must be percent-encoded.

    The PKCS#11 specification imposes various limitations on the value of
    attributes, be it a more restrictive character set for the "serial"
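
Review bot: The added sentence ("Note that if a URI does carry characters outside of the ASCII character set ...") conflicts with the unchanged text just above it. That text has the data encoded as UTF-8 octets, with every octet outside the unreserved set and the permitted reserved characters percent-encoded, so a URI built by that rule is already pure ASCII. Suggest rewording so the note applies to the attribute values before encoding (or to a presentation form of the URI) rather than to the URI itself. The text should also say what [RFC3987] is cited for: the comment that prompted this change asked for a pointer to normalization advice, and the new wording never mentions normalization. Two smaller points: a comma is missing after "character set", and "may be considered" does not tell an implementer whether any action is expected.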

	latest working version of draft 17 (v6) is attached.

	thank you, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-1635017012-1419921468=:1509
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=draft-pechanec-pkcs11uri-17-v6.txt
Content-Transfer-Encoding: BASE64
Content-ID: <alpine.GSO.2.00.1412292237460.1509@keflavik>
Content-Description: 
Content-Disposition: attachment; filename=draft-pechanec-pkcs11uri-17-v6.txt

aCAgICAgPSAibW9kdWxlLXBhdGgiICI9IiAqcGsxMS1xY2hhcg0KICBwazEx
LXYtYXR0ci1ubS1jaGFyICA9IEFMUEhBIC8gRElHSVQgLyAiLSIgLyAiXyIN
CiAgOyBQZXJtaXR0ZWQgdmFsdWUgb2YgYSB2ZW5kb3Igc3BlY2lmaWMgYXR0
cmlidXRlIGlzIGJhc2VkIG9uDQogIDsgd2hldGhlciB0aGUgYXR0cmlidXRl
IGlzIHVzZWQgaW4gdGhlIHBhdGggb3IgaW4gdGhlIHF1ZXJ5Lg0KICBwazEx
LXYtcGF0dHIgICAgICAgICA9IDEqcGsxMS12LWF0dHItbm0tY2hhciAiPSIg
KnBrMTEtcGNoYXINCiAgcGsxMS12LXFhdHRyICAgICAgICAgPSAxKnBrMTEt
di1hdHRyLW5tLWNoYXIgIj0iICpwazExLXFjaGFyDQoNCg0KDQpQZWNoYW5l
YyAmIE1vZmZhdCAgICAgICAgIEV4cGlyZXMgSnVseSAyLCAyMDE1ICAgICAg
ICAgICAgICAgICAgW1BhZ2UgNV0NCgwNCkludGVybmV0LURyYWZ0ICAgICAg
ICAgICBUaGUgUEtDUyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1i
ZXIgMjAxNA0KDQoNCiAgIFRoZSBVUkkgcGF0aCBjb21wb25lbnQgY29udGFp
bnMgYXR0cmlidXRlcyB0aGF0IGlkZW50aWZ5IGEgcmVzb3VyY2UNCiAgIGlu
IGEgb25lIGxldmVsIGhpZXJhcmNoeSBwcm92aWRlZCBieSBDcnlwdG9raSBw
cm9kdWNlcnMuICBUaGUgcXVlcnkNCiAgIGNvbXBvbmVudCBjYW4gY29udGFp
biBhIGZldyBhdHRyaWJ1dGVzIHRoYXQgbWF5IGJlIG5lZWRlZCB0byByZXRy
aWV2ZQ0KICAgdGhlIHJlc291cmNlIGlkZW50aWZpZWQgYnkgdGhlIFVSSSBw
YXRoLiAgQXR0cmlidXRlcyBpbiB0aGUgcGF0aA0KICAgY29tcG9uZW50IGFy
ZSBkZWxpbWl0ZWQgYnkgJzsnIGNoYXJhY3RlciwgYXR0cmlidXRlcyBpbiB0
aGUgcXVlcnkNCiAgIGNvbXBvbmVudCB1c2UgJyYnIGFzIGEgZGVsaW1pdGVy
Lg0KDQogICBCb3RoIHBhdGggYW5kIHF1ZXJ5IGNvbXBvbmVudHMgbWF5IGNv
bnRhaW4gdmVuZG9yIHNwZWNpZmljDQogICBhdHRyaWJ1dGVzLiAgU3VjaCBh
dHRyaWJ1dGUgbmFtZXMgTVVTVCBOT1QgY2xhc2ggd2l0aCBleGlzdGluZw0K
ICAgYXR0cmlidXRlIG5hbWVzLiAgTm90ZSB0aGF0IGluIGFjY29yZGFuY2Ug
d2l0aCBbQkNQMTc4XSwgcHJldmlvdXNseQ0KICAgdXNlZCBjb252ZW50aW9u
IG9mIHN0YXJ0aW5nIHZlbmRvciBhdHRyaWJ1dGVzIHdpdGggYW4gIngtIiBw
cmVmaXggaXMNCiAgIG5vdyBkZXByaWNhdGVkLg0KDQogICBUaGUgZ2VuZXJh
bCAnLycgZGVsaW1pdGVyIE1VU1QgYmUgcGVyY2VudC1lbmNvZGVkIGluIHRo
ZSBwYXRoDQogICBjb21wb25lbnQgc28gdGhhdCBnZW5lcmljIFVSSSBwYXJz
ZXJzIG5ldmVyIHNwbGl0IHRoZSBwYXRoIGNvbXBvbmVudA0KICAgaW50byBt
dWx0aXBsZSBzZWdtZW50cy4gIEl0IE1BWSBiZSB1bmVuY29kZWQgaW4gdGhl
IHF1ZXJ5IGNvbXBvbmVudC4NCiAgIERlbGltaXRlciAnPycgIE1VU1QgYmUg
cGVyY2VudC1lbmNvZGVkIGluIHRoZSBwYXRoIGNvbXBvbmVudCBzaW5jZQ0K
ICAgdGhlIFBLQ1MjMTEgVVJJIHVzZXMgYSBxdWVyeSBjb21wb25lbnQuICBE
ZWxpbWl0ZXIgJyMnIE1VU1QgYmUgYWx3YXlzDQogICBwZXJjZW50LWVuY29k
ZWQgc28gdGhhdCBnZW5lcmljIFVSSSBwYXJzZXJzIGRvIG5vdCB0cmVhdCBh
IGhhc2ggYXMgYQ0KICAgYmVnaW5uaW5nIG9mIGEgZnJhZ21lbnQgaWRlbnRp
ZmllciBjb21wb25lbnQuICBBbGwgb3RoZXIgZ2VuZXJpYw0KICAgZGVsaW1p
dGVycyBNQVkgYmUgdXNlZCB1bmVuY29kZWQgKCc6JywgJ1snLCAnXScsIGFu
ZCAnQCcpIGluIHRoZQ0KICAgUEtDUyMxMSBVUkkuDQoNCiAgIFRoZSBmb2xs
b3dpbmcgdGFibGUgcHJlc2VudHMgbWFwcGluZyBiZXR3ZWVuIHRoZSBQS0NT
IzExIFVSSSBwYXRoDQogICBjb21wb25lbnQgYXR0cmlidXRlcyBhbmQgdGhl
IFBLQ1MjMTEgQVBJIHN0cnVjdHVyZSBtZW1iZXJzIGFuZCBvYmplY3QNCiAg
IGF0dHJpYnV0ZXMuICBHaXZlbiB0aGF0IFBLQ1MjMTEgVVJJIHVzZXJzIG1h
eSBiZSBxdWl0ZSBpZ25vcmFudCBhYm91dA0KICAgdGhlIFBLQ1MjMTEgc3Bl
Y2lmaWNhdGlvbiB0aGUgbWFwcGluZyBpcyBhIHByb2R1Y3Qgb2YgYSBuZWNl
c3NhcnkNCiAgIGNvbXByb21pc2UgYmV0d2VlbiBob3cgcHJlY2lzZWx5IGFy
ZSB0aGUgVVJJIGF0dHJpYnV0ZSBuYW1lcyBtYXBwZWQNCiAgIHRvIHRoZSBu
YW1lcyBpbiB0aGUgc3BlY2lmaWNhdGlvbiBhbmQgdGhlIGVhc2Ugb2YgdXNl
IGFuZA0KICAgdW5kZXJzdGFuZGluZyBvZiB0aGUgVVJJIHNjaGVtZS4NCg0K
ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rDQogICB8IFVSSSBjb21wb25l
bnQgcGF0aCAgIHwgQXR0cmlidXRlICAgICAgICAgICB8IEF0dHJpYnV0ZSAg
ICAgICAgICAgIHwNCiAgIHwgYXR0cmlidXRlIG5hbWUgICAgICAgfCByZXBy
ZXNlbnRzICAgICAgICAgIHwgY29ycmVzcG9uZHMgaW4gdGhlICAgfA0KICAg
fCAgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAg
fCBQS0NTIzExICAgICAgICAgICAgICB8DQogICB8ICAgICAgICAgICAgICAg
ICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8IHNwZWNpZmljYXRpb24g
dG8gICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAgfCAg
ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgfCAg
ICAgICAgICAgICAgICAgICAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSsNCiAgIHwgaWQgICAgICAgICAgICAgICAgICAgfCBrZXkgaWRlbnRp
ZmllciBmb3IgIHwgIkNLQV9JRCIgb2JqZWN0ICAgICAgfA0KICAgfCAgICAg
ICAgICAgICAgICAgICAgICB8IG9iamVjdCAgICAgICAgICAgICAgfCBhdHRy
aWJ1dGUgICAgICAgICAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LSsNCiAgIHwgbGlicmFyeS1kZXNjcmlwdGlvbiAgfCBjaGFyYWN0ZXItc3Ry
aW5nICAgIHwgImxpYnJhcnlEZXNjcmlwdGlvbiIgfA0KICAgfCAgICAgICAg
ICAgICAgICAgICAgICB8IGRlc2NyaXB0aW9uIG9mIHRoZSAgfCBtZW1iZXIg
b2YgQ0tfSU5GTyAgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwg
bGlicmFyeSAgICAgICAgICAgICB8IHN0cnVjdHVyZSAgICAgICAgICAgIHwN
CiAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0t
LS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAgfCBsaWJyYXJ5LW1h
bnVmYWN0dXJlciB8IElEIG9mIHRoZSBDcnlwdG9raSAgfCAibWFudWZhY3R1
cmVySUQiICAgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgbGli
cmFyeSAgICAgICAgICAgICB8IG1lbWJlciBvZiB0aGUgICAgICAgIHwNCg0K
DQoNClBlY2hhbmVjICYgTW9mZmF0ICAgICAgICAgRXhwaXJlcyBKdWx5IDIs
IDIwMTUgICAgICAgICAgICAgICAgICBbUGFnZSA2XQ0KDA0KSW50ZXJuZXQt
RHJhZnQgICAgICAgICAgIFRoZSBQS0NTIzExIFVSSSBTY2hlbWUgICAgICAg
ICAgICBEZWNlbWJlciAyMDE0DQoNCg0KICAgfCAgICAgICAgICAgICAgICAg
ICAgICB8IG1hbnVmYWN0dXJlciAgICAgICAgfCBDS19JTkZPIHN0cnVjdHVy
ZSAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0t
LS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsNCiAgIHwgbGli
cmFyeS12ZXJzaW9uICAgICAgfCBDcnlwdG9raSBsaWJyYXJ5ICAgIHwgImxp
YnJhcnlWZXJzaW9uIiAgICAgfA0KICAgfCAgICAgICAgICAgICAgICAgICAg
ICB8IHZlcnNpb24gbnVtYmVyICAgICAgfCBtZW1iZXIgb2YgQ0tfSU5GTyAg
ICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg
ICAgICAgICB8IHN0cnVjdHVyZSAgICAgICAgICAgIHwNCiAgICstLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKw0KICAgfCBtYW51ZmFjdHVyZXIgICAgICAgICB8
IElEIG9mIHRoZSB0b2tlbiAgICAgfCAibWFudWZhY3R1cmVySUQiICAgICB8
DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgbWFudWZhY3R1cmVyICAg
ICAgICB8IG1lbWJlciBvZiAgICAgICAgICAgIHwNCiAgIHwgICAgICAgICAg
ICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgIHwgQ0tfVE9LRU5f
SU5GTyAgICAgICAgfA0KICAgfCAgICAgICAgICAgICAgICAgICAgICB8ICAg
ICAgICAgICAgICAgICAgICAgfCBzdHJ1Y3R1cmUgICAgICAgICAgICB8DQog
ICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0t
LS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsNCiAgIHwgbW9kZWwgICAgICAg
ICAgICAgICAgfCB0b2tlbiBtb2RlbCAgICAgICAgIHwgIm1vZGVsIiBtZW1i
ZXIgb2YgICAgfA0KICAgfCAgICAgICAgICAgICAgICAgICAgICB8ICAgICAg
ICAgICAgICAgICAgICAgfCBDS19UT0tFTl9JTkZPICAgICAgICB8DQogICB8
ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8
IHN0cnVjdHVyZSAgICAgICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0t
LS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0t
LS0tLS0tKw0KICAgfCBvYmplY3QgICAgICAgICAgICAgICB8IGRlc2NyaXB0
aW9uIChuYW1lKSAgfCAiQ0tBX0xBQkVMIiBvYmplY3QgICB8DQogICB8ICAg
ICAgICAgICAgICAgICAgICAgIHwgb2YgdGhlIG9iamVjdCAgICAgICB8IGF0
dHJpYnV0ZSAgICAgICAgICAgIHwNCiAgICstLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0t
LS0tKw0KICAgfCBzZXJpYWwgICAgICAgICAgICAgICB8IGNoYXJhY3Rlci1z
dHJpbmcgICAgfCAic2VyaWFsTnVtYmVyIiAgICAgICB8DQogICB8ICAgICAg
ICAgICAgICAgICAgICAgIHwgc2VyaWFsIG51bWJlciBvZiAgICB8IG1lbWJl
ciBvZiAgICAgICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAg
fCB0aGUgdG9rZW4gICAgICAgICAgIHwgQ0tfVE9LRU5fSU5GTyAgICAgICAg
fA0KICAgfCAgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAg
ICAgICAgfCBzdHJ1Y3R1cmUgICAgICAgICAgICB8DQogICArLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLSsNCiAgIHwgc2xvdC1kZXNjcmlwdGlvbiAgICAgfCBz
bG90IGRlc2NyaXB0aW9uICAgIHwgInNsb3REZXNjcmlwdGlvbiIgICAgfA0K
ICAgfCAgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAg
ICAgfCBtZW1iZXIgb2YgICAgICAgICAgICB8DQogICB8ICAgICAgICAgICAg
ICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8IENLX1NMT1RfSU5G
TyAgICAgICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCAgICAg
ICAgICAgICAgICAgICAgIHwgc3RydWN0dXJlICAgICAgICAgICAgfA0KICAg
Ky0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0t
Ky0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rDQogICB8IHNsb3QtaWQgICAgICAg
ICAgICAgIHwgQ3J5cHRva2ktYXNzaWduZWQgICB8IGRlY2ltYWwgbnVtYmVy
IG9mICAgIHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCB2YWx1ZSB0
aGF0ICAgICAgICAgIHwgIkNLX1NMT1RfSUQiIHR5cGUgICAgfA0KICAgfCAg
ICAgICAgICAgICAgICAgICAgICB8IGlkZW50aWZpZXMgYSBzbG90ICAgfCAg
ICAgICAgICAgICAgICAgICAgICB8DQogICArLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLSsNCiAgIHwgc2xvdC1tYW51ZmFjdHVyZXIgICAgfCBJRCBvZiB0aGUg
c2xvdCAgICAgIHwgIm1hbnVmYWN0dXJlcklEIiAgICAgfA0KICAgfCAgICAg
ICAgICAgICAgICAgICAgICB8IG1hbnVmYWN0dXJlciAgICAgICAgfCBtZW1i
ZXIgb2YgICAgICAgICAgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAg
IHwgICAgICAgICAgICAgICAgICAgICB8IENLX1NMT1RfSU5GTyAgICAgICAg
IHwNCiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAg
ICAgICAgIHwgc3RydWN0dXJlICAgICAgICAgICAgfA0KICAgKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0rDQogICB8IHRva2VuICAgICAgICAgICAgICAgIHwg
YXBwbGljYXRpb24tZGVmaW5lZCB8ICJsYWJlbCIgbWVtYmVyIG9mICAgIHwN
CiAgIHwgICAgICAgICAgICAgICAgICAgICAgfCBsYWJlbCwgYXNzaWduZWQg
ICAgIHwgdGhlIENLX1RPS0VOX0lORk8gICAgfA0KICAgfCAgICAgICAgICAg
ICAgICAgICAgICB8IGR1cmluZyB0b2tlbiAgICAgICAgfCBzdHJ1Y3R1cmUg
ICAgICAgICAgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgaW5p
dGlhbGl6YXRpb24gICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwNCiAg
ICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0t
LSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KICAgfCB0eXBlICAgICAgICAg
ICAgICAgICB8IG9iamVjdCBjbGFzcyAodHlwZSkgfCAiQ0tBX0NMQVNTIiBv
YmplY3QgICB8DQogICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAg
ICAgICAgICAgICAgICB8IGF0dHJpYnV0ZSAgICAgICAgICAgIHwNCiAgICst
LS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLSst
LS0tLS0tLS0tLS0tLS0tLS0tLS0tKw0KDQogICAgVGFibGUgMTogTWFwcGlu
ZyBiZXR3ZWVuIFVSSSBwYXRoIGNvbXBvbmVudCBhdHRyaWJ1dGVzIGFuZCBQ
S0NTIzExDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgc3BlY2lmaWNh
dGlvbiBuYW1lcw0KDQoNCg0KUGVjaGFuZWMgJiBNb2ZmYXQgICAgICAgICBF
eHBpcmVzIEp1bHkgMiwgMjAxNSAgICAgICAgICAgICAgICAgIFtQYWdlIDdd
DQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgVGhlIFBLQ1MjMTEgVVJJ
IFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVyIDIwMTQNCg0KDQogICBUaGUg
cXVlcnkgY29tcG9uZW50IGF0dHJpYnV0ZSAicGluLXNvdXJjZSIgc3BlY2lm
aWVzIHdoZXJlIHRoZQ0KICAgYXBwbGljYXRpb24gb3IgbGlicmFyeSBzaG91
bGQgZmluZCB0aGUgbm9ybWFsIHVzZXIncyB0b2tlbiBQSU4sIHRoZQ0KICAg
InBpbi12YWx1ZSIgYXR0cmlidXRlIHByb3ZpZGVzIHRoZSBub3JtYWwgdXNl
cidzIFBJTiB2YWx1ZSBkaXJlY3RseSwNCiAgIGlmIG5lZWRlZCwgYW5kIHRo
ZSAibW9kdWxlLW5hbWUiIGFuZCAibW9kdWxlLXBhdGgiIGF0dHJpYnV0ZXMg
bW9kaWZ5DQogICBkZWZhdWx0IHNldHRpbmdzIGZvciBhY2Nlc3NpbmcgUEtD
UyMxMSBwcm92aWRlcnMuICBGb3IgdGhlIGRlZmluaXRpb24NCiAgIG9mIGEg
Im5vcm1hbCB1c2VyIiwgc2VlIFtwa2NzMTFfc3BlY10uDQoNCiAgIFRoZSBB
Qk5GIHJ1bGVzIGFib3ZlIGlzIGEgYmVzdCBlZmZvcnQgZGVmaW5pdGlvbiBh
bmQgdGhpcyBwYXJhZ3JhcGgNCiAgIHNwZWNpZmllcyBhZGRpdGlvbmFsIGNv
bnN0cmFpbnRzLiAgVGhlIFBLQ1MjMTEgVVJJIE1VU1QgTk9UIGNvbnRhaW4N
CiAgIGR1cGxpY2F0ZSBhdHRyaWJ1dGVzIG9mIHRoZSBzYW1lIG5hbWUgaW4g
dGhlIFVSSSBwYXRoIGNvbXBvbmVudC4gIEl0DQogICBtZWFucyB0aGF0IGVh
Y2ggYXR0cmlidXRlIG1heSBiZSBwcmVzZW50IGF0IG1vc3Qgb25jZSBpbiB0
aGUgUEtDUyMxMQ0KICAgVVJJIHBhdGguICBBc2lkZSBmcm9tIHRoZSBxdWVy
eSBhdHRyaWJ1dGVzIGRlZmluZWQgaW4gdGhpcyBkb2N1bWVudCwNCiAgIGR1
cGxpY2F0ZSAodmVuZG9yKSBhdHRyaWJ1dGVzIE1BWSBiZSBwcmVzZW50IGlu
IHRoZSBVUkkgcXVlcnkNCiAgIGNvbXBvbmVudCBhbmQgaXQgaXMgdXAgdG8g
dGhlIFVSSSBjb25zdW1lciB0byBkZWNpZGUgb24gaG93IHRvIGRlYWwNCiAg
IHdpdGggc3VjaCBkdXBsaWNhdGVzLg0KDQogICBUaGUgd2hvbGUgdmFsdWUg
b2YgdGhlICJpZCIgYXR0cmlidXRlIFNIT1VMRCBiZSBwZXJjZW50LWVuY29k
ZWQgc2luY2UNCiAgIGl0IGlzIHN1cHBvc2VkIHRvIGJlIGhhbmRsZWQgYXMg
YXJiaXRyYXJ5IGJpbmFyeSBkYXRhLg0KDQogICBUaGUgImxpYnJhcnktdmVy
c2lvbiIgYXR0cmlidXRlIHJlcHJlc2VudHMgdGhlIG1ham9yIGFuZCBtaW5v
cg0KICAgdmVyc2lvbiBudW1iZXIgb2YgdGhlIGxpYnJhcnkgYW5kIGl0cyBm
b3JtYXQgaXMgIk0uTiIuICBCb3RoIG51bWJlcnMNCiAgIGFyZSBvbmUgYnl0
ZSBpbiBzaXplLCBzZWUgdGhlICJsaWJyYXJ5VmVyc2lvbiIgbWVtYmVyIG9m
IHRoZSBDS19JTkZPDQogICBzdHJ1Y3R1cmUgaW4gW3BrY3MxMV9zcGVjXSBm
b3IgbW9yZSBpbmZvcm1hdGlvbi4gIFZhbHVlICJNIiBmb3IgdGhlDQogICBh
dHRyaWJ1dGUgTVVTVCBiZSBpbnRlcnByZXRlZCBhcyAiTSIgZm9yIHRoZSBt
YWpvciBhbmQgIjAiIGZvciB0aGUNCiAgIG1pbm9yIHZlcnNpb24gb2YgdGhl
IGxpYnJhcnkuICBJZiB0aGUgYXR0cmlidXRlIGlzIHByZXNlbnQgdGhlIG1h
am9yDQogICB2ZXJzaW9uIG51bWJlciBpcyBSRVFVSVJFRC4gIEJvdGggIk0i
IGFuZCAiTiIgTVVTVCBiZSBkZWNpbWFsDQogICBudW1iZXJzLg0KDQogICBT
bG90IElEIGlzIGEgQ3J5cHRva2ktYXNzaWduZWQgbnVtYmVyIHRoYXQgaXMg
bm90IGd1YXJhbnRlZWQgc3RhYmxlDQogICBhY3Jvc3MgUEtDUyMxMSBtb2R1
bGUgaW5pdGlhbGl6YXRpb25zLiAgSG93ZXZlciwgdGhlcmUgYXJlIGNlcnRh
aW4NCiAgIGxpYnJhcmllcyBhbmQgbW9kdWxlcyB3aGljaCBwcm92aWRlIHN0
YWJsZSBzbG90IGlkZW50aWZpZXJzLiAgRm9yDQogICB0aGVzZSBjYXNlcywg
d2hlbiB0aGUgc2xvdCBkZXNjcmlwdGlvbiBhbmQgbWFudWZhY3R1cmVyIElE
IGlzIG5vdA0KICAgc3VmZmljaWVudCB0byB1bmlxdWVseSBpZGVudGlmeSBh
IHNwZWNpZmljIHJlYWRlciwgdGhlIHNsb3QgSUQgTUFZIGJlDQogICB1c2Vk
IHRvIGluY3JlYXNlIHRoZSBwcmVjaXNpb24gb2YgdGhlIHRva2VuIGlkZW50
aWZpY2F0aW9uLiAgSW4gb3RoZXINCiAgIHNjZW5hcmlvcywgdXNpbmcgdGhl
IHNsb3QgSURzIGlzIGxpa2VseSB0byBjYXVzZSB1c2FiaWxpdHkgaXNzdWVz
Lg0KDQogICBBbiBlbXB0eSBQS0NTIzExIFVSSSBwYXRoIGF0dHJpYnV0ZSB0
aGF0IGRvZXMgYWxsb3cgZm9yIGFuIGVtcHR5DQogICB2YWx1ZSBtYXRjaGVz
IGEgY29ycmVzcG9uZGluZyBzdHJ1Y3R1cmUgbWVtYmVyIG9yIGFuIG9iamVj
dCBhdHRyaWJ1dGUNCiAgIHdpdGggYW4gZW1wdHkgdmFsdWUuICBOb3RlIHRo
YXQgYWNjb3JkaW5nIHRvIHRoZSBQS0NTIzExDQogICBzcGVjaWZpY2F0aW9u
IFtwa2NzMTFfc3BlY10sIGVtcHR5IGNoYXJhY3RlciB2YWx1ZXMgaW4gYSBQ
S0NTIzExIEFQSQ0KICAgcHJvZHVjZXIgbXVzdCBiZSBwYWRkZWQgd2l0aCBz
cGFjZXMgYW5kIHNob3VsZCBub3QgYmUgTlVMTA0KICAgdGVybWluYXRlZC4N
Cg0KMy40LiAgUEtDUyMxMSBVUkkgU2NoZW1lIFF1ZXJ5IEF0dHJpYnV0ZSBT
ZW1hbnRpY3MNCg0KICAgQW4gYXBwbGljYXRpb24gTUFZIGFsd2F5cyBhc2sg
Zm9yIGEgUElOIGJ5IGFueSBtZWFucyBpdCBkZWNpZGVzIHRvLg0KICAgV2hh
dCBpcyBtb3JlLCBpbiBvcmRlciBub3QgdG8gbGltaXQgUEtDUyMxMSBVUkkg
cG9ydGFiaWxpdHkgdGhlICJwaW4tDQogICBzb3VyY2UiIGF0dHJpYnV0ZSB2
YWx1ZSBmb3JtYXQgYW5kIGludGVycHJldGF0aW9uIGlzIGxlZnQgdG8gYmUN
Cg0KDQoNClBlY2hhbmVjICYgTW9mZmF0ICAgICAgICAgRXhwaXJlcyBKdWx5
IDIsIDIwMTUgICAgICAgICAgICAgICAgICBbUGFnZSA4XQ0KDA0KSW50ZXJu
ZXQtRHJhZnQgICAgICAgICAgIFRoZSBQS0NTIzExIFVSSSBTY2hlbWUgICAg
ICAgICAgICBEZWNlbWJlciAyMDE0DQoNCg0KICAgaW1wbGVtZW50YXRpb24g
c3BlY2lmaWMuICBIb3dldmVyLCB0aGUgZm9sbG93aW5nIHJ1bGVzIFNIT1VM
RCBiZQ0KICAgZm9sbG93ZWQgaW4gZGVzY2VuZGluZyBvcmRlciBmb3IgdGhl
IHZhbHVlIG9mIHRoZSAicGluLXNvdXJjZSINCiAgIGF0dHJpYnV0ZToNCg0K
ICAgbyAgaWYgdGhlIHZhbHVlIHJlcHJlc2VudHMgYSBsb2NhbCBhYnNvbHV0
ZSBwYXRoIHRoZSBpbXBsZW1lbnRhdGlvbg0KICAgICAgU0hPVUxEIHVzZSBp
dCBhcyBhIFBJTiBmaWxlIGNvbnRhaW5pbmcgdGhlIFBJTiB2YWx1ZQ0KDQog
ICBvICBpZiB0aGUgdmFsdWUgY29udGFpbnMgInw8YWJzb2x1dGUtY29tbWFu
ZC1wYXRoPiIgdGhlDQogICAgICBpbXBsZW1lbnRhdGlvbiBTSE9VTEQgcmVh
ZCB0aGUgUElOIGZyb20gdGhlIG91dHB1dCBvZiBhbg0KICAgICAgYXBwbGlj
YXRpb24gc3BlY2lmaWVkIHdpdGggYWJzb2x1dGUgcGF0aCAiPGFic29sdXRl
LWNvbW1hbmQtDQogICAgICBwYXRoPiIuICBOb3RlIHRoYXQgY2hhcmFjdGVy
ICJ8IiByZXByZXNlbnRpbmcgYSBwaXBlIGRvZXMgbm90IGhhdmUNCiAgICAg
IHRvIGJlIHBlcmNlbnQgZW5jb2RlZCBpbiB0aGUgcXVlcnkgY29tcG9uZW50
IG9mIHRoZSBQS0NTIzExIFVSSS4NCg0KICAgbyAgaWYgdGhlIHZhbHVlIHJl
cHJlc2VudHMgYSBVUkkgaXQgU0hPVUxEIGJlIHRyZWF0ZWQgYXMgYW4gb2Jq
ZWN0DQogICAgICBjb250YWluaW5nIHRoZSBQSU4uICBTdWNoIGEgVVJJIG1h
eSBiZSAiZmlsZToiLCAiaHR0cHM6IiwgYW5vdGhlcg0KICAgICAgUEtDUyMx
MSBVUkksIG9yIHNvbWV0aGluZyBlbHNlLg0KDQogICBvICBpbnRlcnByZXQg
dGhlIHZhbHVlIGFzIG5lZWRlZCBpbiBhbiBpbXBsZW1lbnRhdGlvbiBkZXBl
bmRlbnQgd2F5DQoNCiAgIElmIGEgVVJJIGNvbnRhaW5zIGJvdGggInBpbi1z
b3VyY2UiIGFuZCAicGluLXZhbHVlIiBxdWVyeSBhdHRyaWJ1dGVzDQogICB0
aGUgVVJJIFNIT1VMRCBiZSByZWZ1c2VkIGFzIGludmFsaWQuDQoNCiAgIFVz
ZSBvZiB0aGUgInBpbi12YWx1ZSIgYXR0cmlidXRlIG1heSBoYXZlIHNlY3Vy
aXR5IHJlbGF0ZWQNCiAgIGNvbnNlcXVlbmNlcy4gIFNlY3Rpb24gNiBzaG91
bGQgYmUgY29uc3VsdGVkIGJlZm9yZSB0aGlzIGF0dHJpYnV0ZSBpcw0KICAg
ZXZlciB1c2VkLiAgU3RhbmRhcmQgcGVyY2VudCBlbmNvZGluZyBydWxlcyBT
SE9VTEQgYmUgZm9sbG93ZWQgZm9yDQogICB0aGUgYXR0cmlidXRlIHZhbHVl
Lg0KDQogICBBIGNvbnN1bWVyIG9mIFBLQ1MjMTEgVVJJcyBNQVkgbW9kaWZ5
IGRlZmF1bHQgc2V0dGluZ3MgZm9yIGFjY2Vzc2luZw0KICAgYSBQS0NTIzEx
IHByb3ZpZGVyIG9yIHByb3ZpZGVycyBieSBhY2NlcHRpbmcgcXVlcnkgY29t
cG9uZW50DQogICBhdHRyaWJ1dGVzICJtb2R1bGUtbmFtZSIgYW5kICJtb2R1
bGUtcGF0aCIuIg0KDQogICBQcm9jZXNzaW5nIHRoZSBVUkkgcXVlcnkgbW9k
dWxlIGF0dHJpYnV0ZXMgU0hPVUxEIGZvbGxvdyB0aGVzZSBydWxlczoNCg0K
ICAgbyAgYXR0cmlidXRlICJtb2R1bGUtbmFtZSIgU0hPVUxEIGNvbnRhaW4g
YSBjYXNlLWluc2Vuc2l0aXZlIFBLQ1MjMTENCiAgICAgIG1vZHVsZSBuYW1l
IChub3QgcGF0aCBub3IgZmlsZW5hbWUpIHdpdGhvdXQgc3lzdGVtIHNwZWNp
ZmljDQogICAgICBhZmZpeGVzLiAgU3VjaCBhZmZpeCBjb3VsZCBiZSBhbiAi
LnNvIiBvciAiLkRMTCIgc3VmZml4LCBvciBhDQogICAgICAibGliIiBwcmVm
aXgsIGZvciBleGFtcGxlLiAgTm90IHVzaW5nIHN5c3RlbSBzcGVjaWZpYyBh
ZmZpeGVzIGlzDQogICAgICBleHBlY3RlZCB0byBpbmNyZWFzZSBwb3J0YWJp
bGl0eSBvZiBQS0NTIzExIFVSSXMgYW1vbmcgZGlmZmVyZW50DQogICAgICBz
eXN0ZW1zLiAgQSBVUkkgY29uc3VtZXIgc2VhcmNoaW5nIGZvciBQS0NTIzEx
IG1vZHVsZXMgU0hPVUxEIHVzZQ0KICAgICAgYSBzeXN0ZW0gb3IgYXBwbGlj
YXRpb24gc3BlY2lmaWMgbG9jYXRpb25zIHRvIGZpbmQgbW9kdWxlcyBiYXNl
ZA0KICAgICAgb24gdGhlIG5hbWUgcHJvdmlkZWQgaW4gdGhlIGF0dHJpYnV0
ZS4NCg0KICAgbyAgYXR0cmlidXRlICJtb2R1bGUtcGF0aCIgU0hPVUxEIGNv
bnRhaW4gYSBzeXN0ZW0gc3BlY2lmaWMgYWJzb2x1dGUNCiAgICAgIHBhdGgg
dG8gdGhlIFBLQ1MjMTEgbW9kdWxlLCBvciBhIHN5c3RlbSBzcGVjaWZpYyBh
YnNvbHV0ZSBwYXRoIHRvDQogICAgICB0aGUgZGlyZWN0b3J5IG9mIHdoZXJl
IFBLQ1MjMTEgbW9kdWxlcyBhcmUgbG9jYXRlZC4gIEZvciBzZWN1cml0eQ0K
ICAgICAgcmVhc29ucywgYSBVUkkgd2l0aCBhIHJlbGF0aXZlIHBhdGggaW4g
dGhpcyBhdHRyaWJ1dGUgU0hPVUxEIGJlDQogICAgICByZWplY3RlZC4NCg0K
DQoNCg0KUGVjaGFuZWMgJiBNb2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bHkg
MiwgMjAxNSAgICAgICAgICAgICAgICAgIFtQYWdlIDldDQoMDQpJbnRlcm5l
dC1EcmFmdCAgICAgICAgICAgVGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAg
ICAgICAgIERlY2VtYmVyIDIwMTQNCg0KDQogICBvICB0aGUgVVJJIGNvbnN1
bWVyIE1BWSByZWZ1c2UgdG8gYWNjZXB0IGVpdGhlciBvZiB0aGUgYXR0cmli
dXRlcywgb3INCiAgICAgIGJvdGguICBJZiB1c2Ugb2YgYW4gYXR0cmlidXRl
IHByZXNlbnQgaW4gdGhlIFVSSSBzdHJpbmcgaXMgbm90DQogICAgICBhY2Nl
cHRlZCBhIHdhcm5pbmcgbWVzc2FnZSBTSE9VTEQgYmUgcHJlc2VudGVkIHRv
IHRoZSBwcm92aWRlciBvZg0KICAgICAgdGhlIFVSSS4NCg0KICAgbyAgaWYg
ZWl0aGVyIG9mIHRoZSBtb2R1bGUgYXR0cmlidXRlcyBpcyBwcmVzZW50LCBv
bmx5IHRob3NlIG1vZHVsZXMNCiAgICAgIGZvdW5kIG1hdGNoaW5nIHRoZXNl
IHF1ZXJ5IGF0dHJpYnV0ZXMgU0hPVUxEIGJlIHVzZWQgdG8gc2VhcmNoIGZv
cg0KICAgICAgYW4gZW50aXR5IHJlcHJlc2VudGVkIGJ5IHRoZSBVUkkuDQoN
CiAgIG8gIHVzZSBvZiB0aGUgbW9kdWxlIGF0dHJpYnV0ZXMgZG9lcyBub3Qg
c3VwcHJlc3MgbWF0Y2hpbmcgb2YgYW55DQogICAgICBvdGhlciBVUkkgcGF0
aCBjb21wb25lbnQgYXR0cmlidXRlcyBwcmVzZW50IGluIGEgVVJJLg0KDQog
ICBvICBzZW1hbnRpY3Mgb2YgdXNpbmcgYm90aCBhdHRyaWJ1dGVzIGluIHRo
ZSBzYW1lIFVSSSBzdHJpbmcgaXMNCiAgICAgIGltcGxlbWVudGF0aW9uIHNw
ZWNpZmljIGJ1dCBzdWNoIHVzZSBTSE9VTEQgYmUgYXZvaWRlZC4gIEF0dHJp
YnV0ZQ0KICAgICAgIm1vZHVsZS1uYW1lIiBpcyBwcmVmZXJyZWQgdG8gIm1v
ZHVsZS1wYXRoIiBkdWUgdG8gaXRzIHN5c3RlbQ0KICAgICAgaW5kZXBlbmRl
bnQgbmF0dXJlIGJ1dCB0aGUgbGF0dGVyIG1heSBiZSBtb3JlIHN1aXRhYmxl
IGZvcg0KICAgICAgZGV2ZWxvcG1lbnQgYW5kIGRlYnVnZ2luZy4NCg0KICAg
byAgYSBVUkkgTVVTVCBOT1QgY29udGFpbiBtdWx0aXBsZSBtb2R1bGUgYXR0
cmlidXRlcyBvZiB0aGUgc2FtZQ0KICAgICAgbmFtZS4NCg0KICAgVXNlIG9m
IHRoZSBtb2R1bGUgYXR0cmlidXRlcyBtYXkgaGF2ZSBzZWN1cml0eSByZWxh
dGVkIGNvbnNlcXVlbmNlcy4NCiAgIFNlY3Rpb24gNiBzaG91bGQgYmUgY29u
c3VsdGVkIGJlZm9yZSB0aGVzZSBhdHRyaWJ1dGVzIGFyZSBldmVyIHVzZWQu
DQoNCiAgIEEgd29yZCAibW9kdWxlIiB3YXMgY2hvc2VuIG92ZXIgd29yZCAi
bGlicmFyeSIgaW4gdGhlc2UgcXVlcnkNCiAgIGF0dHJpYnV0ZSBuYW1lcyB0
byBhdm9pZCBjb25mdXNpb24gd2l0aCBzZW1hbnRpY2FsbHkgZGlmZmVyZW50
DQogICBsaWJyYXJ5IGF0dHJpYnV0ZXMgdXNlZCBpbiB0aGUgVVJJIHBhdGgg
Y29tcG9uZW50Lg0KDQozLjUuICBQS0NTIzExIFVSSSBNYXRjaGluZyBHdWlk
ZWxpbmVzDQoNCiAgIFRoZSBQS0NTIzExIFVSSSBjYW4gaWRlbnRpZnkgUEtD
UyMxMSBzdG9yYWdlIG9iamVjdHMsIHRva2Vucywgc2xvdHMsDQogICBvciBD
cnlwdG9raSBsaWJyYXJpZXMuICBOb3RlIHRoYXQgc2luY2UgYSBVUkkgbWF5
IGlkZW50aWZ5IGZvdXINCiAgIGRpZmZlcmVudCB0eXBlcyBvZiBlbnRpdGll
cyB0aGUgY29udGV4dCB3aXRoaW4gd2hpY2ggdGhlIFVSSSBpcyB1c2VkDQog
ICBtYXkgYmUgbmVlZGVkIHRvIGRldGVybWluZSB0aGUgdHlwZS4gIEZvciBl
eGFtcGxlLCBhIFVSSSB3aXRoIG9ubHkNCiAgIGxpYnJhcnkgYXR0cmlidXRl
cyBtYXkgZWl0aGVyIHJlcHJlc2VudCBhbGwgb2JqZWN0cyBpbiBhbGwgdG9r
ZW5zIGluDQogICBhbGwgQ3J5cHRva2kgbGlicmFyaWVzIGlkZW50aWZpZWQg
YnkgdGhlIFVSSSwgYWxsIHRva2VucyBpbiB0aG9zZQ0KICAgbGlicmFyaWVz
LCBvciBqdXN0IHRoZSBsaWJyYXJpZXMuDQoNCiAgIFRoZSBmb2xsb3dpbmcg
Z3VpZGVsaW5lcyBjYW4gaGVscCBhIFBLQ1MjMTEgVVJJIGNvbnN1bWVyIChl
Zy4gYW4NCiAgIGFwcGxpY2F0aW9uIGFjY2VwdGluZyBQS0NTIzExIFVSSXMp
IHRvIG1hdGNoIHRoZSBVUkkgd2l0aCB0aGUgZGVzaXJlZA0KICAgcmVzb3Vy
Y2UuDQoNCiAgIG8gIHRoZSBjb25zdW1lciBNVVNUIGtub3cgd2hldGhlciB0
aGUgVVJJIGlzIHRvIGlkZW50aWZ5IFBLQ1MjMTENCiAgICAgIHN0b3JhZ2Ug
b2JqZWN0KHMpLCB0b2tlbihzKSwgc2xvdChzKSwgb3IgQ3J5cHRva2kgcHJv
ZHVjZXIocykuDQoNCiAgIG8gIGlmIHRoZSBjb25zdW1lciBpcyB3aWxsaW5n
IHRvIGFjY2VwdCBxdWVyeSBjb21wb25lbnQgbW9kdWxlDQogICAgICBhdHRy
aWJ1dGVzIG9ubHkgdGhvc2UgUEtDUyMxMSBwcm92aWRlcnMgbWF0Y2hpbmcg
dGhlc2UgYXR0cmlidXRlcw0KICAgICAgU0hPVUxEIGJlIHdvcmtlZCB3aXRo
LiAgU2VlIFNlY3Rpb24gMy40IGZvciBtb3JlIGluZm9ybWF0aW9uLg0KDQoN
Cg0KUGVjaGFuZWMgJiBNb2ZmYXQgICAgICAgICBFeHBpcmVzIEp1bHkgMiwg
MjAxNSAgICAgICAgICAgICAgICAgW1BhZ2UgMTBdDQoMDQpJbnRlcm5ldC1E
cmFmdCAgICAgICAgICAgVGhlIFBLQ1MjMTEgVVJJIFNjaGVtZSAgICAgICAg
ICAgIERlY2VtYmVyIDIwMTQNCg0KDQogICBvICBhbiB1bnJlY29nbml6ZWQg
YXR0cmlidXRlIGluIHRoZSBVUkkgcGF0aCBjb21wb25lbnQsIGluY2x1ZGlu
ZyBhDQogICAgICB2ZW5kb3Igc3BlY2lmaWMgYXR0cmlidXRlLCBTSE9VTEQg
cmVzdWx0IGluIGFuIGVtcHR5IHNldCBvZg0KICAgICAgbWF0Y2hlZCByZXNv
dXJjZXMuICBUaGUgY29uc3VtZXIgU0hPVUxEIGNvbnNpZGVyIHdoZXRoZXIg
YW4gZXJyb3INCiAgICAgIG1lc3NhZ2UgcHJlc2VudGVkIHRvIHRoZSB1c2Vy
IGlzIGFwcHJvcHJpYXRlIGluIHN1Y2ggYSBjYXNlLg0KDQogICBvICBhbiB1
bnJlY29nbml6ZWQgYXR0cmlidXRlIGluIHRoZSBVUkkgcXVlcnkgU0hPVUxE
IGJlIGlnbm9yZWQuICBUaGUNCiAgICAgIGNvbnN1bWVyIFNIT1VMRCBjb25z
aWRlciB3aGV0aGVyIGEgd2FybmluZyBtZXNzYWdlIHByZXNlbnRlZCB0bw0K
ICAgICAgdGhlIHVzZXIgaXMgYXBwcm9wcmlhdGUgaW4gc3VjaCBhIGNhc2Uu
DQoNCiAgIG8gIGFuIGF0dHJpYnV0ZSBub3QgcHJlc2VudCBpbiB0aGUgVVJJ
IHBhdGggYnV0IGtub3duIHRvIGEgY29uc3VtZXINCiAgICAgIG1hdGNoZXMg
ZXZlcnl0aGluZy4gIEVhY2ggYWRkaXRpb25hbCBhdHRyaWJ1dGUgcHJlc2Vu
dCBpbiB0aGUgVVJJDQogICAgICBwYXRoIGZ1cnRoZXIgcmVzdHJpY3RzIHRo
ZSBzZWxlY3Rpb24uDQoNCiAgIG8gIGEgbG9naWNhbCBleHRlbnNpb24gb2Yg
dGhlIGFib3ZlIGlzIHRoYXQgYW4gZW1wdHkgVVJJIHBhdGggbWF0Y2hlcw0K
ICAgICAgZXZlcnl0aGluZy4gIEZvciBleGFtcGxlLCBpZiB1c2VkIHRvIGlk
ZW50aWZ5IHN0b3JhZ2Ugb2JqZWN0cyBpdA0KICAgICAgbWF0Y2hlcyBhbGwg
YWNjZXNzaWJsZSBvYmplY3RzIGluIGFsbCB0b2tlbnMgcHJvdmlkZWQgYnkg
YWxsDQogICAgICBQS0NTIzExIEFQSSBwcm9kdWNlcnMgZm91bmQgaW4gdGhl
IHN5c3RlbS4NCg0KICAgbyAgbm90ZSB0aGF0IHVzZSBvZiBQSU4gYXR0cmli
dXRlcyBtYXkgY2hhbmdlIHRoZSBzZXQgb2Ygc3RvcmFnZQ0KICAgICAgb2Jq
ZWN0cyB2aXNpYmxlIHRvIHRoZSBjb25zdW1lci4NCg0KICAgbyAgaW4gYWRk
aXRpb24gdG8gcXVlcnkgY29tcG9uZW50IGF0dHJpYnV0ZXMgZGVmaW5lZCBp
biB0aGlzDQogICAgICBkb2N1bWVudCwgdmVuZG9yIHNwZWNpZmljIHF1ZXJ5
IGF0dHJpYnV0ZXMgbWF5IGNvbnRhaW4gZnVydGhlcg0KICAgICAgaW5mb3Jt
YXRpb24gYWJvdXQgaG93IHRvIHBlcmZvcm0gdGhlIHNlbGVjdGlvbiBvciBv
dGhlciByZWxhdGVkDQogICAgICBpbmZvcm1hdGlvbi4NCg0KMy42LiAgUEtD
UyMxMSBVUkkgQ29tcGFyaXNvbg0KDQogICBDb21wYXJpc29uIG9mIHR3byBV
UklzIGlzIGEgd2F5IG9mIGRldGVybWluaW5nIHdoZXRoZXIgdGhlIFVSSXMg
YXJlDQogICBlcXVpdmFsZW50IHdpdGhvdXQgY29tcGFyaW5nIHRoZSBhY3R1
YWwgcmVzb3VyY2UgdGhlIFVSSXMgcG9pbnQgdG8uDQogICBUaGUgY29tcGFy
aXNvbiBvZiBVUklzIGFpbXMgdG8gbWluaW1pemUgZmFsc2UgbmVnYXRpdmVz
IHdoaWxlDQogICBzdHJpY3RseSBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMu
DQoNCiAgIFR3byBQS0NTIzExIFVSSXMgYXJlIHNhaWQgdG8gYmUgZXF1YWwg
aWYgVVJJcyBhcyBjaGFyYWN0ZXIgc3RyaW5ncw0KICAgYXJlIGlkZW50aWNh
bCBhcyBzcGVjaWZpZWQgaW4gU2VjdGlvbiA2LjIuMSBvZiBbUkZDMzk4Nl0s
IG9yIGlmIGJvdGgNCiAgIGZvbGxvd2luZyBydWxlcyBhcmUgZnVsZmlsbGVk
Og0KDQogICBvICBzZXQgb2YgYXR0cmlidXRlcyBwcmVzZW50IGluIHRoZSBV
UkkgaXMgZXF1YWwuICBOb3RlIHRoYXQgdGhlDQogICAgICBvcmRlcmluZyBv
ZiBhdHRyaWJ1dGVzIGluIHRoZSBVUkkgc3RyaW5nIGlzIG5vdCBzaWduaWZp
Y2FudCBmb3INCiAgICAgIHRoZSBtZWNoYW5pc20gb2YgY29tcGFyaXNvbi4N
Cg0KICAgbyAgdmFsdWVzIG9mIHJlc3BlY3RpdmUgYXR0cmlidXRlcyBhcmUg
ZXF1YWwgYmFzZWQgb24gcnVsZXMgc3BlY2lmaWVkDQogICAgICBiZWxvdw0K
DQogICBUaGUgcnVsZXMgZm9yIGNvbXBhcmluZyB2YWx1ZXMgb2YgcmVzcGVj
dGl2ZSBhdHRyaWJ1dGVzIGFyZToNCg0KICAgbyAgdmFsdWVzIG9mIHBhdGgg
Y29tcG9uZW50IGF0dHJpYnV0ZXMgImxpYnJhcnktZGVzY3JpcHRpb24iLA0K
ICAgICAgImxpYnJhcnktbWFudWZhY3R1cmVyIiwgIm1hbnVmYWN0dXJlciIs
ICJtb2RlbCIsICJvYmplY3QiLA0KDQoNCg0KUGVjaGFuZWMgJiBNb2ZmYXQg
ICAgICAgICBFeHBpcmVzIEp1bHkgMiwgMjAxNSAgICAgICAgICAgICAgICAg
W1BhZ2UgMTFdDQoMDQpJbnRlcm5ldC1EcmFmdCAgICAgICAgICAgVGhlIFBL
Q1MjMTEgVVJJIFNjaGVtZSAgICAgICAgICAgIERlY2VtYmVyIDIwMTQNCg0K
DQogICAgICAic2VyaWFsIiwgInNsb3QtZGVzY3JpcHRpb24iLCAic2xvdC1t
YW51ZmFjdHVyZXIiLCAidG9rZW4iLA0KICAgICAgInR5cGUiLCBhbmQgcXVl
cnkgY29tcG9uZW50IGF0dHJpYnV0ZSAibW9kdWxlLW5hbWUiIE1VU1QgYmUN
CiAgICAgIGNvbXBhcmVkIHVzaW5nIGEgc2ltcGxlIHN0cmluZyBjb21wYXJp
c29uIGFzIHNwZWNpZmllZCBpbg0KICAgICAgU2VjdGlvbiA2LjIuMSBvZiBb
UkZDMzk4Nl0gYWZ0ZXIgdGhlIGNhc2UgYW5kIHRoZSBwZXJjZW50LWVuY29k
aW5nDQogICAgICBub3JtYWxpemF0aW9uIGFyZSBib3RoIGFwcGxpZWQgYXMg
c3BlY2lmaWVkIGluIFNlY3Rpb24gNi4yLjIgb2YNCiAgICAgIFtSRkMzOTg2
XS4NCg0KICAgbyAgdmFsdWUgb2YgYXR0cmlidXRlICJpZCIgTVVTVCBiZSBj
b21wYXJlZCB1c2luZyB0aGUgc2ltcGxlIHN0cmluZw0KICAgICAgY29tcGFy
aXNvbiBhZnRlciBhbGwgYnl0ZXMgYXJlIHBlcmNlbnQtZW5jb2RlZCB1c2lu
ZyB1cHBlcmNhc2UNCiAgICAgIGxldHRlcnMgZm9yIGRpZ2l0cyBBLUYuDQoN
CiAgIG8gIHZhbHVlIG9mIGF0dHJpYnV0ZSAibGlicmFyeS12ZXJzaW9uIiBN
VVNUIGJlIHByb2Nlc3NlZCBhcyBhDQogICAgICBzcGVjaWZpYyBzY2hlbWUt
YmFzZWQgbm9ybWFsaXphdGlvbiBwZXJtaXR0ZWQgYnkgU2VjdGlvbiA2LjIu
MyBvZg0KICAgICAgW1JGQzM5ODZdLiAgVGhlIHZhbHVlIE1VU1QgYmUgc3Bs
aXQgaW50byBhIG1ham9yIGFuZCBtaW5vciB2ZXJzaW9uDQogICAgICB3aXRo
IGNoYXJhY3RlciAnLicgKGRvdCkgc2VydmluZyBhcyBhIGRlbGltaXRlci4g
IExpYnJhcnkgdmVyc2lvbg0KICAgICAgIk0iIE1VU1QgYmUgdHJlYXRlZCBh
cyAiTSIgZm9yIHRoZSBtYWpvciB2ZXJzaW9uIGFuZCAiMCIgZm9yIHRoZQ0K
ICAgICAgbWlub3IgdmVyc2lvbi4gIFJlc3VsdGluZyBtaW5vciBhbmQgbWFq
b3IgdmVyc2lvbiBudW1iZXJzIE1VU1QgYmUNCiAgICAgIHRoZW4gc2VwYXJh
dGVseSBjb21wYXJlZCBudW1lcmljYWxseS4NCg0KICAgbyAgdmFsdWUgb2Yg
YXR0cmlidXRlICJzbG90LWlkIiBNVVNUIGJlIHByb2Nlc3NlZCBhcyBhIHNw
ZWNpZmljDQogICAgICBzY2hlbWUtYmFzZWQgbm9ybWFsaXphdGlvbiBwZXJt
aXR0ZWQgYnkgU2VjdGlvbiA2LjIuMyBvZiBbUkZDMzk4Nl0NCiAgICAgIGFu
ZCBjb21wYXJlZCBudW1lcmljYWxseS4NCg0KICAgbyAgdmFsdWUgb2YgInBp
bi1zb3VyY2UiLCBpZiBkZWVtZWQgY29udGFpbmluZyB0aGUgZmlsZW5hbWUg
d2l0aCB0aGUNCiAgICAgIFBJTiB2YWx1ZSwgTVVTVCBiZSBjb21wYXJlZCB1
c2luZyB0aGUgc2ltcGxlIHN0cmluZyBjb21wYXJpc29uDQogICAgICBhZnRl
ciB0aGUgZnVsbCBzeW50YXggYmFzZWQgbm9ybWFsaXphdGlvbiBhcyBzcGVj
aWZpZWQgaW4NCiAgICAgIFNlY3Rpb24gNi4yLjIgb2YgW1JGQzM5ODZdIGlz
IGFwcGxpZWQuICBJZiB2YWx1ZSBvZiB0aGUgInBpbi0NCiAgICAgIHNvdXJj
ZSIgYXR0cmlidXRlIGlzIGJlbGlldmVkIHRvIGJlIG92ZXJsb2FkZWQgdGhl
IGNhc2UgYW5kDQogICAgICBwZXJjZW50LWVuY29kaW5nIG5vcm1hbGl6YXRp
b24gU0hPVUxEIGJlIGFwcGxpZWQgYmVmb3JlIHRoZSB2YWx1ZXMNCiAgICAg
IGFyZSBjb21wYXJlZCBidXQgdGhlIGV4YWN0IG1lY2hhbmlzbSBvZiBjb21w
YXJpc29uIGlzIGxlZnQgdG8gdGhlDQogICAgICBhcHBsaWNhdGlvbi4NCg0K
ICAgbyAgdmFsdWUgb2YgYXR0cmlidXRlICJtb2R1bGUtcGF0aCIgTVVTVCBi
ZSBjb21wYXJlZCB1c2luZyB0aGUgc2ltcGxlDQogICAgICBzdHJpbmcgY29t
cGFyaXNvbiBhZnRlciB0aGUgZnVsbCBzeW50YXggYmFzZWQgbm9ybWFsaXph
dGlvbiBhcw0KICAgICAgc3BlY2lmaWVkIGluIFNlY3Rpb24gNi4yLjIgb2Yg
W1JGQzM5ODZdIGlzIGFwcGxpZWQuDQoNCiAgIG8gIHdoZW4gY29tcGFyaW5n
IHZlbmRvciBzcGVjaWZpYyBhdHRyaWJ1dGVzIHRoZSBjYXNlIGFuZCBwZXJj
ZW50LQ0KICAgICAgZW5jb2Rpbmcgbm9ybWFsaXphdGlvbiBTSE9VTEQgYmUg
YXBwbGllZCBiZWZvcmUgdGhlIHZhbHVlcyBhcmUNCiAgICAgIGNvbXBhcmVk
IGJ1dCB0aGUgZXhhY3QgbWVjaGFuaXNtIG9mIHN1Y2ggYSBjb21wYXJpc29u
IGlzIGxlZnQgdG8NCiAgICAgIHRoZSBhcHBsaWNhdGlvbi4NCg0KNC4gIEV4
YW1wbGVzIG9mIFBLQ1MjMTEgVVJJcw0KDQogICBUaGlzIHNlY3Rpb24gY29u
dGFpbnMgc29tZSBleGFtcGxlcyBvZiBob3cgUEtDUyMxMSB0b2tlbiBvYmpl
Y3RzLA0KICAgdG9rZW5zLCBzbG90cywgYW5kIGxpYnJhcmllcyBjYW4gYmUg
aWRlbnRpZmllZCB1c2luZyB0aGUgUEtDUyMxMSBVUkkNCiAgIHNjaGVtZS4g
IE5vdGUgdGhhdCBpbiBzb21lIG9mIHRoZSBmb2xsb3dpbmcgZXhhbXBsZXMs
IG5ld2xpbmVzIGFuZA0KICAgc3BhY2VzIHdlcmUgaW5zZXJ0ZWQgZm9yIGJl
dHRlciByZWFkYWJpbGl0eS4gIEFzIHNwZWNpZmllZCBpbg0KICAgQXBwZW5k
aXggQyBvZiBbUkZDMzk4Nl0sIHdoaXRlc3BhY2UgU0hPVUxEIGJlIGlnbm9y
ZWQgd2hlbiBleHRyYWN0aW5nDQoNCg0KDQpQZWNoYW5lYyAmIE1vZmZhdCAg
ICAgICAgIEV4cGlyZXMgSnVseSAyLCAyMDE1ICAgICAgICAgICAgICAgICBb
UGFnZSAxMl0NCgwNCkludGVybmV0LURyYWZ0ICAgICAgICAgICBUaGUgUEtD
UyMxMSBVUkkgU2NoZW1lICAgICAgICAgICAgRGVjZW1iZXIgMjAxNA0KDQoN
CiAgIHRoZSBVUkkuICBBbHNvIG5vdGUgdGhhdCBhbGwgc3BhY2VzIGFzIHBh
cnQgb2YgdGhlIFVSSSBhcmUgcGVyY2VudC0NCiAgIGVuY29kZWQsIGFzIHNw
ZWNpZmllZCBpbiBBcHBlbmRpeCBBIG9mIFtSRkMzOTg2XS4NCg0KICAgQW4g
ZW1wdHkgUEtDUyMxMSBVUkkgbWlnaHQgYmUgdXNlZnVsIHRvIFBLQ1MjMTEg
Y29uc3VtZXJzLiAgU2VlDQogICBTZWN0aW9uIDMuNSBmb3IgbW9yZSBpbmZv
cm1hdGlvbiBvbiBzZW1hbnRpY3Mgb2Ygc3VjaCBhIFVSSS4NCg0KICAgICBw
a2NzMTE6DQoNCiAgIE9uZSBvZiB0aGUgc2ltcGxlc3QgYW5kIG1vc3QgdXNl
ZnVsIGZvcm1zIG1pZ2h0IGJlIGEgUEtDUyMxMSBVUkkgdGhhdA0KICAgc3Bl
Y2lmaWVzIG9ubHkgYW4gb2JqZWN0IGxhYmVsIGFuZCBpdHMgdHlwZS4gIFRo
ZSBkZWZhdWx0IHRva2VuIGlzDQogICB1c2VkIHNvIHRoZSBVUkkgZG9lcyBu

---559023410-1635017012-1419921468=:1509--


From nobody Mon Dec 29 23:41:35 2014
Return-Path: <nico@cryptonector.com>
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.2.00.1412292234010.1509@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik>
Date: Tue, 30 Dec 2014 01:41:30 -0600
Message-ID: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Fl5epeTVU4jZ4VI61PXwINgEzIY
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, "ietf@ietf.org" <ietf@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

Better not even think about saying anything about normalization,
right?  PKCS#11 nowadays supports UTF-8 for the strings we care about,
but says nothing about normalization.  I suppose you could say that
matching should be (lowercase) normalization-insensitive.  In practice
it will never matter (which is why the lowercase).

Nico
--
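
What normalization-insensitive matching of a UTF-8 token label would look like, together with the percent-triplet case rule of RFC 3986 section 6.2.2.1, as an added example that is not code from this thread or from the draft. The function names, the choice of NFC as the comparison form, and the sample URI and label are assumptions constructed for illustration.

```python
import re
import unicodedata

_TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_pct_case(uri):
    """RFC 3986 section 6.2.2.1: upper-case the hex digits of each triplet."""
    return _TRIPLET.sub(lambda m: "%" + m.group(1).upper(), uri)


def pct_decode(value):
    """Decode one attribute value to octets, rejecting malformed triplets."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            if not _TRIPLET.fullmatch(value[i:i + 3]):
                raise ValueError(f"malformed percent-encoding at offset {i}")
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)


def path_attributes(uri):
    """Split the path component of a pkcs11: URI into name -> decoded octets."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for item in path.split(";"):
        if not item:
            continue
        name, sep, value = item.partition("=")
        # This example treats a missing '=' or a repeated name as an error
        # rather than guessing which value the writer meant.
        if not sep or name in attrs:
            raise ValueError(f"bad or repeated attribute: {item!r}")
        attrs[name] = pct_decode(value)
    return attrs


def token_label_matches(uri, ck_label, normalization_insensitive):
    """Compare the URI "token" attribute with a CK_TOKEN_INFO label.

    ck_label is the raw 32-byte, blank-padded label field.  With
    normalization_insensitive=False the comparison is octet for octet;
    with True both sides are brought to NFC first (NFC is this example's
    choice, nothing in the thread fixes a form).
    """
    wanted = path_attributes(uri).get("token")
    if wanted is None:
        return True  # attribute absent, so it does not constrain the match
    have = ck_label.rstrip(b" ")
    if not normalization_insensitive:
        return wanted == have
    try:
        a = unicodedata.normalize("NFC", wanted.decode("utf-8"))
        b = unicodedata.normalize("NFC", have.decode("utf-8"))
    except UnicodeDecodeError:
        return wanted == have  # not valid UTF-8: fall back to octets
    return a == b


# Constructed sample: the URI carries a precomposed e-acute (C3 A9, lower-case
# hex digits), the token stores the decomposed form (e followed by CC 81).
URI_NFC = "pkcs11:token=Caf%c3%a9%20key;object=my-certificate"
LABEL_NFD = "Cafe\u0301 key".encode("utf-8").ljust(32, b" ")

if __name__ == "__main__":
    print(normalize_pct_case(URI_NFC))
    print("octet match:", token_label_matches(URI_NFC, LABEL_NFD, False))
    print("NFC match:  ", token_label_matches(URI_NFC, LABEL_NFD, True))
```

The two labels render identically, so an octet comparison that fails here gives the user no visible reason for the failure.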


From nobody Tue Dec 30 09:05:36 2014
Return-Path: <nico@cryptonector.com>
Date: Tue, 30 Dec 2014 02:14:21 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Message-ID: <20141230081415.GH24442@localhost>
References: <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org> <5492B941.3030408@Oracle.COM> <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu> <20141220000456.GC12662@localhost> <alpine.GSO.2.00.1412192326150.22104@keflavik> <alpine.GSO.2.00.1412292240250.1509@keflavik>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.GSO.2.00.1412292240250.1509@keflavik>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/okv0o6_A7h6MfpXnw7ZOdqCU4TU
X-Mailman-Approved-At: Tue, 30 Dec 2014 09:05:30 -0800
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

On Mon, Dec 29, 2014 at 11:13:18PM -0800, Jan Pechanec wrote:
> On Fri, 19 Dec 2014, Jan Pechanec wrote:
> >On Fri, 19 Dec 2014, Nico Williams wrote:
> >> [discussion about an abstract "list PKCS#11 resource URIs"
> >> operation elided.]
> 
> 	I've been thinking about this for the past days and I'm not 
> sure if such guidelines should be provided since it very much depends 
> on how a URI will be used and in what scenarios.
> 
> 	for example, if referencing a key pair, an "id" attribute is 
> there to distinguish multiple public-key/private-key pairs held by the 
> same subject.  However, I think that if used on a command line to 
> provide an access to the key pair, it would be used only if there 
> really were multiple keys of the same name.  And that information I 
> may acquire only when I try not to use those attributes when I get an 
> error message about multiple key pairs - which may or may not be 
> acceptable.  On the other hand, it may be a good idea to use it always 
> if such a URI would be provided in a long lived configuration file, 
> for example.

Which attributes to use for the listing would have to be
context-specific.  Most apps/users would never want to match on slot
attributes, but some might.  We can't say much about that.

Users will mostly not be writing PKCS#11 URIs, that's for sure.  PKCS#11
is not very user-friendly...

Where a PKCS#11 URI is used, I suspect it will be produced by an
application, and then cut-n-pasted around as necessary by the user.

Do we have to say much about how the app should go about forming a URI
for a PKCS#11 resource?  It depends.

If the same app will consume the same URI, then we need not say
anything.  If a different app will consume the same URI then we might
have to.  This is about inter-app interoperation.

As to how to say anything about this, here's what comes to mind:

   Given a PKCS#11 URI template [RFC6570], an application MAY support
   listing URIs of PKCS#11 resources such that the resulting URIs can
   later be used to access the same resources if the template captured
   the necessary context.

I don't think we could say much more without gaining experience with
deployment.

Caveat emptor: I'm not too conversant with URI templating, so I don't
know how to phrase this correctly...

Nico
-- 


From nobody Tue Dec 30 09:05:41 2014
Return-Path: <jan.pechanec@oracle.com>
Date: Mon, 29 Dec 2014 23:13:18 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <alpine.GSO.2.00.1412192326150.22104@keflavik>
Message-ID: <alpine.GSO.2.00.1412292240250.1509@keflavik>
References: <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org> <5492B941.3030408@Oracle.COM> <30738721-F5A2-4485-84AC-573AD9113699@oxy.edu> <20141220000456.GC12662@localhost> <alpine.GSO.2.00.1412192326150.22104@keflavik>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-620685175-1419923600=:1509"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/xhyf4oNO8O52QojoRHhnajN6Yww
X-Mailman-Approved-At: Tue, 30 Dec 2014 09:05:30 -0800
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, ietf@ietf.org, saag@ietf.org, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

---559023410-620685175-1419923600=:1509
Content-Type: TEXT/PLAIN; charset=utf-8
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Fri, 19 Dec 2014, Jan Pechanec wrote:

>On Fri, 19 Dec 2014, Nico Williams wrote:
>
>>On Fri, Dec 19, 2014 at 03:19:00PM -0800, Henry B (Hank) Hotz, CISSP wrote:
>>> Does this ID, in fact, define an API which is sufficient to support
>>> realistic, interoperable code across a significant range of libraries
>>> and platforms? Is there a unique way to reference the authentication
>>> credential on my guaranteed-unique government-issued smart card
>>> regardless of which reader on which platform it’s plugged into?
>>
>>Excellent questions.
>>
>>As to the first: it's a rather abstract API.  I'm a bit concerned about
>>some of the semantics, that we might need to make matching a bit more
>>flexible.
>>
>>IIRC there's a token that requires a login even to see public objects.
>>I might want to have a way to say "match public objects that don't
>>require login".
>>
>>Or, I might want to provide slot/token attributes as hints, but not as
>>required attributes, that match preferentially but which are ignored if
>>not.
>>
>>Abstract operations that I think should be described:
>>
>> - given a PKCS#11 URI, return a PKCS#11 provider (e.g., a handle
>>   returned by dlopen()/LoadLibrary*(), or a v-table, or whatever is
>>   appropriate in the caller's given programming language);
>>
>>   This is described, actually.
>>
>> - given a PKCS#11 URI (and, optionally, a PKCS#11 provider) return a
>>   PKCS#11 provider and relevant PKCS#11 handles (token, session,
>>   object);
>>
>>   This is also described.
>>
>> - given a PKCS#11 URI return a list of URIs for all matching tokens
>>   and/or objects;
>>
>>   This is not described.
>>
>>   E.g., given "pkcs11:" output a list of all {provider, slot},
>>   {provider, slot, token}, {provider, slot, token, public object} URIs
>>   for actual slots, tokens, public objects.
>>
>>   E.g., given "pkcs11:" and a PKCS#11 session return all {provider,
>>   slot, token, object} URIs for actual objects reachable via that
>>   session.
>>
>> - given a PKCS#11 provider and handle of some sort, return a URI for
>>   it, with an option to include or exclude slot/token matching
>>   attributes.
>>
>>   This is also not described, IIRC.
>
>	so, as well as we have "PKCS#11 URI Matching Guidelines"
>section, we might need "PKCS#11 URI Generation Guidelines" to discuss
>these things about "reverse mapping".  I will take a look at it.

	I've been thinking about this for the past days and I'm not
sure if such guidelines should be provided since it very much depends
on how a URI will be used and in what scenarios.

	for example, if referencing a key pair, an "id" attribute is
there to distinguish multiple public-key/private-key pairs held by the
same subject.  However, I think that if used on a command line to
provide an access to the key pair, it would be used only if there
really were multiple keys of the same name.  And that information I
may acquire only when I try not to use those attributes when I get an
error message about multiple key pairs - which may or may not be
acceptable.  On the other hand, it may be a good idea to use it always
if such a URI would be provided in a long lived configuration file,
for example.

	similarly with a token.  To uniquely identify a token (either
to reference it by itself or because I have objects of the same name in
multiple tokens), manufacturer and serial number should be used but
again, I'd rather use the token (name) attribute unless I have
multiple tokens of the same name.  What is more, if the token is not
guaranteed unique then I may need library attributes (say for soft
tokens in multiple libraries).  And even that may not be sufficient if
I link to the same libraries from different file paths in which case
the module attributes may be needed.  Again, I'd want to use all these
attributes only when such a situation arises.

	if the consensus is that I should provide a paragraph that
would summarize ideally in a more succinct way what I've been saying
above (or whether I should do something else) I will try to come up
with a reasonable text but at this point I still don't think it is
necessary.

	thank you, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
---559023410-620685175-1419923600=:1509--
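
The escalation order described in the message above (token name alone, then manufacturer and serial number, then library attributes, then module attributes, each added only when the shorter form is ambiguous), as an added example that is not code from this thread or from the draft. `TokenView`, `shortest_unique_uri` and the token records are hypothetical and constructed; the `long_lived` switch is an assumption that carries the message's remark about using "id" in long-lived configuration files over to tokens.

```python
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class TokenView:
    """One token as an application sees it (hypothetical record type)."""
    token: str                # CK_TOKEN_INFO label, padding stripped
    manufacturer: str         # CK_TOKEN_INFO manufacturerID
    serial: str               # CK_TOKEN_INFO serialNumber
    library_description: str  # CK_INFO libraryDescription
    module_path: str          # file the module was loaded from


# URI attribute name -> TokenView field.
FIELDS = {
    "token": "token",
    "manufacturer": "manufacturer",
    "serial": "serial",
    "library-description": "library_description",
    "module-path": "module_path",
}
QUERY_ATTRS = {"module-path"}  # goes after '?', the rest go in the path

# Escalation order taken from the message.
TIERS = (
    ("token",),
    ("token", "manufacturer", "serial"),
    ("token", "manufacturer", "serial", "library-description"),
    ("token", "manufacturer", "serial", "library-description", "module-path"),
)


def _key(t, names):
    return tuple(getattr(t, FIELDS[n]) for n in names)


def build_uri(t, names):
    """Percent-encode everything outside the unreserved set ('/' kept in query)."""
    path = ";".join(
        f"{n}={quote(getattr(t, FIELDS[n]), safe='')}"
        for n in names if n not in QUERY_ATTRS)
    query = "&".join(
        f"{n}={quote(getattr(t, FIELDS[n]), safe='/')}"
        for n in names if n in QUERY_ATTRS)
    return "pkcs11:" + path + ("?" + query if query else "")


def shortest_unique_uri(target, visible, long_lived=False):
    """Return the shortest URI that selects only `target` among `visible`.

    long_lived=True skips the name-only tier, so a URI written to a
    configuration file keeps selecting the same token when another token
    with the same name shows up later.
    """
    if target not in visible:
        raise LookupError("target is not among the visible tokens")
    for names in (TIERS[1:] if long_lived else TIERS):
        same = [t for t in visible if _key(t, names) == _key(target, names)]
        if len(same) == 1:
            return build_uri(target, names)
    raise LookupError("token is not unique even with module attributes")


# Constructed inventory covering each case the message walks through.
TOKENS = [
    TokenView("Backup", "Snake Oil, Inc.", "0003", "HW Library", "/usr/lib/libhw.so.1"),
    TokenView("Signing", "Snake Oil, Inc.", "0001", "HW Library", "/usr/lib/libhw.so.1"),
    TokenView("Signing", "Snake Oil, Inc.", "0002", "HW Library", "/usr/lib/libhw.so.1"),
    TokenView("Soft", "Example", "", "Soft Token Library A", "/usr/lib/libsofta.so"),
    TokenView("Soft", "Example", "", "Soft Token Library B", "/usr/lib/libsoftb.so"),
    TokenView("Dup", "Example", "", "Soft Token Library C", "/usr/lib/libsoftc.so"),
    TokenView("Dup", "Example", "", "Soft Token Library C", "/mnt/libsoftc.so"),
]

if __name__ == "__main__":
    for tok in TOKENS:
        print(shortest_unique_uri(tok, TOKENS))
```

A URI produced at the name-only tier is unique only against the inventory seen at generation time, which is the trade-off between command-line and configuration-file use that the message describes.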


From nobody Tue Dec 30 10:14:29 2014
Return-Path: <jan.pechanec@oracle.com>
Date: Tue, 30 Dec 2014 10:14:18 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com>
Message-ID: <alpine.GSO.2.00.1412300946340.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/tPJFHr-ya3xzmtL2ntL7RcLRjpE
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, "ietf@ietf.org" <ietf@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Tue, 30 Dec 2014 18:14:28 -0000

On Tue, 30 Dec 2014, Nico Williams wrote:

>Better not even think about saying anything about normalization,
>right?  PKCS#11 nowadays supports UTF-8 for the strings we care about,
>but says nothing about normalization.  I suppose you could say that
>matching should be (lowercase) normalization-insensitive.  In practice
>it will never matter (which is why the lowercase).

	hi Nico, I assume you talk about case normalization now.  I 
also agree we need not to say anything about it - and we don't aside 
from "case normalization" as defined in 6.2.2.1 of RFC 3986 where only 
the following sections are relevant to us:

   For all URIs, the hexadecimal digits within a percent-encoding
   triplet (e.g., "%3a" versus "%3A") are case-insensitive and therefore
   should be normalized to use uppercase letters for the digits A-F.

	and:

   The other generic syntax components are assumed to be 
   case-sensitive unless specifically defined otherwise by the scheme 
   (see Section 6.2.3).

	I also understand that technically it is not specified which 
pairs form lower-upper character relationship and that in some 
alphabets not everybody agrees on what the uppercase version of a 
specific character is.  I can also see a report that perl and GNU libc 
conversion routines work differently and that it may not be simply a 
bug in one or the other.

	so I'd rather compare UTF-8 strings literally and assume that 
producers of PKCS#11 URIs will use exactly what they get via the 
PKCS#11 API and that consumers will not apply any case normalization 
post-processing on such URIs.

	cheers, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Tue Dec 30 11:54:03 2014
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.2.00.1412300946340.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik>
Date: Tue, 30 Dec 2014 13:53:53 -0600
Message-ID: <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Jan Pechanec <jan.pechanec@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/WnD5HoEIq0I85auauAqUpKQt4Kk
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Tue, 30 Dec 2014 19:54:01 -0000

On Tue, Dec 30, 2014 at 12:14 PM, Jan Pechanec <jan.pechanec@oracle.com> wrote:
> On Tue, 30 Dec 2014, Nico Williams wrote:
>>Better not even think about saying anything about normalization,
>>right?  PKCS#11 nowadays supports UTF-8 for the strings we care about,
>>but says nothing about normalization.  I suppose you could say that
>>matching should be (lowercase) normalization-insensitive.  In practice
>>it will never matter (which is why the lowercase).
>
>         hi Nico, I assume you talk about case normalization now.  I
> also agree we need not to say anything about it - and we don't aside
> from "case normalization" as defined in 6.2.2.1 of RFC 3986 where only
> the following sections are relevant to us:

No, I meant Unicode normalization.  It's a messy business.  Better say
nothing, because I think the thing to do is obvious enough, but if we
must say anything, it's that the various strings (e.g., token manuf)
are to be compared normalization-insensitively.

Nico
--


From nobody Tue Dec 30 12:44:05 2014
Date: Tue, 30 Dec 2014 12:43:58 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com>
Message-ID: <alpine.GSO.2.00.1412301242140.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/s3reruTThnJSjT2oaVFMxIALe2k
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Tue, 30 Dec 2014 20:44:04 -0000

On Tue, 30 Dec 2014, Nico Williams wrote:

>On Tue, Dec 30, 2014 at 12:14 PM, Jan Pechanec <jan.pechanec@oracle.com> wrote:
>> On Tue, 30 Dec 2014, Nico Williams wrote:
>>>Better not even think about saying anything about normalization,
>>>right?  PKCS#11 nowadays supports UTF-8 for the strings we care about,
>>>but says nothing about normalization.  I suppose you could say that
>>>matching should be (lowercase) normalization-insensitive.  In practice
>>>it will never matter (which is why the lowercase).
>>
>>         hi Nico, I assume you talk about case normalization now.  I
>> also agree we need not to say anything about it - and we don't aside
>> from "case normalization" as defined in 6.2.2.1 of RFC 3986 where only
>> the following sections are relevant to us:
>
>No, I meant Unicode normalization.  It's a messy business.  Better say
>nothing, because I think the thing to do is obvious enough, but if we
>must say anything, it's that the various strings (e.g., token manuf)
>are to be compared normalization-insensitively.

	yes, in that case I agree that we don't need to say anything.  
Thanks for bringing this up, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Tue Dec 30 22:29:55 2014
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Content-Type: multipart/signed; boundary="Apple-Mail=_1534E963-BF49-4538-B4A9-1C07BA000995"; protocol="application/pgp-signature"; micalg=pgp-sha1
X-Pgp-Agent: GPGMail 2.5b4
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com>
Date: Wed, 31 Dec 2014 07:29:47 +0100
Message-Id: <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/ZhsAPiSSIaZwW6Q64SPjqU9l-kM
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Wed, 31 Dec 2014 06:29:51 -0000

--Apple-Mail=_1534E963-BF49-4538-B4A9-1C07BA000995
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii


> On 30 dec 2014, at 20:53, Nico Williams <nico@cryptonector.com> wrote:
> 
> Better say
> nothing, because I think the thing to do is obvious enough, but if we
> must say anything, it's that the various strings (e.g., token manuf)
> are to be compared normalization-insensitively.

Sorry, but I have not heard the term "normalization-insensitively" before.

Can you explain what you mean?

   Patrik


--Apple-Mail=_1534E963-BF49-4538-B4A9-1C07BA000995--


From nobody Tue Dec 30 23:03:46 2014
Date: Wed, 31 Dec 2014 01:03:33 -0600
From: Nico Williams <nico@cryptonector.com>
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <20141231070328.GK24442@localhost>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/LxXS5YGov0omsi835_Zyp3R1ulY
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Wed, 31 Dec 2014 07:03:36 -0000

On Wed, Dec 31, 2014 at 07:29:47AM +0100, Patrik Fältström wrote:
> > On 30 dec 2014, at 20:53, Nico Williams <nico@cryptonector.com> wrote:
> > Better say
> > nothing, because I think the thing to do is obvious enough, but if we
> > must say anything, it's that the various strings (e.g., token manuf)
> > are to be compared normalization-insensitively.
>
> Sorry, but I have not heard the term "normalization-insensitively" before.
>
> Can you explain what you mean?

Notionally, if you're comparing two unnormalized strings, you could
normalize both then compare the two normalized strings.

Of course, that can be inefficient (e.g., if it means allocating memory,
or if they will prove not equal in the first few codepoints) or
infeasible (e.g., if one of the strings is actually a hashed key to a
hash table).

What you can do for the first case is compare code-unit by code-unit, with
a fast path for the cases that need no normalization, and normalizing
one character (but possibly multiple codepoints, of course) at a time.
This limits the total memory consumption, and anyways, for the common
case you can often expect an inequality result long before you're done
traversing the shorter string.  This is (can be, if you do it right), of
course, equivalent to normalizing both strings then comparing -- but it
should usually be much faster.

For the second case the thing to do is to normalize the key at hash
time, naturally.

[ZFS, incidentally, supports this for filesystem object names, and has
for years now.]

Now, PKCS#11 nowadays supports UTF-8 for things like "token label", but
it doesn't say anything about form -- why should it (see below)?

But where PKCS#11 URIs are intended to _match_ PKCS#11 resources by
name... apps will need to care about normalization.  In practice, like a
great many applications, doing nothing about normalization will probably
work fine (until the day that it doesn't).  But saying anything about
this could be tricky: what if there are two tokens with equivalent
labels, just in different forms?  Fortunately PKCS#11 URIs can match on
more attributes than labels, so there's that.

PKCS#11 should say "don't do that" or "don't do that, normalize to NFC"
(or NFD, whatever), but doesn't (or I didn't find where it does, if it
does), so the most that this document could say is "compare
normalization-insensitively where possible".

Nico
--
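
The two cases described in the message above (comparing incrementally, and normalizing a key at hash time), as an added example that is not part of the original message or of any PKCS#11 library. The function names and token records are constructed for illustration; the stream is compared in NFD rather than NFC because canonical decomposition can be done one character at a time, and two strings are equal in NFD exactly when they are equal in NFC.

```python
import unicodedata
from itertools import zip_longest
from urllib.parse import unquote_to_bytes


def _starts_segment(ch):
    """True if the canonical decomposition of ch begins with a starter
    (combining class 0), so canonical reordering cannot cross this point."""
    return unicodedata.combining(unicodedata.normalize("NFD", ch)[0]) == 0


def nfd_stream(s):
    """Yield the NFD code points of s, normalizing one segment at a time.
    Memory use is bounded by the longest base-plus-combining-marks run."""
    seg = ""
    for ch in s:
        if seg and _starts_segment(ch):
            yield from unicodedata.normalize("NFD", seg)
            seg = ""
        seg += ch
    if seg:
        yield from unicodedata.normalize("NFD", seg)


def norm_insensitive_equal(a, b):
    """Same result as NFC(a) == NFC(b), without normalizing whole strings."""
    if a == b:                        # fast path: identical code points
        return True
    if a.isascii() and b.isascii():   # ASCII never changes under normalization
        return False
    # all() stops at the first differing code point; None marks a length mismatch.
    return all(x == y for x, y in zip_longest(nfd_stream(a), nfd_stream(b)))


def parse_pkcs11_path(uri):
    """Percent-decode the path attributes of a pkcs11: URI (query part ignored)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for pair in filter(None, path.split(";")):
        name, _, value = pair.partition("=")
        attrs[name] = unquote_to_bytes(value).decode("utf-8")
    return attrs


def match_tokens(uri, tokens, equal):
    """Return every token whose attributes satisfy the URI under `equal`."""
    want = parse_pkcs11_path(uri)
    return [t for t in tokens
            if all(n in t and equal(t[n], v) for n, v in want.items())]


def build_index(tokens):
    """Hash-table case: normalize the key once, at insert time.
    A bucket with more than one entry means equivalent labels exist."""
    index = {}
    for t in tokens:
        index.setdefault(unicodedata.normalize("NFC", t["token"]), []).append(t)
    return index


# Constructed sample data: two tokens whose labels differ only in Unicode form.
# "token", "manufacturer" and "serial" are PKCS#11 URI path attribute names.
TOKENS = [
    {"token": "Caf\u00e9 HSM", "manufacturer": "Example Corp", "serial": "0001"},   # precomposed
    {"token": "Cafe\u0301 HSM", "manufacturer": "Example Corp", "serial": "0002"},  # e + combining acute
    {"token": "Backup", "manufacturer": "Example Corp", "serial": "0003"},
]
URI_NFD = "pkcs11:token=Cafe%CC%81%20HSM"   # label written in decomposed form

if __name__ == "__main__":
    import operator
    for name, eq in (("literal", operator.eq), ("insensitive", norm_insensitive_equal)):
        hits = [t["serial"] for t in match_tokens(URI_NFD, TOKENS, eq)]
        print(name, hits, "(ambiguous)" if len(hits) > 1 else "")
    narrowed = match_tokens(URI_NFD + ";serial=0002", TOKENS, norm_insensitive_equal)
    print("with serial:", [t["serial"] for t in narrowed])
```
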


From nobody Tue Dec 30 23:33:34 2014
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Content-Type: multipart/signed; boundary="Apple-Mail=_617DFA80-0015-42AF-9A0A-05FD15F8B4F8"; protocol="application/pgp-signature"; micalg=pgp-sha1
X-Pgp-Agent: GPGMail 2.5b4
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <20141231070328.GK24442@localhost>
Date: Wed, 31 Dec 2014 08:33:28 +0100
Message-Id: <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/w2JUfzdRiInd2bDGIMYIFthcxWc
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] PKCS#11 URI slot attributes & last call
X-List-Received-Date: Wed, 31 Dec 2014 07:33:33 -0000

--Apple-Mail=_617DFA80-0015-42AF-9A0A-05FD15F8B4F8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1


> On 31 dec 2014, at 08:03, Nico Williams <nico@cryptonector.com> wrote:
>
> On Wed, Dec 31, 2014 at 07:29:47AM +0100, Patrik Fältström wrote:
>>> On 30 dec 2014, at 20:53, Nico Williams <nico@cryptonector.com> wrote:
>>> Better say
>>> nothing, because I think the thing to do is obvious enough, but if we
>>> must say anything, it's that the various strings (e.g., token manuf)
>>> are to be compared normalization-insensitively.
>>
>> Sorry, but I have not heard the term "normalization-insensitively" before.
>>
>> Can you explain what you mean?
>
> Notionally, if you're comparing two unnormalized strings, you could
> normalize both then compare the two normalized strings.
>
> Of course, that can be inefficient (e.g., if it means allocating memory,
> or if they will prove not equal in the first few codepoints) or
> infeasible (e.g., if one of the strings is actually a hashed key to a
> hash table).
>
> What you can do for the first case is compare code-unit by code-unit, with
> a fast path for the cases that need no normalization, and normalizing
> one character (but possibly multiple codepoints, of course) at a time.
> This limits the total memory consumption, and anyways, for the common
> case you can often expect an inequality result long before you're done
> traversing the shorter string.  This is (can be, if you do it right), of
> course, equivalent to normalizing both strings then comparing -- but it
> should usually be much faster.
>
> For the second case the thing to do is to normalize the key at hash
> time, naturally.
>
> [ZFS, incidentally, supports this for filesystem object names, and has
> for years now.]
>
> Now, PKCS#11 nowadays supports UTF-8 for things like "token label", but
> it doesn't say anything about form -- why should it (see below)?
>
> But where PKCS#11 URIs are intended to _match_ PKCS#11 resources by
> name... apps will need to care about normalization.  In practice, like a
> great many applications, doing nothing about normalization will probably
> work fine (until the day that it doesn't).  But saying anything about
> this could be tricky: what if there are two tokens with equivalent
> labels, just in different forms?  Fortunately PKCS#11 URIs can match on
> more attributes than labels, so there's that.
>
> PKCS#11 should say "don't do that" or "don't do that, normalize to NFC"
> (or NFD, whatever), but doesn't (or I didn't find where it does, if it
> does), so the most that this document could say is "compare
> normalization-insensitively where possible".

Ok, so what you say is that the side that is to calculate whether
there is a match or not can do whatever normalization they want on the
string(s)? Or do you say that whoever is doing a match is to not do
normalization at all as the application (on client side) can and
should define what normalization (in a broader sense, not only Unicode
Normalization) must be possible to define?

In IDNA2008, as you know, we did choose the latter, but recommend
applications to define what normalization to do, and that NFC is the
Unicode Normalization to use.

   Patrik


--Apple-Mail=_617DFA80-0015-42AF-9A0A-05FD15F8B4F8--


From nobody Tue Dec 30 23:46:50 2014
Date: Wed, 31 Dec 2014 01:46:45 -0600
From: Nico Williams <nico@cryptonector.com>
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <20141231074641.GM24442@localhost>
References: <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/va9AJShBuTaZV78a8Yi1b1OufoE
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: [saag] NF* (Re: PKCS#11 URI slot attributes & last call)

On Wed, Dec 31, 2014 at 08:33:28AM +0100, Patrik Fältström wrote:
> Ok, so what you say is that the side that is to calculate whether
> there is a match or not can do whatever normalization they want on the
> string(s)? Or do you say that whoever is doing a match is to not do
> normalization at all as the application (on client side) can and
> should define what normalization (in a broader sense, not only Unicode
> Normalization) must be possible to define?

I'm saying something subtly different:

When you don't have the luxury of every string you might chance upon
being required to be normalized to the one true form, then you have
three choices:

 - give up

 - go fix whatever needs to be fixed so that you do have that luxury

   Here that would be: PKCS#11 itself, token vendors, and so on.

   I.e., not quite boiling the oceans but maybe a Great lake.

 - try your best

Normalization-insensitive comparison falls into the third bucket.

> In IDNA2008, as you know, we did choose the latter, but recommend
> applications to define what normalization to do, and that NFC is the
> Unicode Normalization to use.

For another example, in the world of filesystems we have:

 - most of the world just-uses-8 (UTF-8, ISO-8859-*, whatever, and when
   UTF-8, form is accidental)

 - some of the world insists on UTF-8 (though it's hard for a filesystem
   to enforce this: all it sees is octet strings)

    - some of the world normalizes to NFD (close enough) on create and
      lookup (e.g., HFS+)

    - some of the world is normalization-preserving-but-form-insensitive
      (ZFS)

The NFD case is obnoxious because even on those systems the input system
tends to produce NFC...  But anyways.  When you have no canonical form
for whatever reason, you can try form-insensitive matching.

Obviously there's aliasing to consider (but there is anyways), and so
on.  But none of this is terribly interesting here except for the "best
effort matching" idea, since that's probably the user-friendly and
not-too-dangerous thing to do here.

Nico
-- 


From nobody Tue Dec 30 23:54:09 2014
Return-Path: <paf@frobbit.se>
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Content-Type: multipart/signed; boundary="Apple-Mail=_235D3920-0E8C-435A-B65C-DEF6018F1E1D"; protocol="application/pgp-signature"; micalg=pgp-sha1
X-Pgp-Agent: GPGMail 2.5b4
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <20141231074641.GM24442@localhost>
Date: Wed, 31 Dec 2014 08:54:00 +0100
Message-Id: <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se>
References: <20141217230150.GB9443@localhost> <alpine.GSO.2.00.1412171513520.4549@keflavik> <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Hir8r1njQl9hNxVLQmB_NCrmFbY
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] NF* (Re: PKCS#11 URI slot attributes & last call)

--Apple-Mail=_235D3920-0E8C-435A-B65C-DEF6018F1E1D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1


> On 31 dec 2014, at 08:46, Nico Williams <nico@cryptonector.com> wrote:
> 
> The NFD case is obnoxious because even on those systems the input system
> tends to produce NFC...  But anyways.  When you have no canonical form
> for whatever reason, you can try form-insensitive matching.

Ok, got it (and yes, I have been bitten myself a few times on the NFD
issues with HFS+).

What I think is then needed is for this case:

1. A simple explanation of what you really are talking about

What is the requirement on whom regarding normalization/mapping/whatever?

2. An evaluation of whether the choice is the right one or not

The tricky part regarding choice of normalization (together with
selection of code points allowed) is of course whether false positives
or false negatives are the most troublesome event when trying to do
matching.

I.e. say that the matching algorithm is not defined. Is there a larger
risk you will get false positives, and because of that possible attacks
using some kind of "hamming-distance"/"homograph" (based on
normalization)? Or rather, a description must be part of the security
considerations section to explain what should not be done to not
increase the risk for such attacks.


Let me just be clear here, I am very much in favor of specifications
that say that "server side matching" should NOT do normalization, as
that gives most freedom for the applications that use whatever mechanism
is defined. But, that to me sets requirements on "client side" to do the
right thing (for example like in IDNA2008 only be allowed to use certain
code points).

So, given your choice on server side matching, what are the requirements
on client side?

   Patrik


--Apple-Mail=_235D3920-0E8C-435A-B65C-DEF6018F1E1D--


From nobody Wed Dec 31 00:26:03 2014
Return-Path: <nico@cryptonector.com>
Date: Wed, 31 Dec 2014 02:25:55 -0600
From: Nico Williams <nico@cryptonector.com>
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <20141231082551.GN24442@localhost>
References: <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/UWMPk6jxTqI-lTF2z8MjXlSBr2s
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] NF* (Re: PKCS#11 URI slot attributes & last call)

On Wed, Dec 31, 2014 at 08:54:00AM +0100, Patrik Fältström wrote:
> What I think is then needed is for this case:
> 
> 1. A simple explanation of what you really are talking about
> 
> What is the requirement on whom regarding normalization/mapping/whatever?

The I-D in question defines a URI scheme for PKCS#11 resources some of
whose naming attributes are character strings which PKCS#11 says should
be UTF-8.  PKCS#11 (*not* an Internet standard) does not say anything
about form.  Should this I-D say anything about form?

IMO the most it should say is "PKCS#11 doesn't specify a canonical form
for these labels, therefore the application may need to canonicalize
prior to comparing them".  The alternative is to say nothing.

PKCS#11 is an API.  PKCS#11 apps might "interoperate" using PKCS#11 URIs
communicated over, e.g., IPC (or plain old cut-n-paste).

PKCS#11 URI _templates_ might well be exchanged far and wide, but still
not really as a part of a network protocol.

> The tricky part regarding choice of normalization (together with
> selection of code points allowed) is of course whether false positives
> or false negatives are the most troublesome event when trying to do
> matching.

This can be true even if we say nothing.

> Let me just be clear here, I am very much in favor of specifications
> that say that "server side matching" should NOT do normalization, as
> that gives most freedom for the applications that use whatever

Where this works for filesystems, it is by accident: because input
methods "agree" on a canonical form for inputs.

As you know it actually doesn't work that well for filesystems:
"clients" (e.g., a program using a POSIX open() function) don't do
anything about normalization.  Neither do C library/run-time system call
stubs.  Neither do kernels.  Neither do <pick networked fs protocol>
clients.  They just don't.  Why would they?  These systems have lineages
much older than Unicode.

For IDNA, of course, the DNS client application has to canonicalize.

IOW, what to do depends on the application.  For filesystems I say: be
form-preserving-form-insensitive.  For IDNA there's no choice but to go
with clients-must-normalize.  Each app will be different.

> mechanism is defined. But, that to me sets requirements on "client
> side" to do the right thing (for example like in IDNA2008 only be
> allowed to use certain code points).
> 
> So, given your choice on server side matching, what are the
> requirements on client side?

There's no network protocol here.  There's an API and applications
interoperating over IPC ("cut-n-paste").

Of course, the issues are the same, it's just that there's no "server"
to consider.  It's all as good as "clients".  Unlike IDNA, it's all
UTF-8, all the time, so that form-insensitive can work.

Nico
-- 


From nobody Wed Dec 31 01:09:48 2014
Return-Path: <paf@frobbit.se>
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Content-Type: multipart/signed; boundary="Apple-Mail=_E760699F-2F5B-461D-BAD0-D507440D1D87"; protocol="application/pgp-signature"; micalg=pgp-sha1
X-Pgp-Agent: GPGMail 2.5b4
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <20141231082551.GN24442@localhost>
Date: Wed, 31 Dec 2014 10:09:39 +0100
Message-Id: <48A18B23-AAF9-44EA-8557-D25EBE398B56@frobbit.se>
References: <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/Mp0krnJ2MHu73tRtzsO0q70uk1A
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] NF* (Re: PKCS#11 URI slot attributes & last call)

--Apple-Mail=_E760699F-2F5B-461D-BAD0-D507440D1D87
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1


> On 31 Dec 2014, at 09:25, Nico Williams <nico@cryptonector.com> wrote:
> 
>> So, given your choice on server side matching, what are the
>> requirements on client side?
> 
> There's no network protocol here.  There's an API and applications
> interoperating over IPC ("cut-n-paste").
> 
> Of course, the issues are the same, it's just that there's no "server"
> to consider.  It's all as good as "clients".  Unlike IDNA, it's all
> UTF-8, all the time, so that form-insensitive can work.

Well, the definition of a URI like in this case in reality defines a
protocol with a client and server, if we think about the case when the
URI is used. Someone creates a URI (by typing, speaking, OCR:ing,
copying) and uses it to reach a resource.

So the issues are the same.

Regarding "the PKCS#11 does not talk about the issue, so why would IETF"
is a question I think has a clear answer. IETF have in many cases
created profiles, or let me say "interpretations" of definitions made
elsewhere. Simply because IETF do not think the specification is crisp
enough.

Look at UTF-8 for example.

You also write:

> IOW, what to do depends on the application.  For filesystems I say: be
> form-preserving-form-insensitive.  For IDNA there's no choice but to go
> with clients-must-normalize.  Each app will be different.


Sure, that is my point.

What you say is that the IETF use of PKCS#11, without any specification
of normalisation, mapping or otherwise, will not have any security
implications whatsoever regardless of what an application does (i.e. one
party participating using one normalisation form, another does PRECIS
mapping, a third does NFC,...)?

That is what I see you write, and if either I understand you wrong, or
if that is not what you are saying, then a text must be created and
added that explains the pitfalls -- at least as part of the security
considerations section if not in the specification on how PKCS#11 is to
be used.

   Patrik


--Apple-Mail=_E760699F-2F5B-461D-BAD0-D507440D1D87--


From nobody Wed Dec 31 01:19:28 2014
Return-Path: <nico@cryptonector.com>
Date: Wed, 31 Dec 2014 03:19:10 -0600
From: Nico Williams <nico@cryptonector.com>
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <20141231091906.GO24442@localhost>
References: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost> <48A18B23-AAF9-44EA-8557-D25EBE398B56@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <48A18B23-AAF9-44EA-8557-D25EBE398B56@frobbit.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/V9HVfNp1WDR7u7_36-18u3TzY0g
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, "saag@ietf.org" <saag@ietf.org>, Jan Pechanec <jan.pechanec@oracle.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [saag] NF* (Re: PKCS#11 URI slot attributes & last call)

On Wed, Dec 31, 2014 at 10:09:39AM +0100, Patrik Fältström wrote:
> > On 31 Dec 2014, at 09:25, Nico Williams <nico@cryptonector.com> wrote:
> > Of course, the issues are the same, it's just that there's no "server"
> > to consider.  It's all as good as "clients".  Unlike IDNA, it's all
> > UTF-8, all the time, so that form-insensitive can work.
> 
> Well, the definition of a URI like in this case in reality defines a
> protocol with a client and server, if we think about the case when the
> URI is used. Someone creates a URI (by typing, speaking, OCR:ing,
> copying) and uses it to reach a resource.

As with filesystems, the "processes" creating and accessing the resource
are all clients.  There are no servers that can make right, therefore we
might as well not speak of them :)

(We're agreeing.)

> Regarding "the PKCS#11 does not talk about the issue, so why would
> IETF" is a question I think has a clear answer. IETF have in many
> cases created profiles, or let me say "interpretations" of definitions
> made elsewhere. Simply because IETF do not think the specification is
> crisp enough.

Yes.  The question is whether we should in this case.

I'm in favor of saying "do form-insensitive comparison".  I'd settle for
"always normalize to NFC when creating PKCS#11 resources" because, after
all, that's what IRIs need anyways, it's just that a PKCS#11 URI-using
app might not be in a position to make "normalize on create" happen.

OTOH, I think this is a minor issue, so if reaching consensus is hard,
then I say "say nothing", normatively anyways.

However, you're right that as far as Security Considerations go, we
can't say nothing.

> Look at UTF-8 for example.

Indeed.  We make things better.

> You also write:
> 
> > IOW, what to do depends on the application.  For filesystems I say:
> > be form-preserving-form-insensitive.  For IDNA there's no choice but
> > to go with clients-must-normalize.  Each app will be different.
> 
> Sure, that is my point.

Yes, we agree :)

> What you say is that the IETF use of PKCS#11, without any
> specification of normalisation, mapping or otherwise, will not have
> any security implications whatsoever regardless of what an
> application does (i.e. one party participating using one normalisation
> form, another does PRECIS mapping, a third does NFC,...)?

No, it will have security considerations regardless.

The only way to help that is to force normalization on create, but as I
say, that's not something this spec can cause to happen or assume has
happened.

> That is what I see you write, and if either I understand you wrong, or
> if that is not what you are saying, then a text must be created and
> added that explains the pitfalls -- at least as part of the security
> considerations section if not in the specification on how PKCS#11 is
> to be used.

Yes.

Nico
-- 
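
The two options weighed in the message above (form-insensitive comparison versus relying on byte-exact labels) and the false-positive concern raised earlier in the thread, as an added example that is not part of any message in this archive. It assumes a `pkcs11:` URI whose path is a `;`-separated list of `name=value` attributes with a `token` label attribute; the labels and the URI are constructed sample data.

```python
import unicodedata
from urllib.parse import unquote


class AmbiguousLabel(Exception):
    """More than one stored label matches once form differences are ignored."""


def uri_attr(uri, name):
    """Return the percent-decoded value of one path attribute of a pkcs11: URI."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11 URI")
    path = rest.split("?", 1)[0]  # ignore any query component
    for part in path.split(";"):
        key, sep, value = part.partition("=")
        if sep and key == name:
            # strict: reject octets that are not valid UTF-8 instead of guessing
            return unquote(value, encoding="utf-8", errors="strict")
    raise KeyError(name)


def match_exact(wanted, labels):
    """Octet-for-octet comparison: the result when nobody normalizes."""
    target = wanted.encode("utf-8")
    return [lab for lab in labels if lab.encode("utf-8") == target]


def match_insensitive(wanted, labels, form="NFC"):
    """Compare under `form` but return the stored labels untouched
    (form-preserving, form-insensitive)."""
    key = unicodedata.normalize(form, wanted)
    return [lab for lab in labels if unicodedata.normalize(form, lab) == key]


def find_token(uri, labels, form="NFC"):
    """Resolve the URI's token attribute to exactly one stored label.

    Returns None when nothing matches and raises AmbiguousLabel when the
    comparison cannot tell two stored labels apart, so an alias is never
    selected silently.
    """
    hits = match_insensitive(uri_attr(uri, "token"), labels, form)
    if len(hits) > 1:
        raise AmbiguousLabel(hits)
    return hits[0] if hits else None


# Constructed sample data (not taken from the thread).
NFD_LABEL = "Fa\u0308ltstro\u0308m HSM"   # label written in decomposed form
NFC_LABEL = "F\u00e4ltstr\u00f6m HSM"     # same text, composed form
TYPED_URI = "pkcs11:token=F%C3%A4ltstr%C3%B6m%20HSM"  # input method produced NFC
LIGATURE = "\ufb01nance"                  # starts with U+FB01 LATIN SMALL LIGATURE FI
PLAIN = "finance"

if __name__ == "__main__":
    wanted = uri_attr(TYPED_URI, "token")
    print("exact      :", match_exact(wanted, [NFD_LABEL]))          # false negative
    print("NFC-insens.:", [ascii(x) for x in match_insensitive(wanted, [NFD_LABEL])])
    # Canonical forms keep the ligature distinct; compatibility forms alias it.
    print("NFC  hits  :", len(match_insensitive(PLAIN, [LIGATURE, PLAIN], "NFC")))
    print("NFKC hits  :", len(match_insensitive(PLAIN, [LIGATURE, PLAIN], "NFKC")))
    try:
        find_token(TYPED_URI, [NFD_LABEL, NFC_LABEL])
    except AmbiguousLabel as exc:
        print("ambiguous  :", len(exc.args[0]), "labels differ only in form")
```

Which normalization form the comparison uses decides how many aliases exist, so the choice belongs in the application's security review alongside the ambiguity check.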


From nobody Wed Dec 31 07:41:40 2014
Return-Path: <john-ietf@jck.com>
Date: Wed, 31 Dec 2014 10:41:28 -0500
From: John C Klensin <john-ietf@jck.com>
To: Nico Williams <nico@cryptonector.com>, Patrik Fältström <paf@frobbit.se>
Message-ID: <E4837FDB76D5ACDEB1C568DF@[192.168.1.128]>
In-Reply-To: <20141231082551.GN24442@localhost>
References: <CAK3OfOjnRCmiu-TKCJ-AFanpCsqnw1o2w_EC2AKMUnQ2A4DqVw@mail.gmail.com> <alpine.GSO.2.00.1412292234010.1509@keflavik> <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/5hwJZ18kwD1o7vtC0_-WggryKho
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, saag@ietf.org, Jan Pechanec <jan.pechanec@oracle.com>, ietf@ietf.org
Subject: [saag] i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))

--On Wednesday, 31 December, 2014 02:25 -0600 Nico Williams
<nico@cryptonector.com> wrote:

> On Wed, Dec 31, 2014 at 08:54:00AM +0100, Patrik Fältström
> wrote:
>> What I think is then needed is for this case:
>> 
>> 1. A simple explanation of what you really are talking about
>> 
>> What is the requirement on whom regarding
>> normalization/mapping/whatever?
> 
> The I-D in question defines a URI scheme for PKCS#11 resources
> some of whose naming attributes are character strings which
> PKCS#11 says should be UTF-8.  PKCS#11 (*not* an Internet
> standard) does not say anything about form.  Should this I-D
> say anything about form?
> 
> IMO the most it should say is "PKCS#11 doesn't specify a
> canonical form for these labels, therefore the application may
> need to canonicalize prior to comparing them".  The
> alternative is to say nothing.

Nico, commenting on this issue only and doing it in more general
terms (going a bit beyond Patrik's "IETF have in many cases
created profiles..."): The conventions for IETF-approved
publications include that they are supposed to support
interoperability and that features/ characteristics that would
interfere with interoperability are grave defects.  This is
especially true of Standards Track documents, where 2026 very
clearly makes "known technical omissions" absent specific
reasons for waiving that requirement.  At least by convention
for nearly two decades, the IESG reaching such a conclusion
requires clear documentation of the defect and the reason for
making an exception in the specification and usually in the Last
Call.

Nowhere in our procedures is there any provision for a
standards-track document to get a waiver because some other
standards body got sloppy, did something that wouldn't meet our
standards, or didn't quite understand the implications of what
they were doing.

Now, we've had a lot of specs written on the assumption that a
sufficient path to internationalization of a protocol designed
around ASCII (or an ISO 646 profile or IA5) was "just say
'UTF-8' where we used to say 'ASCII', use UTF-8, and go merrily
on your way".  After a while, with help from both experience and
some of our friends, we figured out that wasn't a good idea and
various specs now, appropriately, push back anything resembling
"just use UTF-8" (a statement like "It's all UTF-8, all the
time, so that form-insensitive can work" (from your earlier
note, not the spec) is an example of "just use UTF-8" thinking).


In addition, we have an often-ignored requirement for an
"Internationalization Considerations" section when a document
touches on i18n issues (See Section 6 of RFC 2277).  Personally,
I don't think it is important for documents that really address
i18n topics but that it is extremely so when, e.g., the spec
doesn't really address the i18n issues but repeatedly says
things like "...in environments that are not strictly limited to
US-ASCII".  Without specific instructions (and I can find none
on quick skimming), that is dealing with i18n considerations by
aggressive handwaving.   One of the more impressive examples of
this is

	"...an implementer ought to use the spirit rather than
	the letter of the rules when generating or parsing these
	formats in environments that are not strictly limited to
	US-ASCII."

But the most frequent complaint we hear about i18n from protocol
designers in the IETF is similar to "I'm not an expert on this
stuff and don't intend to become one; just tell me what to do".
The above does nothing for "just tell me what to do".  It
instead implies that the implementer should become enough of an
expert to figure out what the implications of "the spirit"
actually are.  FWIW, I can't easily figure that out because
there are so many whitespace characters, zero-width things,
breaks and non-breaks of various sorts, etc., in Unicode to say
nothing of conventions in various scripts that don't separate
"words" with space-like things.  There is some guidance in a few
Unicode specs, but they are hard to read and understand, much
less apply reasonably to a particular situation, unless one
already has a good understanding of the Unicode Standard and
some of the issues involved.

Normalization is easily dealt with by making a clear statement.
Historically, our experience has been that the obvious
reasonably clear statement is "use NFC".  The growing community
opinion (including in the W3C i18n effort which is much more
active than various IETF-related groups) seems to be "don't
worry about normalization until comparison (or equivalent) time
because it will have to be done again then anyway to be safe".
You (and the authors) pick, but I agree with Patrik that
something needs to be said unless you take the alternate
suggestion below.

But other issues, like the whitespace one called out above, are
far more complex and require serious treatment of some sort.

Alternate suggestion in the interest of getting this out and
recognizing that this is mostly a PKCS#11 problem (presumably
ITU and/or RSA, but what do I know) and shouldn't be an IETF one:

(1) Put in an Internationalization Considerations section, which
I believe is required anyway.

(2) Indicate that PKCS#11 severely underspecifies issues
associated with characters outside the ASCII repertoire and,
especially, contexts not associated with European languages.

(3) Say that, at least until PKCS#11 is updated to more
adequately handle and specify i18n issues, such characters, and
certificates that use them, SHOULD NOT be used in or referenced
from URIs, unless there is a clear need and the issues
associated with the characters to be used are clearly understood.

(4) As appropriate, update the handwaving in this document to
point to that new section.

That would make it very clear that you are not telling people
how to do it and would make the warning as obvious as it should
be.

Finally...

> PKCS#11 is an API.  PKCS#11 apps might "interoperate" using
> PKCS#11 URIs communicated over, e.g., IPC (or plain old
> cut-n-paste).
>
> PKCS#11 URI _templates_ might well be exchanged far and wide,
> but still not really as a part of a network protocol.

For many years, the IETF had a very strong "we don't do APIs"
policy.  That was motivated, at least in part, because APIs tend
to make strong assumptions about programming language and
operating system environments, either favoring some over others
(a business we didn't want to be in) or not standing the test of
time as things outside the IETF evolved.  The view was that we
were much better off specifying requirements and protocols and
leaving APIs to particular languages, libraries/packages, or
operational environments.

Times change but it seems that many of the times we do APIs drop
us into a rat hole similar to this one in which we are trying to
do an overlay to a spec over which we have little or no control.
Part of the problem is that an API is a somewhat different type
of beast from a protocol-style Technical Specification.  If we
are going to keep doing these, it may be time to modify/update
2026 to introduce a new class of standards-track document.
Until and unless we are willing to do that, I think we'd better
get used to these rough edges and stop pretending that they are
good excuses for work that doesn't meet the Technical
Specification target criteria.

   john



From nobody Wed Dec 31 09:14:20 2014
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EA2E1A0060 for <saag@ietfa.amsl.com>; Wed, 31 Dec 2014 09:14:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fiOW0XpJGf_G for <saag@ietfa.amsl.com>; Wed, 31 Dec 2014 09:14:16 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA911A0053 for <saag@ietf.org>; Wed, 31 Dec 2014 09:14:16 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 8652C6D782; Wed, 31 Dec 2014 12:14:14 -0500 (EST)
Message-ID: <54A42EE5.5070708@iang.org>
Date: Wed, 31 Dec 2014 17:14:13 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <5494DDCD.6030504@cs.tcd.ie> <54A1A04F.6000803@iang.org> <20141229192817.GE24442@localhost>
In-Reply-To: <20141229192817.GE24442@localhost>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/hfCN5PuI3RSlW9_SemIxRW65p3o
Cc: saag@ietf.org
Subject: Re: [saag] Important open-source activities...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 17:14:18 -0000

On 29/12/2014 19:28 pm, Nico Williams wrote:
> On Mon, Dec 29, 2014 at 06:41:19PM +0000, ianG wrote:
>> I have two observations speaking to the issue of the open source
>> community and use of IETF standards.  I don't have solutions, just
>> problems.
>>
>> First of two:
>>
>> 1.  The never ending saga of secure browsing and website
>> authentication:  It became obvious around about 2005 that phishing
>> was rising and pillaging.  Browser vendors then could have done
>> something about it, but did not.  This inaction requires answers.
>
> An assertion like this requires backup.


This is an area where every technical person worth his salt will leap 
forth and say "Naye, for it just ain't so."

I fought through all this for a multi-year era and got nowhere.  I've 
little incentive to try and battle through the excuses that get thrown 
in any more.  Right now I'm only looking at the big picture.

OP asked whether we could do more and better to work the open source 
security field.  I see phishing as an issue that regardless of the 
micro-events, at the macro level the industry failed to deal with.

Why was that?  What went wrong?

> There have certainly been
> attempts to address phishing.  I've attended one W3C workshop on the
> matter (IDBROWSER); I presented there.  I recall many presentations were
> made over several days.  I believe there have been other workshops I've
> not attended.  There was some activity here in the IETF as well (look up
> Sam Hartman's I-Ds, for example; Sam also presented at IDBROWSER).


Did any of that effort make its way into browsers?  Did that change make 
a difference to phishing?

> Perhaps there is an underlying problem that we can't really solve
> technologically: humans are easy prey for con artists.  We can only make
> some attacks harder (e.g., confusables), but we can't really prevent
> them.


Yep, that's excuse #1 in security geek forums.  It's social engineering, 
the user is responsible.

Sorry, it just doesn't fly in this case.

> There are other reasons for apparent slow movement.  But you're hot on
> the trail here, so let's let you investigate them.
>
>> One thing that they claimed stopped them doing anything was that
>> they followed standards, and the standards weren't telling them
>> anything different.
>
> Got a link for this "they claimed" thing?  I'd like to read that.


Personal conversations.  No "link" and you are entirely right that if 
you could get the vendors to comment on this at all they would deny it.

So you can write it off as just another crazy iang claim if you like.


>> This brings up a whole host of issues for IETF as a standards org in
>> the security area.
>
> It probably would, yes.
>
>> On investigation this claim appeared to have some merit.  Certainly,
>
> You've investigated!  Great!  Please let us see your work.


Cites!  Another lousy excuse to shut it all down.  Look, we all know 
that you can knock down a claim by demanding cites, research, et al. 
I've seen that played over and over by the browser vendors.  Whenever 
someone comes up with an idea, the vendor can say "show me the research, 
show me the evidence."  Idea, contribution, forward movement all stops.

So your best bet here is to do what the browser vendors do:  ignore the 
crazy fringe element on some base or another, and not worry about it. 
The vendors have allowed phishing to grow rampant without change since 
it arose, so the strategy worked for them.  An entire decade in which 
their liability has not been questioned.

Meanwhile, those people with a longitudinal view can look at the record 
of the different institutions in Internet security and ask how it's going.

What did we do over that decade, with all the info available to us?

I don't care if you don't like my story.  What's your version of what 
was done over a decade?  What went wrong?



iang


>> certain aspects appear true:  Vendors do follow standards and they
>> won't for example listen to external agents on just anything [0].
>> Vendors have not typically employed what we might call security
>> architects to actually work in this area (as opposed to security
>> implementors) [1] thus confirming their intent to follow security
>> standards and not do original security work [2].
>
> Footnotes!  Excellent!1!!  I'm looking forward to seeing some references
> there for your investigation.
>
>> [...skipping to the references...]
>>
>> [0]  In practice, no security vendor likes to listen to outsiders,
>> as is seen with bug disclosures.  An oft-assumed mistake is to think
>> that an open source vendor will listen to outsiders, but
>> unfortunately this is not really true.
>> [1]  There is some evidence that one vendor is working at the
>> security architecture level, but this is not the norm.
>> [2]  An unfortunate practice known as "best practices".
>
> Oh, wait, no.  There's no actual references here.  That's a bit of a
> let-down, eh.
>
> Nico
>


From nobody Wed Dec 31 10:05:59 2014
Return-Path: <warren@kumari.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 654C31A0390 for <saag@ietfa.amsl.com>; Wed, 31 Dec 2014 10:05:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.722
X-Spam-Level: 
X-Spam-Status: No, score=0.722 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHVchx2_QsV5 for <saag@ietfa.amsl.com>; Wed, 31 Dec 2014 10:05:52 -0800 (PST)
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D281C1A0398 for <saag@ietf.org>; Wed, 31 Dec 2014 10:05:41 -0800 (PST)
Received: by mail-wg0-f50.google.com with SMTP id a1so22264237wgh.23 for <saag@ietf.org>; Wed, 31 Dec 2014 10:05:40 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=rIuIynNo57jmyLGOsDvKBj4EJE3JMJjlsb3zQk53/l8=; b=TZpKxTe9l1xsojpvCH4fHy/QyTbQhok+EiRePZtVAgGGGD2U90uvgKNzglM6BTUXv3 UPyKK3K4bfGCAq8bvPiAvx4Bukvfgc3/yr9IQ/ua+d/U1R9ApM5je7XeCeVZZd0ZXz+O 9qaIcLubpBP5YOEyfybottecBOI3KrHSNNgzNqFlyM9fTVWn5qkf6LZKDMVg8Jg6NApN x/25oB3y5Osu1eWiynJv4YdcAKb6mO09ZMJ/vRCCycwb80+Sav89wC+FUqdHS8Qg9XHK Bei3FUWXURznoGOHAKL+tSyKjbtEVNv7BSFjZ66SPMIztROA9ufgHL9uXtDoAGD2/mxr Yd/g==
X-Gm-Message-State: ALoCoQm1GpecXqdC5/L+bZ8lGNMpgVMpTdFoVtVH6DVdvrtjQk7+mbuu48GadsaC6w25kqL0IuAL
MIME-Version: 1.0
X-Received: by 10.194.19.131 with SMTP id f3mr128470479wje.46.1420049140390; Wed, 31 Dec 2014 10:05:40 -0800 (PST)
Received: by 10.194.64.37 with HTTP; Wed, 31 Dec 2014 10:05:40 -0800 (PST)
In-Reply-To: <54A1960A.3010902@cs.tcd.ie>
References: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com> <54A1960A.3010902@cs.tcd.ie>
Date: Wed, 31 Dec 2014 13:05:40 -0500
Message-ID: <CAHw9_iKJZnYw-R2=X69LX5kRtiAxxrZp8SrHGhWu+pNSkUVcog@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/MmzhFJmwxLq_HlvoSKj-z9D9Sn0
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] PSK considered helpful
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 18:05:55 -0000

On Mon, Dec 29, 2014 at 12:57 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> On 29/12/14 16:00, Watson Ladd wrote:
>> Dear all,
>>
>> The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
>> SSH, etc. From the documents it appears that the majority of effort is
>> in extracting configurations from routers that contain PSK keys, which
>> then permit the decryption of data.
>>
>> There is no information on how the configurations are being extracted,
>> sadly, as the documents don't contain this detail.
>
> Yeah, pity about that. They do talk about mining config files
> from routers in one of the files though, maybe that all starts
> from admin/admin and builds from there, who knows;-)
>
> I also haven't yet seen any info on how successful they claim
> to be, e.g. with what probability would the "request key" call
> give back a working key? The importance of this stuff would be
> affected a lot by that I figure - if the probability is high
> over all domains/VPNs then that'd be much worse than if the
> probability was tiny for a randomly selected VPN.
>
>> I think the decision made in TLS 1.3 to use forward secure methods
>> exclusively ought to be emulated more broadly across the security
>> area. Would one BCP on this across everything make sense, or do we
>> have to do it one at a time?
>
> A BCP could be useful yes, but protocols (such as TLS) are only
> really revised when there's sufficient reason for that and enough
> folks want to do the work. So even with a generic BCP, the actual
> protocol specs still need to be done one at a time. Hopefully,
> if there were a generic BCP that'd feed into each instance of that
> work though.
>
> I also suspect there'd be push-back on trying to entirely
> deprecate PSK - it's arguably just too useful to drop fully.

Yup.
Many moons ago I used to spend significant amounts of time building
IPSec VPNs for a large ISP ('twas great - VoIP over GRE over IPsec
over crappy copper from Dulles, VA, USA to various call centers in
India - what could *possibly* go wrong....)

Anyway, we'd often end up with different vendors at each end
(Netscreen, Cisco (IOS/PIX/ASA), Checkpoint(!), 3COM, etc). I'd always
try and make this work with certs, but in many cases the only way to
make this work between Vendor X and Vendor Y was to resort to a PSK, which
of course got slapped into NVRAM and never changed. For a while there
was an effort to make sure that all devices were wiped before being
RMA'ed, but this eventually fell by the wayside.
I had a large matrix of the highest security between all of the
vendors, and some scripts to generate the best configs, but eventually
engineers get bored, and everything ended up 3DES, SHA1, DH Group 2
and no PFS.

So, if you were sufficiently motivated you too could listen in on a
thousand call center reps all chanting "Have you tried turning it off
and on again?"

W


> So what might make for a good BCP is to recommend something more
> like an opportunistic DH exchange with a PSK used to authenticate
> that there's no MitM (i.e. the PSK is only for authentication
> and never for confidentiality).
>
> Lastly, we do already have bcp107 [1] though, so what you're after
> could be an updated version of that maybe. That update might
> require more work than just adding "prefer forward secrecy" though.
> I've found that bcp107 hasn't been that useful a guide for folks
> developing protocols and nor has it been that useful a stick for
> beating them with either when protocol developers ignore key
> management. That's maybe because it's too late in the process by
> the time a SEC AD tries to use bcp107 as a stick. So updating
> bcp107 might require a good bit of thought/work. (If someone does
> feel they have the ability/interest/energy, ping Kathleen and I
> I guess.)
>
> Cheers,
> S.
>
> [1] https://tools.ietf.org/html/bcp107
>
>
>>
>> Sincerely,
>> Watson
>>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
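
Stephen Farrell's suggestion quoted above (an ephemeral DH exchange where the PSK only authenticates), set beside the pattern Watson Ladd's note is concerned with, where the traffic key is derived from the PSK itself. This is an added example, not code from the thread or from any IPsec/TLS stack; the modulus, the KDF, the message layout and every name in it are assumptions chosen for readability.

```python
import hashlib
import hmac
import secrets

# Toy-sized modulus so the example stays readable. NOT a vetted DH group:
# real deployments take a standardized group or curve from their IKE/TLS stack.
P = 2**255 - 19
G = 2


def enc(n: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes(32, "big")


def kdf(label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts (illustrative KDF, an assumption)."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def psk_only_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Weak pattern: the traffic key is a function of the PSK and public nonces.

    Anyone who recorded the nonces and later reads the PSK out of a device
    configuration recomputes exactly this key and decrypts the recording.
    """
    return kdf(b"psk-only", psk, nonce_i, nonce_r)


class Peer:
    def __init__(self, role: bytes, psk: bytes):
        self.role, self.psk = role, psk
        self.secret = secrets.randbelow(P - 3) + 2   # ephemeral, never stored
        self.public = pow(G, self.secret, P)

    def auth_tag(self, transcript: bytes) -> bytes:
        # The PSK is used here and nowhere else: it binds this role to the
        # exchanged public values. It is never an input to the session key.
        return hmac.new(self.psk, self.role + transcript, hashlib.sha256).digest()

    def session_key(self, peer_role, peer_public, peer_tag, transcript) -> bytes:
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate DH public value")
        expected = hmac.new(self.psk, peer_role + transcript,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("PSK authentication failed")
        shared = pow(peer_public, self.secret, P)
        return kdf(b"session", enc(shared), transcript)


def handshake(psk_initiator: bytes, psk_responder: bytes):
    """Run both sides in-process; return (key_i, key_r, what_a_tap_records)."""
    i, r = Peer(b"I", psk_initiator), Peer(b"R", psk_responder)
    transcript = enc(i.public) + enc(r.public)
    tag_i, tag_r = i.auth_tag(transcript), r.auth_tag(transcript)
    capture = {"pub_i": i.public, "pub_r": r.public,
               "tag_i": tag_i, "tag_r": tag_r}
    key_r = r.session_key(b"I", i.public, tag_i, transcript)
    key_i = i.session_key(b"R", r.public, tag_r, transcript)
    return key_i, key_r, capture


if __name__ == "__main__":
    psk = b"constructed-example-psk"          # constructed sample value
    key_i, key_r, capture = handshake(psk, psk)
    print("peers agree:", key_i == key_r)
    print("wire carries only:", sorted(capture))
```

Reading the PSK out of a configuration still lets an attacker impersonate a peer in later exchanges; what changes is that recordings of earlier sessions stay unreadable, because the ephemeral exponents are gone.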


From nobody Wed Dec 31 11:44:38 2014
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBEF1A1A3E; Wed, 31 Dec 2014 11:44:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ejUE2iQvf9-d; Wed, 31 Dec 2014 11:44:32 -0800 (PST)
Received: from homiemail-a112.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id AC7DC1A1A39; Wed, 31 Dec 2014 11:44:32 -0800 (PST)
Received: from homiemail-a112.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a112.g.dreamhost.com (Postfix) with ESMTP id 7AB3520046B15; Wed, 31 Dec 2014 11:44:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Fqd3dp7CJeQ9QA wIqw39CFzt2qs=; b=RZsRFT9LChDKEQiyvIJm16RaOQS20ZUMFTaqno09jTw2FU Im1FXLhKcxQRo+BoxYyDIJOK/6vuip1kfZc9a1GqnqWSX+1ET1Z7gGVqxtdif2I8 0d+jwbl4JouDUSMyPRP2U3CXuTTl+I0i1UNK1H5zJwzK94b/pa4qDpm9rLSCI=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a112.g.dreamhost.com (Postfix) with ESMTPA id EA48220046913; Wed, 31 Dec 2014 11:44:31 -0800 (PST)
Date: Wed, 31 Dec 2014 13:44:31 -0600
From: Nico Williams <nico@cryptonector.com>
To: John C Klensin <john-ietf@jck.com>
Message-ID: <20141231194426.GP24442@localhost>
References: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost> <E4837FDB76D5ACDEB1C568DF@[192.168.1.128]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E4837FDB76D5ACDEB1C568DF@[192.168.1.128]>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/gf4ic7n9g0QTclPOAxOhUXzRNX4
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <jan.pechanec@oracle.com>, Patrik Fältström <paf@frobbit.se>
Subject: Re: [saag] i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 19:44:34 -0000

On Wed, Dec 31, 2014 at 10:41:28AM -0500, John C Klensin wrote:
> Nowhere in our procedures is there any provision for a
> standards-track document to get a waiver because some other
> standards body got sloppy, did something that wouldn't meet our
> standards, or didn't quite understand the implications of what
> they were doing.

I think you're misreading what I wrote.  Please read my latest reply to
Patrik.

> Now, we've had a lot of specs written on the assumption that a
> sufficient path to internationalization of a protocol designed
> around ASCII (or an ISO 646 profile or IA5) was "just say
> 'UTF-8' where we used to say 'ASCII', use UTF-8, and go merrily
> on your way".  After a while, with help from both experience and

We've had specs that naively said "normalize" too.  NFSv4 comes to mind.

> some of our friends, we figured out that wasn't a good idea and
> various specs now, appropriately, push back anything resembling
> "just use UTF-8" (a statement like "It's all UTF-8, all the
> time, so that form-insensitive can work" (from your earlier
> note, not the spec) is an example of "just use UTF-8" thinking).

You're twisting my words.  I very specifically said that what to do
about normalization depends on the application.  I don't think there's a
one-size-fits-all approach, not without a time machine on hand.

> Normalization is easily dealt with by making a clear statement.

My experience with filesystems is that that's an easy statement to make
and much harder to make real.  This is why ZFS is form-preserving/
form-insensitive: it was the best solution in a world where none of the
moving parts could be expected to normalize to the one true canonical
form.

A funny story from back when: Apple apparently was porting ZFS to OS X,
and they made it normalize to NFD (close enough) to match HFS+.  This
caused breakage.  As I recall it the notable breakage was with git, and
ZFS got blamed by Linus T.  But of course, the problem was that the
filesystem in question (not ZFS, but ZFS modified to normalize to NFD)
was using an inconvenient NF.  That HFS+ normalizes to NFD is a reality
that can't be changed.  That input methods tend to produce NFC-ish
output is also a reality that can't be changed.  That system call stubs
in C libraries don't apply codeset conversions and normalization is a
reality that can be changed, but only at great effort.  I can go on.

The point is that "just normalize" is naive, and each application
requires careful consideration.

> You (and the authors) pick, but I agree with Patrik that
> something needs to be said unless you take the alternate
> suggestion below.

I agree with Patrik that something needs to be said at the very least
in the security considerations section.

Also, *I* brought up the issue, as I'm rather sensitive to normalization
issues.  *I* suggested something minimal and said that if there was no
consensus for it, I'd be fine with saying nothing, mostly because it's
late in the day and I don't think it will be critical in this case.

> Alternate suggestion in the interest of getting this out and
> recognizing that this is mostly a PKCS#11 problem (presumably
> ITU and/or RSA, but what do I know) and shouldn't be an IETF one:

RSA.

> (1) Put in an Internationalization Considerations section, which
> I believe is required anyway.

Is it?  I'd like that to be required.

> (2) Indicate that PKCS#11 severely underspecifies issues
> associated with characters outside the ASCII repertoire and,
> especially, contexts not associated with European languages.  

Sure.

> (3) Say that, at least until PKCS#11 is updated to more
> adequately handle and specify i18n issues, such characters, and
> certificates that use them, SHOULD NOT be used in or referenced
> from URIs, unless there is a clear need and the issues
> associated with the characters to be used are clearly understood.

I think that's too strong.

> (4) As appropriate, update the handwaving in this document to
> point to that new section.

Sure.

> That would make it very clear that you are not telling people
> how to do it and would make the warning as obvious as it should
> be.
> 
> Finally...
> 
> > PKCS#11 is an API.  PKCS#11 apps might "interoperate" using
> > PKCS#11 URIs communicated over, e.g., IPC (or plain old
> > cut-n-paste).
> > 
> > PKCS#11 URI _templates_ might well be exchanged far and wide,
> > but still not really as a part of a network protocol.
> 
> For many years, the IETF had a very strong "we don't do APIs"
> policy.  That was motivated, at least in part, because APIs tend

Please point to a Standards-Track document that says that.

> to make strong assumptions about programming language and
> operating system environments, either favoring some over others
> (a business we didn't want to be in) or not standing the test of
> time as things outside the IETF evolved.  The view was that we
> were much better off specifying requirements and protocols and
> leaving APIs to particular languages, libraries/packages, or
> operational environments.

We certainly have done APIs.  E.g., SCTP socket API, GSS-API.

GSS comes in two flavors: abstract, and bindings of the abstract API to
specific programming languages.

FYI, GSS defines a protocol _pattern_ (and just a handful of bits on the
wire of that pattern), but the vast majority of it is an API.  Compare to
SASL, which also defines a protocol pattern, practically no bits on the
wire, and no API (of course, there are SASL APIs, because at the end of
the day most application developers want off-the-shelf implementations of
such things).

Should we stop all work on GSS because you claim there's a policy
against APIs?

Further, I believe a lot of real problems have arisen from the lack of
APIs.  In particular I believe end-to-end IPsec is useless without
binding per-packet security into a higher-order construct like "packet
flow", which necessarily involves exposure of IPsec information to
higher layers, which then necessitates a notional (abstract) API.  That
API does not exist, therefore IPsec has been relegated to small networks
and VPNs, where local configuration is small, manageable, and can be
assumed.  The lack of an abstract API here hurt adoption.

> Times change but it seems that many of the times we do APIs drop
> us into a rat hole similar to this one in which we are trying to
> do an overlay to a spec over which we have little or no control.

This might well be the case here, but the problem isn't "oh noes, it's
API", but that the API (which could have been a protocol) in question is
defined _elsewhere_.

> Part of the problem is that an API is a somewhat different type
> of beast from a protocol-style Technical Specification.  If we

I disagree vehemently.  See above examples.  I think this opinion of
yours is harmful and hand-wavy.  If you have a detailed argument for why
APIs are so different from "protocol-style" specs that we should not
engage in API design, I'd like to see it.

> are going to keep doing these, it may be time to modify/update
> 2026 to introduce a new class of standards-track document.

To read RFC2026 as a prohibition on IETF work on APIs is a real stretch.
Clearly many have disagreed with that take over the years since RFC2026
was published, and they (we) have published RFCs that contravene your
reading of RFC2026.

Nico
-- 
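
The two positions in this exchange, normalizing only at comparison time (John's message) and form-preserving, form-insensitive matching (Nico's ZFS description), applied to a label taken from a PKCS#11 URI. This is an added example, not code from the thread or the draft; the parser is a simplified assumption that reads only the path attributes, and the labels and URIs are constructed sample data.

```python
import unicodedata
from urllib.parse import unquote


def parse_pkcs11_path(uri: str) -> dict:
    """Return the path attributes of a pkcs11: URI as {name: decoded string}.

    Simplified: the query part (after '?') is dropped. Invalid UTF-8 in a
    percent-encoded value raises an error instead of being silently replaced.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11 URI")
    attrs = {}
    for part in rest.split("?", 1)[0].split(";"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {part!r}")
        attrs[name] = unquote(value, encoding="utf-8", errors="strict")
    return attrs


def same_label(a: str, b: str) -> bool:
    """Form-insensitive comparison: both sides are normalized only here,
    so whatever form the token stored is preserved untouched."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def invisible_code_points(label: str) -> list:
    """Code points that render as nothing or as a look-alike of U+0020.

    Normalization does not remove these, which is the separate whitespace
    and zero-width problem raised in the thread.
    """
    found = []
    for ch in label:
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf", "Zl", "Zp") or (cat == "Zs" and ch != " "):
            found.append(f"U+{ord(ch):04X}")
    return found


def match_object(uri: str, stored_labels: list) -> dict:
    """Compare the URI's object label against labels held on a token."""
    wanted = parse_pkcs11_path(uri)["object"]
    return {
        "bytewise": [s for s in stored_labels
                     if s.encode("utf-8") == wanted.encode("utf-8")],
        "form_insensitive": [s for s in stored_labels if same_label(s, wanted)],
        "invisible_in_uri": invisible_code_points(wanted),
    }


# Constructed sample data: labels as a token might hold them (first one in NFC).
STORED_LABELS = ["Z\u00fcrich signing key", "backup key"]
# Same visible label typed as precomposed u-umlaut (NFC) ...
URI_NFC = "pkcs11:token=demo;object=Z%C3%BCrich%20signing%20key;type=private"
# ... and as 'u' + combining diaeresis (NFD), as an NFD-normalizing system emits.
URI_NFD = "pkcs11:token=demo;object=Zu%CC%88rich%20signing%20key;type=private"
# A zero-width space hidden inside an otherwise ordinary label.
URI_ZWSP = "pkcs11:token=demo;object=backup%E2%80%8B%20key"

if __name__ == "__main__":
    for uri in (URI_NFC, URI_NFD, URI_ZWSP):
        print(uri)
        print("  ", match_object(uri, STORED_LABELS))
```

The NFD URI finds nothing bytewise and one label form-insensitively; the zero-width-space URI finds nothing either way, so it has to be caught by the separate check.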


From nobody Wed Dec 31 11:45:22 2014
Date: Wed, 31 Dec 2014 11:45:01 -0800 (PST)
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: ietf@ietf.org
Message-ID: <alpine.GSO.2.00.1412311127180.4549@keflavik>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/zLoOxFhVDVJ-LZbhTzGUzzwbpWw
Cc: Darren.Moffat@oracle.com, Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, saag@ietf.org
Subject: [saag] Last Call: <draft-pechanec-pkcs11uri-16.txt> (The PKCS#11 URI Scheme) to Proposed Standard: new draft 17

Hi, I've addressed comments received so far during the last call and
given that there are several different changes I've filed a new draft
17.  There is still an ongoing discussion on i18n requirements and I
expect that there will be a new draft following on.

draft-pechanec-pkcs11uri-17.txt contains the following changes:

  - slot attributes added to identify a PKCS#11 slot

  - some minor editorial changes as suggested by Derek Atkins

  - IANA registration template added to the draft itself as suggested
    by Martin Duerst.

  - normative language used as per RFC2119 as suggested by Sarah Banks

  - IRIs (RFC3987) are referenced per Nico Williams's suggestion

  - a syntax error found by Shawn Emery fixed in the ABNF grammar

  - ABNF was simplified as suggested by the ABNF check tool
    http://tools.ietf.org/tools/bap/abnf.cgi (I replaced "*1(xx)" with
    "[ xx ]")

  - text notes that use of "x-*" attributes is obsolete and should be
    avoided as per BCP178.  Based on a comment by Bjoern Hoehrmann.

  - a new section on generating PKCS#11 URIs added based on initial
    comment by Henry B. Hotz.

Direct link to the diff from the previous version:

http://www.ietf.org/rfcdiff?url1=draft-pechanec-pkcs11uri-16&url2=draft-pechanec-pkcs11uri-17

Best regards, Jan.

--
Jan Pechanec <jan.pechanec@oracle.com>


From nobody Wed Dec 31 14:23:01 2014
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com>
Date: Wed, 31 Dec 2014 14:22:57 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <15DEE242-686D-4022-94FA-F15280B95D27@vpnc.org>
References: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/d2tRwfkq9XXQDfvBfvgJQ1-61kM
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] PSK considered helpful

On Dec 29, 2014, at 8:00 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
> SSH, etc. From the documents it appears that the majority of effort is
> in extracting configurations from routers that contain PSK keys, which
> then permit the decryption of data.
>
> There is no information on how the configurations are being extracted,
> sadly, as the documents don't contain this detail.

Having looked at some (but certainly not all) of the
recently-highlighted documents, I do not see discussion of IPsec and
PSK. Could you send this list a specific reference? I ask because PSK
mode in IKE would not allow later decryption of data: it is only used
for authentication.

You might instead be thinking of "static keying", which is in IPsec and
not IKE, and would certainly allow later decryption because the IPsec
session key never changes. If that is what you are referring to, this
becomes much less worrisome from a protocol standpoint, because we have
known and documented all along that static IPsec keying is horribly
dangerous; most vendors make this clear in their admin front ends. If it
is not what you are referring to, seeing the actual documents might help
the IPsecME WG determine how to make IPsec and IKEv2 more secure.

--Paul Hoffman


From nobody Wed Dec 31 14:45:09 2014
In-Reply-To: <15DEE242-686D-4022-94FA-F15280B95D27@vpnc.org>
References: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com> <15DEE242-686D-4022-94FA-F15280B95D27@vpnc.org>
Date: Wed, 31 Dec 2014 17:45:03 -0500
Message-ID: <CACsn0ck8VnDEPc_DyVd=XsOsp1Jj7NM1zEc35OCW+xtPgp=_tw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/xX1ExnXNf_RauKxw-H7cPPLQbow
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] PSK considered helpful

On Wed, Dec 31, 2014 at 5:22 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Dec 29, 2014, at 8:00 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
>> SSH, etc. From the documents it appears that the majority of effort is
>> in extracting configurations from routers that contain PSK keys, which
>> then permit the decryption of data.
>>
>> There is no information on how the configurations are being extracted,
>> sadly, as the documents don't contain this detail.
>
> Having looked at some (but certainly not all) of the
> recently-highlighted documents, I do not see discussion of IPsec and
> PSK. Could you send this list a specific reference? I ask because PSK
> mode in IKE would not allow later decryption of data: it is only used
> for authentication.
>
> You might instead be thinking of "static keying", which is in IPsec and
> not IKE, and would certainly allow later decryption because the IPsec
> session key never changes. If that is what you are referring to, this
> becomes much less worrisome from a protocol standpoint, because we have
> known and documented all along that static IPsec keying is horribly
> dangerous; most vendors make this clear in their admin front ends. If it
> is not what you are referring to, seeing the actual documents might help
> the IPsecME WG determine how to make IPsec and IKEv2 more secure.

So I asked Yoav Nir what was going on, and looked at some more
documents, in particular those relating to POISONNUT. All of this was
from Der Spiegel: I don't have access to any Snowden docs not
publicly released, and the data that led me to the conclusions
below is spread out over multiple ones.

What is happening, according to Yoav and the other documents I looked
at, is a MITM attack on IKE exchanges using PSK. In a first stage the
PSK is brute-forced or found via software vulnerabilities, or
interception of email or IM chat containing it. In the second stage
when an IKE exchange is observed using this PSK, a MITM attack is
performed, and the data can be decrypted. I'm less certain of the
second half than the first.

What is true is the data decryption requires a near real time passing
of the IKE exchange to a CES computer, which runs the attack.

It's basically IKEcrack on steroids.

Sincerely,
Watson Ladd

>
> --Paul Hoffman



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin


From nobody Wed Dec 31 15:01:08 2014
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CACsn0ck8VnDEPc_DyVd=XsOsp1Jj7NM1zEc35OCW+xtPgp=_tw@mail.gmail.com>
Date: Wed, 31 Dec 2014 15:01:03 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AD0E6C9-39DF-4D46-B23D-79E20709A1CC@vpnc.org>
References: <CACsn0ck8ZVxjRcjL7nywqmpdFD-MWfKSSp+20ZwtGmVPpc9uXQ@mail.gmail.com> <15DEE242-686D-4022-94FA-F15280B95D27@vpnc.org> <CACsn0ck8VnDEPc_DyVd=XsOsp1Jj7NM1zEc35OCW+xtPgp=_tw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/s986cVJaoFCeESghht516JTE0Rg
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] PSK considered helpful

On Dec 31, 2014, at 2:45 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
> On Wed, Dec 31, 2014 at 5:22 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> On Dec 29, 2014, at 8:00 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>> The NSA is devoting a great deal of effort to exploiting IPsec, PPTP,
>>> SSH, etc. From the documents it appears that the majority of effort is
>>> in extracting configurations from routers that contain PSK keys, which
>>> then permit the decryption of data.
>>>
>>> There is no information on how the configurations are being extracted,
>>> sadly, as the documents don't contain this detail.
>>
>> Having looked at some (but certainly not all) of the
>> recently-highlighted documents, I do not see discussion of IPsec and
>> PSK. Could you send this list a specific reference? I ask because PSK
>> mode in IKE would not allow later decryption of data: it is only used
>> for authentication.
>>
>> You might instead be thinking of "static keying", which is in IPsec
>> and not IKE, and would certainly allow later decryption because the
>> IPsec session key never changes. If that is what you are referring to,
>> this becomes much less worrisome from a protocol standpoint, because we
>> have known and documented all along that static IPsec keying is horribly
>> dangerous; most vendors make this clear in their admin front ends. If it
>> is not what you are referring to, seeing the actual documents might help
>> the IPsecME WG determine how to make IPsec and IKEv2 more secure.
>
> So I asked Yoav Nir what was going on, and looked at some more
> documents, in particular those relating to POISONNUT. All of this was
> from Der Spiegel: I don't have access to any Snowden docs not
> publicly released, and the data that led me to the conclusions
> below is spread out over multiple ones.
>
> What is happening, according to Yoav and the other documents I looked
> at, is a MITM attack on IKE exchanges using PSK. In a first stage the
> PSK is brute-forced or found via software vulnerabilities, or
> interception of email or IM chat containing it. In the second stage
> when an IKE exchange is observed using this PSK, a MITM attack is
> performed, and the data can be decrypted. I'm less certain of the
> second half than the first.

Thanks, that makes perfect sense. When you wrote "which then permit the
decryption of data", I thought you meant "decrypt passively snooped
data" and/or "decrypt previously captured data". If an attacker can see
your config and find the PSK for authentication, they can probably also
see the private key for asymmetric keying authentication.

> What is true is the data decryption requires a near real time passing
> of the IKE exchange to a CES computer, which runs the attack.

The attack you describe should require a true "in the middle" that is
decrypting from one end and then impersonating before re-encrypting on
the other. Simply seeing the traffic in near-real-time would not be
sufficient. Possibly that's what you are saying but, if so, I'm not sure
why you say "near real time".

> It's basically IKEcrack on steroids.

The attack above is unrelated to IKEcrack in that IKEcrack only worked
with Aggressive mode in IKEv1, and was used to determine the PSK by
brute force.

--Paul Hoffman
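
The distinction this thread draws between a PSK used for IKE authentication and static IPsec keying can be checked in code. The following is an added example, not part of any message in the archive; it uses the IKEv2 formulas from RFC 7296 (SKEYSEED in section 2.14, PSK AUTH in section 2.15). Assumptions: a toy DH group, HMAC-SHA256 as the prf, simplified signed octets, and the hypothetical names `Peer`, `exchange` and `static_sa_key`.

```python
import hashlib
import hmac
import secrets

# Toy DH group, an assumption for brevity: 2**127 - 1 is prime but far too
# small for real use. IKEv2 deployments use standardized groups.
P = 2**127 - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the negotiated IKEv2 prf."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """One IKE endpoint; exponent and nonce can be pinned for the comparison."""

    def __init__(self, psk: bytes, secret_exp: int = None, nonce: bytes = None):
        self.psk = psk
        self._x = secret_exp or secrets.randbelow(P - 2) + 1
        self.nonce = nonce or secrets.token_bytes(16)
        self.ke = pow(G, self._x, P)  # public DH value sent in the KE payload

    def skeyseed(self, peer_ke: int, ni: bytes, nr: bytes) -> bytes:
        # RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir).
        # The PSK is not an input to the session keying material.
        shared = pow(peer_ke, self._x, P)
        return prf(ni + nr, shared.to_bytes(16, "big"))

    def auth(self, peer_nonce: bytes) -> bytes:
        # RFC 7296 section 2.15: AUTH = prf(prf(PSK, "Key Pad for IKEv2"), octets).
        # The signed octets are simplified here to own KE value | peer nonce.
        octets = self.ke.to_bytes(16, "big") + peer_nonce
        return prf(prf(self.psk, b"Key Pad for IKEv2"), octets)


def exchange(psk_i: bytes, psk_r: bytes, pinned: bool = False) -> dict:
    """Run one simplified exchange and report what each side derived."""
    fix_i = (0x1234567, b"I" * 16) if pinned else (None, None)
    fix_r = (0x7654321, b"R" * 16) if pinned else (None, None)
    init, resp = Peer(psk_i, *fix_i), Peer(psk_r, *fix_r)
    seed_i = init.skeyseed(resp.ke, init.nonce, resp.nonce)
    seed_r = resp.skeyseed(init.ke, init.nonce, resp.nonce)
    # The responder recomputes the initiator's AUTH with its own copy of the PSK.
    expected = prf(prf(resp.psk, b"Key Pad for IKEv2"),
                   init.ke.to_bytes(16, "big") + resp.nonce)
    return {
        "seed": seed_i,
        "keys_agree": hmac.compare_digest(seed_i, seed_r),
        "auth_ok": hmac.compare_digest(init.auth(resp.nonce), expected),
    }


def static_sa_key(config: dict) -> bytes:
    """Static (manual) keying: the traffic key is the configured value itself."""
    return bytes.fromhex(config["esp_key_hex"])
```

With the exponents and nonces pinned, changing the PSK leaves SKEYSEED unchanged and only changes whether AUTH verifies; the static key, by contrast, is exactly what sits in the configuration.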

